A team from the University of Minnesota explained the motives for experimenting with dubious commits to the Linux kernel

A group of researchers from the University of Minnesota, whose changes were recently blocked by Greg Kroah-Hartman, has published an open letter apologizing and explaining their motives. Recall that the group was studying weaknesses in the review of incoming patches and assessing whether changes with hidden vulnerabilities could get into the kernel. After one of the group members submitted a dubious patch with a meaningless fix, it was assumed that the researchers were again trying to experiment on the kernel developers. Since such experiments potentially pose a security risk and take up committers' time, it was decided to block the acceptance of changes and send all previously accepted patches for re-review.

In their open letter, the group members stated that their activities were motivated solely by good intentions and a desire to improve the process of reviewing changes by identifying and eliminating weaknesses. The group has been studying the processes that lead to vulnerabilities for many years and is actively working to identify and fix vulnerabilities in the Linux kernel. It is claimed that all of the 190 patches submitted for re-review are legitimate, fix existing problems and do not contain deliberate errors or hidden vulnerabilities.

The study on promoting hidden vulnerabilities that raised concerns was conducted last August and was limited to sending three patches with bugs, none of which made it into the kernel codebase. The activity associated with these patches was limited to discussion, and the patches were stopped before the changes were added to Git. The code for the three problematic patches has not yet been shown, as this would reveal the identities of those who conducted the initial review (the information will be disclosed after obtaining consent from the developers who did not recognize the errors).

The main source material for the research was not the group's own patches, but an analysis of other people's patches previously added to the kernel that later turned out to have introduced vulnerabilities. The University of Minnesota team has nothing to do with adding these patches. A total of 138 problematic bug-introducing patches were studied, and by the time the research results were published, all related bugs had been fixed, including with the participation of the research team.

The researchers regret that they used an inappropriate method of conducting the experiment. It was a mistake that the study was carried out without obtaining permission and without notifying the community. The motive for the hidden activity was the desire to keep the experiment clean, since a notification could have drawn special attention to the patches and caused them to be evaluated differently from ordinary submissions. While the goal was to improve kernel security, the researchers now realize that using the community as a guinea pig was incorrect and unethical. At the same time, the researchers assure that they would never intentionally harm the community and would not allow new vulnerabilities to be introduced into the working kernel code.

As for the pointless patch that catalyzed the ban, it has nothing to do with the previous research and is related to a new project aimed at creating a toolkit for automated detection of bugs resulting from the addition of other patches.

The members of the group are now trying to find ways to get back into development, and intend to mend their relationship with the Linux Foundation and the developer community by proving their worth in improving kernel security, expressing a desire to work hard for the common good and regain trust.

Source: opennet.ru
