"Full disclosure" from the University of Minnesota
"Full disclosure" from the University of Minnesota
Posted Apr 29, 2021 14:04 UTC (Thu) by nedu (guest, #50951)In reply to: "Full disclosure" from the University of Minnesota by mpg
Parent article: "Full disclosure" from the University of Minnesota
It is my understanding that on or about Nov 21, 2020, Kangjie Lu posted a tweet announcing acceptance of the paper for the upcoming IEEE S&P symposium. In that tweet, he published a screenshot of the first page of that paper.[1][2]
It is also my understanding that on or before Nov 22, 2020, Kangjie Lu deleted that tweet, with a statement that, "it created many confusions".[3]
I have seen what has been represented to me as a copy of that screenshot, in which an abstract of the paper is reproduced.[4]
In that version of the abstract, I read the sentence, "As a proof of concept, we successfully introduce multiple exploitable use-after-free in the latest linux kernel (in a safe way)."[2]
Do also note, that besides the withdrawal of the tweet, that original sentence in the abstract was revised in a currently available version of the now-withdrawn paper.[5][6]
[1] https://pbs.twimg.com/media/End-XVOUUAA7gZ-?format=png&...
[2] https://pbs.twimg.com/media/End-YlwVoAADi1r?format=png&...
[2(a)] https://web.archive.org/web/20210429134044/https://pbs.tw...
[3] https://archive.is/SBpHn
[4] https://archive.is/iUdX0
[5] https://web.archive.org/web/20210427031705/https://raw.gi...
[6] https://web.archive.org/web/20210427062206/https://www-us...
In discussion: again, you asked for "any evidence to the contrary".
And, I would concede that the original statement in the accepted abstract may have been puffery. It may have been confusion. It may have required further explanation.
But I also have to think "the latest linux kernel" may easily and naturally be read as referring to software running on other people's computers. And I can read that sentence as a cold, factual claim of an accomplished deed.
Posted Apr 29, 2021 22:28 UTC (Thu)
by mpg (subscriber, #70797)
[Link] (1 responses)
*I'll note that if we scroll down a bit on [3] they already tried to clarify that the malicious commits never got into the kernel, and in [4] the commenter already notes the contradiction.
Still, considering the full set of data we have today, I don't think it's justified to state that "they were deliberately trying to put bugs into production code", as the recent comment I was replying to did.
They did several things they shouldn't have done, such as experimenting on human subjects without their consent, making a paper with IMO weak methodology and relatively poor execution (I think we can hardly draw useful conclusions from their experiment) and communicating poorly about it (which again, would have been less of a problem if they had sought informed consent beforehand), but I don't think "deliberately trying to put bugs into production code" was one of them.
Posted Apr 30, 2021 21:56 UTC (Fri)
by rgmoore (✭ supporter ✭, #75)
[Link]
Not exactly. They say they never intended for their bugs to make it into a released kernel, but they said that only after the whole thing blew up and they were in damage control mode. We don't know what their true intent was. Maybe they intended to stop the bugs from ever being released. Maybe they thought it would be good to get one into a released version and then stealthily patch it in the next version, and that would be safe because it would be fixed by the time they told the world what they had done. We simply can't know what they would have done in the hypothetical world in which one of their patches had made it into the mainline kernel. We have only their word for it, and honestly their word isn't very good with a lot of people right now.
"Full disclosure" from the University of Minnesota
"Full disclosure" from the University of Minnesota
I quickly learned that they tried to make sure the commits didn't get into the kernel.