Minnesota University Apologizes for Contributing Malicious Code to the Linux Project
2021-04-27 00:19

Researchers from the University of Minnesota apologized to the maintainers of Linux Kernel Project on Saturday for intentionally including vulnerabilities in the project's code, which led to the school being banned from contributing to the open-source project in the future.

The project aimed to deliberately add use-after-free vulnerabilities to the Linux kernel in the name of security research, apparently in an attempt to highlight how potentially malicious code could sneak past the approval process, and as a consequence, suggest ways to improve the security of the patching process.

A clarification document previously shared by the academics on December 15, 2020 stated the university's Institutional Review Board had reviewed the study and determined that it was not human research, only to backtrack, adding "Throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns."

While the researchers claimed "We did not introduce or intend to introduce any bug or vulnerability in OSS," evidence to the contrary emerged, implying that the research had been conducted without adequate oversight and had put the kernel's security at risk. This led to a unilateral ban on code submissions from anyone using a "Umn.edu" email address, in addition to the invalidation of all past code submitted by the university's researchers.

Following the incident, the university's Department of Computer Science and Engineering said it was investigating the matter, adding that it was looking into the "research method and the process by which this research method was approved, determine appropriate remedial action, and safeguard against future issues."

In the meantime, all patches submitted to the codebase by the university's researchers and faculty are expected to be reverted and re-reviewed to verify whether they are valid fixes.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/8J5hz08RVNU/minnesota-university-apologizes-for.html

Related vendor

Vendor   Products (last 12 months)   Low   Medium   High   Critical   Total vulnerabilities
Linux    17                          392   2104     1389   667        4552