Linux bans University of Minnesota for committing malicious code

brambedkar59
Apr 16, 2017
In a rare, groundbreaking decision, Linux kernel project maintainers have imposed a ban on the University of Minnesota (UMN) from contributing to the open-source Linux project.

The move comes after a group of UMN researchers were caught submitting a series of malicious code commits, or patches that deliberately introduced security vulnerabilities in the official Linux codebase, as a part of their research activities.

Additionally, the Linux kernel project maintainers have decided to revert any and all code commits that were ever submitted from @umn.edu email addresses.
A university researcher even tried defending this and failed miserably, after which Greg Kroah-Hartman (a major Linux kernel developer) responded that the Linux kernel developer community does not appreciate being experimented on in this manner.

"If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here," said Kroah-Hartman.

"Because of this, I will now have to ban all future contributions from your University and rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems," he continued.

This is bad on so many levels (ethical, moral, legal).
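One way to do the kind of author-domain sweep described above, as an added example that is not part of the article and not the kernel project's own tooling: it parses `git log` output and lists the commits whose author address falls under a chosen domain, and also groups all commits by author domain for an overview. The commit hashes, addresses and subjects in the embedded sample log are constructed, not real kernel history.

```python
"""Triage commits by author e-mail domain.

Added example, not code from the article or from the Linux kernel project.
Given `git log` output in the format below, it lists the commits whose author
address falls under a chosen domain (as a maintainer would when deciding which
contributions from an organisation need re-review or reverting) and groups all
commits by author domain for an overview.

Expected input format (produced by `git log --format='%H%x09%ae%x09%ce%x09%s'`):
    <hash> TAB <author e-mail> TAB <committer e-mail> TAB <subject>
"""
import sys
from collections import defaultdict

# Constructed sample log. Hashes, addresses and subjects are made up and are
# not real kernel history; the last line is a look-alike domain on purpose.
SAMPLE_LOG = (
    "a1b2c3d4\talice@example.org\tmaintainer@example.org\tnet: fix refcount leak on error path\n"
    "e5f6a7b8\tbob@cs.umn.edu\tmaintainer@example.org\tusb: remove redundant NULL check\n"
    "c9d0e1f2\tcarol@kernel.example\tmaintainer@example.org\tdrivers: add missing kfree\n"
    "0a1b2c3d\tdave@umn.edu\tdave@umn.edu\tscsi: drop unused variable\n"
    "4e5f6a7b\teve@umn.edu.attacker.example\tmaintainer@example.org\tmm: tidy comment\n"
)


def parse_log(text):
    """Parse tab-separated log lines into dicts; reject malformed lines loudly."""
    commits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t", 3)
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 tab-separated fields, got {len(parts)}")
        sha, author, committer, subject = parts
        commits.append({"sha": sha, "author": author, "committer": committer, "subject": subject})
    return commits


def email_domain(addr):
    """Lower-cased domain part of an address, or '' if it has no '@'."""
    _, at, domain = addr.rpartition("@")
    return domain.strip().lower() if at else ""


def in_domain(addr, domain):
    """True if addr is exactly under `domain` or one of its subdomains.

    Matching on label boundaries matters: 'umn.edu.attacker.example' must NOT
    match 'umn.edu', and a plain substring test would also catch 'notumn.edu'.
    """
    d = email_domain(addr)
    domain = domain.lower()
    return d == domain or d.endswith("." + domain)


def commits_from_domain(commits, domain, field="author"):
    """Commits whose `field` address ('author' or 'committer') is under domain."""
    return [c for c in commits if in_domain(c[field], domain)]


def group_by_author_domain(commits):
    """Map author domain -> list of commit hashes, for a quick overview."""
    groups = defaultdict(list)
    for c in commits:
        groups[email_domain(c["author"])].append(c["sha"])
    return dict(groups)


def main(argv):
    domain = argv[1] if len(argv) > 1 else "umn.edu"
    # Read a real log from a pipe if one is given, otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    commits = parse_log(text)
    hits = commits_from_domain(commits, domain)
    print(f"{len(hits)} of {len(commits)} commits authored under {domain}:")
    for c in hits:
        print(f"  {c['sha']}  {c['author']:<28} {c['subject']}")
    print("\nCommits per author domain:")
    for d, shas in sorted(group_by_author_domain(commits).items()):
        print(f"  {d or '<no domain>'}: {len(shas)}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `git log --format='%H%x09%ae%x09%ce%x09%s' | python3 triage.py umn.edu` in a checkout. Two caveats a reviewer should keep in mind: the author and committer fields are whatever the submitter put in `user.email`, with nothing verifying them, so a domain match both over-approximates (anyone can claim an address) and under-approximates (a contributor can use a personal address); and for kernel patches the Signed-off-by trailers in the commit body carry addresses too, which `git log --format='%(trailers:key=Signed-off-by)'` prints and which the same domain check can be applied to.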
 

shmu26
Jul 3, 2015
My hometown, Minneapolis, Minnesota, sure ain't what it used to be. I studied at that university.

But on a macro level, I wonder how vulnerable and blindly trusting the Linux project has been over the years? Who knows how many hackers and attackers have contributed to the source code of the Linux kernel?
 

Azure
Oct 23, 2014
I'm just glad to see the LKP discovered it and took immediate, stern action against the UMN researchers. It just goes to show how important it is to vet all code submitted to the Linux codebase.
Unless I understood wrong, the person involved in this research was very open about it and even made papers explaining the research. So, if he hadn’t done that, would this have been discovered?

And would others with much more malicious intention be able to do this without being discovered?
 

wat0114
Apr 5, 2021
Unless I understood wrong, the person involved in this research was very open about it and even made papers explaining the research. So, if he hadn’t done that, would this have been discovered?

And would others with much more malicious intention be able to do this without being discovered?

That could be, although Linux kernel developer Greg Kroah-Hartman maintains the submissions were done in bad faith and he didn't like the way he felt they were being "experimented on". UMN did have a pretty good argument, however, for the rationale behind their experiment as an effort to test the kernel community's ability to review and discover malicious code.

Trying to draw a comparison, I've heard of really talented IT people getting fired for testing their employer's security perimeters for weaknesses in an honest effort to help improve things, but without prior consent to do so.
 

brambedkar59
Apr 16, 2017
Unless I understood wrong, the person involved in this research was very open about it and even made papers explaining the research. So, if he hadn’t done that, would this have been discovered?

And would others with much more malicious intention be able to do this without being discovered?

Even if the code was not malicious, they intentionally wasted the time of Linux Kernel developers/maintainers.
 

shmu26
Jul 3, 2015
Many open source projects have been targeted by attackers. Python was known to contain malicious scripts for years because there is little to no review process. That's the whole point of the research project.

So many falsely believe Linux is safer than Windows or Mac OS. It isn't. If the full force of Windows security researchers were let loose on Linux then there would be hundreds of vulnerabilities discovered in short order. That's on top of whatever malicious code has already been committed to the Linux kernel.
Can't argue with that, but practically speaking, you don't hear home Linux users complain that their CPU is maxing out because of bitcoin miners, or that their bank account got cleared out, or that their personal files were ransomed or leaked. No one says their mouse is being controlled by a remote attacker. I have been around on Linux forums for years, and I just don't see anyone talking about these things. It is possible that we Linux users are all pwned but it doesn't seem to matter.
 

Raiden
May 7, 2018
This is a very interesting situation that we have here!

It's interesting from the fact that it actually brings forth a pretty major issue with Linux and open source in general. That being anyone has the ability to modify/pass along code that could potentially be very damaging and go undetected for years. Now do I agree with what the researchers did?...No, but if their intention was to highlight a major shortfall...well they did that.

TBH I am actually shocked that this wasn't caught sooner. Which begs the question, is anyone actually looking at/paying attention to what code is being implemented? This has been one of the biggest issues many security-minded people have been raising about open source for years...the fact that it's open source doesn't mean it's more secure. It's a false pretence that so many people in the Linux/open source world beat their chests about. It's only more secure if someone actually takes the time to verify it. Even then, it still doesn't prevent someone from changing it afterwards.

While I do agree what the researchers did wasn't cool, I am of the belief that the kernel developers also share some of the blame, as they let it go unnoticed for a while it seems. I am curious if they implement some sort of "loyalty" verification whereby your first few submissions are closely monitored, after that if you are deemed a "trustworthy" developer, your code just gets implemented without much oversight...which is a problem IMHO, as someone can randomly submit malicious code if they know their code will be included without much thought. I would be curious to know if they have something like this?
 

Kamer
Nov 6, 2019
While I do agree what the researchers did wasn't cool, I am of the belief that the kernel developers also share some of the blame, as they let it go unnoticed for a while it seems. I am curious if they implement some sort of "loyalty" verification whereby your first few submissions are closely monitored, after that if you are deemed a "trustworthy" developer, your code just gets implemented without much oversight...which is a problem IMHO, as someone can randomly submit malicious code if they know their code will be included without much thought. I would be curious to know if they have something like this?
It's interesting to note that the most popular OS based on Linux, Android, uses an old kernel that is maintained solely by Google. Redhat is another company that basically uses an old Linux kernel that is maintained solely, AFAIK. Business consumers really want to know what's going on in the kernel.
 

wat0114
Apr 5, 2021
No. They won't figure it out. That was the vulnerability that was revealed by the researchers.

* Did the authors introduce or intend to introduce a bug or vulnerability? No. As a part of the work, we had an experiment to demonstrate the practicality of bug-introducing patches. This is actually the major source of the raised concerns. In fact, this experiment was done safely. We did not introduce or intend to introduce any bug or vulnerability in the Linux kernel.

https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc.pdf
 

Raiden
May 7, 2018
It's interesting to note that the most popular OS based on Linux, Android, uses an old kernel that is maintained solely by Google. Redhat is another company that basically uses an old Linux kernel that is maintained solely, AFAIK. Business consumers really want to know what's going on in the kernel.
There are many companies (i.e. Google) that have based their product(s) on Linux and have made a number of changes to suit their needs. Some may consider it not "Linux" anymore, but I think that's just being sensational IMHO. I think we have to assume that when we talk about Linux, most people are referring to desktops and servers and not so much a product based off Linux (i.e. Android).

I think the biggest lesson in all of this is that they have proven (intentionally, or not) that someone can easily submit code to be included in any open source project...which has the ability to affect millions of users/businesses. They can blame the researchers as much as they want, but the fact remains that they allowed this code to be implemented, hence proving that open source isn't any more secure than closed source. If anything it could potentially be weaker, because too many people in the open source/Linux community "assume" it's more secure because it's open source.
 

Raiden
May 7, 2018
Please see the .pdf link in post #16. No bugs were introduced into the kernel.
I am aware that no bugs were introduced into the kernel. I am just highlighting the fact that a hacker could do the same thing with the potential of it not being caught...or rather not being caught right away. Open source is great and all, but the fact remains that too many people in the open source world make assumptions that all open source projects are being vetted/reviewed by security researchers, when in fact there is no guarantee that is taking place. Whether bugs were introduced or not, the researchers did prove that code can be submitted in general...with the potential of it actually being malicious and not being caught. That is the moral of the story here.
 

wat0114
Apr 5, 2021
I am aware that no bugs were introduced into the kernel. I am just highlighting the fact that a hacker could do the same thing with the potential of it not being caught...or rather caught right away.
Fair enough. I was just trying to put some perspective on the story, as the tone of this thread would seem to imply the kernel was directly compromised with bugs.

@simalinga

those attacks are against forgotten about and poorly maintained servers. No surprise then that those would be compromised.

EDIT

at least that's what I infer from the Science Techniz article.
 

SpiderWeb
Aug 21, 2020
I could totally believe that there are institutions and "NGOs" who get paid a good amount from spy agencies to submit malicious/backdoored code. smh
Hope the ban is forever. Zero tolerance for this.
 

SecurityNightmares
Jan 9, 2020
The Android platform is notorious for vulnerabilities, but even then, because users cannot control their download habits, the attackers don't have to try very hard.
Android and iOS are most secure systems.
Desktop systems (except MacOS) are broken and lack important security features like full verified boot.
Only the latest AMD Surface devices provide such, but they lack other important features like rollback protection.
 

wat0114
Apr 5, 2021
What Linux servers do you think were attacked and compromised in the recent spate of ecommerce platforms, in the Target heist, in the Home Depot heist, in just about every single server hack out there - including banking servers - are Linux servers.

It's a lie to promote the notion that only old, unmaintained Linux servers are attacked.

Well if you're referring to the Home Depot 2014 data breach, 3rd-party vendor login credentials were stolen to gain access to the network, and as for the 2013 Target breach, login credentials were stolen from a HVAC company to gain access to the network. That certainly would make things a whole lot easier for the attackers. BTW, to clarify, I did not promote the notion of old and unmaintained Linux servers; I took it from the article.

It seems to me it's more a case of sloppy IT security than just buggy Linux servers. There is good evidence of just that in this article:

https://arxiv.org/pdf/1701.04940.pdf
 