A group of researchers from the University of Minnesota, whose patches were recently blocked from acceptance by Greg Kroah-Hartman, has posted an open letter apologizing and explaining the reasons for their activities.
The block was imposed because the group had been studying weaknesses in the review of incoming patches and evaluating whether changes containing hidden vulnerabilities could be slipped into the kernel. After a questionable patch with a nonsensical fix arrived from one of the group's members, it was assumed that the researchers were once again experimenting on kernel developers.
Since such experiments pose a potential security risk and consume maintainers' time, it was decided to block acceptance of the group's changes and to send all previously accepted patches back for review.
In their open letter, the group members stated that their activities were motivated solely by good intentions and a desire to improve the patch review process by identifying and eliminating its weaknesses.
The group has studied the processes that lead to vulnerabilities for many years and actively works to find and fix vulnerabilities in the Linux kernel. The 190 patches that were sent back for re-review are said to be legitimate, to fix real issues, and to contain no deliberate bugs or hidden vulnerabilities.
The controversial research into introducing hidden vulnerabilities took place in August of last year and was limited to submitting three buggy patches, none of which made it into the kernel codebase.
Activity around these patches was limited to discussion, and their submission was halted at a stage before the changes would have been added to Git.
The code of the three problematic patches has not yet been disclosed, because doing so would identify the people who performed the initial review (the information will be released once the consent of the developers who failed to spot the bugs has been obtained).
The main material for the research was not the group's own patches but an analysis of other people's patches that had been added to the kernel and were later found to contain vulnerabilities. The University of Minnesota team had nothing to do with the addition of those patches.
A total of 138 problem patches that introduced bugs were studied, and by the time the results were published all of the related bugs had been fixed, in part with the involvement of the research team.
The researchers regret having used an inappropriate method to carry out the experiment. The mistake was that the study was conducted without permission and without notifying the community. The reason for concealing the activity was a desire to keep the experiment uncontaminated, since a notification could have drawn special attention to the patches and their evaluation rather than letting them go through the normal process.
While the goal was to improve kernel security, the researchers now recognize that using the community as a guinea pig was wrong and unethical. At the same time, they assure that they would never intentionally harm the community and would not allow new vulnerabilities to be introduced into the working kernel code.
As for the nonsensical patch that triggered the ban, it is unrelated to the earlier research; it came from a new project aimed at creating tools for automatically detecting bugs introduced by other patches.
The group is now looking for ways to get back into development and intends to mend its relationship with the Linux Foundation and the developer community, proving its value in improving kernel security, and expresses a desire to work harder for the common good and regain trust.
Greg Kroah-Hartman replied that the Linux Foundation's Technical Advisory Board sent a letter to the University of Minnesota on Friday describing the specific actions required to restore trust in the group. Until these actions are completed, there is nothing to discuss.