Security Considerations to Protect Your Source Code
Although MATLAB® source code (.m
) is executable by itself, the contents
of MATLAB source files are easily accessed, revealing design and implementation
details. If you do not want to distribute your proprietary application code in this
format, you can use one or more of these options instead:
Create P-Code Files — Convert plain text MATLAB files to a content-obscured execute-only format.
Build Standalone Executables — Use MATLAB Compiler/Simulink Compiler to generate standalone applications from MATLAB programs or Simulink models.
Use Model Protection — Use Model Protection to conceal the contents of Simulink models.
Convert Code to Native Code — Compile source code and algorithms into platform-specific binary files.
Host Compiled Application on Remote Protected Server — Host the compiled application on a remote protected server using MATLAB Web App Server or MATLAB Production Server with restricted access.
Utilize Secure OS Services — Host the compiled application on a protected server on a shielded virtual machine.
Create P-Code Files
Convert some or all of your source code files to a content-obscured format called
a P-code file (with a .p
file extension),
and distribute your application code in this format.
Use matlab.lang.obfuscateNames
in conjunction with pcode
to further obfuscate
source-code by replacing names of local variables, local functions, and nested
functions with generic names. (since R2024b)
For more information on generating P-code files, see Create a Content-Obscured File with P-Code.
Build Standalone Executables
Another way to protect your source code is to build it into a standalone executable and distribute the executable, along with any other necessary files, to your users. You must have the MATLAB Compiler™ or Simulink® Compiler and a supported C or C++ compiler installed to prepare files for deployment. The end user, however, does not need MATLAB.
When MATLAB Compiler or Simulink Compiler creates an standalone executable, all the files required for that application are bundled into an archive. In the archive, each MATLAB code file (plain text MATLAB file or P-code file) is encrypted using the standard AES-256 algorithm. By default, the names of files and the directory structure are not obscured and other file types (such as MAT, FIG, MEX, and so on) are not encrypted.
Starting in R2021b, you can obscure the names of files and the directory
structure, and also encrypt other file types (such as MAT, FIG, MEX, and so on)
using the -s
option for mcc
(MATLAB Compiler). At run time, the encrypted files remain
encrypted on the disk but are decrypted in memory to their original form before
compiling. Depending on the use case, you can combine other methods with this one to
gain an additional layer of protection. For example, you can create a P-coded file
from MATLAB code files before they are compiled.
To build a standalone executable for your MATLAB application, develop and debug your application following the usual workflow for MATLAB program files. For information on how to generate executable files, see Create Standalone Application from MATLAB Function (MATLAB Compiler).
Use Model Protection
Protecting a model conceals the implementation details of the original model by compiling it into a referenced model. When you create a protected model, the implementation details of the original model are concealed by compiling it into a package known as an SLXP. An SLXP includes derived files to support user-requested functionality in the Simulink environment, such as code generation or simulation.
If a user creates a protected model for simulation only, most of the IP is hidden inside derived binary files. If the user creates a protected model for code generation support as well, the SLXP includes certain supporting files for code generation in either readable C/C++ code or obfuscated binary format, depending on how the user created the SLXP.
Simulation and code generation functionalities can be optionally password-protected so that only the recipients with the password can use these functionalities. When using password protection, the main supporting files for that functionality are protected using AES-256 encryption. These files are decrypted on the disk when the end user enters the password.
Not all supporting files in a package are encrypted. These files include very little of the IP but can still reveal certain information about the model such as interfaces and sample times.
For more information, see Protect Models to Conceal Contents (Simulink Coder).
Convert Code to Native Code
Convert some or all of your source code or algorithms to C/C++ code and then compile it to binary files. There are several options for converting code to binary files:
The
mex
command to generate binary files from C/C++ code.MATLAB Coder to generate binary files from MATLAB code.
Simulink Coder to generate C/C++ code from Simulink models and compile the generated code into standalone binary files.
To achieve an additional layer of protection, you can apply binary obfuscation (using tools outside of MathWorks) on the generated binary.
Host Compiled Application on Remote Protected Server
One method for protecting source code is to store that source code on a remote protected server using MATLAB Web App Server or MATLAB Production Server. The stored source code resides on a server with restricted access, and users access the application through secure interfaces. The files are encrypted with the same mechanisms as described in Build Standalone Executables.
Utilize Secure OS Services
Use different system-hardening techniques that are provided by your operating system. For example, algorithms can reside on a server with restricted access that runs on a shielded virtual machine. The shielded virtual machine can provide additional layers of security to protect your IP.