News, tips, advice, support for Windows, Office, PCs & more
Home icon Home icon Home icon Email icon RSS icon

We're community supported and proud of it!

  • Linux banned University of Minnesota for sending buggy patches

    Home Forums AskWoody support Non-Windows operating systems Linux – all distros Linux banned University of Minnesota for sending buggy patches

    Viewing 7 reply threads
    • Author
      Posts
      • #2360363
        Alex5723
        AskWoody Plus

        The University of Minnesota submitted buggy patch to Linux kernel as part of research paper

        Linux has banned UMN from submitting Linux updates.

        Greg KH on Tweeter

        All contributions by this group of people need to be reverted, if they
        > > have not been done so already, as what they are doing is intentional
        > > malicious behavior and is not acceptable and totally unethical. I’ll
        > > look at it after lunch unless someone else wants to do it…
        >
        > A lot of these have already reached the stable trees. I can send you
        > revert patches for stable by the end of today (if your scripts have
        > not already done it).

        You, and your group, have publicly admitted to sending known-buggy
        patches to see how the kernel community would react to them, and
        published a paper based on that work.

        Now you submit a new series of obviously-incorrect patches again, so
        what am I supposed to think of such a thing?…

        UMN have send an apology letter :

        April 24, 2021
        An open letter to the Linux community

        Dear Community Members:

        We sincerely apologize for any harm our research group did to the
        Linux kernel community. Our goal was to identify issues with the
        patching process and ways to address them, and we are very sorry that
        the method used in the “hypocrite commits” paper was inappropriate. As
        many observers have pointed out to us, we made a mistake by not
        finding a way to consult with the community and obtain permission
        before running this study; we did that because we knew we could not
        ask the maintainers of Linux for permission, or they would be on the
        lookout for the hypocrite patches. While our goal was to improve the
        security of Linux, we now understand that it was hurtful to the
        community to make it a subject of our research, and to waste its
        effort reviewing these patches without its knowledge or permission.

        We just want you to know that we would never intentionally hurt the
        Linux kernel community and never introduce security vulnerabilities.
        Our work was conducted with the best of intentions and is all about
        finding and fixing security vulnerabilities….

        • This topic was modified 1 month, 4 weeks ago by Alex5723.
        • This topic was modified 1 month, 4 weeks ago by Alex5723.
        5 users thanked author for this post.
      • #2360427
        OscarCP
        AskWoody Plus

        If what happened is exactly as described in that tweet, then it is unbelievably irresponsible. I wonder if they did that a UMN for the usual bad academic reason: to have one more paper published to list in their CVs.

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

      • #2360546
        Bill C.
        AskWoody Plus

        That is a typical non-apology apology by an organization that clearly believes it was right in what it did. I am glad they are banned.

        1 user thanked author for this post.
      • #2360581
        Alex5723
        AskWoody Plus

        what happened is exactly as described in that tweet

        What has happened is exactly as described in that tweet and UMN’s apology verifies that.
        There were 190 such bogus patches. All have been reverted by now.

      • #2360713
        Charlie
        AskWoody Plus

        Does anyone know the timeline these buggy patches were issued?  Recently or some time ago?

        Edit:  Have these buggy patches been dealt with and corrections made or whatever?

        • This reply was modified 1 month, 3 weeks ago by Charlie.
      • #2360882
        doriel
        AskWoody Lounger

        Very invasive method for research paper, but the outcome seems clear to me – you cannot inject malicious code into open-source software. At least not into such large open-source community as Linux kernel is. Thats the real power of the open-source 🙂 their ban from this project is adequate.

        Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

        1 user thanked author for this post.
        • #2360886
          OscarCP
          AskWoody Plus

          Here, in more detail, is what happened, and it was definitely pretty bad:

          The UMN group sent “test” patches that converted three potential kernel vulnerabilities into actual ones, infecting the actual stable releases, then warned the kernel team about it once that was done, offering good patches to fix the bad ones and also eliminate the vulnerabilities. Then they presented these results at a conference and had the paper published in their proceedings (more on this, further down the page.)

