University Banned From Contributing To Linux Kernel For Intentionally Inserting Bugs

Tolkem

Well-Known Member
Joined
Jan 6, 2019
Messages
1,589
Reaction score
1,304
Credits
11,681
This is the downside of "everyone" can contribute to open source, fortunately, there are people always on the watch for this kind of stuff. An excerpt:
Stemming from this research paper where researchers from the University of Minnesota intentionally worked to stealthy introduce vulnerabilities into the mainline Linux kernel. They intentionally introduced use-after-free bugs into the kernel covertly for their research paper.
EDIT: I just realized I forgot to add the link to the article. My apologies.
 
Last edited:


I dumped some relevant links here.
 
Well, to the Linux kernel developer community's credit, none of the patches that they submitted actually made it into the mainline kernel. They were all caught during their review.

Many other open source projects review patches before merging them into their code-base.
But for projects with fewer developers, those checks might not be as stringent. If a project has less eyes on the code, then it's possible that buggy/insecure, or even malicious code could be inserted into the codebase.
So to a certain extent, we are at the mercy of the open source communities who produce the software we use and the people in charge of maintaining their code-bases. But I don't think any open source software projects would be dumb enough to deliver deliberately buggy software, or software with malicious functionality. And if they did, it would only be a matter of time before somebody spotted the problem. Because the source code for the software is public!
 
They were all caught during their review.

Indeed, thus my title at the other link.

What baffles me is how this research got approved. It demonstrates something is amiss with their research approval board. It clearly violates academic ethics. What I really want to know is how it got approved. The institution should not just be held accountable, they should be reviewing their process.

Why? This is academia. The institution benefits from the published paper, as do the people involved directly with the research.

(I spent a whole lot of time in an academic environment.)
 
Why? This is academia. The institution benefits from the published paper, as do the people involved directly with the research.

(I spent a whole lot of time in an academic environment.)

Don't get me started. :)
 
Don't get me started.

I've been keeping up with this, following along as more news comes out. So far, nobody has explained how this passed through the IRB.
 
I have a feeling that there will be some scapegoats, and denied degrees due to ethics violations. I expect to see some people resigning and some people being let go if they refuse to resign.
 
Did anybody actually read all of this link?

https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf

In the middle of all that, resides the few paragraphs below.

Screenshot from 2021-04-23 05-49-09.png



That statement appears to be quite clear to me.

Their actual intent is not malicious.....quite the opposite in fact.
 
Nobody thinks their intent is malicious. That was never a question. Of course it's not malicious. That'd never have passed the muster and there'd be a lot more turmoil if it had been.
 
They tried to submit holes into the live kernel project. That IS the problem. They tried to submit bugs/code with holes, knowingly and intentionally. Potentially impacting millions and millions of users. Malicious or not, there were legit security implications and legitimately intentional bugs.

Not to mention the very basics of ethics in research. We've insisted on this since, you know, WWII and we have the Nuremberg Codes that have things like requiring consent to be experimented on.

Beyond this, at least one of the researchers out-and-out lied when caught. When people pointed out the paper and the author's contributions, they lied and tried to stop people with threats by calling their comments slander. Not only did they lie, they lied again trying to claim it was output from a debugger - all this when we can actually read the paper they published. Well, it's gonna be retracted now. No reputable journal is gonna touch that paper.

The perpetrators all profited (gained, not necessarily monetarily) from this research.

This is not okay behavior. This violates trust and academic ethics. This is not acceptable. Just because they had 'good intentions' doesn't mean it's okay to submit malicious code.

There will be jobs lost. There will be academic careers ended. Of course they're suspending this line or research. They got caught!
 
Their actual intent is not malicious.....quite the opposite in fact.
It might be so, still and how the article I linked in my first post explains
These new, questionable patches don't appear to have any real value -- for good or bad -- and at the very least are just wasting time by upstream developers.
The most problematic thing I see, unless I read that wrong, is that they played with people's time without their consent, and time is gold as they say.
 
See the first post in this thread:


The only reason it's not 'terrible' is that they got caught.
 
Unfortunately this is how most "Higher Education" works in the USA.
i doubt anything will happen other then perhaps a reassignment to a new position with a promotion.
 
:cool:
 
LOL Honest baby i'll never cheat on you again! Besides i was doing it for you and it was not my fault!
1619384493186.png
 
I expect further fallout. We shall see...

I read another article that indicated they were submitting faulty patches even after the paper was published.
 
I would think a bigger concern is the potential for entities like private sector or govt groups to do this with the intention of undermining linux and/or spying on users.
 

Members online


Top