File integrity check utility?

[Xocet]

I'm creating a basic system whereby an authorized internet user can upload a file through a PHP system and then have that file loaded by labview into memory for use on the webserver (via a web page created by the PHP code). However, as a security measure I want to verify that uploaded file is in fact a good, useable VI.

Is there a command line switch for labview (7.0) or an independent small utility, that will simply return a yes or a no as to whether or not the file is in fact a valid Labview VI? In the current setup the PHP script would use exec() to run the command and return the output.

Also, if anyone has suggestions on a better way to do this, I'm not married to my current method, so feel free to suggest away.

Thanks in advance for any help,

- Xo

[Michael Aivaliotis]

I don't know the answer to your LabVIEW commnd line switch question and I don't know of any other utility to verify VI's.

On the other hand, it sounds like you're an expert at PHP programming so there might be another way. What you can do is build an EXE in LabVIEW that is responsible for handling the launching of your VI's. Then that utility can do a verification by dynamically loading the uploaded VI. If it is invalid or corrupt then you will get an error from the "open Vi reference" function. The utility can then write a flag to a MYSQL database or into a textfile. You can make a PHP script to go and read the result of this file or database entry.

Also, I would be a little concerned about allowing users to upload and launch any VI onto your server. That VI can easily have a "deldir" function ! I'm curious, how are you presenting the results of the VI execution to the user? Is the VI running in a remote panel container?

[Xocet]

Obviously I'm not an expert Labview programmer, but your idea sounds like a good one. I'll give that a shot. I've also noticed that if you text-parse a VI you get a few common tags, so I can get PHP to check those. It's not foolproof, but ought to work as a stop-gap.

As for security, I'm so far handling it on the web-server side of things - PHP calls the VI into memory under a restricted account, so theoretically it shouldn't be able to delete files. However, I'm not 100% sure that I can launch the Labview web server under the restricted account. I need to do some reading on labview and remote VIs (i.e. what is a Remote Panel Container?)

Anyway, this is for a distance-education class, and will be run through the department user authentication system before getting to the PHP upload pages. There will only be a dozen students or so, so if one of them decides to trash my webserver, they'll find themselves in front of a disciplinary committee pretty quickly I would think.

Regardless, I've been working under the assumption that Labview doesn't have the capability of securing a system like this. If there is some sort of inherent security for restricted what a VI can do, then I'm all ears. Whatever the security is though, it can't restrict the VI's ability to access the DAQ card, since all the hardware they're using is on a remote ELVIS board.

Thanks for you help,

-Xo

[evargas]

I thinks that goes along with my idea when I started (but never finished, at least yet) this application I called "VI Background check":

http://www.jyestudio.com/visecurity/tools.shtml

The idea was to check a VI for the possibility of nasty things.

[Rolf Kalbermatter]

Excluding very old LabVIEW versions, you can assume that the first 16 bytes of a VI are always the same. In fact any LabVIEW resource file has the same 16 byte structure with 4 out of those 16 bytes identifying the type of file.

52 53 52 43 RSRC

0D 0A 00 03 <version number> ; this value since about LabVIEW 3

4C 56 49 4E LVIN or LVCC/LVAR

4C 42 56 57 LBVW

Anybody recognizing some resemplance with the Macintosh file type resource here ;-)

[dhuff]

I have heard of people using a custom made check in type utility. Have a program check to execute the VI locally on the users computer, just to see if it runs. Then bundle up the users VI and PHP signature on a document. The system could only accept files that have the signature attached. You could even use the MD5.LLB files on the NI website to give a MD5 checksum for the whole bundle of files.