Kroah-Hartman blew up after the group submitted patches to the kernel which were known to be buggy.
He said in a post addressed to Aditya Pakki at the university that Pakki and his group had sent the buggy patches to see how the kernel community would react, and had put out a paper based on that.
The university has now reacted by saying that it has suspended this line of research.
Linux kernel developers do not like being experimented on, we have enough real work to do: https://t.co/vWvtxjt7A5
— Greg K-H (@gregkh) April 21, 2021
The university's Qiushi Wu and Kangjie Lu published the paper in question, which is titled "On the feasibility of stealthily introducing vulnerabilities in open-source software via hypocrite commits".
In one email addressed to Pakki, who had made several claims about a patch he had sent, Kroah-Hartman responded: "Please stop submitting known-invalid patches. Your professor is playing around with the review process in order to achieve a paper in some strange and bizarre way.
This is worse than just being experimented upon; this is like saying you’re a “safety researcher” by going to a grocery store and cutting the brake lines on all the cars to see how many people crash when they leave. Enormously unethical; I hope @UMNews has an IRB that takes note!
— Jered Floyd (@jeredfloyd) April 21, 2021
"This is not ok, it is wasting our time, and we will have to report this, AGAIN, to your university..."
Another kernel developer, Leon Romanovsky, pointed out that the commits sent by Pakki were part of some research.
"They introduce kernel bugs on purpose. Yesterday [20 April], I took a look at 4 accepted patches from Aditya and 3 of them added various severity security 'holes'," he added.
I filed an ethics complaint with IEEE regarding the publication and asking it to be revoked. Anybody can submit one, you don't have to be a member. (Not saying you should Greg, but others here who have the time can). https://t.co/fT5Ddom9cV
— Christopher Clai (Syntax Bearror) (@ChrisClai) April 21, 2021
Pakki attempted to whitewash his attempts to send patches with known vulnerabilities, writing to Kroah-Hartman: "These patches were sent as part of a new static analyser that I wrote and its sensitivity is obviously not great. I sent patches in the hope of getting feedback. We are not experts in the Linux kernel and repeatedly making these statements is disgusting to hear.
"Obviously, it is a wrong step but your preconceived biases are so strong that you make allegations without merit nor give us any benefit of doubt.
"I will not be sending any more patches due to the attitude that is not only unwelcome but also intimidating to newbies and non experts."
But Kroah-Hartman was not buying this and did not mince his words when he responded. "When submitting patches created by a tool, everyone who does so submits them with wording like 'found by tool XXX, we are not sure if this is correct or not, please advise', which is NOT what you did here at all," he wrote.
Leadership in the University of Minnesota Department of Computer Science & Engineering learned today about the details of research being conducted by one of its faculty members and graduate students into the security of the Linux Kernel. pic.twitter.com/QE9rrAyyMX
— UMNComputerScience (@UMNComputerSci) April 21, 2021
"You were not asking for help, you were claiming that these were legitimate fixes, which you KNEW to be incorrect.
"A few minutes with anyone with the semblance of knowledge of C can see that your submissions do NOT do anything at all, so to think that a tool created them, and then that you thought they were a valid 'fix' is totally negligent on your part, not ours. You are the one at fault, it is not our job to be the test subjects of a tool you create."
And he added, in conclusion: "Because of this, I will now have to ban all future contributions from your University and rip out your previous contributions, as they were obviously submitted in bad faith with the intent to cause problems."
Incredibly interesting research on how easy it was to introduce vulnerabilities to the supply chain via the Linux kernel.
— Katie Moussouris (she/her) is 1/2 vaccinated (@k8em0) April 21, 2021
Emotional overreaction IMO of reverting & banning all commits from the university that did the research.
This is valuable to know for national/global security https://t.co/RlQ39otU4G