> "Rather than exploit an existing vulnerability in the fqzcomp program, as real-world hackers do, they modified the program's open-source code to insert their own flaw allowing the buffer overflow."
So really, this is not as interesting as the headline would have you believe. Storing data in DNA is nothing new, and these researchers are just using it as input to a program that was deliberately written to improperly handle that data.
Though, really, is that interesting? Yes, you should treat all input data as data no matter where it came from. And you should have checks in place to reject any data that is out of size/whatever constraints for your software.
And for the love of secure software, never blindly execute code from a serialized source without damned good reasons for thinking that source is safe.
Yes. Trusting human DNA is something that WILL absolutely, 100%, no-doubt-about-it happen in the future and you will hear about it. People are good at finding ways to screw things up.
I remember that Perl has (had?) a feature where all variables would be "tainted". Using a tainted variable would make the program exit in an error and the only way to clean them is to pass them through a regex.
Tainted is a terribly flawed concept unfortunately. At least the way it's implemented normally.
Strings are never universally tainted. They're tainted for a specific purpose. One language will treat backticks as a string quote, another as a subshell substitution. One will think $ is ok, another will interpolate the string. But in most cases I've seen, the tainted flag is just used for "Ah, we quoted the ' in the string - you're safe now" :-(
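The point made in the comment above, that a string is tainted for a specific purpose rather than universally, shown as an added example that is not part of the original thread. The names `SAMPLE`, `naive_untaint`, `Untrusted` and the `names` table are hypothetical, and the sample input is constructed.

```python
import html
import shlex
import sqlite3

# Constructed sample input containing characters that are special in
# different contexts: ' (SQL), ` and $ (shell), < and > (HTML).
SAMPLE = "O'Brien `date` $HOME <b>"


def naive_untaint(s: str) -> str:
    """The single-flag approach: double the ' and declare the string clean."""
    return s.replace("'", "''")


class Untrusted:
    """External input whose raw value is only released through a sink-specific encoder."""

    def __init__(self, raw: str):
        self._raw = raw

    def for_shell(self) -> str:
        # Becomes exactly one shell word; backticks and $ stay literal.
        return shlex.quote(self._raw)

    def for_html(self) -> str:
        return html.escape(self._raw, quote=True)

    def store_and_fetch(self, db: sqlite3.Connection) -> str:
        # Bound parameter: the value is never spliced into the SQL text.
        db.execute("INSERT INTO names(value) VALUES (?)", (self._raw,))
        return db.execute("SELECT value FROM names").fetchone()[0]


def demo() -> dict:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE names(value TEXT)")
    u = Untrusted(SAMPLE)
    return {
        "naive": naive_untaint(SAMPLE),      # still carries `date`, $HOME, <b>
        "shell": u.for_shell(),
        "html": u.for_html(),
        "sql_roundtrip": u.store_and_fetch(db),
    }


if __name__ == "__main__":
    for sink, value in demo().items():
        print(f"{sink:14} {value}")
```

The "naive" result is only meaningful for one sink (a SQL string literal); the other three outputs differ from each other because each sink has its own metacharacters.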
The concept itself is interesting in its own right and this is still a very innovative proof of concept that combines techniques from biochemistry and computer security.
One of the interesting insights to come out of this is that to ensure a higher probability that the sequencer reads the code correctly, it should be a palindrome.
1. Gene sequence injects malware to take control of DNA sequencer. 2. Compromised sequencer searches local network for DNA synthesisers. 3. Malware modifies synthesiser software to insert novel retrovirus into output DNA. 4. Wait for DNA to be executed inside a cell.
In 2045 Interpol's Genetic Crime Division grapples with a new type of crime: illicit genetic editing -- and it isn't long before the fight gets personal.
There's ongoing work in adversarial examples for neural networks. This could conceivably be used to exploit self-driving cars, making it see things that aren't there.
Not a digital camera, but I had once written some poor vision processing code that would segfault when it recognized a certain pattern. It was interesting to think about, that I could break my program by showing it a picture.
You can use adversarial neural networks to make a special picture that looks like noise or junk, but a certain neural network will recognize e.g. a dog in it. You basically train the ANN to make something that the other NN classifies as dog, but humans don't.
I often wonder if you could do that with humans. I don't think you can crash a human brain a la Snow Crash or Basilisk, but I think it is plausible to craft an abstract picture that creates fear, arousal, or some other "primitive" response.
Or the Season 3 primer of Rick and Morty where Rick invents a fictional backstory with the secret the federation was looking for replaced with exploit code.
"The diskette in my hand. Rain on the river. I knew, but I couldn't
face it. I put the code for that meningial virus back into your purse and
lay down beside you.
So Moenner died, along with other Hosaka researchers. Including
Hiroshi. Chedanne suffered permanent brain damage.
Hiroshi hadn't worried about contamination. The proteins he punched
for were harmless. So the synthesizer hummed to itself all night long
building a virus to the specifications of Maas Biolabs GmbH. Maas. Small,
fast, ruthless -- All Edge."
Technically this might be accurate? Someone could in theory naturally have a specific sequence in their DNA which could cause the same effect. Fuzzing is... oh never mind.