1. 1

  2. 6

    Paper pdf: http://dnasec.cs.washington.edu/dnasec.pdf

    Relevant part of their summary:

    To assess whether this is theoretically possible, we included a known security vulnerability in a DNA processing program that is similar to what we found in our earlier security analysis. We then designed and created a synthetic DNA strand that contained malicious computer code encoded in the bases of the DNA strand. When this physical strand was sequenced and processed by the vulnerable program it gave remote control of the computer doing the processing. That is, we were able to remotely exploit and gain full control over a computer using adversarial synthetic DNA.

    The relevant part of the paper is:

    The FASTQ compression utility, fqzcomp, is designed to compress DNA sequences. For experimental purposes, we inserted a vulnerability into this utility. To do so, we first copied fqzcomp from https://sourceforge. net/projects/fqzcomp/ and inserted a vulnerability into version 4.6 of its source code; a function that processes and compresses DNA reads individually, using a fixed-size buffer to store the compressed data. This modification lets us perform a buffer overflow with a longer than expected DNA read in order to hijack control flow. While the use of such a fixed-size buffer is an obvious vulnerability, we note that fqzcomp already contains over two dozen static buffers. Our modifications added 54 lines of C++ code and deleted 127 lines from fqzcomp.

    Frankly speaking, this is academic click bait.

    The technology of DNA editing is spectacular and holds a lot of promise, but we shouldn’t be handing out cookies just because people use them. In the infosec world is it news that I can add a vulnerability to a program?

    This is a strategic juxtaposition of two hot topics (DNA editing and computer security) tortuously contrived to get a headline.

    Frankly speaking the excel gene name scandal is a more worthy topic to be informed about.

    1. 1

      Thanks for this. May help it cool some heads at my lab.

      1. 1

        The Technology Review article is certainly too sensationalist, but the paper makes it obvious in the abstract that this was not a real vulnerability in fqzcomp. Anyway, if nothing else, at least it’s a cool attack vector.