MATLAB: Safe to open P-code files

MATLAB, p-code, safety, virus

Hi,
My question and concern is that I have purchased some .p and .m files from a MATLAB software developer. I would like to know what risks I assume by opening the files, especially the .p files that I cannot review to ensure safe operation (risks such as spreading a fatal virus to my employer's entire network, etc). My limited research on p-coded files explained that no one except those who have purchased the rights to view source code (million dollar rights) from MathWorks will be able to open or view the .p files. Are there any tools in addition to requiredFilesandProducts that I can use to determine a threat? Or is author trust the ultimate answer?
Thanks in advance.

Best Answer

A funny question.
If you run a P-file, you do this in Matlab. Matlab is compiled code and very powerful. It calls thousands of library functions, which have been programmed by more or less reliable programmers. Therefore even plain Matlab code can crash your machine and flood your network with a denial of service attack. E.g. the lib for sprintf contained a bug in former Matlab versions, which allowed gaining admin privileges on the local computer. If such a command appears anywhere in a bunch of 20'000 lines, you will never find it.
Therefore P-coding does not increase the threat level remarkably. Note that even the Matlab engine is not the main problem of the computer, but the operating system and all software that contacts the internet, such as browsers and file viewers. It has been proven nearly every week that we cannot trust the programmers of Windows, MacOS, Linux, AcrobatReader, Flash, Java, Firefox, InternetExplorer, IrfanView, VLC, etc., although they try to do their very best. But by accident, they leave possibilities in the programs which can be exploited by evil attackers or which block the computer or network autonomously.
Of course you can examine P-files with Matlab's debugger. You can set breakpoints, step through the code line by line and observe the current WorkSpace [EDITED: in older Matlab versions]. The profiler and commands like inmem reveal the called functions in addition. This is a strange feature and I cannot imagine why Mathworks decided to allow this. In consequence the obfuscation level of P-coding is not high, although you cannot obtain the original source code.
I do not run P-files from the FileExchange, because it is suspicious to me that someone wants to publish code without letting others see what he has written. But I ran the huge Matlab system, although it could contain spyware also and I do not have any chance to detect this.
My advice: Trust the programmer, but do not trust too much. In real life only redundant, non-connected machines and a solid backup strategy help to reduce the effects of attacks or accidents. Neither trust nor control can be more reliable.
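As an added example (not code from this thread or from MathWorks), a MATLAB function that combines the checks named in the answer: the static dependency list from requiredFilesAndProducts, an inmem diff, and the profiler's call list, screened against a watch list of functions that reach the OS shell, network or filesystem. It assumes the P-file is a function on the path and, since the P-file actually executes, that you run it on an isolated test machine or VM as the answer suggests.

```matlab
function report = auditPfile(pfile, varargin)
% auditPfile  Run a P-file and record which functions it pulls in.
% Constructed example for this thread, not MathWorks code. PFILE names a
% function P-file on the path; extra arguments are passed through to it.
% The name list is a screening aid only: a P-file can reach the same
% functions via eval of a built string, so "no hits" means "nothing
% obvious", not "safe".

    % Functions worth a look before the file runs on a production machine.
    watch = {'system','dos','unix','urlread','urlwrite','webread', ...
             'websave','ftp','delete','rmdir','movefile','copyfile', ...
             'fopen','fwrite','eval','evalc','evalin','assignin','java'};

    [~, fname] = fileparts(pfile);

    % Static view: what does dependency analysis say the file needs?
    try
        [report.staticFiles, report.products] = ...
            matlab.codetools.requiredFilesAndProducts(pfile);
    catch err
        report.staticFiles = {}; report.products = [];
        report.staticError = err.message;
    end

    % Dynamic view: diff the function cache and profile the actual run.
    before = inmem;
    profile on
    try
        feval(fname, varargin{:});
        report.runError = '';
    catch err
        report.runError = err.message;   % keep going: the call list matters
    end
    profile off
    after = inmem;
    pinfo = profile('info');

    report.newlyLoaded = setdiff(after, before);
    called = {pinfo.FunctionTable.FunctionName};
    % Profiler names look like 'pkg.fn', 'file>sub' or 'fn'; keep the last part.
    called = regexprep(called, '^.*[.>]', '');
    report.called = unique(called);
    report.flagged = intersect(report.called, watch);

    fprintf('%s: %d functions called, %d flagged\n', ...
            fname, numel(report.called), numel(report.flagged));
    if ~isempty(report.flagged)
        fprintf('  %s\n', report.flagged{:});
    end
end
```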