Call: +44 (0)7759 277220 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "A new version of the Oracle password cracker woraauthbf is available"] [Next entry: "Fine Grained network Access Control in 11g"]

C code API to encapsulate OCI

If like me you code in C and use OCI instead of Pro*C then you will be interested in a library written by Vincent Rogier. I have looked at most C++ OCI libraries, and C libraries that encapsulate OCI in some way over the years and even though I end up writing direct OCI code myself, I was always impressed by Vincent's OCILIB.

I normally code in C for anything "real" and use C++, MFC for user interfaces as its quick and easy and also if you need to access a database (wait for it... its easy to use MSDE, SQL Server Express etc) as well as Oracle databases from MFC to create sophisticated and quick (in terms of writing) Windows code.

I saw a post on Francois Degrelle's blog today that reminded me of the library and I thought its worth a quick promote here. What's the security angle? - well we are developing Oracle security tools internally for use in audits, code audits, forensics, encryption reviews and more in C and OCI. The tools I use myself for many years are written in PL/SQL and are used to capture raw data as part of audits and other investigatory work. I have decided to convert the tools to C for speed, security of IPR and to make updates - which are frequent and often easier. The focus of our security audits is always manual in terms of analysis and we still do large parts of the audit manually and also by interview this is because a much clearer and deeper picture can be obtained in this way but tools are also important to capture and gather the large amounts of data needed to be analysed manually for all the parameters and privileges set in the dictionary. Anyway here is a glimps, it is in C, its fully instrumented, generates logs and is driven by configurations that can be read from MSDE or text based files and does SQL connections to the database and ssh to the server for gathering data and checks.

C:\oscan -c oscan.conf -v

OSCAN: Release 0.1.12 - Alpha on Mon Apr 07 11:18:26 2008

Copyright (c) 2003, 2008, Limited. All rights reserved.

[2008 Apr 07 10:18:26] Logger: Starting OSCAN...
[2008 Apr 07 10:18:26] Logger: Running Scanner
[2008 Apr 07 10:27:32] Logger: Closing Down OSCAN

Yes, i know the timing shows GMT and the system date/time is BST, it needs to be fixed still!