Researchers from the University of Minnesota apologized to the maintainers of Linux Kernel Project on Saturday for intentionally including vulnerabilities in the project’s code, which led to the school being banned from contributing to the open-source project in the future.
“While our goal was to improve the security of Linux, we now understand that it was hurtful to the community to make it a subject of our research, and to waste its effort reviewing these patches without its knowledge or permission,” assistant professor Kangjie Lu, along with graduate students Qiushi Wu and Aditya Pakki, said in an email.
“We did that because we knew we could not ask the maintainers of Linux for permission, or they would be on the lookout for the hypocrite patches,” they added.
The apology comes over a study into what’s called “hypocrite commits,” which was published earlier this February. The project aimed to deliberately add use-after-free vulnerabilities to the Linux kernel in the name of security research, apparently in an attempt to highlight how potentially malicious code could sneak past the approval process, and as a consequence, suggest ways to improve the security of the patching process.
A clarification document previously shared by the academics on December 15, 2020 stated the university’s Institutional Review Board (IRB) had reviewed the study and determined that it was not human research, only to backtrack, adding “throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns.”
While the researchers claimed “we did not introduce or intend to introduce any bug or vulnerability in OSS,” the fact that evidence to the contrary emerged — implying the research was conducted without adequate oversight — and risked the kernel’s security led to a unilateral ban of code submissions from anyone using a “umn.edu” email address, in addition to invalidating all past code submitted by the university researchers.
“Our community does not appreciate being experimented on, and being ‘tested’ by submitting known patches that are (sic) either do nothing on purpose or introduce bugs on purpose,” Linux kernel maintainer Greg Kroah-Hartman said in one of the exchanges last week.
Following the incident, the university’s Department of Computer Science and Engineering said it was investigating the incident, adding it was looking into the “research method and the process by which this research method was approved, determine appropriate remedial action, and safeguard against future issues.”
“This is worse than just being experimented upon; this is like saying you’re a ‘safety researcher’ by going to a grocery store and cutting the brake lines on all the cars to see how many people crash when they leave. Enormously unethical,” tweeted Jered Floyd.
In the meantime, all patches submitted to the codebase by the university researchers and faculty are expected to be reverted and re-reviewed to verify if they are valid fixes.