Even with code written in unsafe languages, ASLR and the XD/NX bit make this class of exploits almost completely obsolete. I'm assuming the DNA software they were using had neither turned on.
I'm a bit exhausted of hearing about buffer overflow exploits. There's nothing smart or clever about them (anymore).
Most languages can be safe with a safe implementation and most languages can be unsafe with an unsafe implementation.
Just use a safe implementation next time, or go all-in and formally verify your programs.
I don't think -- an example off the top of my head, don't nitpick please -- that Clojure and Erlang/Elixir are that easily exploited with buffer overflows. I'd even say they are immune but I am not a security researcher.
They modified an analysis program so that it uses a fixed-size buffer in a vulnerable way (no bounds checks, etc.). Then, they synthesized some DNA that, when sequenced and analyzed with this program, overflows that buffer.
To their credit, parts of the paper are very upfront about this, but it's still very hokey, in my opinion. All the DNA stuff feels like a smokescreen around a pretty boring buffer overflow exploit that wasn't even present in the original code.
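The pattern described in the comment above (a fixed-size buffer filled from a sequencing read with no bounds check), next to a length-checked version, as an added example that is not part of the thread or the paper's code. The 2-bit base packing, the 128-base limit and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_READ_BASES 128                  /* assumed fixed read limit */
#define PACKED_BYTES   (MAX_READ_BASES / 4) /* 2 bits per base */

/* Map one base to its 2-bit code, or -1 for anything else (N, newline, ...). */
static int base_code(char c) {
    switch (c) {
    case 'A': return 0;
    case 'C': return 1;
    case 'G': return 2;
    case 'T': return 3;
    default:  return -1;
    }
}

/* The pattern the comment describes: the loop trusts the length of the
 * read, so a read longer than MAX_READ_BASES writes past out[]. */
void pack_read_unchecked(const char *seq, uint8_t out[PACKED_BYTES]) {
    for (size_t i = 0; seq[i] != '\0'; i++)
        out[i / 4] |= (uint8_t)((base_code(seq[i]) & 3) << (2 * (i % 4)));
}

/* Hardened form: validate length and alphabet before touching out[].
 * Returns the number of bases packed, or -1 if the read is rejected. */
int pack_read_checked(const char *seq, uint8_t out[PACKED_BYTES]) {
    size_t n = 0;
    while (n <= MAX_READ_BASES && seq[n] != '\0')
        n++;                                /* never scans past the limit + 1 */
    if (n > MAX_READ_BASES)
        return -1;                          /* too long for the buffer */
    for (size_t i = 0; i < n; i++)
        if (base_code(seq[i]) < 0)
            return -1;                      /* not A/C/G/T */
    memset(out, 0, PACKED_BYTES);
    for (size_t i = 0; i < n; i++)
        out[i / 4] |= (uint8_t)(base_code(seq[i]) << (2 * (i % 4)));
    return (int)n;
}
```

Rejecting the read before any write means an oversized or malformed read never reaches the buffer, independent of whether ASLR or NX is enabled on the host.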
When we filed bugs against the products, the reply was that security was not a priority, because academics.
These kinds of parsers often run on machines that have a great deal of valuable intellectual property on them. It's not unreasonable to believe that somebody might exfiltrate IP from a biotech using malicious DNA sequences. It's unlikely, but not unreasonable to believe.
To computer scientists, it's pretty obvious that DNA used as input to a program could be maliciously crafted.
Wow, incredible work guys. Really a milestone here.
I guess if it was already well-established that reading programmable DNA was a thing, then this is about as innovative as "you can put malicious programs on flash drives, or as email attachments."
But in that case, what would they have to do that's interesting from a biotech+compsci perspective to show impressive work? Have DNA that can find security vulnerabilities on its own? Or somehow create a stack that can use a program on a DNA strand to then attack some more well-known, real security vulnerability? That seems about the same as just running code from DNA, which is what they demonstrated?
But if most people aren't aware of DNA programming, isn't this still cool? Am I missing something else?
I dread (but am already certain it will eventually happen) the day when some kind of gene therapy cure will be customized to your DNA and will contain some absolutely nasty bio-DRM (think turbo cancer) if it gets applied to the wrong person, or past a date, etc.
> "Bones": The Crack in the Code http://www.imdb.com/title/tt2076424/synopsis
Need to sanitize those inputs!
Especially the part when in the original movie two garbage truck drivers were remotely hacked and their identities were completely replaced. That could probably happen by checking out a certain street sign.
Scary.