Security researchers criticised for project that deliberately added vulnerabilities to Linux

Open source maintainer Greg Kroah-Hartman slams their project, claiming “our community does not appreciate being experimented on”

Linux code on a black background

Researchers at the University of Minnesota have been publicly excoriated after being caught deliberately adding bugs to the Linux kernel in an ongoing project that assessed the feasibility of manipulating open source software.

All those involved, as well as the university, have been permanently banned from contributing to the Linux codebase after submitting patches laced with security vulnerabilities into the 28 million-line codebase.

Because the Linux codebase is so vast, and contributors around the world submit patches each day, kernel admins are tasked with reviewing these contributions manually before merging them with the official kernel tree. The researchers, however, wanted to stress-test this review process, in Linux and other projects, by deliberately submitting patches containing bugs without the consent of the admins, then watching how the respective communities reacted.

Their findings were first published in a paper in February 2021, which concluded that the openness of these projects, as well as the complexity of software and limited resources of maintainers, meant the review process generally failed to detect vulnerabilities. It's thought that around 60% of the submissions made it past the admins, according to Fosspost, an online magazine themed around open source.

Their paper also referenced the need for “future research”, suggesting these experiments would continue in order to build on this initial body of research.

On 6 April, PhD student Aditya Pakki submitted a seemingly innocuous patch, only for kernel contributor Al Viro to rebuke the submission a few weeks later, finding it didn’t actually fix anything. He then identified a link with the University of Minnesota research project, while another admin identified three similar patches from the same researcher.

However, in emails between all parties involved, Linux maintainer Greg Kroah-Hartman reacted angrily to the experiments, accusing those involved of “totally unethical” and malicious behaviour. In one of the latest emails, sent on 21 April, he accused them directly of treating the Linux community like test subjects.

“You, and your group, have publicly admitted to sending known-buggy patches to see how the kernel community would react to them, and published a paper based on that work,” he said. “Now you submit a new series of obviously-incorrect patches again, so what am I supposed to think of such a thing?

“Our community does not appreciate being experimented on, and being "tested" by submitting known patches that are either do nothing on purpose, or introduce bugs on purpose. If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here.”

As a result, the moderator has banned all future contributions from the researchers’ university, and has removed their previous contributions “as they were obviously submitted in bad faith with the intention to cause problems”.

The University of Minnesota's Department of Computer Science and Engineering head, Mats Heimdahl, and associated department head, Loren Terveen, said in a statement that they take this situation "extremely seriously".

"We have immediately suspended this line of research," they added. "We will investigate the research method and the process by which this research method was approved, determine appropriate remedial action, and safebuard against future issues, if needed. We will report our findings back to the community as soon as practical."

The researchers chose Linux given its status as the biggest and most well-resourced open source project in the world. It’s unclear, however, which other open source projects they targeted, and how many bugs they successfully submitted to their respective ecosystems.

GitHub research published last year found that many vulnerabilities in open source software can take as long as four years to discover and fix.

Featured Resources

How to be an MSP: Seven steps to success

Building your business from the ground up

Download now

The smart buyer’s guide to flash

Find out whether flash storage is right for your business

Download now

How MSPs build outperforming sales teams

The definitive guide to sales

Download now

The business guide to ransomware

Everything you need to know to keep your company afloat

Download now

Recommended

New report highlights the need for diversity in cyber security recruitment
cyber security

New report highlights the need for diversity in cyber security recruitment

28 Apr 2021
Trend Micro and Snyk team up to combat open source flaws
vulnerability

Trend Micro and Snyk team up to combat open source flaws

10 May 2021
Best Linux distros 2021
operating systems

Best Linux distros 2021

7 May 2021
Redis closes another round of funding, raking in an additional $110 million
open source

Redis closes another round of funding, raking in an additional $110 million

8 Apr 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021