Right, this stuff can make your head spin 'round for sure
My only question, since you raised it as a possibility, has been: is it possible to infect an ISO (in writable drive) while booted from it (in use)? This would present a serious security threat that would need to be addressed. Your proof of concept involved a tool (eicfg removal tool) which "works by toggling the deletion bit in the UDF file table, eliminating the need for unpacking and rebuilding the ISO". Since it is equally possible to do this with CD-R media, it seems your point was moot.
It is still my assertion that booting from an ISO is safe (even on writable drive) since attempting to mount, re-write and save the (now infected) ISO would result in crashing the OS you're running from. Even if the image completely resides in RAM, you would still be attempting to re-write the image you're working from and why bother? If it's possible to write a virus to RAM, then you don't need an ISO image to infect, just write the virus in RAM to infect the system on reboot, something I always believed to be impossible since RAM is cleared on reboot. Writing to the BIOS chip would be more likely but is outside the discussion here since it has nothing to do with ISOs vs CD-Rs.
I can (just barely) imagine a scenario where, while you're working from an image in RAM, the virus secretly mounts and rewrites the inactive ISO residing on writable UFD/HDD; this might bypass the usual checks against writing to the drive directly but then this could only affect the system on a subsequent boot of the (now infected) ISO. I seriously doubt any lowlife virus writer could possess this degree of delayed gratification but even so, a quick hash check should root out this possibility before next boot (something I might actually implement).
I think the real discussion should be writable media vs read-only (the ISO is neither here nor there) and there, I agree, better to use RO media like a UFD with RO switch or at least scan it after every use, good idea anyway.
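The pre-boot hash check mentioned in the post, as an added example that is not part of the original post or any tool named in it: it compares an image against a baseline and shows that an in-place one-bit change, with the timestamp put back, passes a size/mtime check but fails the SHA-256 check. The file name, offset and the size/mtime comparison are constructed for illustration.

```python
import hashlib, hmac, os, tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream the image through SHA-256 so a large ISO never sits fully in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record_baseline(path):
    """Fingerprint a known-good image; store the result off the writable drive."""
    st = os.stat(path)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "sha256": sha256_file(path)}

def verify(path, baseline):
    """Return (metadata_ok, hash_ok) for the image against the baseline."""
    st = os.stat(path)
    meta_ok = (st.st_size, st.st_mtime_ns) == (baseline["size"], baseline["mtime_ns"])
    hash_ok = hmac.compare_digest(sha256_file(path), baseline["sha256"])
    return meta_ok, hash_ok

def demo():
    """Constructed image: change one bit in place, restore timestamps, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "constructed.iso")      # constructed sample, not a real ISO
        with open(iso, "wb") as f:
            f.write(bytes(range(256)) * 8192)         # 2 MiB of constructed data
        base = record_baseline(iso)
        before = verify(iso, base)
        st = os.stat(iso)
        with open(iso, "r+b") as f:                   # in-place edit, no rebuild
            f.seek(0x8000)                            # arbitrary constructed offset
            byte = f.read(1)[0]
            f.seek(0x8000)
            f.write(bytes([byte ^ 0x01]))
        os.utime(iso, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamps put back
        after = verify(iso, base)
        return before, after

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the baseline and the system computing it, so the recorded digest belongs on read-only media and the comparison should run from a known-clean environment.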