University of Minnesota researchers intentionally submitted vulnerable Linux Patches and earned permanent suspension

Intentionally sabotage Linux under the guise of research? Pic credit: Sárfi Benjámin/Pixabay

Researchers at the University of Minnesota intentionally submitted Linux kernel patches that they knew contained exploitable flaws. In response, the Linux kernel maintainers have barred the entire university from submitting any new patches or code updates.

The University of Minnesota has suspended a research project that sought to slip deliberately flawed patches into the Linux kernel, the foundation of the Linux operating system. The suspension followed complaints that two student researchers had submitted code they knew to be vulnerable to misuse.

University of Minnesota researchers wanted to plant vulnerabilities within Linux to check if a software supply chain could be attacked:

Two student researchers had reportedly submitted vulnerable code to the maintainers of the Linux kernel. Their stated aim was to investigate whether supply chain integrity issues affected the widely used Linux ecosystem, that is, whether a contributor with malicious intent could get a subtly broken patch accepted.

The researchers had released a paper describing how they submitted patches containing known security vulnerabilities to the Linux kernel. The goal was to show that potentially malicious code could pass through the kernel's patch review and approval process.

In a statement meant to clarify the study, the researchers said they intended to bring attention to issues with the submission process — mainly, the fact that bugs, including ones that were potentially maliciously crafted, could slip through.

Incidentally, on a separate occasion, another student from the university submitted a patch that reportedly did nothing useful. This was apparently the incident that brought the earlier attempts at weakening Linux to light.

Kernel developer Laura Abbott responded in a blog post, stating that the possibility of bugs slipping through is “well-known in the open-source software community”. However, in what seems to be a private message, the researcher who submitted the reportedly nonfunctional patch called Linux Foundation fellow Greg Kroah-Hartman’s accusations “wild” and “bordering on slander.”

University of Minnesota on the banned list, while the Linux community peer-reviews previously submitted code:

In addition to refusing any new code from the university, the kernel maintainers have moved to revert all of the code that researchers from the university had submitted in the past, pending re-review.

It is a massive undertaking. However, Kroah-Hartman has made it clear that the developer community doesn’t appreciate “being experimented on”. Because the research was conducted without the maintainers' knowledge or consent, every patch from the university is now treated as suspect.

The University of Minnesota has accepted responsibility and put out a statement saying it has been made aware of the research and of the resulting ban on contributing. The university added that it has suspended that particular line of research. Additionally, it will be investigating how the researchers secured approval for and carried out the study.

While the researchers claimed they intended to highlight potential loopholes within the submission, review, approval, and inclusion process, their clarification appears dubious. One of the researchers reportedly submitted several of the patches from unaffiliated Gmail addresses rather than a university account, and the researcher also stated that the faulty code had been generated with the help of a tool.

The decision to pull any and all patches submitted by members of the University of Minnesota may seem harsh. Experts note that the mass revert may reintroduce bugs that legitimate patches originating from the university had fixed. However, Kroah-Hartman has clarified that the community will re-review each reverted patch and reinstate those found to be valid.

1 month ago

no criminal charges?
