
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Kurt Van Meerbeeck (jDUL, DUDE) has started a blog



I saw today that Kurt Van Meerbeeck, who is famous for writing jDUL, which became DUDE, has started a blog. I have known Kurt for many years on email, but only in the last couple of years have we met in person, at the UKOUG conference. Kurt's blog has only one post so far, "A new ORA600 website - a new blog, DUDE !", but it is certainly worth keeping an eye on.

Why should we be interested from a security perspective? Well, as I said, I have known Kurt for many years on email (I just checked: our first email exchange was in 2001, when we talked about jDUL), and I am always fascinated by internals, undocumented details and more. Oracle security is not simply about looking at the security features in the database. Every feature, especially if it's enabled in the database (note: enabled in security terms does not mean used!), has some security risk level. For instance, the package DBMS_FILE_TRANSFER sounds useful if you are writing an Oracle-based application that needs to allow files to be transferred. From a security perspective it's dangerous, as it would allow files to be manipulated from within the database. The procedures GET_FILE and PUT_FILE sound useful to a hacker.
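As an added example (not part of the original post), here is a read-only audit a DBA could run to see how exposed DBMS_FILE_TRANSFER is in a given database: who holds EXECUTE on the package, directly or through roles, and which directory objects and database links its GET_FILE and PUT_FILE procedures could reach. It assumes a session that can query the DBA_* dictionary views.

```sql
-- Added example, not from the original post. Read-only dictionary queries.

-- 1. Direct grants of EXECUTE on the package (users, roles or PUBLIC).
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DBMS_FILE_TRANSFER'
AND    privilege  = 'EXECUTE'
ORDER  BY grantee;

-- 2. Database users who inherit that EXECUTE through a chain of roles.
--    Start at every role holding the grant and walk up to its grantees.
SELECT DISTINCT grantee                      AS username,
       CONNECT_BY_ROOT granted_role          AS role_with_execute
FROM   dba_role_privs
WHERE  grantee IN (SELECT username FROM dba_users)
START  WITH granted_role IN (SELECT grantee
                             FROM   dba_tab_privs
                             WHERE  owner      = 'SYS'
                             AND    table_name = 'DBMS_FILE_TRANSFER'
                             AND    privilege  = 'EXECUTE')
CONNECT BY PRIOR grantee = granted_role
ORDER  BY username;

-- 3. Directory objects (the package reads and writes files through these)
--    and who holds READ or WRITE on each one.
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
FROM   dba_directories d
JOIN   dba_tab_privs   p
       ON  p.owner      = d.owner
       AND p.table_name = d.directory_name
WHERE  p.privilege IN ('READ', 'WRITE')
ORDER  BY d.directory_name, p.grantee, p.privilege;

-- 4. Database links: GET_FILE and PUT_FILE name a remote database
--    by database link, so each link is a possible remote endpoint.
SELECT owner, db_link, username, host, created
FROM   dba_db_links
ORDER  BY owner, db_link;
```

Any account that appears in query 1 or 2 and also holds READ or WRITE on a directory from query 3 can move files with the package, whether or not any application actually uses it.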

So in general all features have some risk in some circumstances. I also like Kurt's work because of its deep interest in internals. In Kurt's case this involves block and data storage internals. Kurt has developed a tool, originally called jDUL and now called DUDE, that mirrors the usefulness and functionality of tools such as DUL, used by Oracle consultants for recovering databases that have crashed and cannot be recovered in any other way. I am particularly interested in this area and have blogged on it a few times in the past because of the security connections with Oracle Forensics. A number of people have been talking about block internals because of forensics, with the purpose of finding deleted data as evidence. Whilst this is great and a really useful move forward in security terms for the database, it is "old technology", as people like Kurt and a few others, such as Lou Fangxin of AnySQL.net, who has a similar DUL-like tool called AUL (http://www.anysql.net/en/aul.html - broken link), have been doing this for 7 or 8 years and have clearly got a much deeper understanding of the data storage and structure.

I have added Kurt's blog to my Oracle blogs aggregator and I have also added A Arju's blog found via Kurt's aggregator as it also contains some posts about block internals.