Safe to open P-code files?
37 views (last 30 days)
Show older comments
Hi,
My question and concern is that I have purchased some .p and .m files from a MATLAB software developer. I would like to know what risks I assume by opening the files, especially the .p files that I cannot review to ensure safe operation (risks such as spreading a fatal virus to my employer's entire network, etc). My limited research on p-coded files explained that no one except those who have purchased the rights to view source code (million dollar rights) from MathWorks will be able to open or view the .p files. Are there any tools in addition to requiredFilesandProducts that I can use to determine a threat? Or is author trust the ultimate answer?
Thanks in advance.
3 Comments
Walter Roberson
on 20 Dec 2016
The original source file of .p files is discarded. There is, though, still information about variable names. It seems likely to me that somewhere along the way that Mathworks wrote a "decompile" tool for .p files that would produce some version of source from a .p file. But that is speculation.
Accepted Answer
Jan
on 20 Dec 2016
Edited: Jan
on 21 Dec 2016
A funny question.
If you run a P-file, you do this in Matlab. Matlab is compiled code and very powerful. It calls thousands of library functions, which have been programmed by more or less reliable programmers. Therefore even plain Matlab code can crash your machine and flood your network by a denial of service attack. E.g. the lib for sprintf contained a bug in former Matlab versions, which allowed to gain admin privileges on the local computer. If such a command appears anywhere in a bunch of 20'000 lines, you will never find it.
Therefore P-coding does not increase the threat-level remarkably. Note that even the Matlab engine is not the main problem of the computer, but the operating system and all software to contact the internet as browsers and file viewer. It is been proven nearly every week, that we cannot trust the programmers of Windows, MacOS, Linux, AcrobatReader, Flash, Java, Firefox, InternetExplorer, IrfanView, VLC, etc., although they try to do their very best. But by accident, they leave possibilities in the programs, which can be exploitet by evil attackers or which block the computer or network autonomously.
Of course you can examine P-files with Matlab's debugger. You can set breakpoints, step through the code line by line and observe the current WorkSpace [EDITED: in older Matlab versions]. The profiler and comamnds like inmem reveal the called functions in addition. This is a strange feature and I cannot imagine, why Mathworks decided to allow this. In consequence the obfuscation level of P-coding is not high, although you cannot obtain the original source code.
I do not run P-files from the FileExchange, because it is suspicious for me, that someone wants to publish code without letting others see, what he has written. But I ran the huge Matlab system, although it could contain spyware also and I do not have any chance to detect this.
My advice: Trust the programmer, but do not trust too much. In the real life only redundant not connected machines and solid backup strategy help to reduce the effects of attacks or accidents. Neither trust nor control can be more reliable.
3 Comments
Jan
on 21 Dec 2016
@David: You are right: Modern Matlab versions do not allow to debug P-coded functions. This implies, that older Matlab versions can still do this.
The OP asked for the threat level of running P-files. Depending on the license agreement he has accepted, he is not even allowed to reverse engineer the program, even if it is delivered as M-file. Therefore the limited obfuscation level of P-files is not the point. But if he really want to examine the functions and is allowed to do this, than it matters that the lisence agreement of Matlab does not allow to examine or reveal the details of the obfuscation methods in P-files.
When I sell code, I ship 98% as M-files and 2% as P-files. I do not rely on the P-files to be undiscoverable, but you cannot do this on the fly or by accident. You need time and a certain effort, such that you know, that you are reverse engineering. In this case, a EULA on paper, which is manually signed before the customer has bought the software, is more reliable than P-coding.
More Answers (1)
David Barry
on 20 Dec 2016
Edited: David Barry
on 20 Dec 2016
Yes author trust is the ultimate answer. If you don't trust them then why work with them? Alternatively you should have stated in your terms and conditions with said supplier that you want open access to all source code. p-code is a way for people to obfuscate intellectual property not distribute viruses.
0 Comments
See Also
Products
Community Treasure Hunt
Find the treasures in MATLAB Central and discover how the community can help you!
Start Hunting!