Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 23 Apr 2021 01:46:15 +0800
From: r00t4dm <r00t4dm@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Malicious commits to Linux kernel as part of
 university study

Hello,

This case demonstrates that the possibility of a supply chain attack is
very high.
If the supply chain attack is sophisticated enough, this case may succeed.
e.g:

One day I committed some code, This code is a normal function.
After Five days, I committed some code, This code also is a normal function.

...

After three month, I committed it dozens of times,  But These committed
code together to form a vulnerability.
I don't know how to better guard against this kind of attack method,  Just
only rely on Human code review?

r00t4dm

Cloud-Penetrating Arrow Lab of Meituan Corp Information Security Department


Ariadne Conill <ariadne@...eferenced.org> 于2021年4月23日周五 上午1:23写道：

> Hello,
>
> On Thu, 22 Apr 2021, David A. Wheeler wrote:
>
> > Peter Bex:
> >> The university of Minnesota has been banned from making any commits to
> >> the Linux kernel after it was found out they'd been submitting bogus
> >> patches to the LKML to knowingly introduce security issues:
> >> https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/
> >
> > I support research, but I personally think this work goes way beyond any
> ethical boundaries.
> > While I don’t know if it’s *illegal* (I’m not a lawyer!), it seems clear
> to me that these
> > U of MN researchers were conducting experiments on people without their
> prior consent.
> > In the US, experiments on people without their consent is generally
> forbidden.
> > These researchers did their experiment *before* even consulting their
> Institutional Review Board (IRB),
> > a *huge* no-no, and then their IRB approved the non-consensual
> experiment anyway (!!!).
> >
> > GregKH’s response to this attack from the U of MN here:
> > https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/
> > which reads in part:
> >> Our community welcomes developers who wish to help and enhance Linux.
> >> That is NOT what you are attempting to do here...
> >> Our community does not appreciate being experimented on...
> >
> > More discussion: https://news.ycombinator.com/item?id=26887670
> >
> > Peter Bex:
> >> I don't know the scope of this research, but it could involve other OSS
> >> projects, now or in the future, as well.  Hence this e-mail.  If you
> feel
> >> it's spam or needless drama, feel free to ignore.
> >
> > Since the researchers failed to get prior consent from the people
> > being experimented on, I don’t think we can presume ethical behavior.
> > I have no faith that these researchers limited their attacks.
> > I hope they did, but I think we can take more proactive measures.
> >
> > I used the following shell command to search for potentially-concerning
> commits in git:
> >
> > git shortlog --summary --numbered --email | grep -E '(wu000273|kjlu|@
> umn.edu)'
> >
> > I recommend other OSS projects do something similar, just in case, unless
> > we can have better verification that no other OSS projects were attacked.
> > I welcome improved methods to find concerning proposals or patches;
> > this is just a quick attempt to detect potential damage.
>
> The paper says that they used throwaway Gmail accounts to submit the
> patches.  Frustratingly, they have not identified which patches they
> succeeded in landing in that paper.
>
> However, the paper also claims that they generated these "hypocrite"
> commits using an LLVM-based static analysis tool.
>
> Which means the work introduced by Aditya is likely directly related to
> this experiment, since it has the same "feel" to it.
>
> By mining the LKML archive, it may be possible to find the original set of
> patch submissions by searching for similar keywords as the messages from
> Aditya.  If somebody can do that, then we would be able to determine at
> least some of the emails likely to have originated the patches.
>
> Ariadne

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.