University Banned From Contributing To Linux Kernel For Intentionally Inserting Bugs

  • #11
    Also from the paper:
    A. Ethical Considerations
    Ensuring the safety of the experiment. In the experiment, we aim to demonstrate the practicality of stealthily introducing vulnerabilities through hypocrite commits. Our goal is not to introduce vulnerabilities to harm OSS. Therefore, we safely conduct the experiment to make sure that the introduced UAF bugs will not be merged into the actual Linux code.
    Seems like they failed, no?

    • #12
      Penguins seen burning all over MiniSoder ! PLM coming !

      • #13
        What is ethics in research? Is it not important anymore?

        • #14
          Originally posted by Setif:
          Good Research paper, It exposes a lot of issues in Large Open Source Projects.
          Instead of focusing on their deeds, they should focus on resolving those issues by introducing new strict policies for contributing code to a very sensitive project like Linux kernel.
          ehhh no.... that's not how this works. Even if you do this, you have to prevent those patches from actually getting in by saying "sorry guys, but this patch is doing something terribly bad and we just wanted to see how far we would get" after they got queued up in some subsystem tree or something.

          Research can't simply ignore morals and ethics. Hence "tests" on animals and humans are very restricted and you always have to prove there is no better way. _proof_ not just saying there is nothing better.

          • #15
            It's the new "It's a prank, bro"?
            Research paper version.

            • #16
              Originally posted by schmidtbag:
              lol well there goes that university's credibility. Though looking into them, seems all they really got going for them is pumping out SJWs, so.... yeah.

              I'm curious about what some of the other patches are that will be removed.
              Ironically, comments using SMS language and unrelated clichés like "SJWs" don't have any credibility either.

              • #17
                In university environments, an ethics checklist for any research needs to be signed off by the "ethics champion" or the ethics board.

                I wouldn't be surprised if this uncovers a much deeper issue here. Whoever signed off on this has either done a very poor job or the students have committed an academic offense (by not submitting an ethics request).

                Either way, seeding known errors in an open-source project isn't big or clever. If you did similar in a commercial repo, you would be disciplined and fired. Just because open-source projects don't pay you a wage and can't fire you doesn't make them any more or less susceptible.
                Last edited by kpedersen; 21 April 2021, 09:07 AM.

                • #18
                  I am pretty sure, that any tests against kernel security are most welcomed. They just don't need bad code.

                  • #19
                    Now imagine if the same contributions were made by a Chinese university...

                    • #20
                      Originally posted by om26er:
                      Now imagine if the same contributions were made by a Chinese university...
                      To be fair, the authors of the paper (behind this intentional defect) sound to be Chinese: Qiushi Wu and Kangjie Lu

                      https://github.com/QiushiWu/QiushiWu...Insecurity.pdf

                      So I don't think it would really have made a difference. Anyone is allowed to commit to the kernel.

                      Unless you mean that it would have started an uproar that a certain nation's university is banned from contributing? Then yeah, you are probably right.
                      Last edited by kpedersen; 21 April 2021, 09:16 AM.
