University of Minnesota banned from contributing to the Linux kernel for deliberately inserting vulnerabilities

Linux kernel maintainer Greg Kroah-Hartman has decided to prohibit the University of Minnesota (UMN) from contributing to the open-source Linux kernel project. The reason is that researchers at the University of Minnesota were found to have submitted, as part of their research, a series of patches that deliberately introduced security vulnerabilities into the official Linux code base.

For the above reasons, Greg decided to revert all code submissions that came from @umn.edu email addresses. The University of Minnesota researchers deliberately introduced vulnerabilities into the mainline Linux kernel and, based on this, published a paper on "open-source insecurity" in February 2021. The focus of that research was to deliberately introduce known security vulnerabilities into the Linux kernel by submitting malicious or insecure code patches and to observe whether the maintainers' review process would catch them.


However, even after the paper, researchers at the University of Minnesota submitted a new round of patches which they claimed were produced by "a new static analyzer", but which in fact had no real value: none of them fixed anything. At best this wasted the time of upstream developers, and it ultimately led to Greg's decision to ban the university from contributing to the Linux kernel in the future.

Greg wrote this morning on the kernel mailing list: "[These new patches] obviously were _NOT_ created by a static analysis tool that is of any intelligence, as they all are the result of totally different patterns, and all of which are obviously not even fixing anything at all. So what am I supposed to think here, other than that you and your group are continuing to experiment on the kernel community developers by sending such nonsense patches? … A few minutes with anyone with the semblance of knowledge of C can see that your submissions do NOT do anything at all, so to think that a tool created them, and then that you thought they were a valid 'fix' is totally negligent on your part, not ours. You are the one at fault, it is not our job to be the test subjects of a tool you create … Because of this, I will now have to ban all future contributions from your University and rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems."

The College of Science and Engineering at the University of Minnesota responded to the matter with the following statement:

Leadership in the University of Minnesota Department of Computer Science & Engineering learned today about the details of research being conducted by one of its faculty members and graduate students into the security of the Linux Kernel. The research method used raised serious concerns in the Linux Kernel community and, as of today, this has resulted in the University being banned from contributing to the Linux Kernel.

We take this situation extremely seriously. We have immediately suspended this line of research. We will investigate the research method and the process by which this research method was approved, determine appropriate remedial action, and safeguard against future issues, if needed. We will report our findings back to the community as soon as practical.