Security of LabVIEW VI Password Protection vs. Removing VI Block Diagrams
Primary Software Version: 1.0
Primary Software Fixed Version: N/A
Secondary Software: N/A
LabVIEW VI password protection is a feature intended to allow users to:
In order for LabVIEW to be able to recompile a VI, it must be able to read the VI’s block diagram. Given the above requirement that LabVIEW must be able to do so without prompting the user for the VI password, LabVIEW cannot use any strong encryption to protect the VI’s block diagram.
Instead, the current VI password protection mechanism relies on a set of hashes derived from the VI password and additional salt (data used as input to the hash function) embedded at different locations inside the VI. The password itself never gets stored inside the VI. This mechanism ensures that LabVIEW still has access to the block diagram, without prompting for the password, should it need to recompile the VI but, at the same time, users will be prompted for the VI password should they try to view or edit the VI’s block diagram. LabVIEW then compares the computed set of hashes for the entered password with the hashes stored in the VI, before letting the user access the VI’s block diagram. As a result of this approach and the design decision not to encrypt the VI’s block diagram, it is possible for an attacker to either replace the password hashes with his own, should he either be able to:
If you require greater security than that provided by VI password protection to prevent viewing a VI’s block diagram or editing the VI, we recommend that you instead remove the VI’s block diagram. See the LabVIEW Help: Removing Block Diagrams from VIs topic to learn how to remove VI block diagrams. To the best of our knowledge, once you have removed the VI’s block diagram, recovering the original block diagram from the VI is quite difficult, comparable to recovering the source of a text program given only the executable application containing the machine instructions generated by the text language compiler. Having removed a VI’s block diagram, LabVIEW will allow running the VI on the same LabVIEW version and platform for which the VI was compiled and saved. However, future LabVIEW versions or other platforms will not be able to recompile the VI. Therefore, you will need to provide a separate VI for each combination of LabVIEW version and platform you wish to support.
Avoiding this VI distribution burden that accompanies removing VI block diagrams is the reason we created and continue to provide the VI password protection feature, even though it is less secure than removing VI block diagrams.
LabVIEW Help: Removing Block Diagrams from VIs
Report Date: 10/31/2011
Last Updated: 10/31/2011
Document ID: 5QU9ELMW