Topic: University of Minnesota Linux code security issues; banned and to be removed

Offline hans

You guys are funny :P

The offending patches have not been submitted from the university's domain, but from throwaway gmail accounts. It's all described in the paper, but of course no one who has an opinion about the paper has actually read it, as usual.

The patches were never meant to damage anything, they say they informed the maintainers about the experiment as soon as the malicious patches received approval on the mailing list and suggested correct fixes.

Unfortunately we won't get to see the details of those exchanges without some extensive digging, because they have been redacted from the paper to protect the guilty maintainers. That was indeed done to calm down the ethics review guys.

That still doesn't change the situation for the better. You can prove that personal information won't be gathered from your test subjects; however, that is par for the course in any scientific experiment regarding test subjects (maintainers in this case).

The thing that disgusts me the most is that the test subjects did not agree to be experimented on; there is no mutual consent; which is quite clearly described by unethical human experiments and very clearly in human subject rights.

Certainly I'm citing documents for medical tests that may involve needles or new medicines. However, I don't really see why engineering should be an exception to that rule. It's just not common practice in our field to worry about these things.

Like I said.. you can only do these kinds of experiments in controlled environments on toy projects.

OTOH, the paper is perhaps not very useful and the solutions they propose are either "no shit Sherlock" or plain dumb. But I would say it may still be worth it for the publicity stunt alone >:D Perhaps a lesson has been learned, do such things anonymously and don't brag about them under your real name later.

Yep... I still really don't understand what novelty the paper is trying to show ;) . Review processes are not airtight processes, because they are controlled by humans. This happens in academia, will happen in code reviews, and probably also just as often in budget approvals within companies.
I'm too lazy to look it up rn, but I'm pretty sure that psychology, (engineering) philosophy and/or behavioural science has done research on controlling review processes and associated cognitive biases.

Even student supervisors or (direct) colleagues can't always catch fraudulent entities. This happens plenty of times in academia, unfortunately. Some students or profs are feeling they're on their back foot in terms of research progress, number of publications, their time frame, etc. Some may also feel they deserve more recognition and thereby force the results. And it's a very trivial thing to do... Being impartial e.g. cherry picking hypotheses that fit the curve is just as bad as making stuff up.
« Last Edit: April 25, 2021, 07:29:27 am by hans »
 

Offline bd139

All this is academic. Excuse the pun.

Are you aware of any real adversaries who have an ethical experimentation framework? Nope!

This has exposed a huge vulnerability in the process which was an extremely valuable activity. And people are complaining at the university here. Where is the vitriol for the kernel team? Our entire society is built on their work and they fucked up monumentally.
 

Offline Ed.Kloonk

All this is academic. Excuse the pun.

Are you aware of any real adversaries who have an ethical experimentation framework? Nope!

This has exposed a huge vulnerability in the process which was an extremely valuable activity. And people are complaining at the university here. Where is the vitriol for the kernel team? Our entire society is built on their work and they fucked up monumentally.

Nar.

It gets back to my original point. Don't fuck with the kernel devs.

There are many more peeps reviewing the code than there are those risking excommunication by serving up a shit show.

Go watch Meet the Fockers. Embrace the concept of circle of trust.

 :)
« Last Edit: April 25, 2021, 09:21:31 am by Ed.Kloonk »
iratus parum formica
 

Offline DrG

You guys are funny :P

The offending patches have not been submitted from the university's domain, but from throwaway gmail accounts. It's all described in the paper, but of course no one who has an opinion about the paper has actually read it, as usual.

The patches were never meant to damage anything, they say they informed the maintainers about the experiment as soon as the malicious patches received approval on the mailing list and suggested correct fixes.

Unfortunately we won't get to see the details of those exchanges without some extensive digging, because they have been redacted from the paper to protect the guilty maintainers. That was indeed done to calm down the ethics review guys.

They passed ethics review by insisting that no personal information will be collected or published and they only test "the development process" as such.


