University of Minnesota banned from Linux kernel contributions in fallout over buggy commits experiment

UPDATED Computer scientists who submitted supposed security patches that actually added security vulnerabilities to the Linux kernel have been placed under investigation by their university.

Qiushi Wu and Kangjie Lu ran the experiment with so-called ‘hypocrite commits’ to establish that they could act as a vector for stealthily introducing vulnerabilities into open source software.

More specifically, the University of Minnesota duo submitted patches that introduced use-after-free vulnerabilities, and maintainers approved them in review as seemingly beneficial changes to the Linux kernel.

The researchers argued the exercise offered evidence that the Linux patch-review process is flawed.
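The mechanism behind such a commit is easier to see in code than in prose. The block below is an added, constructed illustration written for this article; it is not code from the paper, from the researchers, or from the kernel, and the `registry`, `obj_*` and `setup_*` names are hypothetical. It shows a one-line "fix the leak on the error path" patch that turns into a use-after-free because a second reference to the object survives the free, beside the fix a reviewer should have asked for. To keep the demo deterministic, `obj_free()` only marks the object as freed instead of releasing it, so the dangling access is detected rather than being undefined behaviour.

```c
#include <stdlib.h>

/* Constructed illustration, not code from the paper or the kernel. */

struct obj {
    int freed;   /* set by obj_free(); stands in for a real free() */
    int value;
};

static struct obj *obj_alloc(int value)
{
    struct obj *o = calloc(1, sizeof *o);
    if (o)
        o->value = value;
    return o;
}

static void obj_free(struct obj *o)
{
    o->freed = 1;    /* real code: kfree(o); here we only mark it */
}

/* Hypothetical subsystem that keeps its own pointer to the object after
 * registration, as a driver's buffer registered with a core layer might. */
static struct obj *registry;

static int  register_obj(struct obj *o)   { registry = o; return 0; }
static void unregister_obj(struct obj *o) { if (registry == o) registry = NULL; }

/* Second setup step that can fail; the flag selects the outcome. */
static int later_step(int fail) { return fail ? -1 : 0; }

/* BEFORE: if later_step() fails, the caller loses its handle to `o`
 * without freeing it. To a reviewer this reads as a plain leak on the
 * error path, although the registry still references the object. */
static int setup_before(int fail)
{
    struct obj *o = obj_alloc(42);
    int err;

    if (!o)
        return -2;
    err = register_obj(o);
    if (err) {
        obj_free(o);
        return err;
    }
    err = later_step(fail);
    if (err)
        return err;          /* "leak": no free, but registry still points here */
    return 0;
}

/* "HYPOCRITE" PATCH: adds obj_free(o) on the error path to fix the leak.
 * The registry's reference is never dropped, so whoever next walks the
 * registry dereferences freed memory. */
static int setup_patched(int fail)
{
    struct obj *o = obj_alloc(42);
    int err;

    if (!o)
        return -2;
    err = register_obj(o);
    if (err) {
        obj_free(o);
        return err;
    }
    err = later_step(fail);
    if (err) {
        obj_free(o);         /* looks like a textbook leak fix */
        return err;
    }
    return 0;
}

/* CORRECT FIX: drop every remaining reference before freeing. */
static int setup_fixed(int fail)
{
    struct obj *o = obj_alloc(42);
    int err;

    if (!o)
        return -2;
    err = register_obj(o);
    if (err) {
        obj_free(o);
        return err;
    }
    err = later_step(fail);
    if (err) {
        unregister_obj(o);   /* the line the hypocrite patch omits */
        obj_free(o);
        return err;
    }
    return 0;
}

/* Consumer that runs later. Returns the object's value, -3 if nothing is
 * registered, or -4 if it touched a freed object (the use-after-free). */
static int consume(void)
{
    if (!registry)
        return -3;
    if (registry->freed)
        return -4;
    return registry->value;
}

/* Run one setup variant, then the consumer; returns consume()'s result. */
static int run(int (*setup)(int), int fail)
{
    registry = NULL;
    (void)setup(fail);
    return consume();
}
```

The review check this models is ownership tracing: before accepting an added free on an error path, confirm that no other structure (a list, a registry, a callback argument) still holds the pointer, or that the patch drops that reference first. The diff of `setup_patched` against `setup_before` looks correct in isolation; only the surrounding ownership makes it a bug.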

Kernel developers ain’t no lab rats

The research attracted criticism back in December while the work was still ongoing, although the drama only escalated over recent days with the publication of the research (PDF).

According to the researchers, all of the “bug-introducing patches stayed only in the email exchanges, without being adopted or merged into any Linux branch”, so no harm to users resulted from the exercise.

The researchers also said the exercise had allowed them to develop tools for patch testing and verification, as well as a revised code of conduct (PDF).

Open source developers, however, have cried foul over the exercise, which they complain was both a nuisance and a waste of time.

“Linux kernel developers do not like being experimented on, we have enough real work to do,” Linux kernel maintainer Greg Kroah-Hartman of the Linux Foundation responded on Twitter.

‘Bad faith’

Kroah-Hartman followed up in a post on a mailing list on Wednesday, denouncing the research as an attempt to test the kernel community's ability to review “known malicious” changes and adding that the exercise was carried out in “bad faith”.

Future contributions from the University of Minnesota to the Linux kernel have been banned as a result of the incident, a sanction criticized as an overreaction on social media by some observers.

The university itself has launched an investigation into the incident, as confirmed in an official statement:

We take this situation extremely seriously. We have immediately suspended this line of research.

We will investigate the research method & the process by which this research method was approved, determine appropriate remedial action, & safeguard against future issues, if needed.

We will report our findings back to the community as soon as practical.

The Daily Swig invited both researchers to comment on the unfolding controversy. No word back as yet, but we’ll update this story as and when more information comes to hand.

Kroah-Hartman of the Linux Foundation told The Daily Swig that since he hadn’t as yet heard from the university, he had nothing at present to add beyond his comments on the mailing list.

A paper on the research, ‘Open Source Insecurity: Stealthily Introducing Vulnerabilities via Hypocrite Commits’, was published at the 42nd IEEE Symposium on Security and Privacy.

‘Deception’

In a Twitter thread, Sarah Jamie Lewis noted that she and other researchers had expressed concerns about the controversial study right from its inception.

These concerns were based on a draft abstract and first page of the paper dating from December. Criticism of the research has only grown sharper with the publication of the completed paper.

"Despite what their paper says they didn't get an IRB-exemption until *after* they posted about their IEEESP paper acceptance and a group of researchers (inc myself) expressed concern," Lewis writes.

There was no system in place for prior informed consent or debriefing of findings from the research, according to Lewis, who added that the study amounted to nothing beyond a "deception study on human subjects".


This story was updated to add comment from Sarah Jamie Lewis