Many moons ago when I was working on a 9i database, I encountered an issue where my information wasn't completely obfuscated. I had a package that was performing some encryption, and I wanted to ensure the seed to my encryption method was hidden. Take the following example:
create or replace procedure seeder is vc varchar2(20) := 'This string'; begin null; end; /On line 2 I declare a string. I would expect this information to be wrapped, just like the rest of my code, however when I assessed the wrapped version of the PL/SQL after using the following command:
wrap iname=c:\seeder.sql oname=c:\seeder.plbI found that I could still see my string definition amongst the code (this is a partial copy from the resulting output):
... 2 :e: 1SEEDER: 1VC: 1VARCHAR2: 120: 1This string: 0 ...This wasn't acceptable, so my solution was to declare variables that contained one character strings and concatenated these to form my seed. In hindsight, perhaps I also may have used
CHR()
to formulate a string.Recently on discussing this topic I wondered if the current version of the database had the same issue. I tried on 10gR2 using a combination of supplied PL/SQL packages.
exec DBMS_DDL.CREATE_WRAPPED(dbms_metadata.get_ddl(object_type => 'PROCEDURE', name => 'SEEDER'));And the resulting code had a different feel about it:
SAGE@sw10g> select dbms_metadata.get_ddl('PROCEDURE' ,'SEEDER') from dual; DBMS_METADATA.GET_DDL('PROCEDURE','SEEDER') -------------------------------------------------------------------------------- CREATE OR REPLACE PROCEDURE "SAGE"."SEEDER" wrapped a000000 b2 abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd 7 4f 92 t5QJKAdccmuGzbpujO65PNpHmLQwg5nnm7+fMr2ywFxpnp8yMlKyCQmldIsJaefHK+fHdMAz uHRlJXxlUMNLwlxpKPqFVisW0T6XRwzqxIvAwDL+0h3l0pmBCC2LwIHHLYsJcKamqIi2Mg== 1 row selected.So it seems that the algorithm has improved and being able to "see" strings in the wrapped code is no longer a problem.
Once again another demonstration of how "known knowns" can change over time, and you must always test behaviour on your version; your infrastructure.
define "no longer a problem": http://technology.amis.nl/blog/4753/unwrapping-10g-wrapped-plsql
ReplyDeleteThat's very interesting. I recall when reading Pete Finnigan's presentation you required access to SYS, but here a typical developer can do it.
ReplyDeletePerhaps this will need to go in the bucket "security through obscurity".
And even the Oracle passwords are being drilled:
http://www.petefinnigan.com/weblog/archives/00001269.htm
I found your blog entry and hoped to find a solution regarding the obfuscation without the wrap utility... because I also found this online unwrapper... nice tool btw.
ReplyDeletehttp://hz.codecheck.ch/UnwrapIt/Unwrapped.jsp