|
|
Subscribe / Log in / New account

"Full disclosure" from the University of Minnesota

"Full disclosure" from the University of Minnesota

Posted Apr 29, 2021 11:23 UTC (Thu) by ledow (guest, #11753)
In reply to: "Full disclosure" from the University of Minnesota by error27
Parent article: "Full disclosure" from the University of Minnesota

My entire objection would focus not on how successful they were, but on the fact that they were deliberately trying to put bugs into production code (security or not).

They could have done anything from crashing systems to trashing filesystems to corrupting data to damaging hardware, and they were TRYING to put those bugs in, it's not like it was an unfortunate accident.

I have to agree with GregKH that this can't be tolerated.

If they want to do this, co-operate with higher-level maintainers to make sure they know exactly what patches are trying to do this, so they can make sure they don't hit production kernels, and they are then just a test of how far things can get through the process while having such bugs.


to post comments

"Full disclosure" from the University of Minnesota

Posted Apr 29, 2021 12:47 UTC (Thu) by mpg (subscriber, #70797) [Link] (4 responses)

> they were deliberately trying to put bugs into production code (security or not).

I'm surprised to read that. My understanding is that they only tried to see if the bugs would be accepted, but then withdrew each bug before it was merged. That is, they never had any intention of putting bugs in production code. If you have any evidence to the contrary, could you please quote a precise source for that?

"Full disclosure" from the University of Minnesota

Posted Apr 29, 2021 14:04 UTC (Thu) by nedu (guest, #50951) [Link] (2 responses)

A precise source for "any evidence to the contrary". Emphasis on "any":

It is my understanding that on or about Nov 21, 2020, Kangjie Lu posted a tweet announcing acceptance of the paper for the upcoming IEEE S&P symposium. In that tweet, he published a screenshot of the first page of that paper.[1][2]

It is also my understanding that on or before Nov 22, 2020, Kangjie Lu deleted that tweet, with a statement that, "it created many confusions".[3]

I have seen what has been represented to me as a copy of that screenshot, in which an abstract of the paper is reproduced.[4]

In that version of the abstract, I read the sentence, "As a proof of concept, we successfully introduce multiple exploitable use-after-free in the latest linux kernel (in a safe way)."[2]

Do also note, that besides the withdrawal of the tweet, that original sentence in the abstract was revised in a currently available version of the now-withdrawn paper.[5][6]

[1] https://pbs.twimg.com/media/End-XVOUUAA7gZ-?format=png&...
[2] https://pbs.twimg.com/media/End-YlwVoAADi1r?format=png&...
[2(a)] https://web.archive.org/web/20210429134044/https://pbs.tw...
[3] https://archive.is/SBpHn
[4] https://archive.is/iUdX0
[5] https://web.archive.org/web/20210427031705/https://raw.gi...
[6] https://web.archive.org/web/20210427062206/https://www-us...

In discussion: again, you asked for "any evidence to the contrary".

And, I would concede that the original statement in the accepted abstract may have been puffery. It may have been confusion. It may have required further explanation.

But I also have to think "the latest linux kernel" may easily and naturally be read as referring to software running on other people's computers. And I can read that sentence as a cold, factual claim of an accomplished deed.

"Full disclosure" from the University of Minnesota

Posted Apr 29, 2021 22:28 UTC (Thu) by mpg (subscriber, #70797) [Link] (1 responses)

Thank you for providing precise references. Looking at it in chronological context, I think it helps me understand some the reactions better. The first things I read about the topic were the paper and the LWN article, and from the paper I quickly learned that they tried to make sure the commits didn't get into the kernel. (Also, a few days later they disclosed the full details, so I didn't have to go for months wondering about what really happened.) So I probably got a very different experience than people reading scary/unclear/contraditory* fragments on twitter and then having to wait a long time for the details. Thank you for helping me see that perspective.

*I'll note that if we scroll down a bit on [3] they already tried to clarify that the malicious commits never got into the kernel, and in [4] the commenter already notes the contradiction.

Still, considering the full set of data we have today, I don't think it's justified to state that "they were deliberately trying to put bugs into production code", as the recent comment I was replying to did.

They did several things they shouldn't have done, such as experimenting on human subjects without their consent, making a paper with IMO weak methodology and relatively poor execution (I think we can hardly draw useful conclusions from their experiment) and communicating poorly about it (which again, would have been less of a problem if they had sought informed consent beforehand), but I don't think "deliberately trying to put bugs into production code" was one of them.

"Full disclosure" from the University of Minnesota

Posted Apr 30, 2021 21:56 UTC (Fri) by rgmoore (✭ supporter ✭, #75) [Link]

I quickly learned that they tried to make sure the commits didn't get into the kernel.

Not exactly. They say they never intended for their bugs to make it into a released kernel, but they said that only after the whole thing blew up and they were in damage control mode. We don't know what their true intent was. Maybe they intended to stop the bugs from ever being released. Maybe they thought it would be good to get one into a released version and then stealthily patch it in the next version, and that would be safe because it would be fixed by the time they told the world what they had done. We simply can't know what they would have done in the hypothetical world in which one of their patches had made it into the mainline kernel. We have only their word for it, and honestly their word isn't very good with a lot of people right now.

"Full disclosure" from the University of Minnesota

Posted Apr 29, 2021 17:35 UTC (Thu) by HenrikH (subscriber, #31152) [Link]

Well that is impossible to know since all their tries where caught and rejected so we will never know how they would have reacted if one of their patches would have been accepted. Withdrawing the patch would mean that they would have exposed their intentions with the first bug and where they really prepared to do that?


Copyright © 2024, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds