PCode obfuscation cracked - alternatives?

177 visualizzazioni (ultimi 30 giorni)
gius
gius il 8 Mag 2013
Risposto: David Leffingwell il 12 Giu 2023
Hello, I'm asking this question since a quick google search revealed software able to de-obfuscate p files to m files almost perfectly.
is there any way safer (wrt reverse engineering) than pcode to protect matlab code to be used by matlab (i.e. no stand alone executable)? In particular, the code to be protected calls and is called by functions/m files that cannot be obfuscated/protected (they are part of another library that cannot be modified).
we are currently using R2012b on production systems,
Thank you,
------------EDIT--------------
Just to be clear... I'm not talking about information leaking from running code, debugging or anything requiring programming skills.
I'm talking about decompilation of a p file to a human readable and (very likely) executable m file, by a simple command line statement. A search in google brought up software that seems able to do just that.
Assuming that works (and it sure looks that way), is there a second line of defense to prevent proprietary algorithms being disassembled by a simple one-click operation, while mantaining compatibility/executability in the matlaab environment?
e.g.:Once upon a time, i recall m files could be compiled to mex, but it seems this is not the case anymore (or at least it seems requiring multiple steps and lots of headaches).
  4 Commenti
Walter Roberson
Walter Roberson il 14 Mag 2013
Philip works for Mathworks. You could email him the information.
(Note: I do not work for Mathworks. However, if Mathworks would like me to investigate or give opinions on matters, I am good at keeping to NDAs.)
Jan
Jan il 14 Mag 2013
Modificato: Jan il 14 Mag 2013
@Walter: NDAs are funny, when you find the code freely downloadable in the net. Obviously others did not care about surely existing NDAs already. If the encryption is such weak, an NDA is not the limiting factor for telling my opinions, but the fact, that rudeness is not accepted in this forum.
@guis: Thanks for mentioning this interesting detail. Understanding Matlab's parsing methods is useful for some legal applications.

Accedi per commentare.

Risposte (4)

Philip Borghesani
Philip Borghesani il 8 Mag 2013
What leads you to the conclusion that pcoded files can easily be de-obfuscated? I am aware of the numerous ways that information can leak from a pcoded file and there are some defenses that have been posted in other answers and downloads on this site. I believe that it is simple to defend p-code from the only credible software I found to inspect pcoded files. I believe this software is capitalizing on an already posted weakness of pcoded files.
I expect this software can be defeated by any function that checks the datatypes of inputs and errors on unexpected types.
  3 Commenti
Philip Borghesani
Philip Borghesani il 8 Mag 2013
Yes that is what I found and I drew the same conclusions.
gius
gius il 9 Mag 2013
As i wrote in the question, I'm affirming pfiles can be deobfuscated because i found software that seems to do just that.
I edited the question to make it clear.
the software was found by a simple google search: I saw pfiles being recommended as a relatively safe ip protection strategy, and checked on google just to be sure.

Accedi per commentare.


Jan
Jan il 13 Mag 2013
Modificato: Jan il 3 Mag 2014
P-coding removes all comments and the help section securely. When the names of the internally used variables are obfustcated also, e.g. 'a', 'b', 'Omega13', understanding the code might be more expensive than paying you sufficiently for the source code. I've seen such obfuscated M-file in the FileExchange. Inspite of an excellent demonstration of advanced obfuscation techniques, the comments and rating have not been positive.
You can apply AES encryption to strings, which are EVAL'ed. Unfortunately the US laws forbid to post the 2 lines of Java code or the corresponding M-code for a strong AES encryption. I'm convinced that this law is counter-productive, so it is up to the US citizens to influence the politics to remove it.
But even then the standard problem remains: How can an encryption key stored securely? You could start a C-mex thread, which pokes into the memory of a Matlab variable with a specified timing. Then the debugger is not able to determine the key reliably. But I remember, that there has not been any 100% secure method in the history of modern computing. If you invent one, M- and P-files will not be your profession anymore.
  4 Commenti
Jan
Jan il 13 Mag 2013
Modificato: Jan il 13 Mag 2013
A new quote: "If a man has earned enough money, it is time to sit down and take a nap."
Matlab code and and a secure obfuscation are a contradiction by design. It is the purpose of M-code to be compatible with different Matlab versions and environments and therefore dynamic overloading is a fundamental brick of the design. This is a great benefit for interpreted languages.
Hiding details in compiled stand-alone applications is not secure, or if it is, it is not flexible anymore.
I'm going to make some experiments in the evening.
Peng Xu
Peng Xu il 29 Apr 2014
Pretty sure name that used internally is not obfuscated, because there is something called workspace in MATLAB, and the p-code generator has nothing to predict what is going to be in your workspace in runtime.

Accedi per commentare.


Peng Xu
Peng Xu il 25 Apr 2014
It is never secure to ship the code or even resulting binary to end-user and hope some kind of key is able to protect it. My suggestion is to put a crucial part of code away from end-user, e.g. on a company server. And in MATLAB, communicate to this server to do that crucial part. This may be the only way you can achieve a level of security that you can control.
  1 Commento
Jan
Jan il 3 Mag 2014
Modificato: Jan il 3 Mag 2014
And this has the disadvantage that the customers will hate it, when the software they have payed for does not work, when the internet connection is down temporarily. We all know the annoying troubles with online activations and such stuff.
And as we know from e.g. the heart bleed problem, even data on a company server are not under a perfect control.

Accedi per commentare.


David Leffingwell
David Leffingwell il 12 Giu 2023

Categorie

Scopri di più su MATLAB Compiler in Help Center e File Exchange

Community Treasure Hunt

Find the treasures in MATLAB Central and discover how the community can help you!

Start Hunting!

Translated by