University of Minnesota researchers attempt to push patch with purposeful vulnerabilities. Get's caught and banned from future patch commits

https://lore.kernel.org/linux-nfs/YH+zwQgBBGUJdiVK@unreal/

Researchers from the US University of Minnesota were doing a research paper about the ability to submit patches to open source projects that contain hidden security vulnerabilities in order to scientifically measure the probability of such patches being accepted and merged. Which could make the open source projects vulnerable to various attacks.

They used the Linux kernel as one of their main experiments, due to its well-known reputation and adaptation around the world.

AKA. Task failed successfully.

6 Likes

Heh I’m glad this failed on the kernel!

However, open source is much more than the Linux kernel and I do see some potential for malicious contributions in many places including distribution package maintainers. (I guess this is similar in all distributions and the weaknesses are well known and accepted, not sure we should discuss them in public in detail though.)

We shouldn’t let our guards down just because the kernel is heavily guarded. The enemy will know, thanks to this research, that the biggest door (in impact) is probably not their best bet for entry and they’ll look for other ways to get in.