          In other words, they did not follow the usual procedure of: alerting first the developers of the software of potential or actual serious vulnerabilities they had discovered in it, and then leave that for the developer’s to take care of. A “proof of concept” could be made as well, infecting a copy of the software in question with the buggy patches, in this case a copy at UMN, not the “master” at the developers’, as this group did.

          Now the Linux kernel team has rejected the UMN group’s apology:

          https://arstechnica.com/gadgets/2021/04/linux-kernel-team-rejects-university-of-minnesota-researchers-apology/

          As to what the UMN miscreants (or fools, or both) did, in more detail, here is an excerpt from the Ars Technica article:

          The trio’s scheme involved first finding three easy-to-fix, low-priority bugs in the Linux kernel and then fixing them—but fixing them in such a way as to complete what the UMN researchers called an “immature vulnerability”:

          We employ a static-analysis tool to identify three “immature vulnerabilities” in Linux, and correspondingly detect three real minor bugs that are supposed to be fixed. The “immature vulnerabilities” are not real vulnerabilities because one condition (such as a use of a freed object) is still missing […] We construct three incorrect or incomplete minor patches to fix the three bugs. These minor patches however introduce the missing conditions of the “immature vulnerabilities.”

          The three researchers would then email their Trojan-horse patches to Linux kernel maintainers to see if the maintainers detected the more serious problem the researchers had introduced in the course of fixing a minor bug. Once the maintainers responded to the submitted patch, the UMN researchers pointed out the bug introduced by their patch and offered a “proper” patch—one that did not introduce a newly exploitable condition—in its place.

          Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

          3 users thanked author for this post.
      • #2361160
        anonymous
        Guest

        Although these two authors didn’t introduce anything, their hypocrite commits never left the emails submitted for review, see Section VI, Intro and VI A. Ethical Considerations, they should be removed from UMN for attempting to disguise a prank as legitimate research.

        They mentioned concern with taking advantage of the volunteer nature of the consumer Linux community and other “We don’t want to hurt anyone” stuff, then did it anyway.  Not sure who approved this project, if anyone, but all it generated was some one-off and largely useless graph of the success of different subterfuges in a community that already was known to be vulnerable.

        “Hey Linux developers, we pranked you.”

        “You spent how much of your time and wasted how much of our time “proving” something we don’t have resources to prevent?”  “Here’s your honorary Masters of the Obvious diploma.”

        “BTW, last straw, your university got hit with the ban hammer.  It seriously needs something to do, maybe a nine figure grant will change our minds.”

        Not sure if this or all those stupid literature searches used to develop correlations of groups of previous correlations to make nutty nonreproducible conclusions are worse.

      • #2363143
        Alex5723
        AskWoody Plus

        Linux Advisory Board’s ruling : Report on University of Minnesota Breach-of-Trust Incident

        Report on University of Minnesota Breach-of-Trust Incident

        or

        “An emergency re-review of kernel commits authored by members of the
        University of Minnesota, due to the Hypocrite Commits research paper.”

        May 5, 2021

        Prepared by the Linux Foundation’s Technical Advisory Board…

        It is a very detailed long report. I don’t think that this won’t happen again.

        To avoid this friction, to prevent incidents like the one described here
        from happening again, and to encourage better interaction between the two
        communities in general, the TAB will be working with researchers (to be
        named soon) to develop a document describing a set of best practices
        for researchers to follow when working with the kernel community. This
        will be a living document, maintained in the kernel documentation tree
        and evolved over time as needed. Any researchers who would like to
        participate in this effort are encouraged to contact the TAB to express
        their interest.

        1 user thanked author for this post.
    Viewing 7 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, no politics or religion.

    Reply To: Linux banned University of Minnesota for sending buggy patches

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.