Scientists perform exploit through malware in DNAd

Scientists at the American University of Washington have managed to exploit a DNA analysis program. To do that, they encoded code into a DNA sample, triggering a buffer overflow.

The scientists describe their work on a specially designed website and in an accompanying paper. There they explain that their experiment assumed the best conditions for a potential attacker. They chose the so-called fqzcomp software as their target, which serves to compress DNA sequences. By downloading the open source code, the scientists were able to build in a vulnerability in the form of a static buffer. They note that the program already contained many of these buffers. Protection functions such as aslr were turned off.

They then encoded a DNA sample with malicious code, which after reading by a sequencer would be executed on the vulnerable system. The scientists explain that they always linked 2bit pairs to nucleotides: 00 to A, 01 to C, 10 to G and 11 to T. A first attempt to introduce an exploit failed, partly because the smallest shell code was too large. to put into a DNA sequence. Finally, they managed to create a 43-byte exploit that allowed the target system to connect to the shortest possible domain name and retrieve malware that enabled remote code execution.

Successful and failed exploit

With their research, the researchers want to demonstrate that it is possible to eventually achieve remote code execution via DNA. In doing so, they want to draw attention to the fact that DNA sequencing machines do not always follow security best practices. They caution that their findings are not cause for concern, as no similar current threats exist. The researchers therefore see their work as a first step and an incentive to think about security in the world of DNA sequencing. Their research found that the code used in the accompanying software often contains vulnerabilities. They will present their research at the Usenix conference in Vancouver next week.