* Posts by jkbonfield

2 publicly visible posts • joined 11 Aug 2017

'Adversarial DNA' breeds buffer overflow bugs in PCs

jkbonfield

Re: Storage admins - abandon all hope

When sequencing gets that quick and easy, there comes a point where the intermediate files (like FASTQ or even BAM) get labelled purely as temporary / transitional, with the final output (one of the variant call formats) being the only thing to store.

We're not there yet, but it won't be too long before it's cheaper to resequence than it is to store.

jkbonfield

PR stunt

Their modification of fqzcomp means that not only does their custom DNA string cause it to break (in an exploitable way), but *all* DNA strings from the same sequencing run would cause it to fail too - likely in a crash. It's therefore an unrealistic attack as no one would deploy such a tool.

This is a shame because there *are* weaknesses in many tools (fqzcomp included - it has no check for ntok reaching MAX_TOK for example) that can be exploited if you control the *file* contents, but not if you control the *physical DNA* sample. The sequencing instrument is a great leveller here - it turns DNA into well-formed valid output files, which existing software then copes with just fine. The real problems are web sites that permit upload of data files - so cloud analysis sites etc rather than sequencing-as-a-service.

That said, why would anyone be using fqzcomp for real? It was a royal hack, mostly done at ungodly hours of the morning, as an academic exercise and entry to a competition. It even claims it's "experimental" in the README file. If anyone really cares, use https://sourceforge.net/projects/slimfastq/ instead which was a rewrite of fqzcomp (by a storage company) to be more stable. :-)
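The "no check for ntok reaching MAX_TOK" point above, as an added example that is not fqzcomp's code and not from the comment author: a read-name tokeniser that fills a fixed array of MAX_TOK slots, shown once without a bound on ntok (the defect) and once with the check. The names MAX_TOK, MAX_TOK_LEN, name_tokens, tokenise_name_*, and both sample read names are assumptions made for this illustration; the crafted 9-field name stands in for what a file-level attacker could supply, while an instrument-style 7-field name passes both variants.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TOK      8    /* fixed number of token slots (assumed value) */
#define MAX_TOK_LEN 32    /* longest field kept per slot (assumed value) */

typedef struct {
    char tok[MAX_TOK][MAX_TOK_LEN];
    int  ntok;
} name_tokens;

/* Vulnerable pattern: split a read name on ':' and '/' into t->tok with no
 * guard on ntok.  A file-supplied name with more than MAX_TOK fields writes
 * past the end of t->tok.  Kept only to show the defect; never feed it
 * untrusted input. */
static int tokenise_name_unchecked(const char *name, name_tokens *t)
{
    const char *p = name;
    t->ntok = 0;
    while (*p) {
        size_t len = strcspn(p, ":/");
        if (len >= MAX_TOK_LEN)
            return -1;
        memcpy(t->tok[t->ntok], p, len);       /* ntok may already be MAX_TOK */
        t->tok[t->ntok][len] = '\0';
        t->ntok++;
        p += len;
        if (*p)
            p++;                               /* skip the delimiter */
    }
    return t->ntok;
}

/* Hardened form: identical, plus the one bound check.  An over-long name is
 * rejected rather than silently truncated, so a caller cannot mistake a
 * partial tokenisation for a complete one. */
static int tokenise_name_checked(const char *name, name_tokens *t)
{
    const char *p = name;
    t->ntok = 0;
    while (*p) {
        size_t len = strcspn(p, ":/");
        if (len >= MAX_TOK_LEN)
            return -1;
        if (t->ntok >= MAX_TOK)                /* the missing check */
            return -1;
        memcpy(t->tok[t->ntok], p, len);
        t->tok[t->ntok][len] = '\0';
        t->ntok++;
        p += len;
        if (*p)
            p++;
    }
    return t->ntok;
}

/* Wrappers so outcomes are plain return values: token count, or -1 on reject. */
static int checked_count(const char *name)
{
    name_tokens t;
    return tokenise_name_checked(name, &t);
}

static int unchecked_count(const char *name)   /* only safe for <= MAX_TOK fields */
{
    name_tokens t;
    return tokenise_name_unchecked(name, &t);
}

static int checked_token_is(const char *name, int i, const char *expected)
{
    name_tokens t;
    if (tokenise_name_checked(name, &t) < 0 || i < 0 || i >= t.ntok)
        return 0;
    return strcmp(t.tok[i], expected) == 0;
}

/* Constructed sample names (not real data): one shaped like an Illumina
 * instrument read name with 7 fields, one crafted with 9 fields. */
static const char instrument_name[] = "M01234:56:000000000-ABCDE:1:1101:15000:1200";
static const char crafted_name[]    = "a:b:c:d:e:f:g:h:i";

int main(void)
{
    printf("instrument name: checked=%d unchecked=%d\n",
           checked_count(instrument_name), unchecked_count(instrument_name));
    printf("crafted name:    checked=%d (rejected)\n", checked_count(crafted_name));
    /* tokenise_name_unchecked(crafted_name, ...) would overflow; deliberately not run. */
    return 0;
}
```

The instrument-shaped name is exactly the kind of "well-formed valid output" the comment credits the sequencer with: both variants agree on it. Only the crafted name, which can come from an uploaded file but not from a sequencing run, separates the two.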