Hypocrite commits
"On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits"
Attention!
To correct the most critical misinformation online: My research group did not introduce vulnerabilities into the Linux kernel, as confirmed both by the Linux investigation report and by the UMN investigation.
- 11/21/2020: Paper accepted
- 12/15/2020: Clarifications
- 04/21/2021: The Linux incident happened due to superfluous patches from Aditya Pakki for a new bug-finding project. Aditya was not involved in the "hypocrite-commit" project; his patches were intended to fix bugs and did not introduce vulnerabilities, as confirmed in the Linux report. We have not continued the "hypocrite-commit" project since August 2020, which is also confirmed in the Linux report and pointed out by some major Linux maintainers.
- 04/24/2021: Open letter to Linux: We made a mistake by not finding a way to consult with Linux and obtain permission before running this case study in August 2020. We've learned an important lesson.
- 04/26/2021: Paper withdrawn
- 04/27/2021: Full disclosure of case study
- 04/27/2021: Department response to the Linux Foundation: The three hypocrite patches were never intended to be added to the code and, in fact, were not added.
- 05/05/2021: The Linux Technical Advisory Board report: No malicious or bad-faith code found in the re-reviewed UMN patches.
- 04/2022: As suggested by Linux, we established a review process with a core Linux maintainer. We will not send patches to Linux until they are reviewed and approved by the maintainer.
- 09/2022: Together with the Linux maintainer, we established a Linux-study group at UMN, with 40+ students enrolled. Its goal is to train new contributors and maintainers for open-source projects.
Promoting ethics in security research
Ethical considerations in computer security research are increasingly critical. Security research has a broad impact: on users, on whole development communities, and on critical infrastructure. Security researchers often assess the security of computer systems by breaking them (a.k.a. offensive security research), which raises ethical concerns. For example, in my own work I have made missteps when performing research on open-source security, as mentioned above. Given its criticality, I am strongly motivated to promote "ethical security research" and to help other security researchers avoid ethical issues. I have been working on this topic as one of my major research and education goals.
- Developed ethics course modules for CSCI 5271 and CSCI 4061
- 06/10/2022: Established and co-chaired the International Workshop on Ethics in Computer Security (EthiCS 2022)
- 11/17/2022: Led the SaTC (NSF) Town Hall meeting on ethics
- 01/01/2023: Kicked off a three-year NSF-funded (ER2) project on developing a framework for the ethical conduct of research with online communities
- 02/27/2023: Organized the EthiCS 2023 workshop, co-located with NDSS 2023.
- 03/23/2023: Maintaining learning materials for ethics in computer security research, including ethics principles, guidelines, committees, research papers, and more. Pull requests are welcome: https://github.com/ethics-workshop/references