Academic Company Events Community Support Solutions Products & Services Contact NI MyNI
9 ratings:
 4.88 out of 5     Rate this Document

Security of LabVIEW VI Password Protection vs. Removing VI Block Diagrams

Primary Software:
Primary Software Version: 1.0
Primary Software Fixed Version: N/A
Secondary Software: N/A

Problem:
LabVIEW VI password protection is a feature intended to allow users to:
  1. Prevent viewing a VI’s block diagram or editing the VI without prompting for the password -and-
  2. Allow running the VI without prompting for the password
    • Both on the same LabVIEW version and platform (combination of operating system and processor architecture) for which the VI was compiled and saved -and-
    • On future LabVIEW versions or other platforms, requiring recompilation of the VI
This feature allows producers of password-protected VIs to distribute these VIs to others for use on multiple LabVIEW versions and platforms without providing them the password that would allow them to view the VI’s block diagram or edit the VI.

In order for LabVIEW to be able to recompile a VI, it must be able to read the VI’s block diagram. Given the above requirement that LabVIEW must be able to do so without prompting the user for the VI password, LabVIEW cannot use any strong encryption to protect the VI’s block diagram.

Instead, the current VI password protection mechanism relies on a set of hashes derived from the VI password and additional salt (data used as input to the hash function) embedded at different locations inside the VI. The password itself never gets stored inside the VI. This mechanism ensures that LabVIEW still has access to the block diagram, without prompting for the password, should it need to recompile the VI but, at the same time, users will be prompted for the VI password should they try to view or edit the VI’s block diagram. LabVIEW then compares the computed set of hashes for the entered password with the hashes stored in the VI, before letting the user access the VI’s block diagram. As a result of this approach and the design decision not to encrypt the VI’s block diagram, it is possible for an attacker to either replace the password hashes with his own, should he either be able to: 
  1. Determine the salt, as well as the exact locations of the hashes inside the VI file -or-
  2. Modify the hash comparison routines of the LabVIEW process, e.g. using a memory debugger
While we believe it to be rare to date, it is possible for an attacker to create a program that can crack a VI’s password protection, replacing its password with another of the attacker’s choosing.

Solution:
If you require greater security than that provided by VI password protection to prevent viewing a VI’s block diagram or editing the VI, we recommend that you instead remove the VI’s block diagram. See the LabVIEW Help: Removing Block Diagrams from VIs topic to learn how to remove VI block diagrams. To the best of our knowledge, once you have removed the VI’s block diagram, recovering the original block diagram from the VI is quite difficult, comparable to recovering the source of a text program given only the executable application containing the machine instructions generated by the text language compiler. Having removed a VI’s block diagram, LabVIEW will allow running the VI on the same LabVIEW version and platform for which the VI was compiled and saved. However, future LabVIEW versions or other platforms will not be able to recompile the VI. Therefore, you will need to provide a separate VI for each combination of LabVIEW version and platform you wish to support.

Avoiding this VI distribution burden that accompanies removing VI block diagrams is the reason we created and continue to provide the VI password protection feature, even though it is less secure than removing VI block diagrams.

Related Links:
LabVIEW Help: Removing Block Diagrams from VIs

Attachments:





Report Date: 10/31/2011
Last Updated: 10/31/2011
Document ID: 5QU9ELMW

Your Feedback! poor Poor  |  Excellent excellent   Yes No
 Document Quality? 
 Answered Your Question? 
  1 2 3 4 5
Please Contact NI for all product and support inquiries.submit