Security researchers criticised for project that deliberately added vulnerabilities to Linux

Researchers at the University of Minnesota have been publicly excoriated after being caught deliberately adding bugs to the Linux kernel in an ongoing project that assessed the feasibility of manipulating open source software.

All those involved, as well as the university, have been permanently banned from contributing to the Linux codebase after submitting patches laced with security vulnerabilities into the 28 million-line codebase.

Because the Linux codebase is so vast, and contributors around the world submit patches each day, kernel admins are tasked with reviewing these contributions manually before merging them with the official kernel tree. The researchers, however, wanted to stress-test this review process, in Linux and other projects, by deliberately submitting patches containing bugs without the consent of the admins, then watching how the respective communities reacted.

Their findings were first published in a paper in February 2021, which concluded that the openness of these projects, as well as the complexity of software and limited resources of maintainers, meant the review process generally failed to detect vulnerabilities. It's thought that around 60% of the submissions made it past the admins, according to Fosspost, an online magazine themed around open source.

Their paper also referenced the need for “future research”, suggesting these experiments would continue in order to build on this initial body of research.

On 6 April, PhD student Aditya Pakki submitted a seemingly innocuous patch, only for kernel contributor Al Viro to rebuke the submission a few weeks later, finding it didn’t actually fix anything. He then identified a link with the University of Minnesota research project, while another admin identified three similar patches from the same researcher.

However, in emails between all parties involved, Linux maintainer Greg Kroah-Hartman reacted angrily to the experiments, accusing those involved of “totally unethical” and malicious behaviour. In one of the latest emails, sent on 21 April, he accused them directly of treating the Linux community like test subjects.

“You, and your group, have publicly admitted to sending known-buggy patches to see how the kernel community would react to them, and published a paper based on that work,” he said. “Now you submit a new series of obviously-incorrect patches again, so what am I supposed to think of such a thing?

“Our community does not appreciate being experimented on, and being "tested" by submitting known patches that are either do nothing on purpose, or introduce bugs on purpose. If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here.”

As a result, the moderator has banned all future contributions from the researchers’ university, and has removed their previous contributions “as they were obviously submitted in bad faith with the intention to cause problems”.

The University of Minnesota's Department of Computer Science and Engineering head, Mats Heimdahl, and associated department head, Loren Terveen, said in a statement that they take this situation "extremely seriously".

"We have immediately suspended this line of research," they added. "We will investigate the research method and the process by which this research method was approved, determine appropriate remedial action, and safebuard against future issues, if needed. We will report our findings back to the community as soon as practical."

The researchers chose Linux given its status as the biggest and most well-resourced open source project in the world. It’s unclear, however, which other open source projects they targeted, and how many bugs they successfully submitted to their respective ecosystems.

GitHub research published last year found that many vulnerabilities in open source software can take as long as four years to discover and fix.