Apr 27, 2021

At least according to the researcher’s letter[1], the UMN IRB did look at the study after the fact and determined approval wasn’t needed.

> The IRB of UMN reviewed the study and determined that this is not human research (a formal IRB exempt letter was obtained).

[1] https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

Apr 27, 2021

So kinda a quick summary given the available information that I've seen.

Back in August 2020 some research was performed looking at introducing vulnerabilities into the Linux Kernel.[0] The paper indicates that three patches were submitted via anonymous gmail accounts to the mailing list and were never committed. The reviewers were provided a proper patch upon accepting the vulnerable one and received explicit confirmation that the maintainers would not move forward with the vulnerable patch.

I'm not sure when exactly questions started being raised about that research. Though I first became aware of it in December. The discussion was mostly around the human involvement and led to the prepublication of the paper being removed and clarifications being issued.[1]

Fast-forward to April 2021. The patch seems to have kicked things off[2]. This was called out as being an impossible situation, and as being a "known-invalid patch" by Greg KH [3].

It appears that at least three patches by this same author introduced vulnerabilities[4] according to Leon Romanovsky. Though I don't have links to the specific patches.

Leading to U.Mn's ban from contributing to the kernel by Greg KH[5]

---------

What is in my opinion unclear at least to me is whether these more recent patches are actually in bad faith or just simply bad. The prevailing theory is that they are part of more research into introducing vulnerabilities. As already stated though, that research and its paper were done in August of 2020. The more recent commits, the official story from Kangjie Lu, Qiushi Wu, and Aditya Pakki[6] are that they are part of "a new project that aims to automatically identify bugs introduced by other patches". This does somewhat align with statements[7] made indicating that the commits were from a static analysis tool being researched which was made prior to this blowing up. Though I will note that the author of that patch was _not_ one of the authors of the apology letter, so may genuinely be unrelated.

This tool story was not believed by Greg KH[8].

And his take is the one that has gained a lot of adoption. That these patches were intentionally made in bad faith for another paper.

I will state that the newer patches that caused problems did _not_ follow the methodology that the original research followed to try to prevent vulnerabilities from actually being introduced into the repo. The original paper, while certainly had issues with methodology and experimenting on people inappropriately, did take steps to prevent any actual vulnerabilities from being committed, whereas the ones in question did not, and even made it to stable branches.

If the official story from U.Mn is true the commits should also have been noted as having been found by a tool, and followed the proper procedure for that, which they did not do. Though it does appear that the vast majority of the patches that were reverted were legitimate patches.[9] Atleast spot checking replies on that mailing list.

I mean on a whole the original research was questionable, but I kind of want to be more charitable in my interpretation of the more recent events but honestly that original patch that kicked things off is pretty bad.

[0] https://github.com/QiushiWu/QiushiWu.github.io/blob/main/pap...

[1] https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

[2] https://lore.kernel.org/linux-nfs/20210407001658.2208535-1-p...

[3] https://lore.kernel.org/linux-nfs/YH5%2Fi7OvsjSmqADv@kroah.c...

[4] https://lore.kernel.org/linux-nfs/YH+zwQgBBGUJdiVK@unreal/

[5] https://lore.kernel.org/linux-nfs/YH+7ZydHv4+Y1hlx@kroah.com...

[6] https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJL...

[7] https://lore.kernel.org/lkml/CAAa=b7dnrz5Pz5hMUc29VHJb9ucFkW...

[8] https://lore.kernel.org/lkml/YH%2FfM%2FTsbmcZzwnX@kroah.com/

[9] https://lore.kernel.org/lkml/202104221451.292A6ED4@keescook/

Apr 24, 2021

I asked Kangjie Lu to explain the original complain. Here is his reply from Wednesday:

—-

Thanks for sharing.

The statements in the link are wrong. I will make some clarifications.

1. We have never intentionally introduced any bugs in Linux. 2. The project that investigated the issues with OSS patching process was done in November 2020. We did get an IRB letter for the research. The purpose of the research is to improve the security of the OSS patching process. 3. One of my students is working on a different project which has nothing to do with the project mentioned in 2. The student aims to fix problems in Linux instead of introducing problems.

If you are interested in the project mentioned in 2, please find more details here: https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

I hope these clarify the misunderstandings.

Kangjie Lu Assistant Professor Department of Computer Science and Engineering University of Minnesota https://www-users.cs.umn.edu/~kjlu

—-

Apr 24, 2021

The guy is still putting the blame on the Kernel project for not having a "don't submit bugs" clause.[1]

And insists it was not human research. [1]

How can this type of people be professors?

[1] https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

Apr 21, 2021

Interesting, looks like the 2nd time they're doing the same thing, and 2nd time they're in hot water for it. They even apologized the first time by pleading naivete: https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc.... .

First time they initially skipped IRB review for sending malicious patches to the mailing list, which people do install. (So IRB exemption should not apply.) A top security conference allowed a paper with a broken IRB process, and UMN IRB, when a later IRB exempt request was filed, explicitly allowed this. Bad, bad, and bad.

