Patches of Discord. What the Technical Advisory Council found


A few days ago it became known that two members of the University of Minnesota had been deliberately submitting patches with security problems to the Linux kernel. This was part of a research project that neither Linus Torvalds nor the Linux Foundation had approved. When Greg Kroah-Hartman, the prestigious developer in charge of maintaining the stable branch of the Linux kernel, found out what they were doing, he reacted by forbidding not only them but any developer connected to UMN from continuing to contribute.

Immediately, the Advisory Council of the Linux Foundation, made up of the main developers along with other volunteer collaborators of proven responsibility, began to assess the damage. They have now communicated the result.

The patches of discord

Out of a total of 435 contributions made by members of the university, the vast majority were found to be fine. Of the rest, 39 had errors and needed to be corrected; 25 had already been corrected, 12 were already obsolete, 9 had been made before the research group existed, and one was removed at the request of its author.

Those responsible for the malicious contributions used two false identities, which goes against the documented requirements for contributing code to the Linux kernel. This could not have been done without institutional collaboration, as the university unquestioningly accepted the 'Developer Certificate of Origin', a legal statement about the work being submitted.

Contrary to what the perpetrators stated (the researchers Qiushi Wu and Aditya Pakki, and their graduate advisor Kangjie Lu, assistant professor in the Department of Computer Science and Engineering at UMN), the Advisory Committee argued that all deliberately buggy patch submissions were either fixed or ignored by Linux kernel developers and maintainers. The conclusion was that the review process worked well.

In fact, the ban on the University of Minnesota may not be permanent. Everything depends on the institution:

… Designate a pool of experienced in-house developers to review and provide feedback on proposed kernel changes before those changes are released publicly. This hotfix will catch obvious bugs and relieve the community of the need to repeatedly remind developers of some elementary practices such as adherence to coding standards and extensive patch testing. This results in a higher quality patch stream that will encounter fewer problems in the kernel community.

Crime does not pay

The researchers will not benefit from the results of their research. The paper they had submitted to a security symposium had been accepted. But, I suppose under pressure from the community, it was withdrawn by the authors themselves, who argued:

First of all, we made a mistake by not engaging in collaboration with the Linux kernel community prior to conducting our study. We now understand that it was inappropriate and hurtful for the community to make it a subject of our research and to waste their effort reviewing these patches without their knowledge or permission. Instead, we now realize that the proper way to do this type of work is to engage with community leaders in advance so that they are aware of the work, approve of its goals and methods, and can support the methods and results once the work is completed and published. Therefore, we are withdrawing the document so that we do not benefit from an incorrectly conducted study.

Second, given the flaws in our methods, we do not want this work to stand as a model for how research can be done in this community. Rather, we hope that this episode will be a learning moment for our community, and that the resulting discussion and recommendations can serve as a guide for proper investigation in the future.

Nor does it seem that they are very good at doing research. The University of Minnesota, in trying to respond to the Linux Foundation's request for reports, found that the process for creating patch submissions was not very well documented.

If I had a child, I would not send him to study at UM.
