PCode obfuscation cracked - alternatives?
134 次查看(过去 30 天)
显示 更早的评论
Hello, I'm asking this question since a quick google search revealed software able to de-obfuscate p files to m files almost perfectly.
is there any way safer (wrt reverse engineering) than pcode to protect matlab code to be used by matlab (i.e. no stand alone executable)? In particular, the code to be protected calls and is called by functions/m files that cannot be obfuscated/protected (they are part of another library that cannot be modified).
we are currently using R2012b on production systems,
Thank you,
------------EDIT--------------
Just to be clear... I'm not talking about information leaking from running code, debugging or anything requiring programming skills.
I'm talking about decompilation of a p file to a human readable and (very likely) executable m file, by a simple command line statement. A search in google brought up software that seems able to do just that.
Assuming that works (and it sure looks that way), is there a second line of defense to prevent proprietary algorithms being disassembled by a simple one-click operation, while mantaining compatibility/executability in the matlaab environment?
e.g.:Once upon a time, i recall m files could be compiled to mex, but it seems this is not the case anymore (or at least it seems requiring multiple steps and lots of headaches).
4 个评论
Walter Roberson
2013-5-14
Philip works for Mathworks. You could email him the information.
(Note: I do not work for Mathworks. However, if Mathworks would like me to investigate or give opinions on matters, I am good at keeping to NDAs.)
Jan
2013-5-14
编辑:Jan
2013-5-14
@Walter: NDAs are funny, when you find the code freely downloadable in the net. Obviously others did not care about surely existing NDAs already. If the encryption is such weak, an NDA is not the limiting factor for telling my opinions, but the fact, that rudeness is not accepted in this forum.
@guis: Thanks for mentioning this interesting detail. Understanding Matlab's parsing methods is useful for some legal applications.
回答(4 个)
Philip Borghesani
2013-5-8
What leads you to the conclusion that pcoded files can easily be de-obfuscated? I am aware of the numerous ways that information can leak from a pcoded file and there are some defenses that have been posted in other answers and downloads on this site. I believe that it is simple to defend p-code from the only credible software I found to inspect pcoded files. I believe this software is capitalizing on an already posted weakness of pcoded files.
I expect this software can be defeated by any function that checks the datatypes of inputs and errors on unexpected types.
3 个评论
Jan
2013-5-13
编辑:Jan
2014-5-3
P-coding removes all comments and the help section securely. When the names of the internally used variables are obfustcated also, e.g. 'a', 'b', 'Omega13', understanding the code might be more expensive than paying you sufficiently for the source code. I've seen such obfuscated M-file in the FileExchange. Inspite of an excellent demonstration of advanced obfuscation techniques, the comments and rating have not been positive.
You can apply AES encryption to strings, which are EVAL'ed. Unfortunately the US laws forbid to post the 2 lines of Java code or the corresponding M-code for a strong AES encryption. I'm convinced that this law is counter-productive, so it is up to the US citizens to influence the politics to remove it.
But even then the standard problem remains: How can an encryption key stored securely? You could start a C-mex thread, which pokes into the memory of a Matlab variable with a specified timing. Then the debugger is not able to determine the key reliably. But I remember, that there has not been any 100% secure method in the history of modern computing. If you invent one, M- and P-files will not be your profession anymore.
4 个评论
Jan
2013-5-13
编辑:Jan
2013-5-13
A new quote: "If a man has earned enough money, it is time to sit down and take a nap."
Matlab code and and a secure obfuscation are a contradiction by design. It is the purpose of M-code to be compatible with different Matlab versions and environments and therefore dynamic overloading is a fundamental brick of the design. This is a great benefit for interpreted languages.
Hiding details in compiled stand-alone applications is not secure, or if it is, it is not flexible anymore.
I'm going to make some experiments in the evening.
Peng Xu
2014-4-29
Pretty sure name that used internally is not obfuscated, because there is something called workspace in MATLAB, and the p-code generator has nothing to predict what is going to be in your workspace in runtime.
Peng Xu
2014-4-25
It is never secure to ship the code or even resulting binary to end-user and hope some kind of key is able to protect it. My suggestion is to put a crucial part of code away from end-user, e.g. on a company server. And in MATLAB, communicate to this server to do that crucial part. This may be the only way you can achieve a level of security that you can control.
1 个评论
Jan
2014-5-3
编辑:Jan
2014-5-3
And this has the disadvantage that the customers will hate it, when the software they have payed for does not work, when the internet connection is down temporarily. We all know the annoying troubles with online activations and such stuff.
And as we know from e.g. the heart bleed problem, even data on a company server are not under a perfect control.
另请参阅
类别
在 Help Center 和 File Exchange 中查找有关 ISO/IEC TS 17961 Rules 的更多信息
Community Treasure Hunt
Find the treasures in MATLAB Central and discover how the community can help you!
Start Hunting!