Researchers from the University of Minnesota, whose institution was banned last week by the Linux kernel maintainers for submitting malicious code, have apologized to the maintainers of the Linux Kernel Project for their actions.
They admitted that they intentionally submitted patches containing vulnerabilities. As a result, the University has been banned from contributing to the open-source project in the future.
“While our goal was to improve the security of Linux, we now understand that it was hurtful to the community to make it a subject of our research, and to waste its effort reviewing these patches without its knowledge or permission,” assistant professor Kangjie Lu said in an email.
The researchers explained that they proceeded without asking because they knew the Linux maintainers would not have granted them permission.
Following the incident, the university’s Department of Computer Science and Engineering said it was investigating the matter and looking into the “research method and the process by which this research method was approved, determine appropriate remedial action, and safeguard against future issues.”
The research in question dealt with what are called “hypocrite commits” and was published earlier this February. The researchers showed that they could deliberately introduce use-after-free vulnerabilities into the Linux kernel, apparently in an attempt to highlight flaws in the patch review and approval process.
Academics subsequently explained in a clarification document posted on December 15, 2020, that the university’s Institutional Review Board (IRB) had determined it was not human research. “Throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns.”
The researchers initially claimed they “did not introduce or intend to introduce any bug or vulnerability in OSS,” but later, evidence to the contrary emerged showing the research risked the kernel’s security and was conducted without due oversight.
The University has been banned from submitting code from any “umn.edu” email address, and all past code submitted by the university’s researchers has been invalidated.
“Our community does not appreciate being experimented on, and being ‘tested’ by submitting known patches that are (sic) either do nothing on purpose or introduce bugs on purpose,” Linux kernel maintainer Greg Kroah-Hartman said.