Finally, all the patches nuked by Greg were patches from random students looking for issues or playing with static analyzers. Most appear to have been accepted, a few have been found suboptimal, a few were rejected because they don't work.

I'm disappointed that Greg hasn't followed up with the obvious and requested a review of patches submitted from other students around world (and from random strangers with gmail accounts). Like they should be doing in the first place :P


OTOH, the paper is perhaps not very useful and the solutions they propose are either "no shit Sherlock" or plain dumb. But I would say it may still be worth it for the publicity stunt alone >:D Perhaps a lesson has been learned, do such things anonymously and don't brag about them under your real name later.

As the song goes...lotta people funny - now you funny too.

I did read the original paper and no I did not try to study it intently and yes, you and a kazillion other nerds know much more about Linux than I. I thought the ban was against .edu and maybe I am wrong...probably I am wrong even.

In your indictment about funny people above, "The patches were never meant to damage anything, they say they informed the maintainers about the experiment as soon as the malicious patches received approval on the mailing list and suggested correct fixes." and

"Finally, all the patches nuked by Greg were patches from random students looking for issues or playing with static analyzers. Most appear to have been accepted, a few have been found suboptimal, a few were rejected because they don't work."

So, I just read this: https://lore.kernel.org/linux-nfs/YH%2F8jcoC1ffuksrf@kroah.com/

"> > > They introduce kernel bugs on purpose. Yesterday, I took a look on 4
> > > accepted patches from Aditya and 3 of them added various severity security
> > > "holes".
> >
> > All contributions by this group of people need to be reverted, if they
> > have not been done so already, as what they are doing is intentional
> > malicious behavior and is not acceptable and totally unethical.  I'll
> > look at it after lunch unless someone else wants to do it..."

Yes, there are snips and so on and it is hard to follow the thread, but it does not look like these are all from random students, as you said. It looks like these are from a known and small group of students. [edit: the ones that really pissed people off]

There also appear to have been two rounds of this and "the paper" is distinct from the "analyzer" round. Even though you mentioned the analyzer, you don't seem to appreciate that difference when you suggest "it's all in the paper".

It is difficult to unravel all the facts and I have repeatedly stated that I want to understand clearly what was done and why is it wrong...so even as I continue to get details wrong, I am not that funny.
« Last Edit: April 25, 2021, 03:51:34 pm by DrG »
- Invest in science - it pays big dividends. -
 

Offline DrG

From: Kangjie Lu <kjlu@umn.edu>
To: open list <linux-kernel@vger.kernel.org>
Cc: Qiushi Wu <wu000273@umn.edu>, Aditya Pakki <pakki001@umn.edu>
Subject: An open letter to the Linux community
Date: Sat, 24 Apr 2021 17:30:50 -0500

An apology, posted yesterday....https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/
- Invest in science - it pays big dividends. -
 

Offline SilverSolder

From: Kangjie Lu <kjlu@umn.edu>
To: open list <linux-kernel@vger.kernel.org>
Cc: Qiushi Wu <wu000273@umn.edu>, Aditya Pakki <pakki001@umn.edu>
Subject: An open letter to the Linux community
Date: Sat, 24 Apr 2021 17:30:50 -0500

An apology, posted yesterday....https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/

@Dr. G,   if you were to post that you had been mugged yesterday, you would get one or two comments defending the mugger...   on the Internet, there is always someone taking the opposite view, that's how debate works!  :D
 

Online ataradov

This has exposed a huge vulnerability in the process which was an extremely valuable activity.
It exposed absolutely nothing. We do this experiment every single day. Commits with issues that have to be reverted appear in the kernel all the time. So it is obvious you can get one through intentionally.

If anything, you can call it a conversation starter. But it is like starting a conversation on how to feed kids in Africa. There are no practical short term solutions, so the whole effort is pointless.

Also, why kernel? Go bother Apache people, for example. There are a ton of projects that are susceptible to the same exact issue.

Or go further, and show that not only OSS is susceptible, figure out a way to infiltrate a closed source company.

