Last week, researchers at the University of Minnesota (UMN) were banned from contributing to the Linux kernel after submitting patches that deliberately introduced bugs as part of a study. Last Saturday (April 24), they published an open letter to the community apologizing for what they had done. It did little good: the text of almost 800 words received a cold reception.
The study set out to show that open-source projects are susceptible to contributions that quietly introduce vulnerabilities into the software.
To test this, the researchers found three minor bugs in the kernel, wrote fixes for them and submitted those fixes to the Linux maintainers. Each fix, however, carried what the researchers call an "immature vulnerability": a flaw that only becomes exploitable under an additional condition, such as a call to a particular function.
The patches were submitted without that additional condition, to see whether the maintainers would spot the deliberately inserted vulnerabilities during review. According to the researchers, they did not.
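To make the mechanism concrete, here is a constructed illustration of an "immature vulnerability" in C. It is an added example, not code from the study, the paper or the kernel: a patch that adds a release on an error path is harmless for the caller that exists at the time, and only becomes a use-after-free once a second, innocent-looking change reads the object after a failed setup. Memory is modelled with a small tracked pool (all names and the failing input are hypothetical) so that the bug is detected deterministically instead of triggering undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a tiny tracked "allocator" standing in for the real
 * object lifecycle. Each slot records whether it is live, so a read after
 * release is detected (returns -1) rather than being undefined behaviour. */
struct obj {
    int live;   /* 1 while allocated, 0 after obj_put() */
    int value;
};

#define POOL_SIZE 4
static struct obj pool[POOL_SIZE];

static void pool_reset(void) { memset(pool, 0, sizeof(pool)); }

static struct obj *obj_get(int value)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            pool[i].value = value;
            return &pool[i];
        }
    }
    return NULL;
}

static void obj_put(struct obj *o) { o->live = 0; }

/* Returns the stored value, or -1 if the object was already released. */
static int obj_read(const struct obj *o) { return o->live ? o->value : -1; }

/* Number of objects still allocated; non-zero after a clean run means a leak. */
static int live_count(void)
{
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++)
        n += pool[i].live;
    return n;
}

/* Hypothetical helper under patch: rejects negative values. */
static int validate(const struct obj *o) { return o->value < 0 ? -1 : 0; }

/* Original code: on failure the object is leaked. This is the minor bug
 * a "fix" would plausibly target. */
static int setup_v1(struct obj *o)
{
    if (validate(o) < 0)
        return -1;
    return 0;
}

/* The "fix": release the object on the error path so nothing leaks.
 * Correct for the one caller that exists today, which never touches the
 * object after a failure. The latent hazard is that ownership of o has
 * silently moved: callers must now treat o as gone once setup fails. */
static int setup_v2(struct obj *o)
{
    if (validate(o) < 0) {
        obj_put(o);
        return -1;
    }
    return 0;
}

/* Caller present when the patch lands: bails out immediately on error. */
static int caller_original(int (*setup)(struct obj *), int value)
{
    struct obj *o = obj_get(value);
    if (!o)
        return -1;
    if (setup(o) < 0)
        return -1;
    obj_put(o);
    return 0;
}

/* The additional condition: a later change reads the object after a failed
 * setup, e.g. to log what was rejected. With setup_v1 this is fine (the
 * object still exists, merely leaked); with setup_v2 it is a use-after-free.
 * Returns 1 if the read hit a released object, 0 otherwise. */
static int caller_with_logging(int (*setup)(struct obj *), int value)
{
    struct obj *o = obj_get(value);
    if (!o)
        return -1;
    if (setup(o) < 0) {
        int v = obj_read(o);   /* o may already have been released by setup */
        return v == -1 ? 1 : 0;
    }
    obj_put(o);
    return 0;
}

/* Run one caller/setup pair on a failing input (-5 is a constructed value). */
static int run(int (*caller)(int (*)(struct obj *), int), int (*setup)(struct obj *))
{
    pool_reset();
    return caller(setup, -5);
}

int main(void)
{
    printf("v1 + original caller: rc=%d live=%d (leak)\n", run(caller_original, setup_v1), live_count());
    printf("v2 + original caller: rc=%d live=%d (fixed)\n", run(caller_original, setup_v2), live_count());
    printf("v1 + logging caller:  uaf=%d\n", run(caller_with_logging, setup_v1));
    printf("v2 + logging caller:  uaf=%d\n", run(caller_with_logging, setup_v2));
    return 0;
}
```

The review lesson is the check a maintainer would want: when a patch adds a free, put or similar release on an error path, the patch is not self-contained, and every caller (including ones added later) must be read for uses of the object after the failing call. Seen in isolation, `setup_v2` looks like a clean leak fix; the vulnerability only exists in combination with `caller_with_logging`.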
Once they received feedback on the submitted patches, the researchers pointed out the flaws they had introduced and offered versions without them. Even so, the maintainers did not appreciate learning that they had been tested in this way, without notice.
In response, Greg Kroah-Hartman, one of the most senior Linux maintainers after Linus Torvalds, decided to reject by default all contributions from developers with @umn.edu addresses, except those that can be verified as legitimate. Of the latter, Kroah-Hartman said: "seriously, why waste your time doing this extra work?"
In the apology letter, Kangjie Lu, Qiushi Wu and Aditya Pakki, the three UMN members at the centre of this story, explain that they did not warn the maintainers about the study because, had they known, the maintainers would have concentrated on hunting for the inserted flaws instead of following their normal review routine. The researchers' own name for these patches is "hypocrite commits".
They also argue that Linux was never vulnerable, because none of the three patches was merged, and that the group reported its findings to the community before the research was published.
The trio further argues that the 190 patches from UMN contributors that the maintainers reverted or put up for re-review, another of the "punishments" applied, are legitimate and have nothing to do with the study.
We just want you to know that we would never intentionally harm the Linux kernel community and never introduce security holes. Our work was conducted with the best of intentions and was focused on finding and correcting flaws.
Kangjie Lu, Qiushi Wu and Aditya Pakki
Letter did not convince
The letter was sent last Saturday (April 24). The next day, Greg Kroah-Hartman acknowledged receipt but was unmoved by its arguments.
In his reply, he noted that on Friday (April 23) the Linux Foundation had sent the University of Minnesota a letter describing the actions the institution must take to regain the trust of the kernel community. "As long as these actions are not carried out, we will have nothing more to discuss on the subject," Kroah-Hartman concluded.
The Linux Foundation's demands to UMN have not been made public. In any case, the university had already announced that it was suspending this line of research and would take corrective measures.
With information: Ars Technica.