Things that make me smile when using LabVIEW.


ShaunR

CVE-2021-42694

Quote

An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software.

CVE-2021-42574

Quote

An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers.

 

Link to comment
17 hours ago, Gribo said:

LabVIEW enjoys security by obscurity right now. I am sure that the entire stack (Run time, Visa, DAQmx, whatever other services NI installs) has tons of holes and exploits.

It's a lot worse than that. It affects all text languages that use a Unicode compiler (Python, C++, Delphi et al.) and is undetectable by visual inspection of the source code. It isn't a programmer's application with a bug - you can't trust the source code is doing what you think it is doing.

Link to comment
15 hours ago, Gribo said:

There was a page full of evil VIs that played tricks on the poor programmer trying to read them, I don't remember where I saw it.

If it is what I think you are referencing then it is when the VI is run (run when opened), rather than the source code itself. It is also detectable by inspection but double clicking on the VI runs it. This is why most of us place a new, unknown, VI on a diagram or run something like this.

Tags Detect.vi

 

Link to comment
3 hours ago, ShaunR said:

If it is what I think you are referencing then it is when the VI is run (run when opened), rather than the source code itself. It is also detectable by inspection but double clicking on the VI runs it. This is why most of us place a new, unknown, VI on a diagram or run something like this.

Tags Detect.vi 12.61 kB · 3 downloads

 

Why is the "RunOnOpened" PN in the loop and why are persistent tags suspicious?

Link to comment
On 1/1/2022 at 10:11 AM, ShaunR said:

It's a lot worse than that. It affects all text languages that use a Unicode compiler (Python, C++, Delphi et al.) and is undetectable by visual inspection of the source code. It isn't a programmer's application with a bug - you can't trust the source code is doing what you think it is doing.

VSCode's October update changed it so directional formatting characters are displayed by default.

https://code.visualstudio.com/updates/v1_62

GitHub also added a warning if you are looking at a file with these characters so hopefully more IDEs are being updated to make this vulnerability more obvious.

Link to comment
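As an added example (not part of any post in this thread, and not how VS Code or GitHub implement their warnings), a small Python check for the two issues quoted at the top: bidirectional formatting characters (CVE-2021-42574) and identifiers that mix scripts, a common homoglyph pattern (CVE-2021-42694). The function names and the sample text are constructed for illustration, and the script detection is a heuristic based on Unicode character names.

```python
import re
import unicodedata

# The nine bidirectional formatting characters (embeddings, overrides,
# isolates and their terminators) relevant to CVE-2021-42574.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}

def scripts_in(token):
    """Heuristic script label per letter: first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in token if ch.isalpha()}

def scan_source(text):
    """Return sorted (line, column, kind, detail) findings, 1-based positions."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Any bidi control in source text is worth a reviewer's attention.
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((line_no, col, "bidi-control",
                                 f"U+{ord(ch):04X} {BIDI_CONTROLS[ch]}"))
        # Identifier-like tokens whose letters come from more than one script.
        for match in re.finditer(r"\w+", line):
            scripts = scripts_in(match.group())
            if len(scripts) > 1:
                findings.append((line_no, match.start() + 1, "mixed-script",
                                 "+".join(sorted(scripts))))
    return sorted(findings)

# Constructed sample: line 3 uses CYRILLIC SMALL LETTER A (U+0430) inside an
# otherwise Latin name, line 4 hides an RLO/PDF pair in a comment, and line 5
# is a legitimate accented Latin identifier that must not be flagged.
SAMPLE = (
    "def say_hello():\n"
    "    return 'hi'\n"
    "def s\u0430y_hello():\n"
    "    return 'bye'  # \u202e note \u202c\n"
    "caf\u00e9 = 1\n"
)

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```

An identifier written entirely in one look-alike script is not caught by the mixed-script check; that case needs a confusables table such as the one in Unicode UTS #39.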
On 1/3/2022 at 8:50 PM, X___ said:

Why is the "RunOnOpened" PN in the loop

Copyright reasons.

On 1/3/2022 at 8:50 PM, X___ said:

why are persistent tags suspicious?

You can put a lot of stuff in a VI and unpack it when run.

On 1/4/2022 at 5:57 PM, jacobson said:

GitHub also added a warning if you are looking at a file with these characters so hopefully more IDEs are being updated to make this vulnerability more obvious.

I dare say it will be addressed in time. I was just commenting on LabVIEW being one of the few not touched by it, for obvious reasons.

Link to comment
On 1/3/2022 at 12:29 PM, ShaunR said:

If it is what I think you are referencing then it is when the VI is run (run when opened), rather than the source code itself.

By the way, LabVIEW 2021 now warns you about VIs that are set to run when opened. Years ago I made a LabVIEW Tray Launcher that takes over the file extension, and allowed you to select what version to open a file in. I added a feature there that would also open it without running it. I haven't updated it in a while so no idea if it still works right.

Link to comment
23 hours ago, ShaunR said:

You can put a lot of stuff in a VI and unpack it when run.

That was what the Advanced Plotting Toolkit was doing, storing a minimal Python exe as a string constant and running it as soon as started.

But that was not as a tag, which I still don't see what it can do besides store stuff (not just strings).

Link to comment
2 hours ago, X___ said:

That was what the Advanced Plotting Toolkit was doing, storing a minimal Python exe as a string constant and running it as soon as started.

But that was not as a tag, which I still don't see what it can do besides store stuff (not just strings).

Storing hidden programs is not unusual for you? It's highly suspicious to me.

As separate operations, Run When Opened isn't common and storing hidden programs even less so. Both together start alarm bells ringing for me.

Link to comment
13 hours ago, ShaunR said:

Storing hidden programs is not unusual for you? It's highly suspicious to me.

As separate operations, Run When Opened isn't common and storing hidden programs even less so. Both together start alarm bells ringing for me.

I mean it is a programming technique for making code more portable, by including small external dependencies.  But I agree that having embedded programs AND having Run When Open is concerning.  I mean other than the Abort All VIs from AQ, I can't think of a good reason a file downloaded would be set to run when opened.  I did see in a controlled environment, Run When Opened was being used in place of making an EXE.  Operators would just double click the Main.vi shortcut, it would open it in LabVIEW because they had the full IDE, and then it would run.  It wasn't a good practice to have and I advised against it.  But those are the only two cases I can think of where it could be used.

Edit: I do remember embedding a VI as a block diagram constant too. In my LabVIEW Tray Launcher there is an Abort All VIs, which needs to be saved in the oldest version of LabVIEW supported. If the VI was a static reference the application builder would resave it, but then I couldn't do an Open VI Reference on other versions of LabVIEW. So I saved it as a constant, then when needed it would get saved to a temp location and run. But again this wasn't a Run When Open situation.

Link to comment
  • 3 weeks later...
On 1/2/2022 at 12:11 AM, ShaunR said:

undetectable by visual inspection of the source code. It isn't a programmer's application with a bug - you can't trust the source code is doing what you think it is doing.

Perfectly doable in LabVIEW too!

 

Edited by JKSH
  • Haha 1
Link to comment
