back to article 'Adversarial DNA' breeds buffer overflow bugs in PCs

Scientists from the University of Washington have created synthetic DNA that produced malware of a sort. Detailed in a paper titled “Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More”, the authors explain that they decided to “synthesize DNA strands that, after …

  1. Nolveys

    Well CRISPR my MEATPISTOL, if this isn't the weirdest thing I've heard in a while.

    Maybe we can look forward to a Trojan horse that is actually a horse (except for the spider parts that were added as a joke).

    1. davidp231

      We could build this giant wooden badger...

      1. jake Silver badge

        We don' need no ...

        ... steenkeen badgers.

        1. Swarthy
          Go

          Re: We don' need no ...

          badger, badger, badger, badger

          Musroom, Mushroom

  2. Notas Badoff

    Oh, letdown on the article title

    I thought you had a clever title subtly referring to the "Gene editing used to eliminate viruses in live pigs". Instead, this was pen-testing of a different strain.

  3. Bronek Kozicki
    Coat

    Next stop

    Hacking own DNA to hack sequencing machine when you are swabbed

    Surely there is nothing to worry about. Mine is the one with 3 sleeves, thank you

  4. John Smith 19 Gold badge
    Pint

    Sounded like another "buffer overflow" error attack* but then.....

    The program processes DNA sequences so the notion is to craft a DNA sequence (presumably in some bacteria or virus) that when detected, analyzed and fed through the software triggers a BO fail.

    DNA synthesis machines (and DNAaaS companies exist) have been around for decades, although reinserting the product into an organism is tricky.

    You'd probably want it to have it marked "do not read" by the host organism as what that sequence coded for inside an organism could be anything. Also genes are not read quit the way most people think they are. They are usually in multiple segments and often sub sets of the full set can generate specific proteins as well

    So the attack vector is DNA --> Analyser--> V. big file --> file compressor -->Pwd PC running file compressor.

    Worst case scenario. The malware writer inadvertently creates something that is a viable structure in the host organism and it's highly dangerous.

    I guess it's what you'd do if you were the NSA and you suspected a nation state was running a covert BW programme you wanted to get a window into.

    This is real Greg Bear territory ("Vitals" comes to mind), although I think William Gibson did a short story ("New Rose Hotel"? ) that loosely hinges around this idea.

    Beer as it's Friday and y'know, yeast.

    *My second thought was someone had used genetic algorithm techniques to "breed" more efficient BO code, which would be clever but not be that interesting (I'm not familiar with the subject but I'd be astonished if that hadn't been done several times by now).

    1. albegadeep
      Mushroom

      "New Rose Hotel"

      Exactly what came to mind for me. Gibson's short story included (if I recall correctly) a hacked gene sequencer located in a rival company reprogrammed to quietly crank out a deadly virus...

  5. John Smith 19 Gold badge
    Coat

    Has to be said

    Fortunately there are no known instances of this exploit seen in the wild.

  6. frank ly

    Picture Caption

    A DNA researcher is called Lee Organick :)

    1. MiguelC Silver badge

      Re: Picture Caption

      One is Organick, the second is Koscher!

      Ney?

    2. John Smith 19 Gold badge
      IT Angle

      "A DNA researcher is called Lee Organick :)"

      I wondered if they are related to "Mutician" Elliott Organick ?

  7. jkbonfield

    PR stunt

    Their modification of fqzcomp means that not only does their custom DNA string cause it to break (in an exploitable way), but *all* DNA strings from the same sequencing run would cause it to fail too - likely in a crash. It's therefore an unrealistic attack as no one would deploy such a tool.

    This is a shame because there *are* weaknesses in many tools (fqzcomp included - it has no check for ntok reaching MAX_TOK for example) that can be exploited if you control the *file* contents, but not if you control the *physical DNA* sample. The sequencing instrument is a great leveller here - it turns DNA into well-formed valid output files, which existing software then copes with just fine. The real problems are web sites that permit upload of data files - so cloud analysis sites etc rather than sequencing-as-a-service.

