Those responsible for maintaining the Linux kernel will no longer accept code contributed by members of the University of Minnesota (UMN). The reason is surprising: doctoral student Qiushi Wu and assistant professor Kangjie Lu, both affiliated with the institution, submitted commits containing malicious code to the kernel.
It was not a mistake or a lapse of attention. The vulnerable code was deliberately submitted to the Linux community. Qiushi Wu and Kangjie Lu conducted a study to demonstrate that open source projects can be susceptible to receiving contributions that introduce known vulnerabilities into the software. The Linux kernel was one of the targets of this research.
This type of study is not unprecedented and is not usually rejected by open source communities. The problem is that the researchers' approach irritated the kernel maintainers. To make matters worse, the pair did not warn anyone in the community about the experiment.
University of Minnesota is banned
The subject only came up after the research was published (PDF) in February of this year. Displeased, Greg Kroah-Hartman, one of the main maintainers of Linux after Linus Torvalds, decided to act: this week he announced the decision to ban kernel contributions from developers linked to UMN.
Commits from @umn.edu addresses sent in “bad faith” to test the community’s ability to review known ‘malicious changes’ have been found.
Because of this, all contributions coming from this group must be removed from the kernel tree and we must review them again to ensure that they are valid fixes.
The decision was not made immediately. On the kernel mailing list, Kroah-Hartman asked members of the University of Minnesota to stop submitting invalid code to the project. In one of the messages, the developer warned that the professor responsible for the study was trying to publish a paper in a bizarre way and insisted that the submissions stop.
Aditya Pakki, a UMN member, responded by saying that Kroah-Hartman made accusations that bordered on slander and that he would not send any more code because of this attitude, which he considered “intimidating for beginners and non-experts”.
It was the last straw for Greg Kroah-Hartman:
You and your group have publicly admitted that you have submitted vulnerable code to find out how the kernel community would react to this and published a paper based on that work.
Now you submit a series of new, obviously incorrect code. What am I supposed to think of such a thing?
Because of this, I now have to ban all future contributions from your university and remove previous contributions, as it is obvious that they were sent in bad faith with the intention of causing problems.
Shortly after the decision, the UMN Department of Computer Science and Engineering released a statement in which it acknowledged that its researchers’ approach has raised serious concerns for the Linux kernel community. In the message, the institution announced the decision to immediately suspend this line of research.
The university also promised to investigate the method used by the researchers and take corrective action.
Ban has more support than criticism
For Brad Spengler, president of Open Source Security, the Linux maintainers' decision was an overreaction that will create more work for all parties.
On Twitter, Spengler points out that the community was warned about the risk of suspicious kernel submissions last year and that legitimate commits could be affected by the ban. As a result, vulnerabilities that had already been fixed could return to Linux, he adds.
But most members of the community seem to support the decision. For Jered Floyd, from Red Hat, what the UMN researchers did is equivalent to going to a market and cutting the brakes on all the cars parked there to find out how many people will have an accident when they leave.
Responding to the researchers' argument that none of the malicious commits were directed at the Linux repositories, Debian developer Sudip Mukherjee said on the mailing list that much of the code sent by the researchers had reached the stable kernel trees.
With information from: Bleeping Computer, ZDNet.