
Malicious code written into DNA infects the computer that reads it - listentojohan
https://techcrunch.com/2017/08/09/malicous-code-written-into-dna-infects-the-computer-that-reads-it/
======
kneel
> They cheated a little by introducing a particular vulnerability into the
> software themselves.

Wow, incredible work guys. Really a milestone here.

~~~
keerthiko
Can we slow down the hate-train for a second...as a relative security newbie,
isn't this still a big deal? Isn't all malicious code written to exploit
known (or likely) vulnerabilities in software? Wasn't the point being
demonstrated "you can write interpretable code on DNA that can be run on
computers, which turns out, can be malicious code too"?

I guess if it was already well-established that reading programmable DNA was a
thing, then this is about as innovative as "you can put malicious programs on
flash drives, or as email attachments."

But in that case, what would they have to do that's interesting from a
biotech+compsci perspective to show impressive work? Have DNA that can find
security vulnerabilities on its own? Or somehow create a stack that can use a
program on a DNA strand to then attack some more well-known, real security
vulnerability? That seems about the same as just running code from DNA, which
is what they demonstrated?

But if most people aren't aware of DNA programming, isn't this still cool? Am
I missing something else?

------
emh68
I feel like scientists are intentionally doing things they know will generate
clickbait headlines. It's probably good for funding.

------
winter_blue
This is (yet) another buffer overflow exploit. Writing your code in _a safe
language_ makes buffer overflows obsolete. This problem was solved a long time
ago. It should have been obsolete by now.

Even with code written in unsafe languages, ASLR and the XD/NX bit make this
class of exploits almost completely obsolete. I'm assuming the DNA software
they were using had neither turned on.

I'm a bit exhausted of hearing about buffer overflow exploits. There's nothing
smart or clever about them (anymore).

~~~
snakeanus
> Writing your code in a safe language makes buffer overflows obsolete

Most languages can be safe with a safe implementation and most languages can
be unsafe with an unsafe implementation.

Just use a safe implementation next time, or go all-in and formally verify
your programs.

~~~
dreamcompiler
What's a "safe implementation" of C?

~~~
snakeanus
Something like [https://staff.aist.go.jp/y.oiwa/FailSafeC/index-en.html](https://staff.aist.go.jp/y.oiwa/FailSafeC/index-en.html)
or GCC/Clang with the sanitisers.

------
mediocrejoker
Even though in this case the software vulnerability was introduced by the
researchers, this is still a very innovative proof of concept that combines
techniques from biochemistry and computer security.

------
gruturo
As long as the code is "just" malicious to computers.

I dread (but am already certain it will eventually happen) the day when some
kind of gene therapy cure will be customized to your DNA and will contain some
absolutely nasty bio-DRM (think turbo cancer) if it gets applied to the wrong
person, or past a date, etc.

~~~
nkrisc
"bio-DRM", there's a scary thought. Kind of like replicants.

------
kaffeemitsahne
Not too far-off from the oft-mocked segment in Bones where a computer is
infected by making an MRI scan of a malware fractal pattern embedded in the
bones.

~~~
dpflan
I'd recommend watching this for its entertainment value (perhaps ironic
entertainment value).

> "Bones": _The Crack in the Code_
> [http://www.imdb.com/title/tt2076424/synopsis](http://www.imdb.com/title/tt2076424/synopsis)

------
ccvannorman
Reminds me of Hofstadter's "Given any record player, I guarantee a record can
be made to break it"

------
throwaway2016a
I think the big thing this shows is that "Never trust your input data without
validation" really means "never" even if the data is something seemingly
difficult to tamper with.

------
dboreham
Actual paper:
[http://dnasec.cs.washington.edu/dnasec.pdf](http://dnasec.cs.washington.edu/dnasec.pdf)

~~~
mattkrause
This is silly....

They modified an analysis program so that it uses a fixed-size buffer in a
vulnerable way (no bounds checks, etc). Then, they synthesized some DNA that,
when sequenced and analyzed with this program, overflows that buffer.

To their credit, parts of the paper are very upfront about this, but it's
still very hokey, in my opinion. All the DNA stuff feels like a smokescreen
around a pretty boring buffer overflow exploit that wasn't even present in the
original code.

~~~
dekhn
You don't need to modify existing analysis programs. I worked on a Cloud
Genomics product and we inspected BAM parsers, etc, and they all lack basic
validation, so it's trivial to create malicious inputs that cause them to
crash.

When we filed bugs against the products, the reply was that security was not a
priority, because academics.

These kinds of parsers often run on machines that have a great deal of
valuable intellectual property on them. It's not unreasonable to believe that
somebody might exfiltrate IP from a biotech using malicious DNA sequences.
It's unlikely, but not unreasonable to believe.
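
Added example, not part of the thread or the paper: the length and format checks whose absence mattkrause and dekhn describe above, written in C for one four-line FASTQ-style text record. The record layout, `MAX_READ_LEN` and every name in the code are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define MAX_READ_LEN 150 /* assumed capacity of the fixed read buffer */

enum fq_status { FQ_OK, FQ_MALFORMED, FQ_TOO_LONG, FQ_BAD_BASE, FQ_BAD_QUAL };

struct fq_read {
    char bases[MAX_READ_LEN + 1];
    char quals[MAX_READ_LEN + 1];
    size_t len;
};

/* Return the length of the line at *p and advance *p past its '\n', if any. */
static size_t next_line(const char **p, const char **start)
{
    *start = *p;
    size_t n = strcspn(*p, "\n");
    *p += n + ((*p)[n] == '\n');
    return n;
}

/* Parse one four-line record from NUL-terminated, untrusted text. */
enum fq_status parse_fastq_record(const char *text, struct fq_read *out)
{
    const char *p = text, *hdr, *seq, *sep, *qual;
    size_t hdr_len = next_line(&p, &hdr);
    size_t seq_len = next_line(&p, &seq);
    size_t sep_len = next_line(&p, &sep);
    size_t qual_len = next_line(&p, &qual);

    if (hdr_len == 0 || hdr[0] != '@' || sep_len == 0 || sep[0] != '+')
        return FQ_MALFORMED;
    if (seq_len == 0 || qual_len != seq_len)
        return FQ_MALFORMED;
    if (seq_len > MAX_READ_LEN)          /* checked before any byte is copied */
        return FQ_TOO_LONG;
    for (size_t i = 0; i < seq_len; i++) {
        if (!strchr("ACGTN", seq[i]))    /* only symbols a sequencer emits */
            return FQ_BAD_BASE;
        if (qual[i] < '!' || qual[i] > '~')
            return FQ_BAD_QUAL;
    }
    memcpy(out->bases, seq, seq_len);
    memcpy(out->quals, qual, seq_len);
    out->bases[seq_len] = out->quals[seq_len] = '\0';
    out->len = seq_len;
    return FQ_OK;
}
```

A read one base longer than the buffer is rejected with `FQ_TOO_LONG` instead of being copied, and the destination is written only after every check has passed.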

~~~
snakeanus
No such thing as "intellectual property". And it's not like the original
program would disappear anyway so I can't see the issue in that specific case.

~~~
dekhn
I worked at a Biotech. Many companies store unpatented DNA sequences as secret
intellectual property.

~~~
snakeanus
And this is a bad thing.

~~~
mattkrause
If it makes you feel better, "naturally occurring" DNA sequences are no longer
patentable (AMP v. Myriad) but synthesized cDNA libraries still are.

------
DArcMattr
This is almost the plot of a scifi novel published in 1994, The Deus Machine,
by Pierre Ouellette. The malicious code was placed in introns by nature
itself.

Need to sanitize those inputs!

------
pdimitar
"Ghost in the Shell" reality comes closer and closer.

Especially the part when in the original movie two garbage truck drivers were
remotely hacked and their identities were completely replaced. That could
probably happen by checking out a certain street sign.

Scary.

------
rdiddly
From the title I thought they were going for a metaphor to describe what a
cold or other virus might do. (And you're the computer.)

------
kazinator
If an MP3 playlist can exploit a player, why not any other data? A barcode on
a banana could hide an exploit, so why not DNA?

------
xbmcuser
Reminds me of an episode of Bones

------
bigato
never trust input