They did the absolute minimal and lamest amount of work, and then blew it up to article size. This is how a lot of modern "research" goes.
« Last Edit: April 25, 2021, 05:14:09 pm by ataradov »
Alex
 
The following users thanked this post: hans

Online ataradov

An apology, posted yesterday....
As I said, in the spirit of that apology, they should not benefit from the article. So remove it from the IEEE conference.

As of now, they are saying they are sorry, yet going forward with all of their plans.
Alex
 
The following users thanked this post: hans

Offline DrG

From: Kangjie Lu <kjlu@umn.edu>
To: open list <linux-kernel@vger.kernel.org>
Cc: Qiushi Wu <wu000273@umn.edu>, Aditya Pakki <pakki001@umn.edu>
Subject: An open letter to the Linux community
Date: Sat, 24 Apr 2021 17:30:50 -0500

An apology, posted yesterday....https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/

@Dr. G,   if you were to post that you had been mugged yesterday, you would get one or two comments defending the mugger... 

Nahh, if I posted that I got mugged, I would probably get a ton of "likes"  ;)

More seriously, I admit that I am fascinated by the dynamics of these situations....I try to come up with the principles in play as they unfold.

We see the dynamics almost everyday in the media...someone screws up...they apologize...does it stick or do they get cancelled?

IMO, this fellow is throwing himself at the mercy of the court, so to speak. It is one step in the process....does he get cancelled or does this blow over and he can continue, hopefully, smarter and more humble?

In my view, Community Opinion, much like Reality itself, can be a harsh mistress and one should not try to f**k with either.
- Invest in science - it pays big dividends. -
 
The following users thanked this post: SilverSolder

Offline SilverSolder

From: Kangjie Lu <kjlu@umn.edu>
To: open list <linux-kernel@vger.kernel.org>
Cc: Qiushi Wu <wu000273@umn.edu>, Aditya Pakki <pakki001@umn.edu>
Subject: An open letter to the Linux community
Date: Sat, 24 Apr 2021 17:30:50 -0500

An apology, posted yesterday....https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/

@Dr. G,   if you were to post that you had been mugged yesterday, you would get one or two comments defending the mugger... 

Nahh, if I posted that I got mugged, I would probably get a ton of "likes"  ;)

More seriously, I admit that I am fascinated by the dynamics of these situations....I try to come up with the principles in play as they unfold.

We see the dynamics almost everyday in the media...someone screws up...they apologize...does it stick or do they get cancelled?

IMO, this fellow is throwing himself at the mercy of the court, so to speak. It is one step in the process....does he get cancelled or does this blow over and he can continue, hopefully, smarter and more humble?

In my view, Community Opinion, much like Reality itself, can be a harsh mistress and one should not try to f**k with either.

I think the algorithm that most people go by is this:

IF <AnotherPerson> DID <something I would not be ashamed of doing myself> THEN
  Defend;
ELSE
  Condemn;


 

Online ataradov

IF <AnotherPerson> DID <something I would not be ashamed of doing myself> THEN
  Defend;
ELSE
  Condemn;
This is not a bad algorithm. After all, all societal norms are what the majority of people in the society see as acceptable. For better or worse.

And the percentage of defending or condemning shows how much of a grey area the behaviour is.
Alex
 

Offline DrG

IF <AnotherPerson> DID <something I would not be ashamed of doing myself> THEN
  Defend;
ELSE
  Condemn;
This is not a bad algorithm. After all, all societal norms are what the majority of people in the society see as acceptable. For better or worse.
...

Note that there is a difference between not being ashamed of doing something and not being ashamed of getting caught doing something that you are not ashamed of doing....just ask a sociopath :)
- Invest in science - it pays big dividends. -
 
The following users thanked this post: SilverSolder

Offline SilverSolder

IF <AnotherPerson> DID <something I would not be ashamed of doing myself> THEN
  Defend;
ELSE
  Condemn;
This is not a bad algorithm. After all, all societal norms are what the majority of people in the society see as acceptable. For better or worse.

