|
|
Log in / Subscribe / Register

Looking back at the UMN episode

By Jonathan Corbet
September 27, 2021
Maintainers summit
Earlier this year, a bad patch sent by a researcher from the University of Minnesota (UMN) set off a bit of a crisis within the kernel development community when it become known that some (other) patches from UMN were deliberate attempts to insert vulnerabilities into the kernel. Some months after that episode had been resolved, the 2021 Maintainers Summit revisited the issue to see if there are any lessons to be learned from it.

Greg Kroah-Hartman started off by posting a link to a presentation he put together with David Wheeler on the UMN episode. He described the events as "the university sent some crap patches, we caught them". The community, he said, is pretty much over it now. The university apologized, and meanwhile the wider security community, which has been worried about the prospect of Trojan-horse patches for years, was thankful that all of this had come out and gotten people thinking about this kind of problem.

Recently, UMN has reached out to kernel developers, asking how it can restart its involvement with the kernel community; Kroah-Hartman has put them in touch with a kernel developer who will guide them. He is working on writing a document on how research groups should collaborate with the development community; he promised to post a draft over the weekend.

Kees Cook noted that the UMN community is large and has had a number of people moving through it. There were two issues that arose in April: low code quality from UMN in general, and one bad actor. Even that actor was not truly malicious, he said, "just dumb", but nobody in UMN caught his activities in time. Kroah-Hartman said that this episode woke up a lot of people; we were lucky that we caught it. He also offered his apology for yelling at the UMN researchers; he gets to be mad once per year, he said, and this was the time for this year.

Ted Ts'o said that the assembled group should consider more general issues of code quality and how much attention should be paid to security both before and after code is submitted. He mentioned the discovery of a wide set of security problems in the just-merged ksmbd file server, which have evidently been discussed in private for a while before the topic spilled over onto the linux-kernel list. We are continuing to put security bugs into the kernel, and that seems unlikely to change, he said.

Kroah-Hartman then claimed to have written more security bugs than anybody else; in general, core developers are responsible for the most security problems in the kernel. We are all "known good actors who are accidentally malicious", he said. Cook agreed that bug creation was almost entirely "volume based"; the more code a developer writes, the more bugs they create.

Ts'o tried to return the conversation to malicious actors, noting that the UMN developers "weren't smart" about how they tried to add bugs to the kernel. But what if there are malicious actors who are smarter? The only solution, he said, was better tools to try to detect security issues. Kroah-Hartman closed the session by saying that the community has to get better at catching all of the bugs it creates, regardless of whether they are intentional or not.

Index entries for this article
ConferenceKernel Maintainers Summit/2021

to post comments

Looking back at the UMN episode

Posted Sep 28, 2021 6:02 UTC (Tue) by error27 (subscriber, #8346) [Link] (2 responses)

I'm still annoyed at the UMN devs because they blamed me for not catching their "bug" even after I emailed them.

Them: Ha ha. You caught some bugs in our patch but you didn't catch our use after free!
Me: It's not a use after free. The caller is holding a reference.
Them: Well, we still think it was a use after free.

Ah well...

Looking back at the UMN episode

Posted Sep 30, 2021 1:33 UTC (Thu) by NYKevin (subscriber, #129325) [Link]

Academics are used to the idea that they can just get a few smart people in a room, have them look at a technical issue, and the consensus of that group will be The Right Answer, regardless of what anyone else thinks. This is how they write and grade exams, after all.

Looking back at the UMN episode

Posted Oct 2, 2021 8:01 UTC (Sat) by tedd (subscriber, #74183) [Link]

With your and the kernel's experiences, why the hell would you still give UMN any attention at all? I know I won't have any time for the bullshit they pull.

Looking back at the UMN episode

Posted Sep 28, 2021 19:19 UTC (Tue) by olof (guest, #11729) [Link] (1 responses)

Is there a success story to highlight of a university system investing anything like a mini-opensource-office for helping their researchers (and students?) engage with outside opensource communities?