    That said, why would anyone be using fqzcomp for real? It was a royal hack, mostly done at ungodly hours of the morning, as an academic exercise and entry to a competition. It even claims it's "experimental" in the README file. If anyone really cares, use https://sourceforge.net/projects/slimfastq/ instead which was a rewrite of fqzcomp (by a storage company) to be more stable. :-)

    1. John Smith 19 Gold badge
      Unhappy

      "hat said, why would anyone be using fqzcomp for real? It was a royal hack, "

      Because no one uses botched, stitched together software in their production environments, right?

      I'd guess they used it because it because a)They wrote it b)It's actually in common use around the country (or even the world) c)They have a copy in their DNA lab.

      TL;DR. RTF report.

  8. Stevie

    Bah!

    So scientists manipulated data into a vuln. No actual DNA took part other than peripherally.

    A bit different than suggested by your clickbait headline, Mr Journalist.

    1. Bronek Kozicki

      Re: Bah!

      Wrong. They created synthetic DNA which, when sequenced, produced dataset, which in turn allowed them to pwn the computer doing the processing. Admittedly it was due to a bug they inserted into software themselves - so more like a backdoor, to which actual strand of DNA was a key.

      1. Doctor Syntax Silver badge

        Re: Bah!

        "They created synthetic DNA which, when sequenced, produced dataset"

        Which is an unnecessarily long winded way to produce a dataset.

      2. John Smith 19 Gold badge
        Unhappy

        "Admittedly it was due to a bug they inserted into software themselves "

        True, and they stated as much in the report.

        However they also stated they done a source code analysis that showed the program did use the same sort of unsafe coding practices.

        Rather than release a sequence that could crash an unmod'd copy of the program they created a deliberately compromised version that could be crashed by their sequence.

        Which demonstrates this can really happen but not exactly how to do it.

        I guess that's "responsible disclosure" in this field

  9. J.G.Harston Silver badge

    "unnoticed in many-a-lab"

    many-a-lab? What you mean is many a lab. many-a-lab is a prepositional adjective, what you need there is a postpositional descriptive phrase. Guardian journalist infestation again?

  10. samzeman
    Joke

    ACTGTCATGCTG'); DROP TABLE dna_sequenced;--

    1. Doctor Syntax Silver badge

      Is that you Bobby?

      1. Fatman
        Joke

        RE: Is that you Bobby?

        Is one very bad boy.

        </snark>

  11. This post has been deleted by its author

  12. Milo Tsukroff
    Holmes

    From their FAQ: "Many of these are written in languages like C and C++ that are known to contain security vulnerabilities unless programs are carefully written. In this case the programs did not follow computer security best practices. For example, most had little input sanitization and used insecure functions. Others had static buffers that could overflow."

    So what's new? If you don't code in COBOL, your code is going to be insecure. Coding in C / C++ reminds me of a builder who put a house together, then was astonished that his customer wanted DOORS in every doorway. He was absolutely astounded that even more than that, the customer wanted LOCKS in ever door! What's with that? he wondered. The building works just fine without them!! 'Nuff said.

  13. Anonymous Coward
    Anonymous Coward

    I met several types of DNA...

    ... who could create havoc in any system they touched not because of their skills, but plain ignorance and arrogance. The worst part, they've been able to reproduce, also.

  14. Korev Silver badge
    Childcatcher

    Storage admins - abandon all hope

    But is it possible that natural human DNA could also accidentally take down a biological research computer system someday?

    I've been told that a PromethION sequencer will output 500MB/s*, so that'd probably take down many networks and storage systems.

    *yes that capitalisation is correct

    1. Korev Silver badge
      Boffin

      Re: Storage admins - abandon all hope

      Actually... Make that 1.44GB/s!

      1. jkbonfield

        Re: Storage admins - abandon all hope

        When sequencing gets that quick and easy, there comes a point where the intermediate files (like FASTQ or even BAM) get labelled purely as temporary / transitional, with the final output (one of the variant call formats) being the only thing to store.

        We're not there yet,but it won't be too long before it's cheaper to resequence than it is to store.

  15. Anonymous Coward
    Anonymous Coward

    Old Dr Who story.

    "The Wolves of Fenric"

    Anybody?

    Spoiler alert.

    Mad Cold War plan to encourage Russians to steal British crypto machine without anyone knowing it's gone. Machine is too large and complex to take apart without breaking so they will not discover the poison gas canister hidden inside to be triggered on receipt of a hard coded message.

    But things are not quite that simple.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like