Security researchers criticised for project that deliberately added vulnerabilities to Linux

Open source maintainer Greg Kroah-Hartman slams their project, claiming “our community does not appreciate being experimented on”

Linux code on a black background

Researchers at the University of Minnesota have been publicly excoriated after being caught deliberately adding bugs to the Linux kernel in an ongoing project that assessed the feasibility of manipulating open source software.

All those involved, as well as the university, have been permanently banned from contributing to the Linux codebase after submitting patches laced with security vulnerabilities into the 28 million-line codebase.

Because the Linux codebase is so vast, and contributors around the world submit patches each day, kernel admins are tasked with reviewing these contributions manually before merging them with the official kernel tree. The researchers, however, wanted to stress-test this review process, in Linux and other projects, by deliberately submitting patches containing bugs without the consent of the admins, then watching how the respective communities reacted.

Their findings were first published in a paper in February 2021, which concluded that the openness of these projects, as well as the complexity of software and limited resources of maintainers, meant the review process generally failed to detect vulnerabilities. It's thought that around 60% of the submissions made it past the admins, according to Fosspost, an online magazine themed around open source.

Their paper also referenced the need for “future research”, suggesting these experiments would continue in order to build on this initial body of research.

On 6 April, PhD student Aditya Pakki submitted a seemingly innocuous patch, only for kernel contributor Al Viro to rebuke the submission a few weeks later, finding it didn’t actually fix anything. He then identified a link with the University of Minnesota research project, while another admin identified three similar patches from the same researcher.

However, in emails between all parties involved, Linux maintainer Greg Kroah-Hartman reacted angrily to the experiments, accusing those involved of “totally unethical” and malicious behaviour. In one of the latest emails, sent on 21 April, he accused them directly of treating the Linux community like test subjects.

“You, and your group, have publicly admitted to sending known-buggy patches to see how the kernel community would react to them, and published a paper based on that work,” he said. “Now you submit a new series of obviously-incorrect patches again, so what am I supposed to think of such a thing?

“Our community does not appreciate being experimented on, and being "tested" by submitting known patches that are either do nothing on purpose, or introduce bugs on purpose. If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here.”

As a result, the moderator has banned all future contributions from the researchers’ university, and has removed their previous contributions “as they were obviously submitted in bad faith with the intention to cause problems”.

The University of Minnesota's Department of Computer Science and Engineering head, Mats Heimdahl, and associated department head, Loren Terveen, said in a statement that they take this situation "extremely seriously".

"We have immediately suspended this line of research," they added. "We will investigate the research method and the process by which this research method was approved, determine appropriate remedial action, and safebuard against future issues, if needed. We will report our findings back to the community as soon as practical."

The researchers chose Linux given its status as the biggest and most well-resourced open source project in the world. It’s unclear, however, which other open source projects they targeted, and how many bugs they successfully submitted to their respective ecosystems.

GitHub research published last year found that many vulnerabilities in open source software can take as long as four years to discover and fix.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021
CISOs aren’t leading by example when it comes to cyber security
cyber security

CISOs aren’t leading by example when it comes to cyber security

24 May 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021