Seems like it's something the corporate world has figured out the benefit of, but it sometimes takes some sort of engagement failure for them to realize the need to invest there.

Looking back at the UMN episode

Posted Sep 28, 2021 20:37 UTC (Tue) by mathstuf (subscriber, #69389) [Link]

There is a program[1] at my alma mater that worked out pretty well (at least it was when I was there and for years after that, though the main profs behind it have since retired). The associated class had an assignment to engage with an existing project and contribute in some way (I chose Wesnoth and got a few patches in). Later, I went back after graduating to help out with a Linux kernel patch submission and even got one in myself (cleaning up a long-neglected network driver whitespace and `printk` usage pattern updates). I had been doing KDE and Fedora work already by that point, so I wasn't new to it, but I think it helped many at least interact with some communities out there.

I will say that this is by far focused on students rather than researchers, but professors are engaged with the program. I just don't know how relevant it is to their research.

[1]https://rcos.io/

Looking back at the UMN episode

Posted Sep 30, 2021 15:40 UTC (Thu) by deater (subscriber, #11746) [Link] (2 responses)

Current US academia, especially in the computer area, is fairly broken, and I say that as someone deeply involved in it.

Researchers are judged on grant money, with a side focus on high-profile publications, and that's about it. The stakes are high and sadly there's a lot of politics and cheating involved that's often overlooked because the majority of people involved are afraid the whole scheme will collapse if it's investigated too thoroughly.

It turns out doing actual proper Linux or open-source research that involves working closely with upstream is hard. In addition, making slow gradual improvements to existing code is considered "incremental" and will not get publications or funding.

Wheras hiring a few low-level students to grab a 10-year old RHEL kernel, fling some poorly-written benchmarks at it, then write up some over-the-top article about "Linux is terrible" seems to be a winning way to get a top publication. Things are peer-reviewed, but understand it's generally other similar minded professors doing the peer-review (or even their grad students if the big name person is "too busy") rather than knowledgeable people from industry/open-source.

The articles will often propose preposterous "solutions" to the problems they find (as per the original UMN work. Similarly, I've been at PhD defences where O(N^3) algorithms were proposed for the scheduler and none of the experts batted an eye).

They don't like fixing bugs either because their tools look less impressive if they can't claim 1000 bugs found anymore because they fixed things upstream.

There really isn't a good solution to this in the current environment. I've suggested in the past that maybe the Linux Foundation could offer grants, sort of like google-summer-of-code, but for longer (3 year?) terms with strict wording requiring proper contributions back. I've been told this is not the kind of thing the foundation is interested in encouraging.

Looking back at the UMN episode

Posted Sep 30, 2021 16:29 UTC (Thu) by marcH (subscriber, #57642) [Link]

Great summary, unfortunately not specific to the US.

In big corporations the incentives are wrong too: to get promoted you need to produce something that looks "ground-breaking" too whether it actually is or not. Hard and patient work that merely pleases the customers is too difficult to measure and it does not get you very far either HOWEVER it still pays your bills in most places (just avoid the next Theranos).

1% inspiration and 99% perspiration gets you absolutely nowhere in academia, I mean at least not in computer science, I think other fields tend to be better. If you're young and reading this then don't go there ever, that system is broken by design. If you really want to try something outlandish then find some startup instead.

Looking back at the UMN episode

Posted Oct 5, 2021 2:57 UTC (Tue) by pabs (subscriber, #43278) [Link]

> I've been told [contributing to Linux mainline] is not the kind of thing the [Linux] Foundation is interested in encouraging.

Uh, that seems very strange, did they give any reasons for that?

Looking back at the UMN episode

Posted Oct 4, 2021 1:38 UTC (Mon) by ghane (guest, #1805) [Link]

GKH: "...he gets to be mad once per year, he said, and this was the time for this year. "

So I can start sending in my patches? I should be safe till Christmas :-)


Copyright © 2021, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds