PCode obfuscation cracked - alternatives?

180 vues (au cours des 30 derniers jours)
gius
gius le 8 Mai 2013
Réponse apportée : David Leffingwell le 12 Juin 2023
Hello, I'm asking this question since a quick google search revealed software able to de-obfuscate p files to m files almost perfectly.
is there any way safer (wrt reverse engineering) than pcode to protect matlab code to be used by matlab (i.e. no stand alone executable)? In particular, the code to be protected calls and is called by functions/m files that cannot be obfuscated/protected (they are part of another library that cannot be modified).
we are currently using R2012b on production systems,
Thank you,
------------EDIT--------------
Just to be clear... I'm not talking about information leaking from running code, debugging or anything requiring programming skills.
I'm talking about decompilation of a p file to a human readable and (very likely) executable m file, by a simple command line statement. A search in google brought up software that seems able to do just that.
Assuming that works (and it sure looks that way), is there a second line of defense to prevent proprietary algorithms being disassembled by a simple one-click operation, while mantaining compatibility/executability in the matlaab environment?
e.g.:Once upon a time, i recall m files could be compiled to mex, but it seems this is not the case anymore (or at least it seems requiring multiple steps and lots of headaches).
  4 commentaires
Afficher 2 commentaires plus anciens
Walter Roberson
Walter Roberson le 14 Mai 2013
Philip works for Mathworks. You could email him the information.
(Note: I do not work for Mathworks. However, if Mathworks would like me to investigate or give opinions on matters, I am good at keeping to NDAs.)
Jan
Jan le 14 Mai 2013
Modifié(e) : Jan le 14 Mai 2013
@Walter: NDAs are funny, when you find the code freely downloadable in the net. Obviously others did not care about surely existing NDAs already. If the encryption is such weak, an NDA is not the limiting factor for telling my opinions, but the fact, that rudeness is not accepted in this forum.
@guis: Thanks for mentioning this interesting detail. Understanding Matlab's parsing methods is useful for some legal applications.

Connectez-vous pour commenter.

Connectez-vous pour répondre à cette question.

Réponses (4)

Philip Borghesani
Philip Borghesani le 8 Mai 2013
What leads you to the conclusion that pcoded files can easily be de-obfuscated? I am aware of the numerous ways that information can leak from a pcoded file and there are some defenses that have been posted in other answers and downloads on this site. I believe that it is simple to defend p-code from the only credible software I found to inspect pcoded files. I believe this software is capitalizing on an already posted weakness of pcoded files.
I expect this software can be defeated by any function that checks the datatypes of inputs and errors on unexpected types.
  3 commentaires
Afficher 1 commentaire plus ancien
Philip Borghesani
Philip Borghesani le 8 Mai 2013
Yes that is what I found and I drew the same conclusions.
gius
gius le 9 Mai 2013
As i wrote in the question, I'm affirming pfiles can be deobfuscated because i found software that seems to do just that.
I edited the question to make it clear.
the software was found by a simple google search: I saw pfiles being recommended as a relatively safe ip protection strategy, and checked on google just to be sure.

Connectez-vous pour commenter.

Jan
Jan le 13 Mai 2013
Modifié(e) : Jan le 3 Mai 2014
P-coding removes all comments and the help section securely. When the names of the internally used variables are obfustcated also, e.g. 'a', 'b', 'Omega13', understanding the code might be more expensive than paying you sufficiently for the source code. I've seen such obfuscated M-file in the FileExchange. Inspite of an excellent demonstration of advanced obfuscation techniques, the comments and rating have not been positive.
You can apply AES encryption to strings, which are EVAL'ed. Unfortunately the US laws forbid to post the 2 lines of Java code or the corresponding M-code for a strong AES encryption. I'm convinced that this law is counter-productive, so it is up to the US citizens to influence the politics to remove it.
But even then the standard problem remains: How can an encryption key stored securely? You could start a C-mex thread, which pokes into the memory of a Matlab variable with a specified timing. Then the debugger is not able to determine the key reliably. But I remember, that there has not been any 100% secure method in the history of modern computing. If you invent one, M- and P-files will not be your profession anymore.
  4 commentaires
Afficher 2 commentaires plus anciens
Jan
Jan le 13 Mai 2013
Modifié(e) : Jan le 13 Mai 2013
A new quote: "If a man has earned enough money, it is time to sit down and take a nap."
Matlab code and and a secure obfuscation are a contradiction by design. It is the purpose of M-code to be compatible with different Matlab versions and environments and therefore dynamic overloading is a fundamental brick of the design. This is a great benefit for interpreted languages.
Hiding details in compiled stand-alone applications is not secure, or if it is, it is not flexible anymore.
I'm going to make some experiments in the evening.
Peng Xu
Peng Xu le 29 Avr 2014
Pretty sure name that used internally is not obfuscated, because there is something called workspace in MATLAB, and the p-code generator has nothing to predict what is going to be in your workspace in runtime.

Connectez-vous pour commenter.

Peng Xu
Peng Xu le 25 Avr 2014
It is never secure to ship the code or even resulting binary to end-user and hope some kind of key is able to protect it. My suggestion is to put a crucial part of code away from end-user, e.g. on a company server. And in MATLAB, communicate to this server to do that crucial part. This may be the only way you can achieve a level of security that you can control.
  1 commentaire
Jan
Jan le 3 Mai 2014
Modifié(e) : Jan le 3 Mai 2014
And this has the disadvantage that the customers will hate it, when the software they have payed for does not work, when the internet connection is down temporarily. We all know the annoying troubles with online activations and such stuff.
And as we know from e.g. the heart bleed problem, even data on a company server are not under a perfect control.

Connectez-vous pour commenter.

David Leffingwell
David Leffingwell le 12 Juin 2023

Catégories

En savoir plus sur MATLAB Compiler dans Help Center et File Exchange

Tags

Community Treasure Hunt

Find the treasures in MATLAB Central and discover how the community can help you!

Start Hunting!

Translated by