The latest Linux incident seems like a repeat by the same CS dept, advisor, student, & presumably, UMN IRB. No naivete excuse anymore, this is now business as usual.

The bigger fail to me is the UMN dept head + IRB, and the security conference review process around IRB norms. Especially damning that it's a repeat of the same IRB mess. IRB exemption matters a lot for practicing scientists, and leadership tolerating this stuff is what will get it taken away for everyone else.

Fool me once..

Apr 21, 2021

The prof overseeing the paper clarified that they initially did not seek IRB approval, and then received an IRB exemption [0]. I'd want to ask the IRB why they approved that, for starters. Maybe because they'd already done the research and hoped it would blow over, vs. the controversy of rejecting it when they'd already done the work?

0: https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

Apr 21, 2021

background for those unfamiliar with this: https://news.itsfoss.com/hypocrite-commits/

and Kangjie Lu's response: https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

Apr 21, 2021

Interesting tidbit from the prof's CV where he lists the paper, interpret from it what you will[1]:

> On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits

> Qiushi Wu, and Kangjie Lu.

> To appear in Proceedings of the 42nd IEEE Symposium on Security and Privacy (Oakland'21). Virtual conference, May 2021.

> Note: The experiment did not introduce any bug or bug-introducing commit into OSS. It demonstrated weaknesses in the patching process in a safe way. No user was affected, and IRB exempt was issued. The experiment actually fixed three real bugs. Please see the clarifications[2].

1: https://www-users.cs.umn.edu/~kjlu/

2: https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

Apr 21, 2021

> The IRB of University of Minnesota reviewed the procedures of the experiment and determined that this is not human research.

I'm not sure how it affects things, but I think it's important to clarify that they did not obtain the IRB-exempt letter in advance of doing the research, but after the ethically questionable actions had already been taken:

The IRB of UMN reviewed the study and determined that this is not human research (a formal IRB exempt letter was obtained). Throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. ... We would like to thank the people who suggested us to talk to IRB after seeing the paper abstract.

https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

Apr 21, 2021

In a follow-up [1], the author suggests: OSS projects would be suggested to update the code of conduct, something like “By submitting the patch, I agree to not intend to introduce bugs”

How can one be so short-sighted?...

[1] https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

Apr 21, 2021

They did not secretly introduce exploitable bugs:

Once any maintainer of the community responds to the email,indicating “looks good”,we immediately point out the introduced bug and request them to not go ahead to apply the patch. At the same time, we point out the correct fixing of the bug and provide our proper patch. In all the three cases, maintainers explicitly acknowledged and confirmed to not move forward with the incorrect patches. This way, we ensure that the incorrect patches will not be adopted or committed into the Git tree of Linux.

https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

> If it quacks like a duck and waddles like a duck, then it is a duck.

A lot of horrible things have happened on the Internet by following that philosophy. I think it's imperative to learn the rigorous facts and different interpretations of them, or we will continue to great harm and be easily manipulated.

Apr 21, 2021

In their "clarifications" [1], they say:

"In the past several years, we devote most of our time to improving the Linux kernel, and we have found and fixed more than one thousand kernel bugs"

But someone upthread posted that this group has a total of about 280 commits in the kernel tree. That doesn't seem like anywhere near enough to fix more than a thousand bugs.

Also, the clarification then says:

"the extensive bug finding and fixing experience also allowed us to observe issues with the patching process and motivated us to improve it"

And the way you do that is to tell the Linux kernel maintainers about the issues you observed and discuss with them ways to fix them. But of course that's not at all what this group did. So no, I don't agree that this research was done "properly". It shouldn't have been done at all the way it was done.

[1] https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

Apr 21, 2021

To help clarify for purposes of continuing the discussion the original research did address the issue of minimizing the time of the reviewers [1] [2]. Seems the maintainers were OK with that as no actions were taken other than an implied request to stop that kind of research.

Now a different researcher from UMN, Aditya Pakki, has submitted a patch which contains bugs that seems to be attempting to do the same type of pen testing although the PhD student denied it.

1. Section IV.A of the paper, as pointed out by user MzxgckZtNqX5i in this comment: https://news.ycombinator.com/item?id=26890872

> Honoring maintainer efforts. The OSS communities are understaffed, and maintainers are mainly volunteers. We respect OSS volunteers and honor their efforts. Unfortunately, this experiment will take certain time of maintainers in reviewing the patches. To minimize the efforts, (1) we make the minor patches as simple as possible (all of the three patches are less than 5 lines of code changes); (2) we find three real minor issues (i.e., missing an error message, a memory leak, and a refcount bug), and our patches will ultimately contribute to fixing them.

2. Clarifications on the “hypocrite commit” work (FAQ)

https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

"* Does this project waste certain efforts of maintainers? Unfortunately, yes. We would like to sincerely apologize to the maintainers involved in the corresponding patch review process; this work indeed wasted their precious time. We had carefully considered this issue, but could not figure out a better solution in this study. However, to minimize the wasted time, (1) we made the minor patches as simple as possible (all of the three patches are less than 5 lines of code changes); (2) we tried hard to find three real bugs, and the patches ultimately contributed to fixing them."

