Podcast with Peter Finnigan on the problems with the PL/SQL wrapper mechanism

SearchOracle.com has a podcast with Peter Finnigan on his recently published whitepaper discussing the weaknesses of the PL/SQL wrapper built into most currently used Oracle RDBMSes.

The podcast is available as an MP3 from SearchOracle's website. It's not about the inner workings of the wrapper (do not listen to the podcast if you're curious about that; read the paper instead), but about Pete's opinion of the wrapper's security and Oracle security in general.

Actually, it's nothing new that Oracle is full of bugs (just about any DBA who has spent some time supporting an Oracle DB is well aware of it), but the difficulty of (or required work for) reverse engineering wrapped PL/SQL code is something that was not that apparent until now.

I also spent two days of my life some years ago trying to break the wrapper, but I gave up after some initial successes. It seemed to be too much of a headache compared to the benefits of success. I didn't know about IDL or the Ada roots of PL/SQL at that time either. However, I'm sure that most security-minded PL/SQL developers have tried to figure out how this or that wrapped code might work. You can come up with a lot even if you cannot fully unwrap it. You can get all the variables, external calls, etc. from the wrapped code just by looking at it.

PS: I just looked it up - I played around with the wrapper in Jan 2004. How fast time passes by!