Free Republic
Linux's Technical Advisory Board reports on the UMN 'Hypocrite Commits' patches
ZDNet ^ | 5 May 2021 | Steven J. Vaughan-Nichols

Posted on 05/06/2021 4:00:34 AM PDT by ShadowAce

The fire between the Linux kernel community and the University of Minnesota (UMN) is being put out. Thanks to an ill-thought-out Linux security project, two UMN graduate students tried to insert deliberately buggy patches into Linux. Greg Kroah-Hartman, the well-respected Linux kernel maintainer for the Linux stable branch, responded by banning not only them but any UMN-connected developers from contributing to the Linux kernel. Now, UMN has addressed the Linux kernel developer community's concerns. And, in a message to the Linux Kernel Mailing List (LKML), the Linux Foundation Technical Advisory Board (TAB) and volunteer senior Linux kernel maintainers and developers have reported on what they found when they closely and thoroughly examined patches from UMN academics.

First things first: 435 commits coming from UMN-associated developers were re-reviewed. "The huge majority of the reviewed commits were found to be correct." Of the rest, 39 commits were incorrect and in need of fixing; 25 had already been fixed by later commits; 12 no longer mattered; 9 had been made before the guilty research group existed; and one commit had been removed at its author's request.

Five deliberately corrupt changes had been submitted to the LKML. "These changes were submitted using two fake identities, which is against the documented requirements for how to contribute code to the Linux kernel. The University appears to have allowed researchers to use fake identities when agreeing to the 'Developers Certificate of Origin,' a legal statement about the work being submitted."

However, unlike what was claimed in the paper by the researchers Qiushi Wu and Aditya Pakki and their graduate advisor, Kangjie Lu, an assistant professor in the UMN Computer Science & Engineering Department, "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits," aka "Hypocrite Commits," the TAB reported in clear detail that "All patch submissions that were invalid were caught, or ignored, by the Linux kernel developers and maintainers. Our patch-review processes worked as intended when confronted with these malicious patches."

Still, although no new attacks had been found, the kernel developers felt this enormous review had to be done. As Kroah-Hartman told me, "We were required to be thorough." That's because there was also the possibility, no matter how small, that deliberately corrupt code had been placed in the program. 

In the meantime, the UMN had responded favorably to most of the Linux Foundation TAB's requests. Later the UMN gave full disclosure to the Linux community about who did what and how the Hypocrite Commits project was conducted.

Looking ahead, the Linux community wants to work with the UMN again if the school improves "the quality of the changes that are proposed for inclusion into the kernel."

On the Linux side, the TAB members wrote that the "TAB, working with researchers, will create a document explaining best practices for all research groups to follow when working with the kernel (and open-source projects in general)."

Specifically, with UMN, since trust has been lost, the TAB asks that UMN, as many companies and other research organizations do: 

designate a set of experienced internal developers to review and provide feedback on proposed kernel changes before those changes are submitted publicly. This review catches obvious mistakes and relieves the community of the need to repeatedly remind developers of elementary practices like adherence to coding standards and thorough testing of patches. It results in a higher-quality patch stream that will encounter fewer problems in the kernel community.

Until that's done, "patches from UMN will continue to find a chilly reception."


TOPICS: Computers/Internet
KEYWORDS: linux

1 posted on 05/06/2021 4:00:34 AM PDT by ShadowAce
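The TAB's two complaints above, sign-offs made under fake identities in violation of the Developer's Certificate of Origin and the absence of an internal review gate before patches go public, can be partly enforced mechanically. The following is an added example, not code from the article, the TAB or the kernel project: a pre-submission check that reads From:/Subject:/Signed-off-by: headers from git-format-patch style text and rejects patches whose sign-off is missing or whose signer is not on an internal roster of vetted developers. The roster, regexes and sample patches are constructed for illustration.

```python
# Added example (not from the article or the kernel's own tooling): a pre-submission
# gate that reads From:/Subject:/Signed-off-by: headers from git-format-patch style
# text and flags patches whose DCO sign-off is missing or whose signer is not on an
# internal roster of vetted developers. Roster and sample patches are constructed.
import re

FROM_RE = re.compile(r"^From:\s*(.+?)\s*<([^>]+)>\s*$", re.MULTILINE)
SUBJECT_RE = re.compile(r"^Subject:\s*(.+)$", re.MULTILINE)
SIGNOFF_RE = re.compile(r"^Signed-off-by:\s*(.+?)\s*<([^>]+)>\s*$", re.MULTILINE)

# Hypothetical internal roster: lower-case email -> display name as registered.
ROSTER = {"alice@example.edu": "Alice Example", "bob@example.edu": "Bob Example"}


def check_patch(patch_text, roster=ROSTER):
    """Return (subject, problems) for one patch; an empty list means it passes."""
    m = SUBJECT_RE.search(patch_text)
    subject = m.group(1) if m else "<no subject>"
    author = FROM_RE.search(patch_text)
    signoffs = SIGNOFF_RE.findall(patch_text)
    if author is None:
        return subject, ["missing From: header"]
    if not signoffs:
        return subject, ["no Signed-off-by line (DCO not asserted)"]
    problems = []
    if author.group(2).lower() not in {e.lower() for _, e in signoffs}:
        problems.append("author did not sign off on own patch")
    for name, email in signoffs:
        email = email.lower()
        if email not in roster:
            problems.append(f"signer {email} not on internal roster")
        elif roster[email] != name:
            problems.append(f"sign-off name for {email} does not match roster")
    return subject, problems


def check_series(patches, roster=ROSTER):
    """Return the (subject, problems) pairs for patches that fail the gate."""
    return [r for r in (check_patch(p, roster) for p in patches) if r[1]]


# Constructed sample series: a clean patch and one signed by an unknown identity.
SAMPLE_SERIES = [
    "From: Alice Example <alice@example.edu>\nSubject: [PATCH] fix leak\n\n"
    "Signed-off-by: Alice Example <alice@example.edu>\n---\n",
    "From: J. Doe <jdoe@example.net>\nSubject: [PATCH] add null check\n\n"
    "Signed-off-by: J. Doe <jdoe@example.net>\n---\n",
]
```

Run as a pre-push hook over `git format-patch` output, it stops the unknown-identity patch before it reaches a public list; it does not replace the human review the TAB asks for, only the identity and sign-off bookkeeping.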

To: rdb3; JosephW; martin_fierro; Still Thinking; zeugma; Vinnie; ironman; Egon; raybbr; AFreeBird; ...

2 posted on 05/06/2021 4:01:35 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: ShadowAce

I call BS on the excuse from UM.
To run tests like this, they should be run in VMs, not released to the public.
Also, I notice the Chinese looking names (plus 1 other, I imagine is moslem)..

I always expect some mal-intent code to be put in there, but to be quickly found by another honest coder before release.


3 posted on 05/06/2021 4:23:36 AM PDT by Bikkuri (If you're conservative, you're an "extremist." If you're liberal, you're an "activist.")

To: Bikkuri

I *think* the experiment was to release these “patches” to the public to see if they would be caught. The experiment was not about the “patches” themselves.


4 posted on 05/06/2021 4:25:26 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: Bikkuri

One might wonder if this was some CCP-backed attempt to install a backdoor on Linux systems which could be later exploited in a cyber attack.


5 posted on 05/06/2021 4:35:58 AM PDT by Flick Lives (“Today we celebrate the first glorious anniversary of the Information Purification Directives.”)

To: ShadowAce; Flick Lives
"I *think* the experiment was to release these "patches" to the public to see if they would be caught. The experiment was not about the “patches” themselves."


I agree, it is what I was thinking also.

"One might wonder if this was some CCP-backed attempt to install a backdoor on Linux systems which could be later exploited in a cyber attack."


Also what I was thinking as a possibility, goes with the above post too (like a dry run, like ShadowAce mentioned).

6 posted on 05/06/2021 4:52:27 AM PDT by Bikkuri (If you're conservative, you're an "extremist." If you're liberal, you're an "activist.")

To: ShadowAce

And what of the professor who allowed (encouraged?) this dangerous misbehavior? Where do his allegiances lie and will he ever be held accountable?


7 posted on 05/06/2021 5:28:00 AM PDT by rockrr ( Everything is different now...)

To: rockrr

I doubt that “their graduate advisor, Kangjie Lu, an assistant professor in the UMN Computer Science & Engineering Department” will ever be held accountable.


8 posted on 05/06/2021 5:30:30 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: Flick Lives

Pretty hard to put a backdoor in open-source code. You’re trying to hide something in plain sight.


9 posted on 05/06/2021 5:48:57 AM PDT by Campion (What part of "shall not be infringed" don't they understand?)

To: Campion

I think that is why they were trying this first—as a dry run.


10 posted on 05/06/2021 5:52:44 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: rockrr

Check their bank accounts. See when their income and spending habits started to change significantly and if it preceded/correlated with the acts in question.

We won't do that now though. Not unless they were suspected white nationalists. Heh


11 posted on 05/06/2021 6:21:15 AM PDT by z3n

To: ShadowAce

The Linux community is very vigilant. Is this why election software needs to be open source?


12 posted on 05/06/2021 6:21:58 AM PDT by OldCountryBoy (You can't make this stuff up!)

To: OldCountryBoy
Is this why election software needs to be open source?

Yes. Seeing the code and verifying that it is not corrupt is very powerful.

13 posted on 05/06/2021 6:24:42 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: OldCountryBoy

Yup, that is the beauty of open source. That’s why it’s generally safer and more secure than proprietary. Imagine what back doors are in Windows.


14 posted on 05/06/2021 6:26:59 AM PDT by Pollard

To: OldCountryBoy; ShadowAce; Pollard
Is this why election software needs to be open source?

Indubitably! No closed, proprietary code can be trusted.

15 posted on 05/06/2021 7:11:46 AM PDT by Montana_Sam (Truth lives.)

To: OldCountryBoy
The Linux community is very vigilant. Is this why election software needs to be open source?

All election software should, as a matter of law, be open source. Otherwise, it simply can't be trusted.

16 posted on 05/06/2021 8:14:06 AM PDT by zeugma (Stop deluding yourself that America is still a free country.)