And the percentage of defending or condemning shows how much of a grey area the behaviour is.

Where that algorithm falls down is that what makes you ashamed is defined by your upbringing and culture, as much as (or more than) what you are actually doing...

The same person can be ashamed of something as a teenager that they then routinely do later in life, and vice versa.

It is also possible to be "incorrectly ashamed" of something that is actually natural.

Basically, the feeling of being ashamed of something is not really a sound basis for condemning others?
 

Online ataradov

The same person can be ashamed of something as a teenager that they then routinely do later in life, and vice versa.
Sure, but you can make finer subdivisions of the society and apply the same algorithm.

It is also possible to be "incorrectly ashamed" of something that is actually natural.
For sure, and that would represent societal flaw. Those happen too in real life and societies need to work on fixing those.

Basically, the feeling of being ashamed of something is not really a sound basis for condemning others?
Maybe not, but it is one of the factors.

I personally would be more supportive of the researchers if their research was actually novel or proposed a real path to a solution of the exposed problem. It is neither in this case.

I would draw a parallel with the HeartBleed vulnerability discovery. It opened the floodgate of similar speculation and cache-timing attacks. It caused short term havoc. But it also had a concrete path to fixing the issue, even if it was hard and required redesign of a lot of silicon, and potentially losing some performance.
« Last Edit: April 25, 2021, 05:36:47 pm by ataradov »
Alex
 
The following users thanked this post: SilverSolder

Offline hans

Well, if all research must find an even balance between the number of problems they find and solve, we wouldn't get anywhere. It's almost cliche, but: “We can’t solve problems by using the same kind of thinking we used when we created them.”

Nonetheless, I do think that this work and these actions are basically firing a shotgun at point blank range and pointing at the huge exit wound it created. No shit Sherlock. That's why we have huge collections of static analysis tools, formal verification tools, unit test frameworks and heuristics to combat bugs and regressions. But in virtually any equation, humans will be the limiting factor in how well we do.
 

Offline bjbb

18 USC 1030(a)(5) and (b)

I am just a simple-minded engineer, but I can read. My (legally worthless) opinion is that this Lu person could be prosecuted as part of a conspiracy to intentionally commit a felony described by the above statute. That said, this law is bad because it is, by design, overly broad code intended to cast a wide net such that the feds can easily go after any hacker that pisses them off.

There is only one way that is both ethical and enables actual research. Inform a senior officer of the organization that you want to submit bad stuff, explain your research process, and request permission. This is the de facto process for many penetration research projects.

The 'research' students lied about the nature of the submitted kernel patches, thus expulsion is an academic (IRB) requirement; to wit, the kernel people accused the linux kernel people of "making wild accusations that are bordering on slander" in writing. This alone casts doubt on any and all computer science 'research' programs at that school. The chain of messages indicates other lies and misrepresentations after the kernel people called them out. And there are other messages in the list that claim no changes made it to stable, but at least one did.

I have been criticized in this venue per my comments on the generally poor performance of academia, and I sincerely do not intend to insult educators. But wrong is wrong, and disingenuous actions are not mitigated by 'good' intentions.
 

Offline DrG


....We take this situation extremely seriously. We have immediately suspended this line of research. We will investigate the research method & the process by which this research method was approved, determine appropriate remedial action, & safeguard against future issues, if needed....


From the University's 'official' response (4 days ago in case you missed it) https://twitter.com/UMNComputerSci/status/1384948683821694976
- Invest in science - it pays big dividends. -
 

Online ataradov

They can apologize all they want. They say nothing about retracting the article, especially from IEEE conference. The authors should not benefit from this, otherwise it just legitimizes the approach of doing something and then apologizing later. You know, Silicon Valley approach of moving fast and breaking things.