Apr 21, 2021

My understanding in this case is not that the IRB declined to review the study plan, but that (quoting the study authors) "The IRB of UMN reviewed the study and determined that this is not human research (a formal IRB exempt letter was obtained)." (more information here: https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....)

Do you think that the IRB was correct to make the determination they did? It does sound like a bit of a grey area

Apr 21, 2021

Clarification from their work that was posted on the professor's website:

https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

Apr 21, 2021

https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

posted some clarifications around this, worth a read

Apr 21, 2021

https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

Seemed to have posted some clarifications around this. worth a read

Apr 21, 2021

Here's a clarification from the Researchers over at UMN[1].

They claim that none of the Bogus patches were merged to the Stable code line :

>Once any maintainer of the community responds to the email,indicating “looks good”,we immediately point out the introduced bug and request them to not go ahead to apply the patch. At the same time, we point out the correct fixing of the bug and provide our proper patch. In all the three cases, maintainers explicitly acknowledged and confirmed to not move forward with the incorrect patches. This way, we ensure that the incorrect patches will not be adopted or committed into the Git tree of Linux.

I haven't been able to find out what the 3 patches which the reference are, but the discussions on Greg's UMN Revert patch [2] does indicate that some of the fixes have indeed been merged to Stable and are actually Bogus.

[1] : https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

[2] : https://lore.kernel.org/lkml/20210421130105.1226686-1-gregkh...

Apr 21, 2021

Some clarifications since they are unclear in the original report.

- Aditya Pakki (the author who sent the new round of seemingly bogus patches) is not involved in the S&P 2021 research. This means Aditya is likely to have nothing to do with the prior round of patching attempts that led to the S&P 2021 paper.

- According to the authors' clarification [1], the S&P 2021 paper did not introduce any bugs into Linux kernel. The three attempts did not even become Git commits.

Greg has all reasons to be unhappy since they were unknowingly experimented on and used as lab rats. However, the round of patches that triggered his anger *are very likely* to have nothing to do with the three intentionally incorrect patch attempts leading to the paper. Many people on HN do not seem to know this.

[1] https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

Apr 21, 2021

This is not what happened according to them:

https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

> (4). Once any maintainer of the community responds to the email, indicating “looks good”, we immediately point out the introduced bug and request them to not go ahead to apply the patch. At the same time, we point out the correct fixing of the bug and provide our proper patch. In all the three cases, maintainers explicitly acknowledged and confirmed to not move forward with the incorrect patches. This way, we ensure that the incorrect patches will not be adopted or committed into the Git tree of Linux.

Apr 21, 2021

It didn't. Rather, it didn't until after it had been conduct.

https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

Apr 21, 2021

From the researchers:

> In the past several years, we devote most of our time to improving the Linux kernel, and we have found and fixed more than one thousand kernel bugs; the extensive bug finding and fixing experience also allowed us to observe issues with the patching process and motivated us to improve it. Thus, we consider ourselves security researchers as well as OSS contributors. We respect OSS volunteers and honor their efforts.

https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

It feels to me you have jumped to an untenable conclusion without even considering their point of view.

Apr 21, 2021

I hope USENIX et al ban this student / professor / school / university associated with this work from submitting anything to any of their conferences for 10 years.

This was his clarification https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

...in which they have the nerve to say that this is not considered "human research". It most definitely is, given that their attack vector is the same one many people would be keen on using for submitting legitimate requests for getting involved.

If anything, this "research" highlights the notion that coding is but a small proportion of programming and delivery of a product, feature, or bugfix from start-to-finish is a much bigger job than many people like to admit to themselves or others.

Apr 21, 2021

No bugs were introduced and they didn't intend to introduce any bugs. infact, they have resolved over 1000+ bugs in the linux kernel.

>> https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc.... "We did not introduce or intend to introduce any bug or vulnerability in the Linux kernel. All the bug-introducing patches stayed only in the email exchanges, without being adopted or merged into any Linux branch, which was explicitly confirmed by maintainers. Therefore, the bug-introducing patches in the email did not even become a Git commit in any Linux branch. None of the Linux users would be affected. The following shows the specific procedure of the experiment"

Apr 21, 2021

>> https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

"We did not introduce or intend to introduce any bug or vulnerability in the Linux kernel. All the bug-introducing patches stayed only in the email exchanges, without being adopted or merged into any Linux branch, which was explicitly confirmed by maintainers. Therefore, the bug-introducing patches in the email did not even become a Git commit in any Linux branch. None of the Linux users would be affected."

Apr 21, 2021

They apparently made a tool to find vulnerabilities that could later lead to bugs is a different patch was introduced.

And for some insane reason, they decided to test if these kinds of bugs would be caught by inventing some and just submitting the patches, without informing anyone beforehand.

https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

Apr 21, 2021

I don't think there have been any recent comments from anyone at U.Mn. So, back when the original research (happened last year) the following clarification was offered by Qiushi Wu and Kangjie Lu which atleast paints their research in somewhat better light: https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc....

That said the current incident seems to have gone beyond the limits of that one and is a new incident. I just thought it would be fair to include their "side"