Phillip Brooks Posted January 31, 2009

Ex-Fannie Mae worker charged with planting computer virus

Original Criminal Complaint (contains details, .pdf format)

QUOTE
The malicious code was hidden after a blank page, and “it was only by chance” that the senior engineer scrolled down and found the virus.

With LabVIEW, it's as simple as placing the malicious code under a structure, or "off in the buckwheat" (far off from the active code portion of the block diagram). You have to do the same thing as the guy who found this; look carefully at the scroll bars or run the code through a beautifier. If you need to justify an upgrade to 8.6 and work in a secure computing environment, 'clean up block diagram' and VI Analyzer are good reasons. Just remember you have to use them. (Whether 'clean up block diagram' actually 'beautifies' your code is another story. Beauty is in the eyes of the beholder...)

crelf Posted January 31, 2009

QUOTE (Phillip Brooks @ Jan 30 2009, 08:55 AM)
You have to do the same thing as the guy who found this; look carefully at the scroll bars or run the code through a beautifier. If you need to justify an upgrade to 8.6 and work in a secure computing environment, 'clean up block diagram' and VI Analyzer are good reasons. Just remember you have to use them

Then you need to be able to determine the difference between malicious code and code that, well, just doesn't do what it's supposed to do. While the suggestions above are good ones, they're all related to code reviewing, and you should never rely on just a code review to give you any sense of functionality security - you should use unit testing to verify the unit meets the requirements. If rogue code isn't found by a person doing some extra scrolling, then what? Maybe it doesn't matter because the situations that the unit is going to be used in will never fire that dormant code (assuming your unit test plan was written correctly, this means that the code does more than it needs to, per the requirements). In any case, it's important to know just how much of the code is executed during the unit tests.

Ask yourself - do our unit tests actually cover all the cases we will use the unit in? If not (and there are valid reasons for this) then are we actually exercising all of the code during our unit tests? If not, then there's something hiding - most of the time it'll be something innocent (the coder thought that a case would fire but coded it wrong, or some legacy code that has been left in there but will never be used) but sometimes there might be something malicious in there (I've seen both intentional malicious code and code where someone put something in there to try to be funny - IMHO I put both of those situations in the malicious category because neither of them are there to meet the formal requirements).

Code reviews, while very important, are only one part of the verification process. Wouldn't it be great if there was a tool built right into the LabVIEW project that could help us with our unit testing and code coverage needs?

PaulG. Posted January 31, 2009

I was curious, tried it and it works ... created a subvi, cleared the icon and placed it on my block diagram. Invisible code! You could ruin a team member's day with something like that.

"Beauty is in the eye of the beerholder."

Phillip Brooks Posted January 31, 2009

QUOTE (PaulG. @ Jan 30 2009, 10:35 AM)
I was curious, tried it and it works ... created a subvi, cleared the icon and placed it on my block diagram. Invisible code! You could ruin a team member's day with something like that.

Ah, this reminded me of this Small Icons thread (http://forums.lavag.org/Small-icons-t6689.html)...

Dan DeFriese Posted January 31, 2009

QUOTE (PaulG. @ Jan 30 2009, 09:35 AM)
I was curious, tried it and it works ... created a subvi, cleared the icon and placed it on my block diagram. Invisible code! You could ruin a team member's day with something like that. "Beauty is in the eye of the beerholder."

That just killed 15 minutes with my cube mate... :laugh: Thanks

Aristos Queue Posted January 31, 2009

QUOTE (PaulG. @ Jan 30 2009, 09:35 AM)
I was curious, tried it and it works ... created a subvi, cleared the icon and placed it on my block diagram. Invisible code! You could ruin a team member's day with something like that.

Try checking the VI Hierarchy window. If you reeeeeealllly want to hide code, you need to make the icon blank AND mark the VI as a system VI so it hides in the hierarchy window.

crelf Posted January 31, 2009

QUOTE (Aristos Queue @ Jan 30 2009, 07:37 PM)
If you reeeeeealllly want to hide code, you need to make the icon blank AND mark the VI as a system VI so it hides in the hierarchy window.

*sigh* Well, you've just increased the future business of those consultant engineers that roam the country helping fix code that someone else has done and then left the company. Let's just hope they employ a time and materials contract.