Researchers at the University of Minnesota attempted to intentionally submit Linux patches that were vulnerable to exploitation. Now the Linux community has prohibited the entire university from submitting any new patches or code updates.
The University of Minnesota has suspended a research project that sought to sabotage the foundation of the Linux operating system. Apparently, there were complaints about two student researchers submitting code they knew was vulnerable to misuse.
University of Minnesota researchers wanted to plant vulnerabilities within Linux to check if a software supply chain could be attacked:
Two student researchers had reportedly submitted vulnerable code to the maintainers of the Linux kernel. They apparently intended to investigate whether supply chain integrity issues affected the widely used Linux ecosystem.
The researchers from the university had released a paper detailing how they had submitted known security vulnerabilities to the Linux kernel. They sought to prove how potentially malicious code could get through the approval process.
University of Minnesota banned from contributing to Linux kernel.https://t.co/1Hcu2Ci5Ic
— Barmak Nassirian (@BarmakN) April 23, 2021
In a statement meant to clarify the study, the researchers said they intended to bring attention to issues with the submission process — mainly, the fact that bugs, including ones that were potentially maliciously crafted, could slip through.
#Greg #Kroah -Hartman bans University of Minnesota from Linux development for deliberately buggy patches. That is #right approach. @UMNews should care about community and follow #Netiquette https://t.co/J5iFx8KaMn
— reticent owl (@ReticOwl) April 23, 2021
Incidentally, on a separate occasion, another student from the university submitted a code that reportedly does nothing. This was apparently the incident that unraveled the entire process or willing attempts at weakening Linux.
Kernel developer Laura Abbot responded in a blog post, stating the possibility of bugs slipping through is “well-known in the open-source software community”. However, in what seems to be a private message, the researcher who submitted the reportedly nonfunctional code called Linux Foundation fellow Kroah-Hartman’s accusations “wild” and “bordering on slander.”
University of Minnesota on the banned list, while the Linux community peer-reviews previously submitted code:
In addition to not accepting any new code from the university, the Linux community has removed, nullified, or redacted all of the code that researchers from the university had submitted in the past.
It is a massive undertaking. However, Kroah-Hartman has made it clear that the developer community doesn’t appreciate “being experimented on”. Hence, all of the code from the university is under question due to the research.
— BleepingComputer (@BleepinComputer) April 21, 2021
The University of Minnesota has accepted responsibility, and put out a statement, saying it’s been made aware of the research and its subsequent ban from contributing. The university added that it has suspended that particular line of research. Additionally, it will be investigating how the researchers secured approval and carried out their research.
Leadership in the University of Minnesota Department of Computer Science & Engineering learned today about the details of research being conducted by one of its faculty members and graduate students into the security of the Linux Kernel. pic.twitter.com/QE9rrAyyMX
— UMNComputerScience (@UMNComputerSci) April 21, 2021
While the researchers claimed they intended to highlight the potential loopholes within the submission, review, approval, and inclusion process, their clarification appears dubious. This is because one of the researchers reportedly submitted a few patches through random Gmail addresses. Additionally, the researcher even added that a tool helped created faulty code.
The decision to pull any and all patches submitted by the members of the University of Minnesota may seem harsh. Experts argue that the reaction may reintroduce bugs that legitimate patches, originating from the university, had fixed. However, Kroah-Hartman has clarified that the community will re-review the code and re-submit them if found valid.