University Banned From Contributing To Linux Kernel For Intentionally Inserting Bugs

Tolkem

Well-Known Member
Credits
5,451
This is the downside of "everyone" being able to contribute to open source; fortunately, there are always people on the watch for this kind of stuff. An excerpt:
Stemming from this research paper where researchers from the University of Minnesota intentionally worked to stealthily introduce vulnerabilities into the mainline Linux kernel. They intentionally introduced use-after-free bugs into the kernel covertly for their research paper.
EDIT: I just realized I forgot to add the link to the article. My apologies.
 


JasKinasis

Well-Known Member
Credits
6,316
Well, to the Linux kernel developer community's credit, none of the patches that they submitted actually made it into the mainline kernel. They were all caught during their review.

Many other open source projects review patches before merging them into their codebase.
But for projects with fewer developers, those checks might not be as stringent. If a project has fewer eyes on the code, then it's possible that buggy, insecure, or even malicious code could be inserted into the codebase.
So to a certain extent, we are at the mercy of the open source communities who produce the software we use and the people in charge of maintaining their codebases. But I don't think any open source software project would be dumb enough to deliver deliberately buggy software, or software with malicious functionality. And if they did, it would only be a matter of time before somebody spotted the problem, because the source code for the software is public!
 

KGIII

Super Moderator
Staff member
Gold Supporter
Credits
15,897
They were all caught during their review.
Indeed, thus my title at the other link.

What baffles me is how this research got approved. It demonstrates something is amiss with their research approval board. It clearly violates academic ethics. What I really want to know is how it got approved. The institution should not just be held accountable; they should also be reviewing their process.

Why? This is academia. The institution benefits from the published paper, as do the people involved directly with the research.

(I spent a whole lot of time in an academic environment.)
 

Condobloke

Well-Known Member
Credits
9,941
KGIII

Super Moderator
Staff member
Gold Supporter
Credits
15,897
They tried to submit holes into the live kernel project. That IS the problem. They tried to submit bugs/code with holes, knowingly and intentionally. Potentially impacting millions and millions of users. Malicious or not, there were legit security implications and legitimately intentional bugs.

Not to mention the very basics of ethics in research. We've insisted on this since, you know, WWII and we have the Nuremberg Codes that have things like requiring consent to be experimented on.

Beyond this, at least one of the researchers out-and-out lied when caught. When people pointed out the paper and the author's contributions, they lied and tried to stop people with threats by calling their comments slander. Not only did they lie, they lied again trying to claim it was output from a debugger - all this when we can actually read the paper they published. Well, it's gonna be retracted now. No reputable journal is gonna touch that paper.

The perpetrators all profited (gained, not necessarily monetarily) from this research.

This is not okay behavior. This violates trust and academic ethics. This is not acceptable. Just because they had 'good intentions' doesn't mean it's okay to submit malicious code.

There will be jobs lost. There will be academic careers ended. Of course they're suspending this line of research. They got caught!
 

Tolkem

Well-Known Member
Credits
5,451
Their actual intent is not malicious.....quite the opposite in fact.
It might be so; still, as the article I linked in my first post explains:
These new, questionable patches don't appear to have any real value -- for good or bad -- and at the very least are just wasting time by upstream developers.
The most problematic thing I see, unless I read that wrong, is that they played with people's time without their consent, and time is gold as they say.
 

KGIII

Super Moderator
Staff member
Gold Supporter
Credits
15,897
See the first post in this thread:


The only reason it's not 'terrible' is that they got caught.
 

Hillbilly H

Member
Credits
468
Unfortunately this is how most "Higher Education" works in the USA.
I doubt anything will happen other than perhaps a reassignment to a new position with a promotion.
 

Condobloke

Well-Known Member
Credits
9,941
:cool:
 

Hillbilly H

Member
Credits
468
LOL Honest baby, I'll never cheat on you again! Besides, I was doing it for you and it was not my fault!
 

SeanK

Member
Credits
172
I would think a bigger concern is the potential for entities like private sector or govt groups to do this with the intention of undermining Linux and/or spying on users.
 