01-05-2021 | By Robin Mitchell
Recently, two researchers from the University of Minnesota and fellow graduates were able to get intentionally buggy code and junk code accepted into the Linux kernel by the community. Why did the researchers do this, how did the Linux community react, and what does this demonstrate about open-source software?
Recently, a paper written by Qiushi Wu and Kangjie Lu of the University of Minnesota was released, titled “On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits”. The paper describes how the two researchers could generate code that claims to fix one bug in the Linux kernel while intentionally introducing other bugs. The Linux kernel is open-source, so its code can be accessed by the wider community, and anyone can propose changes to it by submitting patches.
According to the research paper, the various code submissions were able to pass the approval process and be integrated into the final kernel distributions. The goal of the research paper was to demonstrate vulnerabilities in open-source software and to argue that the approval process may need to be reconsidered. In the paper, the researchers identify multiple problems that open-source projects such as the Linux kernel face, including the complexity of the source and the inability of maintainers to understand the whole system.
On the paper's release, the Linux Foundation took little time to announce an outright ban on the University of Minnesota submitting changes and updates to the project. To be specific, the Linux Foundation has banned the email domain used by the University, and all developers of the project have been asked to reject code from the University.
Furthermore, the Linux Foundation has now instructed its members and participants to go through all the University of Minnesota changes to look for the stealth vulnerabilities. One piece of code was found to do nothing whatsoever, and only essential contributions are being kept (i.e. those that fix major bugs).
The lead maintainer of the stable Linux kernel, Greg Kroah-Hartman, stated that “Linux kernel developers do not like being experimented on. We have enough real work to do”. However, after further review of the code submissions from the University of Minnesota, it was concluded that a third of those submitters had contributed junk code that does nothing.
Undoubtedly, the Linux community has absolutely lost its mind over the situation and is demanding blood (figuratively). From demanding that the University set up an ethics board to the outright rejection of its contributions, the wider community appears to miss the point of the research paper: open-source software is vulnerable.
Firstly, it was unethical for the researchers to submit code that introduces bugs, as many software systems ranging from IoT to data centres rely on the Linux kernel. While the researchers may have believed the bugs to be minor, that does not mean they were. As such, the researchers put systems at potential risk that could have caused major financial damage through the hijacking of accounts, the release of private data, or the takeover of devices.
However, for all of their wrongdoing, the researchers have perfectly demonstrated the biggest problem that open-source software faces: community submissions. Open-source software is great for developers and the industry when creating systems that work together with no need for licences or royalties. The open-source concept has led to the development of the many distributions of Linux that power IoT devices and servers, the development of the Arduino project, and now the RISC-V processor.
But when the source code of a project is totally open, it is also open to those with malicious intent, who can study the code to look for vulnerabilities. The risk is worsened further when an open-source project accepts public code submissions. The research team demonstrated how accepting such code could be used by malicious parties to create entry points.
Therefore, the research paper demonstrates that simply trusting project maintainers and code submitters is not enough. Furthermore, the ability to slip malicious code past the open-source community unnoticed should be a warning to engineers who want to rely on open source simply because it’s free and has large libraries.
Of course, some would claim that open-source projects provide better security, citing a comparison of Windows and Linux as an example. However, Windows sees far more attacks and vulnerabilities because of its popularity, while Linux barely makes up 5% of desktop operating systems. Attackers target the largest platform to maximise their gains for the time spent.
No matter how much you may hate the University of Minnesota for messing around with the Linux Foundation, understand that they have demonstrated that no system is perfect. Open-source projects can be attacked, and most likely already have been.