University of Minnesota responds to Linux security patch requests

The UMN wants to make peace with the Linux kernel developer community after an annoying Linux code security research blunder.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

If you're just catching up on this story, here's the quick recap: University of Minnesota researchers deliberately submitted patches that would have put the Use-After-Free (UAF) vulnerability into the Linux kernel. When it appeared they were trying once more to put garbage patches into the kernel, Greg Kroah-Hartman, the Linux kernel maintainer for the stable branch, banned UMN developers from submitting to the kernel and pulled existing suspicious UMN patches. The Linux Foundation followed up with a list of requests for the UMN to comply with if they wanted to work with the Linux kernel again. Now, ZDNet has obtained a copy of UMN's response to the Linux community. 

According to Mats Heimdahl, UMN Professor and Department Head of the Department of Computer Science and Engineering, the school appreciates the Linux Foundation's requests and they look forward to reaching "a mutually satisfactory resolution" and that re-engaging with each other "is the way to go."

Specifically, Heimdahl continued: 

We currently are considering your requests, and are moving as quickly as we can to produce a substantive response that addresses them. In particular, the research group is preparing a letter to the Linux community and we are currently attempting to secure consent to release all information about the code submissions from the group. Once we have had an opportunity to look into the remaining issues, we would appreciate the opportunity to meet with you to discuss and move forward.

This is in response to Mike Dolan, the Linux Foundation's senior VP and general manager of projects, top request:

Please provide to the public, in an expedited manner, all information necessary to identify all proposals of known-vulnerable code from any U of MN experiment. The information should include the name of each targeted software, the commit information, purported name of the proposer, email address, date/time, subject, and/or code so that all software developers can quickly identify such proposals and potentially take remedial action for such experiments.

Finding the questionable code and associated documentation is difficult. The UMN researchers did a poor job of tracking their own research. As senior Linux kernel developer, Al Viro, commented: "The lack of data is a part of what's blowing the whole thing out of proportion -- if they bothered to attach the list (or link to such) of SHA1 of commits that had come out of their experiment, or, better yet, maintained and provided the list of message-ids of all submissions, successful and not, this mess with blanket revert requests, etc. would've been far smaller (if happened at all)."

Dolan also asked on behalf of the Linux developer community that the paper coming from this research, "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits," be withdrawn because the researchers, Qiushi Wu and Aditya Pakki, and their graduate advisor, Kangjie Lu, an assistant professor in the UMN Computer Science & Engineering Department, experimented on Linux kernel maintainers without their permission. Therefore, the paper should be withdrawn "from formal publication and formal presentation all research work based on this or similar research where people appear to have been experimented on without their prior consent. Leaving archival information posted on the Internet is fine, as they are mostly already public, but there should be no research credit for such works."

While Heimdahl didn't address this point, the paper has been withdrawn. In a public note, Wu and Lu, but not Pakki, wrote: "We wish to withdraw our paper "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits" from publication in the 42nd IEEE Symposium on Security and Privacy." The paper had already been accepted by this high-level conference.

They're withdrawing it for two reasons:

First, we made a mistake by not engaging in collaboration with the Linux kernel community before conducting our study. We now understand that it was inappropriate and hurtful to the community to make it a subject of our research and to waste its effort reviewing these patches without its knowledge or permission. Instead, we now realize that the appropriate way to do this sort of work is to engage with community leaders beforehand so that they are aware of the work, approve its goals and methods, and can support the methods and results once the work is completed and published. Therefore, we are withdrawing the paper so that we do not benefit from an improperly conducted study. 

Second, given the flaws in our methods, we do not want this paper to stand as a model for how research can be done in this community. On the contrary, we hope this episode will be a learning moment for our community, and that the resulting discussion and recommendations can serve as a guide for proper research in the future. Therefore, we are withdrawing the paper to prevent our misguided research method from being seen as a model for how to conduct studies in the future. We sincerely apologize for any harm our research group did to the Linux kernel community, to the reputation of the IEEE Symposium on Security and Privacy, our Department and University, and our community as a whole.

Between Heimdahl's note and this public letter, it appears that the UMN has acceded to the Linux Foundation's main requests. There are still fine details to be worked out, but it now appears that the UMN, the Linux Foundation, and the Linux kernel developer community should be able to quickly come to peace with each other. That done, the UMN can get back to doing research and the maintainers can return to doing their real work of improving the kernel rather than chasing down potentially bogus patches.

Related Stories:

Editorial standards