Posted on 05/06/2021 4:00:34 AM PDT by ShadowAce
The fire between the Linux kernel community and the University of Minnesota (UMN) is being put out. Thanks to an ill-thought-out Linux security project, two UMN graduate students tried to insert deliberately buggy patches into Linux. Greg Kroah-Hartman, the well-respected Linux kernel maintainer for the Linux stable branch, responded by banning not only them but any UMN-connected developers from contributing to the Linux kernel. Now, UMN has addressed the Linux kernel developer community's concerns. And, in a message to the Linux Kernel Mailing List (LKML), the Linux Foundation Technical Advisory Board (TAB) and volunteer senior Linux kernel maintainers and developers have reported on what they found when they closely and thoroughly examined patches from UMN academics.
First things first: 435 commits coming from UMN-associated developers were re-reviewed. "The huge majority of the reviewed commits were found to be correct." Of the rest, 39 commits were incorrect and in need of fixing; 25 had already been fixed by later commits; 12 no longer mattered; 9 had been made before the guilty research group existed and one commit has been removed by its author's request.
Five deliberately corrupt changes had been submitted to the LKML. "These changes were submitted using two fake identities, which is against the documented requirements for how to contribute code to the Linux kernel. The University appears to have allowed researchers to use fake identities when agreeing to the 'Developers Certificate of Origin,' a legal statement about the work being submitted."
However, contrary to what the researchers, Qiushi Wu and Aditya Pakki, and their graduate advisor, Kangjie Lu, an assistant professor in the UMN Computer Science & Engineering Department, claimed in their paper "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits," aka "Hypocrite Commits," the TAB reported in clear detail that "All patch submissions that were invalid were caught, or ignored, by the Linux kernel developers and maintainers. Our patch-review processes worked as intended when confronted with these malicious patches."
Still, although no new attacks had been found, the kernel developers felt this enormous review had to be done. As Kroah-Hartman told me, "We were required to be thorough." That's because there was also the possibility, no matter how small, that deliberately corrupt code had been placed in the program.
In the meantime, the UMN had responded favorably to most of the Linux Foundation TAB's requests. Later the UMN gave full disclosure to the Linux community about who did what and how the Hypocrite Commits project was conducted.
Looking ahead, the Linux community wants to work with the UMN again if the school improves "the quality of the changes that are proposed for inclusion into the kernel."
On the Linux side, the TAB members wrote: the "TAB, working with researchers, will create a document explaining best practices for all research groups to follow when working with the kernel (and open-source projects in general)."
Specifically, with UMN, since trust has been lost, the TAB asks that UMN, as many companies and other research organizations do:
designate a set of experienced internal developers to review and provide feedback on proposed kernel changes before those changes are submitted publicly. This review catches obvious mistakes and relieves the community of the need to repeatedly remind developers of elementary practices like adherence to coding standards and thorough testing of patches. It results in a higher-quality patch stream that will encounter fewer problems in the kernel community.
Until that's done, "patches from UMN will continue to find a chilly reception."
I call BS on the excuse from UM.
To run tests like this, they should be run in VMs, not released to the public.
Also, I notice the Chinese-looking names (plus one other, who I imagine is Muslim).
I always expect some mal-intent code to be put in there, but to be quickly found by another honest coder before release.
I *think* the experiment was to release these “patches” to the public to see if they would be caught. The experiment was not about the “patches” themselves.
One might wonder if this was some CCP-backed attempt to install a backdoor on Linux systems which could be later exploited in a cyber attack.
"I *think* the experiment was to release these “patches” to the public to see if they would be caught. The experiment was not about the “patches” themselves."
"One might wonder if this was some CCP-backed attempt to install a backdoor on Linux systems which could be later exploited in a cyber attack."
And what of the professor who allowed (encouraged?) this dangerous misbehavior? Where do his allegiances lie and will he ever be held accountable?
I doubt that “their graduate advisor, Kangjie Lu, an assistant professor in the UMN Computer Science & Engineering Department” will ever be held accountable.
Pretty hard to put a backdoor in open-source code. You’re trying to hide something in plain sight.
I think that is why they were trying this first—as a dry run.
Check their bank accounts. See when their income and spending habits started to change significantly and if it preceded/correlated with the acts in question.
We won't do that now though. Not unless they were suspected white nationalists. Heh
The Linux community is very vigilant. Is this why election software needs to be open source?
Yes. Seeing the code and verifying that it is not corrupt is very powerful.
Yup, that is the beauty of open source. That’s why it’s generally safer and more secure than proprietary. Imagine what back doors are in Windows.
All election software should, as a matter of law, be open source. Otherwise, it simply can't be trusted.