‘Adversarial DNA’ breeds buffer overflow bugs in PCs
Scientists from the University of Washington have created synthetic DNA that produced malware of a sort.
Detailed in a paper titled “Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More”, the authors explain that they decided to “synthesize DNA strands that, after sequencing and post-processing, generated a file; when used as input into a vulnerable program, this file yielded an open socket for remote control.”
To make it work, the authors got their hands on the source code of open-source DNA compressor fqzcomp and “inserted a vulnerability into version 4.6 of its source code; a function that processes and compresses DNA reads individually, using a fixed-size buffer to store the compressed data.”
“This modification lets us perform a buffer overflow with a longer than expected DNA read in order to hijack control flow.”
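The pattern the paper describes, a per-read routine writing into a fixed-size buffer, is shown below as an added illustration; it is not fqzcomp’s code. The buffer size, the 2-bit-per-base packing and every function name are assumptions made for this example. The unchecked version trusts the read length and so writes past its buffer on an over-long read; the checked version validates length and alphabet before the first write, which is the fix a reviewer would ask for.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Fixed-size buffer for one compressed read: 64 bytes = 256 bases at 2 bits/base.
   Both numbers are assumptions for this example, not values taken from fqzcomp. */
#define PACKED_CAP 64
#define MAX_BASES (PACKED_CAP * 4)

/* Map a nucleotide to its 2-bit code; -1 for anything that is not A/C/G/T. */
static int base_code(char c) {
    switch (c) {
        case 'A': case 'a': return 0;
        case 'C': case 'c': return 1;
        case 'G': case 'g': return 2;
        case 'T': case 't': return 3;
        default: return -1;
    }
}

/* Vulnerable shape (hypothetical, modelled on the paper's description): the read
   length is trusted and packed bases go into a fixed buffer with no bounds check.
   A read longer than MAX_BASES writes past the end of 'packed'. Never call this
   with untrusted input; it is here only to show what the check below prevents. */
size_t pack_read_unchecked(const char *read, size_t len, uint8_t packed[PACKED_CAP]) {
    memset(packed, 0, PACKED_CAP);
    for (size_t i = 0; i < len; i++) {
        int code = base_code(read[i]);
        if (code < 0) code = 0;                 /* silently maps junk to 'A' */
        packed[i / 4] |= (uint8_t)(code << (2 * (3 - i % 4)));  /* out of bounds once i/4 >= PACKED_CAP */
    }
    return (len + 3) / 4;
}

/* Hardened form: length and alphabet are validated before any write.
   Returns the number of packed bytes, or -1 if the read was rejected. */
long pack_read_checked(const char *read, size_t len, uint8_t packed[PACKED_CAP]) {
    if (read == NULL || len > MAX_BASES) return -1;   /* the check the vulnerable version lacks */
    memset(packed, 0, PACKED_CAP);
    for (size_t i = 0; i < len; i++) {
        int code = base_code(read[i]);
        if (code < 0) return -1;                 /* malformed read: refuse rather than guess */
        packed[i / 4] |= (uint8_t)(code << (2 * (3 - i % 4)));
    }
    return (long)((len + 3) / 4);
}

/* Helper for tests: pack a NUL-terminated read and return its first packed byte,
   or -1 if the read was rejected. */
int first_packed_byte(const char *read) {
    uint8_t packed[PACKED_CAP];
    if (pack_read_checked(read, strlen(read), packed) < 0) return -1;
    return packed[0];
}

/* Self-check of the boundary: exactly MAX_BASES bases are accepted, one more is rejected. */
int length_check_works(void) {
    static char read[MAX_BASES + 2];
    uint8_t packed[PACKED_CAP];
    memset(read, 'A', MAX_BASES + 1);            /* constructed all-'A' read */
    read[MAX_BASES + 1] = '\0';
    return pack_read_checked(read, MAX_BASES, packed) == PACKED_CAP
        && pack_read_checked(read, MAX_BASES + 1, packed) == -1;
}

int main(void) {
    const char *read = "ACGTACGTTTGA";           /* constructed sample read */
    uint8_t packed[PACKED_CAP];
    long n = pack_read_checked(read, strlen(read), packed);
    printf("packed %ld byte(s), first byte 0x%02X\n", n, packed[0]);
    printf("length check works: %s\n", length_check_works() ? "yes" : "no");
    return 0;
}
```

Note that both versions behave identically on well-formed reads, which is why the paper's point about a lab not noticing the change is plausible: ordinary test data never exercises the missing check. The same reasoning applies to the "over two dozen static buffers" the article mentions: each one needs the length-versus-capacity comparison the checked routine performs.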
Readers may at this point think that it’s pretty easy to break software when you feed it data that you know in advance will cause it problems. The researchers recognise this, writing that they know their crocked code is “in many ways the ‘best possible’ environment for an adversary.”
But they also note that the vulnerability they created already exists, as “fqzcomp already contains over two dozen static buffers. Our modifications added 54 lines of C++ code and deleted 127 lines from fqzcomp.” The Register imagines that kind of modification could go unnoticed in many a lab.
But the paper also points out that synthesising any DNA, never mind stuff designed to disrupt bioinformatics software, is hard and prone to error. Even if you can do the job, you need to get the right sample into the right lab, and need to know what software that lab is running. Or get malformed software into that lab.
All of which is hard. But so was getting Stuxnet across an air-gap into an Iranian centrifuge.
The authors’ main recommendation is that, although bioinformatics software just hasn’t been written with this kind of attack in mind, DNA is information encoded in chemicals, so the authors of such software should wise up to the risks they’ve demonstrated.
You can find the paper here [PDF] and the University’s explainer and FAQ here. The second document tries hard to point out that this is all theoretical. “We have no evidence to believe that the security of DNA sequencing or DNA data in general is currently under attack,” the primer says. “Instead, we view these results as a first step toward thinking about computer security in the DNA sequencing ecosystem.” ®
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/11/malware_in_dna/