22 April 2021

University of Minnesota banned from Linux development for submitting buggy patches


Linux kernel project maintainers have banned the University of Minnesota (UMN) from contributing to the Linux project after two students intentionally submitted faulty code for research purposes.

In February, two graduate students at the University of Minnesota published a paper titled “On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits,” which focused on deliberately introducing known security vulnerabilities into the Linux kernel by submitting malicious or insecure code patches. As part of the research, the authors of the paper intentionally introduced use-after-free bugs into the Linux kernel.

However, even after this paper was published, the researchers submitted a new round of “obviously-incorrect patches” that were claimed to come from “a new static analyzer” but were “obviously not even fixing anything at all.” This irked Greg Kroah-Hartman, the Linux kernel maintainer for the stable branch, to such an extent that he decided to ban all future contributions from UMN.

In response to the public criticism, Aditya Pakki, a Ph.D. student of Computer Science and Engineering at UMN, blamed the kernel maintainers’ attitude.

“These patches were sent as part of a new static analyzer that I wrote and its sensitivity is obviously not great. I sent patches in the hopes to get feedback. We are not experts in the Linux kernel and repeatedly making these statements is disgusting to hear.

Obviously, it is a wrong step but your preconceived biases are so strong that you make allegations without merit nor give us any benefit of doubt. I will not be sending any more patches due to the attitude that is not only unwelcome but also intimidating to newbies and non-experts,” Aditya Pakki wrote.

To which Kroah-Hartman responded:

“You, and your group, have publicly admitted to sending known-buggy patches to see how the kernel community would react to them, and published a paper based on that work.

Now you submit a new series of obviously-incorrect patches again, so what am I supposed to think of such a thing?

When submitting patches created by a tool, everyone who does so submits them with wording like “found by tool XXX, we are not sure if this is correct or not, please advise,” which is NOT what you did here at all. You were not asking for help, you were claiming that these were legitimate fixes, which you KNEW to be incorrect.”

“Our community does not appreciate being experimented on, and being “tested” by submitting known patches that either do nothing on purpose, or introduce bugs on purpose. If you wish to do work like this, I suggest you find a different community to run your experiments on; you are not welcome here.

Because of this, I will now have to ban all future contributions from your University and rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems,” he continued.

In a statement regarding the situation, UMN officials said: “We take this situation extremely seriously. We have immediately suspended this line of research. We will investigate the research method and the process by which this research method was approved, determine appropriate remedial action, and safeguard against future issues, if needed. We will report our findings back to the community as soon as practical.”