For the same reason as illegally obtained evidence is not admissible in the court. They don't say "this was bad, but since we've got it, let's use it". No, they just reject it without questions to not encourage more of the same behaviour.
Alex
 

Offline magic

"Finally, all the patches nuked by Greg were patches from random students looking for issues or playing with static analyzers. Most appear to have been accepted, a few have been found suboptimal, a few were rejected because they don't work."

So, I just read this: https://lore.kernel.org/linux-nfs/YH%2F8jcoC1ffuksrf@kroah.com/

...

It is difficult to unravel all the facts and I have repeatedly stated that I want to understand clearly what was done and why is it wrong...so even as I continue to get details wrong, I am not that funny.
Yes, you are very boring, trying to understand stuff instead of getting triggered :D

This thread does make the ban look more reasonable, but the nature of Aditya Pakki's patches is still unclear. He/she is not one of the authors of the "hypocrite commits" paper and those didn't post from their .edu addresses. It's not clear how Leon Romanovsky made the connection, save for the obvious similarity in the technical quality of said patches.

Here Greg quotes from what appears to be AP's answer to the shitshow; the archive doesn't contain the original email for some reason.
https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/
Quote
On Wed, Apr 21, 2021 at 02:56:27AM -0500, Aditya Pakki wrote:
> Greg,
>
> I respectfully ask you to cease and desist from making wild accusations
> that are bordering on slander.
>
> These patches were sent as part of a new static analyzer that I wrote and
> it's sensitivity is obviously not great. I sent patches on the hopes to get
> feedback. We are not experts in the linux kernel and repeatedly making
> these statements is disgusting to hear.
>
> Obviously, it is a wrong step but your preconceived biases are so strong
> that you make allegations without merit nor give us any benefit of doubt.
>
> I will not be sending any more patches due to the attitude that is not only
> unwelcome but also intimidating to newbies and non experts.

So either their ethics review board greenlighted a next level project which includes working in the open and lying blatantly, or perhaps it really is another group this time, principally honest but perhaps not as competent as they considered themselves to be ::)

Hence my remark, why stop at one university, just review everything that gets submitted, you never know what's there :P

I wonder if Theo de Raadt has posted anything. On one hand, he would probably enjoy taking the piss at Linux security. On the other, it could invite attention...
« Last Edit: April 26, 2021, 06:34:22 am by magic »
 

Offline magic

 

Offline Ed.Kloonk

https://lore.kernel.org/linux-nfs/20210423214850.GI10457@fieldses.org/

Just as expected :-DD :popcorn:

Can you explain what is amusing for those of us playing along at home?
iratus parum formica
 

Online ataradov

There may be some legit patches. Or may be not. Once the trust is broken, it is safer to assume the whole organization to be malicious.

It is reasonable to remove all code from them until it is reviewed. And if all they did was post static code analysis patches, then not a whole lot of value would be lost if they are removed forever. Static code checker patches are always the lowest grade.

There are a ton of people running static code checkers on the kernel, there is nothing particularly interesting about that work.
Alex
 
The following users thanked this post: hans

Offline magic

https://lore.kernel.org/linux-nfs/20210423214850.GI10457@fieldses.org/

Just as expected :-DD :popcorn:

Can you explain what is amusing for those of us playing along at home?
The guy wrote some tools looking for bugs in Linux and submitted fixes for what he found, wrote a paper about it, all under his real name.
Some fixes were dumb and got rejected, some were subtly wrong but the devs took them anyway.
Some other guy went "what the heck, let's look what happens if we send them rubbish deliberately from throwaway gmail accounts".
Now the kernel tries to put all blame on Project Rubbish and pretends that everything that they accepted that wasn't correct must have originated from there :P
« Last Edit: April 26, 2021, 08:04:39 am by magic »
 
The following users thanked this post: Ed.Kloonk, hans, bd139

Offline SilverSolder


Never waste a good crisis!
 

Offline bd139

Loudest ego wins in 2021 and that appears to be the kernel team.

I retract the latter part of my previous comment  :-DD

What I am learning from this is that we're in the hands of asshats.
 
The following users thanked this post: DrG
