Linux kernel maintainers have banned the University of Minnesota (UMN) from contributing to the Linux project after researchers there intentionally submitted faulty patches for research purposes.
In February, two researchers at the University of Minnesota published a paper titled “On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits,” which studied whether known classes of security vulnerabilities could be deliberately introduced into the Linux kernel by submitting patches that looked like legitimate fixes but were malicious or insecure. As part of the research, the authors submitted patches designed to introduce use-after-free bugs into the kernel.
However, even after this paper was published, the researchers submitted a new round of patches that were presented as the output of “a new static analyzer.” Greg Kroah-Hartman, who maintains the stable branch of the Linux kernel, called them “obviously-incorrect patches” that were “obviously not even fixing anything at all,” and was irked to such an extent that he decided to ban all future contributions from UMN.
In response to the public criticism, Aditya Pakki, a Ph.D. student in Computer Science and Engineering at UMN, pushed back and blamed the maintainers’ attitude instead.
“These patches were sent as part of a new static analyzer that I wrote and its sensitivity is obviously not great. I sent patches in the hopes to get feedback. We are not experts in the linux kernel and repeatedly making these statements is disgusting to hear.
Obviously, it is a wrong step but your preconceived biases are so strong that you make allegations without merit nor give us any benefit of doubt. I will not be sending any more patches due to the attitude that is not only unwelcome but also intimidating to newbies and non experts,” Aditya Pakki wrote.
To which Kroah-Hartman responded:
“You, and your group, have publicly admitted to sending known-buggy patches to see how the kernel community would react to them, and published a paper based on that work.
Now you submit a new series of obviously-incorrect patches again, so what am I supposed to think of such a thing?
When submitting patches created by a tool, everyone who does so submits them with wording like "found by tool XXX, we are not sure if this is correct or not, please advise." which is NOT what you did here at all. You were not asking for help, you were claiming that these were legitimate fixes, which you KNEW to be incorrect.”
“Our community does not appreciate being experimented on, and being “tested” by submitting known patches that either do nothing on purpose, or introduce bugs on purpose. If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here.
Because of this, I will now have to ban all future contributions from your University and rip out your previous contributions, as they were obviously submitted in bad faith with the intent to cause problems,” he continued.
In a statement regarding the situation UMN officials said that “We take this situation extremely seriously. We have immediately suspended this line of research. We will investigate the research method and the process by which this research method was approved, determine appropriate remedial action, and safeguard against future issues, if needed. We will report our findings back to the community as soon as practical.”