Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
I just saw via my Oracle blogs aggregator that Anton Scheffer has released a nice blog post showing how he has cracked the 10g PL/SQL wrap mechanism or rather how he has found out the one missing bit of information (the substitution table). The 9i and lower wrap mechanism was shown by myself at BlackHat in 2006, i also hinted briefly at the 10g mechanism. My paper can be found on my Oracle security white papers page. David then detailed much more of the 10g wrap mechanism in his book the Oracle hackers hand book. He showed the mechanism/algorithm used but stopped at revealing the substitution table in his book.
Anton has done some research into finding the substitution table but not via reversing the binary but via a simpler method of comparing the clear text (from known PL/SQL) to the compressed text. This is then used to create a complete table that allows unwrapping of PL/SQL for 10g. He has also included some Java code to allow unwrapping of PLB files. This is some nice research. His post is called "Unwrapping 10G wrapped PL/SQL". Also of note is a paper mentioned in his post by three Israeli's "Automatic detection of vulnerabilities in wrapped packages in Oracle"
Simply connect PFCLScan to your Oracle database and it will automatically discover the security issues that could make your Oracle database vulnerable to attack and to the potential loss of your data.
PFCLObfuscate is the only tool available that can automatically add license controls to your PL/SQL code. PFCLObfuscate protects your Intellectual Property invested in your PL/SQL database code.
PFCLTraining is a set of expert training classes for you, aimed at teaching how to audit your own Oracle database, design audit trails, secure code in PL/SQL and secure and lock down your Oracle database.
Choose PFCLServices to add PeteFinnigan.com Ltd to your team for your Oracle Security needs. We are experts in performing detailed security audits, data security design work and policy creation