I am trusting what they put in their paper. So..... :) I do think this kind of research needs to be done, I just don't know how to do it in an ethical way, not wasting the time of the developers. I also think the kernel maintainers are the ones most likely to find such submissions. If a supply-chain attack were to be done against "linux", doing it somewhere else, on a smaller project, would be the most productive. A single maintainer/smaller team would be more likely, IMO, to be overwhelmed and just accept patches with much less review. As opposed to kernel maintainers who are probably being paid to do that.
Getting a job at Dell or HP to write device drivers would be a far better place to get the access to do something malicious to many, many servers out there.

Kent

On Sat, Apr 24, 2021 at 1:10 PM John F. Eldredge <[email protected]> wrote:

> Well, the news report I read said the bugs were submitted and accepted.
>
> On Sat, Apr 24, 2021, 11:12 AM Kent Perrier <[email protected]> wrote:
>
>> That isn't true (flaws now in use on production systems). If you read
>> their paper
>> <https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf>,
>> once the maintainer said "ok, looks good" they told the maintainer of the
>> issue with the code and not to use it. (Section VI A "Ethical
>> Considerations").
>>
>> Now that may be going through ALL of the code submissions from UMN and
>> ripping it all out and replacing it, but in *this* case security issues
>> were not introduced into the kernel.
>>
>> On Sat, Apr 24, 2021 at 9:07 AM John F. Eldredge <[email protected]> wrote:
>>
>>> Two researchers at the University of Minnesota have admitted they
>>> deliberately introduced security flaws into the Linux kernel, in order to
>>> determine how effective the review process is. As a result, all code
>>> changes originating from the university have been rolled back and are being
>>> re-reviewed, and no one using a University of Minnesota email address will
>>> be allowed to submit kernel changes. Apparently the flaws the researchers
>>> introduced are now in use on production systems worldwide.
>>>
>>> --
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "NLUG" group.
>>> To post to this group, send email to [email protected]
>>> To unsubscribe from this group, send email to
>>> [email protected]
>>> For more options, visit this group at
>>> http://groups.google.com/group/nlug-talk?hl=en
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "NLUG" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/nlug-talk/CAJfAAY%2BFfNnoW8OJnf_ypyoXPfj-RPaJo-495EqY7cXYCsaQtw%40mail.gmail.com
