University from Minnesota Developers Apologized to Linux Community
Developers from the University of Minnesota finished their experiment a few days ago and apologized to the Linux community.
Earlier, Greg Kroah-Hartman, who is responsible for the stable branch of the Linux kernel, said that specialists at the University of Minnesota are now prohibited from submitting any changes to the Linux kernel, and all commits from @umn.edu addresses will be rejected.The fact is that three researchers from the University of Minnesota (Qushi Wu, Kanje Lu, and Aditya Pakki) decided to conduct an experiment they called “hypocritical commits.” The experts deliberately added vulnerabilities to the code in order to demonstrate that potentially malicious code could stay unnoticed and go through the approval process.
To do this, the researchers used a static analysis tool and found a number of low-priority vulnerabilities in the kernel code, which they called “immature”. Then they created fixes for them, but these patches only exacerbated the “immature” vulnerabilities and made them complete.
After that, university representatives sent their “fixes” to the kernel maintainers to see if the developers would find a serious issue in their minor bug fix patch. When the researchers received a response, they reported that their patch was “wrong,” pointed out a bug in it, and suggested a normal fix.
When this experiment became known, Greg Kroah-Hartman rolled back about 200 commits from @ umn.edu addresses and sent them for re-check. Because of their work, researchers at the University of Minnesota have come under heavy criticism not only from Croa-Hartman, but from the entire community.
“Our community doesn’t like to be experimented with and ‘tested’ by submitting patches that either intentionally do nothing or intentionally introduce bugs into the code”, — wrote Kroah-Hartman.
In turn, the research team reports that it has already stopped this experiment, and last weekend published an open letter in which it apologizes to the entire Linux community. However, many experts note that apologies are more like attempts to justify themselves and convey their position.
“We want you to know that we will never intentionally harm the Linux kernel community and will never intentionally introduce vulnerabilities. Our research was conducted with the best of intentions and was aimed at finding and fixing vulnerabilities. The hypocritical commits were conducted in August 2020 to improve the security of the Linux patching process. As part of the project, we investigated potential issues with the patching process, including the root causes of the issues, and suggested methods for resolving them. Our research did not introduce vulnerabilities into the Linux code. Three incorrect patches were just discussed, but did not go further than this, they did not make it into the code. We presented the results and our conclusions (with the exception of incorrect patches) in our work for the Linux community before the publication of the article, collected feedback and included them in the publication”, — the letter from the university representatives says.
Now the university is conducting a trial, because, for example, this work for some reason was not classified as research in humans.
As for the apology, Kroah-Hartman doesn’t seem to be overly impressed with the open letter:
“As you know, the Linux Foundation and the Technical Advisory Board sent your university a letter on Friday outlining specific actions to take so that your group and your university can rebuild trust in the Linux kernel community. Until these actions are taken, we have nothing more to discuss”, — he writes.
Let me remind you that we also wrote that Experts note the growing interest of cybercriminals in Linux systems and that Linus Torvalds criticized Intel for occasional using of ECC memory.