How to hide dangerous code

Ex-Fannie Mae worker charged with planting computer virus

Original Criminal Complaint (contains details, .pdf format)

QUOTE

The malicious code was hidden after a blank page, and “it was only by chance” that the senior engineer scrolled down and found the virus.

With LabVIEW, it's as simple as placing the malicious code under a structure, or "off in the buckwheat" (far off from the active code portion of the block diagram).

You have to do the same thing as the guy who found this; look carefully at the scroll bars or run the code through a beautifier. If you need to justify an upgrade to 8.6 and work in a secure computing environment, 'clean up block diagram' and VI Analyzer are good reasons. Just remember you have to use them :P

(Whether 'clean up block diagram' actually 'beautifies' your code is another story. Beauty is in the eyes of the beholder...)

QUOTE (Phillip Brooks @ Jan 30 2009, 08:55 AM)

You have to do the same thing as the guy who found this; look carefully at the scroll bars or run the code through a beautifier. If you need to justify an upgrade to 8.6 and work in a secure computing environment, 'clean up block diagram' and VI Analyzer are good reasons. Just remember you have to use them :P

Then you need to be able to determine the difference between malicious code and code that, well, just doesn't do what it's supposed to do. While the suggestions above are good ones, they're all related to code reviewing, and you should never rely on just a code review to give you any sense of functionality security - you should use unit testing to verify the unit meets the requirements.

If rogue code isn't found by a person doing some extra scrolling, then what? Maybe it doesn't matter because the situations that the unit is going to be used in will never fire that dormant code (assuming your unit test plan was written correctly, this means that the code does more than it needs to, per the requirements). In any case, it's important to know just how much of the code is executed during the unit tests. Ask yourself - do our unit tests actually cover all the cases we will use the unit in? If not (and there are valid reasons for this) then are we actually exercising all of the code during our unit tests? If not, then there's something hiding - most of the time it'll be something innocent (the coder thought that a case would fire but coded it wrong, or some legacy code that has been left in there but will never be used) but sometimes there might be something malicious in there (I've seen both intentional malicious code and code where someone put something in there to try to be funny - IMHO I put both of those situations in the malicious category because neither of them is there to meet the formal requirements).

Code reviews, while very important, are only one part of the verification process. Wouldn't it be great if there was a tool built right into the LabVIEW project that could help us with our unit testing and code coverage needs? :shifty:

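The coverage argument in the post above, as an added example that is not code from this thread: LabVIEW is graphical, so the same idea is sketched here in Python. A requirements-based test suite is run under a line tracer, and every line of the unit that never executed is reported for review. `scale_reading`, `requirements_tests` and the `__maint__` branch are constructed sample input for this example; that branch stands in for the dormant code the post describes, code beyond the requirements that no requirements-based test will ever fire.

```python
import dis
import sys


def scale_reading(value, units):
    """Convert a sensor reading to millivolts (constructed sample unit)."""
    if units == "V":
        return value * 1000.0
    if units == "mV":
        return value
    # Dormant branch (constructed): no requirement asks for it, so a
    # requirements-based test suite never fires it. Coverage should surface it.
    if units == "__maint__":
        return value * -1.0
    raise ValueError(f"unknown units {units!r}")


def requirements_tests():
    """Constructed unit tests covering exactly what the requirements state."""
    assert scale_reading(1.5, "V") == 1500.0
    assert scale_reading(250.0, "mV") == 250.0
    try:
        scale_reading(1.0, "psi")
    except ValueError:
        pass
    else:
        raise AssertionError("unknown units must be rejected")


def executable_lines(func):
    """Line numbers that carry bytecode in func, minus the def line itself,
    which newer interpreters list in the line table but never report as a
    'line' trace event."""
    lines = {ln for _, ln in dis.findlinestarts(func.__code__) if ln is not None}
    lines.discard(func.__code__.co_firstlineno)
    return lines


class LineTracer:
    """Records which source lines of the watched functions actually run."""

    def __init__(self, funcs):
        self._watched = {f.__code__ for f in funcs}
        self.executed = {code: set() for code in self._watched}
        self._previous = None

    def _trace(self, frame, event, arg):
        code = frame.f_code
        if code not in self._watched:
            return None  # not a unit under test: don't trace its lines
        if event == "line":
            self.executed[code].add(frame.f_lineno)
        return self._trace

    def __enter__(self):
        self._previous = sys.gettrace()  # preserve any tracer already installed
        sys.settrace(self._trace)
        return self

    def __exit__(self, *exc_info):
        sys.settrace(self._previous)
        return False


def unexecuted_lines(funcs, run_tests):
    """Run the test suite under the tracer; return {name: [lines never executed]}."""
    tracer = LineTracer(funcs)
    with tracer:
        run_tests()
    return {
        f.__name__: sorted(executable_lines(f) - tracer.executed[f.__code__])
        for f in funcs
    }


if __name__ == "__main__":
    report = unexecuted_lines([scale_reading], requirements_tests)
    for name, missed in report.items():
        status = "dormant code present" if missed else "fully exercised"
        print(f"{name}: {status}; lines never executed: {missed}")
```

The tests all pass, which is exactly the point: passing tests say nothing about the line that was never reached. The report is what turns "does this unit meet the requirements?" into "is there code in this unit that the requirements do not account for?", and every unexecuted line either gets a justification or a closer look.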

QUOTE (PaulG. @ Jan 30 2009, 09:35 AM)

I was curious, tried it and it works ... created a subvi, cleared the icon and placed it on my block diagram. Invisible code! You could ruin a team member's day with something like that. :shifty:

"Beauty is in the eye of the beerholder."

That just killed 15 minutes with my cube mate... :laugh:

Thanks

QUOTE (PaulG. @ Jan 30 2009, 09:35 AM)

I was curious, tried it and it works ... created a subvi, cleared the icon and placed it on my block diagram. Invisible code! You could ruin a team member's day with something like that. :shifty:

Try checking the VI Hierarchy window.

If you reeeeeealllly want to hide code, you need to make the icon blank AND mark the VI as a system VI so it hides in the hierarchy window.

QUOTE (Aristos Queue @ Jan 30 2009, 07:37 PM)

If you reeeeeealllly want to hide code, you need to make the icon blank AND mark the VI as a system VI so it hides in the hierarchy window.

*sigh* Well, you've just increased the future business of those consultant engineers that roam the country helping fix code that someone else has done and then left the company. Let's just hope they employ a time and materials contract. :rolleyes:
