NI Linux Real-Time Discussions

Hey,

This document in the help likely has the comment you're thinking of,

http://zone.ni.com/reference/en-XX/help/370622M-01/lvrtconcepts/rt_rtlinux/

The FTP server is disabled by default, and you cannot use it in safe mode. National Instruments recommends using WebDAV as the file transfer mechanism for improved security.

Once you have WebDAV installed on your target, there is an API you can use in LabVIEW for programmatic WebDAV. Its in the Data Communications > Protocols > WebDAV section.

We should have some other KB documentation on this as well to help guide you.

• http://digital.ni.com/public.nsf/allkb/4EBE45E8A816B19386257B6C0071D025

And last, there is an example project in the LabVIEW Example finder, "WebDAV Data Acquisition.lvproj" which shows how to acquire data from a Host RT Target and uses a WebDAV Sync.vi on the windows system to retrieve data from the target.

Timothy,

Thank you for your quick reply.

With respect to security, could you comment on why NI picked WebDAV?  It appears that quite some time ago it was decided by the security folks that WebDAV is a security concern.  Granted that was primarily because it was the butt of many an exploit on IIS 6, but still it sounds like it's pretty insecure ...

ref links:

    http://www.networkworld.com/article/2202909/network-security/-webdav-is-bad---says-security-research...

    http://dl.packetstormsecurity.net/papers/general/webDAV-exploitation.pdf

Additionally, WebDAV is the primary way that Suxnet propagated so quickly:

    http://www.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf

Any chance you could provide some additional information from NI that would put my mind at ease that there was a good justification for picking WebDAV over other technologies for file transfers?  How is WebDAV implemented on the cRIO-9068 device?  Is it using proven, industry code, or is it implemented from scratch from NI?  Is the code open source so it can be reviewed?

Thanks,

-TD

> With respect to security, could you comment on why NI picked WebDAV?

We primarily chose WebDAV because it's an open standard accessible from

virtually all platforms. At minimum, every modern desktop can read files

from NI's RT targets using only a web browser (preferably via HTTPS).

There are also many readily available clients capable of both read and

write operations which users can download.

Security-wise, we chose it to leverage our existing web server

infrastructure that provides HTTPS and the necessary certificate

management tools for proper SSL configuration. A properly configured

HTTPS server (for WebDAV or any other web service) enables

authentication and encryption of in-flight data such that nobody can

eavesdrop communications or impersonate it.

> http://www.networkworld.com/article/2202909/network-security/-webdav-is-bad---sa ys-security-researcher.html

> http://dl.packetstormsecurity.net/papers/general/webDAV-exploitation.pdf

> http://www.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf

All of these appear to be problems with Windows WebDAV server and client,

not the WebDAV protocol or HTTP/S. To the best of my knowledge, NI's

implementations of WebDAV server (System Web Server) and client (LabVIEW)

are not vulnerable to these specific issues. However, someone could probably

exploit these issues in Windows using our tools. This is not something

we can address, aside from helping users configure RT security options

or disable WebDAV to curtail access. I can certainly help with that,

if you're interested.

> How is WebDAV implemented on the cRIO-9068 device?

WebDAV is provided by a plug-in module to System Web Server on all NI

RT targets (like cRIO-9068). We use an embedded server called AppWeb to

implement most of the server's logic. It's open source on github. But the

WebDAV plug-in is not.