LinuxQuestions.org
Old 04-22-2021, 06:39 AM   #16
floppy_stuttgart
Member
 
Registered: Nov 2010
Location: EU mainland
Distribution: Debian like
Posts: 911
Blog Entries: 4

Rep: Reputation: 87

If the research has followed ethical and secure procedures then that's fine. Everybody can become better (except me who is already perfect haha).
However, for making anybody better, the best way is not to say "you are a fool" with a lot of publicity but "I found something, please do it better", then after some time make it public if they don't react. Except when a company is making advertisement "the most secure SW in the world"; demonstrating to them that they are fools is just demonstrating they are using the misleading advertisement to get customers and make more "wrong capitalist" money.
 
Old 04-22-2021, 08:09 AM   #17
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,063

Original Poster
Rep: Reputation: Disabled
There have been some interesting developments on the LKML regarding this incident.

Jiri Kosina CC'd the assistant professor responsible for the original project, Kangjie Lu (link to the paper can be found in previous posts in this thread) asking for clarification, and apparently Dr. Lu responded somewhat apologetically directly to the poster. During the ensuing back-and-forth, his responses were copied to the list.

The TL;DR is that Dr. Lu (who has indeed contributed useful patches to the Linux kernel in the past) claims they followed strict procedures to ensure that no harmful patches ever made it into the actual kernel. He was immediately called out on this, as one of the nefarious patches that demonstrably did make it into Stable was authored by none other than Dr. Lu himself. So far, he has not responded to this.

Also, even though the project was supposedly finished in November 2020 (as the paper has been written and published), weird patches that seemingly did nothing but create possible security issues were still being submitted to the LKML by persons with .umn.edu e-mail addresses as late as early April. Dr. Lu claims that this is a "new project that finds bugs in patches" (archived, just in case) run by the submitter of these patches, Aditya Pakki.

There's now a thread on the LKML dedicated to reverting all patches from the University of Minnesota. Interestingly, upon re-review most of the patches have turned out to be genuine and will either not be reverted, or will be rewritten for non-security-related reasons.

It would seem that very few questionable patches were actually missed in the initial reviews, and those that were missed had potential security implications, not bugs that were readily exploitable.

It's worth noting that the original research paper stated that all the "hypocrite commits" would be submitted by anonymous e-mail accounts. This is obviously not what they did, as evidenced by the fact that problematic patches can be found by searching for posts from the University of Minnesota.
 
Old 04-22-2021, 09:32 AM   #18
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora 33
Posts: 3,575

Rep: Reputation: 1006
It's interesting that they singled out open source. They could have taken a job or internship at Microsoft or Apple and seen if the review process were any more stringent. Having submitted code in both I can say that the Linux kernel review was at least as thorough as the corporate environment.

I suspect they were worried about the legal repercussions if they had succeeded.
 
Old 04-22-2021, 10:40 AM   #19
Jan K.
Member
 
Registered: Apr 2019
Location: Esbjerg
Distribution: slackware...
Posts: 258

Rep: Reputation: 176
The premise of the report was to prove open source software by nature is insecure...

From my "research" I've not been able to find evidence that the long-standing commit/review procedure has let any malicious code through to the kernel tree?

But as I expected (from mailing list):

"It might be worthwhile to have a discussion at the upcoming maintainers summit on how to handle contributions from untrusted sources in the future, and how to identify trusted contributors. Quite obviously the paradigm has finally changed from "assume the contribution is well-intended" to "assume the contribution is malicious". I guess that was prone to happen, but it is sad to experience it anyway.

For my part, congratulations (in a negative sense): You made me much less inclined to accept minor bug fixes from people I don't know in the future.

Guenter"


There may or may not however originally only have been three "test" commits, that already should have been cancelled (as seen in excerpts p. 1), but I've seen some "test" commits that certainly made it into the tree...

What a horrific mess to clean up...
 
1 members found this post helpful.
Old 04-22-2021, 10:46 AM   #20
Jan K.
Member
 
Registered: Apr 2019
Location: Esbjerg
Distribution: slackware...
Posts: 258

Rep: Reputation: 176

Quote:
Originally Posted by smallpond
It's interesting that they singled out open source. They could have taken a job or internship at Microsoft or Apple and seen if the review process were any more stringent. Having submitted code in both I can say that the Linux kernel review was at least as thorough as the corporate environment.

I suspect they were worried about the legal repercussions if they had succeeded.
The whole premise of the report:

"On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits"

We all know closed-source software is safe and well...
 
1 members found this post helpful.
Old 04-22-2021, 10:59 AM   #21
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,802

Rep: Reputation: 1728
One important takeaway from this is that the bad behavior WAS detected and is being dealt with.
It still worries me.
Had they formed a group and spun off the kernel a time or two for this "experiment" it would be different, but this was an actual attack on the trust foundation of the community. I find that entirely disgusting and indefensible!
 
2 members found this post helpful.
Old 04-23-2021, 02:31 AM   #22
floppy_stuttgart
Member
 
Registered: Nov 2010
Location: EU mainland
Distribution: Debian like
Posts: 911
Blog Entries: 4

Rep: Reputation: 87
Quote:
Originally Posted by Jan K.
The whole premise of the report:

"On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits"

We all know closed-source software is safe and well...
"On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits"

is for me

"How to prove my neighbour is an idiot and that the tiger underwear he is wearing is stupid and an aggression against my visual well-being" and make it public, ok?

No.

I go to him secretly and say to him after we drank one beer together...
a) your car door is 50% of the time open. I observed this. So, please close it and perhaps a thief will have trouble taking your car
b) when you are working in your entrance, everybody can see your "builder bum" and see your tiger underwear. That's fine for me, I still don't have tiger underwear and will probably never buy any. But when people who don't know you (you are a good funny boy) see this from the street, they could think this is exhibitionism and an offence. So, please cover your "builder bum" and tiger underwear when you work outside of the house.

You understand the difference?

It's called ethics. Behaviour. Sensitive approach. Positive approach. Social binding approach. Human caring approach.
 
1 members found this post helpful.
Tags
kernel, security