{"id":8910,"date":"2021-04-30T21:58:40","date_gmt":"2021-04-30T21:58:40","guid":{"rendered":"https:\/\/gtechbooster.com\/?p=8910"},"modified":"2023-06-21T11:42:47","modified_gmt":"2023-06-21T11:42:47","slug":"feasibility-of-stealthily-introducing-vulnerabilities-in-open-source-software-via-hypocrite-commits","status":"publish","type":"post","link":"https:\/\/gtechbooster.com\/feasibility-of-stealthily-introducing-vulnerabilities-in-open-source-software-via-hypocrite-commits\/","title":{"rendered":"Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits"},"content":{"rendered":"\n<p>The release of a research paper and its aftermath has caused a stir in Linux kernel developer circles, with a ban being used as the redress action.<\/p>\n\n\n\n<p>Greg Kroah-Hartman has banned the University of Minnesota from contributing to the Linux Kernel and gone to a great deal of effort to revert and re-evaluate 190 patches that had come from the same university. Is this an overreaction or is it the one and only possible response?<\/p>\n\n\n\n<p>The irony of this situation is that the controversial project that led to loss of trust in the University of Minnesota was intended to improve the security of Linux. 
The research, conducted in August 2020, was by Assistant Professor Kangjie Lu and graduate student Qiushi Wu, and their paper &#8220;<em>On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits<\/em>&#8221; has been accepted for the 42nd IEEE Symposium on Security and Privacy. The research, which was supported by the NSF (National Science Foundation), included explicit safeguards to ensure that no bugs were merged into the Linux Kernel as a result of the experiment, although it now seems that a mutex close error may have slipped through, an error that has been fixed.<\/p>\n\n\n\n<p>The ban, however, wasn&#8217;t made as a response to this paper. Instead, the trigger was a more recent set of &#8220;obviously-incorrect patches&#8221; submitted by Aditya Pakki, another of Lu&#8217;s Ph.D. students, who has explained that they were submitted as a result of his work on &#8220;a new static analyzer&#8221;.<\/p>\n\n\n\n<p>For Kroah-Hartman, who as the main Linux kernel maintainer has ultimate responsibility for its safety and security, the submission of new buggy patches was the last straw, and his suspicion was that it was again part of some research experiment, as reflected in his tweet:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"433\" height=\"258\" src=\"https:\/\/gtechbooster.com\/media\/2021\/04\/gkhtweet.jpg\" alt=\"\" class=\"wp-image-8917\" srcset=\"https:\/\/gtechbooster.com\/media\/2021\/04\/gkhtweet.jpg 433w, https:\/\/gtechbooster.com\/media\/2021\/04\/gkhtweet-316x188.jpg 316w\" sizes=\"auto, (max-width: 433px) 100vw, 433px\" \/><\/figure>\n\n\n\n<p>The link in the tweet goes to an email reply to Aditya Pakki in which Kroah-Hartman writes:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>You, and your group, have publicly admitted to sending known-buggy patches to see how the kernel community 
would react to them, and published a paper based on that work.<\/p><\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>Now you submit a new series of obviously-incorrect patches again, so what am I supposed to think of such a thing?<\/p><\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>They obviously were _NOT_ created by a static analysis tool that is of any intelligence, as they all are the result of totally different patterns, and all of which are obviously not even fixing anything at all. So what am I supposed to think here, other than that you and your group are continuing to experiment on the kernel community developers by sending such nonsense patches?&#8230;<\/p><\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>Our community does not appreciate being experimented on, and being &#8220;tested&#8221; by submitting known patches that either do nothing on purpose, or introduce bugs on purpose. If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here.<\/p><\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>Because of 
this, I will now have to ban all future contributions from your University and rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems.<\/p><\/blockquote>\n\n\n\n<p>Asked his opinion, Linus Torvalds came up with a very mild response:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>&#8220;I don&#8217;t think it has been a huge deal _technically_, but people are pissed off, and it&#8217;s obviously a breach of trust.&#8221;<\/p><\/blockquote>\n\n\n\n<p>In an attempt to lift the ban, an apology was submitted yesterday as &#8220;An Open Letter to the Linux community&#8221;, signed by Kangjie Lu, Qiushi Wu, and Aditya Pakki, University of Minnesota. It includes the statement:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>We just want you to know that we would never intentionally hurt the Linux kernel community and never introduce security vulnerabilities. Our work was conducted with the best of intentions and is all about finding and fixing security vulnerabilities.<\/p><\/blockquote>\n\n\n\n<p>It later states:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>We are a research group whose members devote their careers to improving the Linux kernel. We have been working on finding and patching vulnerabilities in Linux for the past five years. 
The past observations with the patching process had motivated us to also study and address issues with the patching process itself.<\/p><\/blockquote>\n\n\n\n<p>Acknowledging the anger felt towards them by the Linux community, they say:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>We apologize unconditionally for what we now recognize was a breach of the shared trust in the open source community and seek forgiveness for our missteps.<\/p><\/blockquote>\n\n\n\n<p>But it&#8217;s not that simple. Trust was broken &#8211; and the actions of this research group have tainted not just the three signatories to the open letter but the entire University of Minnesota. Kroah-Hartman&#8217;s response to this apology was a simple &#8220;Thank you&#8221; and refers to a letter sent by the Linux Foundation&#8217;s Technical Advisory Board to the University of Minnesota outlining the specific actions required for the research group and the university in its entirety to regain the trust of the Linux kernel community.<\/p>\n\n\n\n<p>It seems entirely justified that it should take more than words to rebuild trust in this situation &#8211; but let&#8217;s go further. This should never have been allowed to happen. 
Linux is mission-critical software relied on by big companies and even Mars exploration projects &#8211; it should not be seen as an environment in which to do research, however laudable the aims of that research.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\">More Information<\/h6>\n\n\n\n<ul class=\"wp-block-list\"><li><a rel=\"noreferrer noopener\" href=\"https:\/\/lore.kernel.org\/lkml\/YIV+pLR0nt94q0xQ@kroah.com\/\" target=\"_blank\">Reply to &#8220;An Open Letter to the Linux Community&#8221;<\/a><\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/QiushiWu\/QiushiWu.github.io\/blob\/main\/papers\/OpenSourceInsecurity.pdf\" target=\"_blank\">On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits<\/a><\/li><li><a href=\"https:\/\/www.i-programmer.info\/news\/136-open-source\/14522-trust-and-taint-university-of-minnesota-baned-by-linux-.html\" target=\"_blank\" rel=\"noreferrer noopener\">Trust and Taint &#8211; University of Minnesota Banned By Linux <sup>(credit)<\/sup><\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The release of a research paper and its aftermath has caused a stir in Linux kernel developer circles, with a ban being used as the redress action. 
Greg Kroah-Hartman has banned the University of Minnesota from contributing to the Linux Kernel and gone to a great deal of effort to revert and re-evaluate 190 patches [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":8932,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1915],"tags":[250,1452,517,620,629],"class_list":["post-8910","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ndocs","tag-developers","tag-kennel","tag-linux","tag-open-source","tag-operating-system"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[],"version":6}},"_links":{"self":[{"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/posts\/8910","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/comments?post=8910"}],"version-history":[{"count":0,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/posts\/8910\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/media\/8932"}],"wp:attachment":[{"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/media?parent=8910"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/categories?post=8910"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/tags?post=8910"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}