An Example of Possible Threats in the Invoke Code Activity

Embedding malicious code in text-based containers, such as XML files, is not difficult. To analyze this possibility I tried this morning to embed a threat into the Invoke Code Activity. However, I would still like to explicitly point out that this is possible with all RPA platforms that store their workflow data in this way. This is not a problem with UiPath and it is not a security risk with the products of UiPath. I would only like to clarify the CISA Insight with a possible approach.

For my experiment I used the EICAR test string. This is completely harmless and should prompt any virus scanner to report it immediately. The European Institute for Computer Antivirus Research (EICAR) developed it for this purpose.

My code contains only two lines. The first line is the EICAR test string as an array of bytes, to exclude textual detection of the malicious code in advance. With the second line the bytes are written to a file; here the virus scanner becomes active when I run the automation workflow.

// Invoke Code activity body (C#). The System and System.IO namespaces
// (for File and Directory) must be available through the workflow's Imports.
// The 68 bytes below are the ASCII codes of the EICAR test string.
byte[] EICARTestString = new byte[] { 0x58, 0x35, 0x4F, 0x21, 0x50,
  0x25, 0x40, 0x41, 0x50, 0x5B, 0x34, 0x5C, 0x50, 0x5A, 0x58, 0x35,
  0x34, 0x28, 0x50, 0x5E, 0x29, 0x37, 0x43, 0x43, 0x29, 0x37, 0x7D,
  0x24, 0x45, 0x49, 0x43, 0x41, 0x52, 0x2D, 0x53, 0x54, 0x41, 0x4E,
  0x44, 0x41, 0x52, 0x44, 0x2D, 0x41, 0x4E, 0x54, 0x49, 0x56, 0x49,
  0x52, 0x55, 0x53, 0x2D, 0x54, 0x45, 0x53, 0x54, 0x2D, 0x46, 0x49,
  0x4C, 0x45, 0x21, 0x24, 0x48, 0x2B, 0x48, 0x2A };

// Writing the bytes to disk is what triggers the on-access scanner.
File.WriteAllBytes(Directory.GetCurrentDirectory() +
  @"\Test.txt", EICARTestString);

Screenshot: Windows Security has found a threat.

Screenshot: Serious threat EICAR found.

The following points can help mitigate this risk:

  1. Prohibition of the use of obfuscation techniques in the code.
  2. Use of the four-eyes principle in the development of the automation workflow.

Do you know any more points?

This also results in interesting combinations with the integration scenarios.

Let us talk and look at this perspective more intensively.

GenerateEICARTestFile.xaml (4.7 KB)

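One way to put the two mitigation points into practice before a workflow is published is a static review check over the .xaml files themselves. The following is an added example written for this thread, not code from the post above and not a UiPath tool: it parses a workflow, collects every Invoke Code activity for the four-eyes review, and flags the embedded C#/VB source when it shows obfuscation patterns such as a long hex byte-array literal, Base64 decoding, or strings assembled from character codes. The element name `InvokeCode`, the attributes `DisplayName` and `Language`, and the way the code body is serialized are assumptions about the XAML layout; the sample workflow is constructed here (its byte array is plain text, not the EICAR string).

```python
"""Static review check for UiPath .xaml workflows: list every Invoke Code activity
and flag obfuscation patterns in its embedded source.

Added example for the thread, not UiPath tooling. Assumptions are marked in comments.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Each rule: (severity, description, regex over the embedded source text).
# "obfuscation" rules implement the prohibition on obfuscated code; "review" rules
# only mark behaviour a second reviewer should look at explicitly.
RULES = [
    ("obfuscation", "long byte-array literal (hex-encoded data, C# or VB)",
     re.compile(r"new\s+byte\s*(?:\[\s*\]|\(\s*\))\s*\{\s*"
                r"(?:(?:0x|&H)[0-9a-f]{1,2}\s*,\s*){15,}", re.I)),
    ("obfuscation", "Base64 decoding of an embedded string",
     re.compile(r"Convert\.FromBase64String\s*\(", re.I)),
    ("obfuscation", "string built from character codes",
     re.compile(r"\(\s*char\s*\)\s*(?:0x[0-9a-f]+|\d+)|\bChrW?\s*\(", re.I)),
    ("review", "runtime assembly loading / reflection",
     re.compile(r"\bAssembly\.Load\w*\s*\(|\bActivator\.CreateInstance\s*\(", re.I)),
    ("review", "writes raw bytes to disk",
     re.compile(r"File\.WriteAllBytes\s*\(", re.I)),
]


def _local_name(tag):
    """Strip the XML namespace: '{ns}InvokeCode' -> 'InvokeCode'."""
    return tag.rsplit("}", 1)[-1]


def extract_invoke_code(xaml_text):
    """Return [(display_name, language, source)] for every Invoke Code activity.

    Assumption: the activity element's local name is 'InvokeCode' and its source
    text lives in the text of its descendants (the exact serialization may differ).
    """
    root = ET.fromstring(xaml_text)
    blocks = []
    for elem in root.iter():
        if _local_name(elem.tag) != "InvokeCode":
            continue
        source = "".join(elem.itertext()).strip()
        blocks.append((elem.get("DisplayName", "<unnamed>"),
                       elem.get("Language", "?"), source))
    return blocks


def scan_xaml_text(xaml_text):
    """Apply RULES to each Invoke Code body; return a list of finding dicts."""
    findings = []
    for name, lang, source in extract_invoke_code(xaml_text):
        for severity, description, pattern in RULES:
            match = pattern.search(source)
            if match:
                findings.append({
                    "activity": name, "language": lang, "severity": severity,
                    "rule": description,
                    "snippet": match.group(0)[:40].replace("\n", " "),
                })
    return findings


def scan_file(path):
    """Scan one .xaml file on disk."""
    with open(path, encoding="utf-8") as fh:
        return scan_xaml_text(fh.read())


# Constructed sample workflow (hypothetical layout): one activity with a hex
# byte-array literal and a file write, one harmless activity.
SAMPLE_XAML = """<Activity x:Class="Main"
  xmlns="http://schemas.microsoft.com/netfx/2009/xaml/activities"
  xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
  xmlns:ui="http://schemas.uipath.com/workflow/activities">
  <Sequence DisplayName="Main">
    <ui:InvokeCode DisplayName="Drop file" Language="CSharp">
      <ui:InvokeCode.Code>
        <InArgument x:TypeArguments="x:String">
byte[] data = new byte[] { 0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x2C, 0x20, 0x72,
  0x65, 0x76, 0x69, 0x65, 0x77, 0x65, 0x72, 0x21, 0x0D, 0x0A, 0x00, 0x00 };
File.WriteAllBytes(Directory.GetCurrentDirectory() + @"\\Test.txt", data);
        </InArgument>
      </ui:InvokeCode.Code>
    </ui:InvokeCode>
    <ui:InvokeCode DisplayName="Add numbers" Language="CSharp">
      <ui:InvokeCode.Code>
        <InArgument x:TypeArguments="x:String">result = a + b;</InArgument>
      </ui:InvokeCode.Code>
    </ui:InvokeCode>
  </Sequence>
</Activity>
"""

if __name__ == "__main__":
    # Usage: python check_invoke_code.py Main.xaml [...]; no arguments scans the sample.
    paths = sys.argv[1:]
    results = [f for p in paths for f in scan_file(p)] if paths else scan_xaml_text(SAMPLE_XAML)
    for f in results:
        print(f"[{f['severity']}] {f['activity']} ({f['language']}): {f['rule']} -> {f['snippet']}")
```

The check is deliberately a review aid, not a blocker: a long byte array or a file write can be legitimate, which is exactly why the list of Invoke Code bodies is handed to the second pair of eyes together with the flags.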

Thank you, Stefan.
This is a good reminder to all that while RPA can and should be democratized to a wide audience, it is still a form of software development. With any software development, there is a need to govern, review, and test code that is written before it can be implemented into production.

UiPath has invested many resources in the development of Studio governance, Automation Ops, and our Test Suite to help support this. Given that Studio has these rules built in for free, it is recommended that anyone looking to scale RPA development evaluates this feature set to help secure their SDLC.

Separately, I think it is important to mention the CISA article as I believe it needs some revision to truly be understood.

  1. Industrial Control Systems do leverage robots, but they are typically not the robots we associate with RPA. These are usually the more traditional robots and they certainly have security risks. As these systems have evolved, they include more and more computer systems embedded in them, often without the capacity for IT security that is afforded with normal computers. There are many other security risks associated with ICS and I hope CISA follows up on this topic more.

  2. Not every RPA product or platform is built the same. As RPA has become more popular and additional companies / startups enter the marketplace, there is a wide variety of options customers can choose from. Some of these include features to enable governance and connect into an enterprise security stack, while others are still maturing. Often those that are still maturing are offered for free and thus become an attractive option for customers, particularly government customers. CISA and UiPath agree that customers or any potential user looking to leverage RPA should evaluate the products they are looking to use first. Companies such as Gartner and Forrester may be helpful in making such decisions.


Hello Kevin,
thank you for your post. Yes, the frontier between physical robots in manufacturing and software robots is a little bit blurred in the CISA Insight. But I think it is separable enough for us.
With the democratization of software development through RPA, further requirements arise to ensure information and operational security, besides all the great approaches you have already taken. That is evolution. The measures and possibilities we present here are also intended to create security awareness. Exactly as you say, a significant decision aspect.
The collection of many tiny security perspectives here should help. The CISA Insight is an impulse or indicator for that.
Best regards
Stefan