Tuesday 6 October 2009

On wrapping & obfuscating PL/SQL

The Oracle database provides the ability to obfuscate PL/SQL code using the wrap utility.

Many moons ago when I was working on a 9i database, I encountered an issue where my information wasn't completely obfuscated. I had a package that was performing some encryption, and I wanted to ensure the seed to my encryption method was hidden. Take the following example:
create or replace procedure seeder is
  vc varchar2(20) := 'This string';
begin
  null;
end;
/
On line 2 I declare a string. I would expect this information to be wrapped, just like the rest of my code, however when I assessed the wrapped version of the PL/SQL after using the following command:
wrap iname=c:\seeder.sql oname=c:\seeder.plb
I found that I could still see my string definition amongst the code (this is a partial copy from the resulting output):
...
2 :e:
1SEEDER:
1VC:
1VARCHAR2:
120:
1This string:
0
...
This wasn't acceptable, so my solution was to declare variables that contained one character strings and concatenated these to form my seed. In hindsight, perhaps I also may have used CHR() to formulate a string.

Recently on discussing this topic I wondered if the current version of the database had the same issue. I tried on 10gR2 using a combination of supplied PL/SQL packages.
exec  DBMS_DDL.CREATE_WRAPPED(dbms_metadata.get_ddl(object_type => 'PROCEDURE', name => 'SEEDER'));
And the resulting code had a different feel about it:
SAGE@sw10g> select dbms_metadata.get_ddl('PROCEDURE' ,'SEEDER') from dual;

DBMS_METADATA.GET_DDL('PROCEDURE','SEEDER')
--------------------------------------------------------------------------------

  CREATE OR REPLACE PROCEDURE "SAGE"."SEEDER" wrapped
a000000
b2
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
7
4f 92
t5QJKAdccmuGzbpujO65PNpHmLQwg5nnm7+fMr2ywFxpnp8yMlKyCQmldIsJaefHK+fHdMAz
uHRlJXxlUMNLwlxpKPqFVisW0T6XRwzqxIvAwDL+0h3l0pmBCC2LwIHHLYsJcKamqIi2Mg==

1 row selected.
So it seems that the algorithm has improved and being able to "see" strings in the wrapped code is no longer a problem.

Once again another demonstration of how "known knowns" can change over time, and you must always test behaviour on your version; your infrastructure.

3 comments:

Alex Nuijten said...

define "no longer a problem": http://technology.amis.nl/blog/4753/unwrapping-10g-wrapped-plsql

Scott Wesley said...

That's very interesting. I recall when reading Pete Finnigan's presentation you required access to SYS, but here a typical developer can do it.

Perhaps this will need to go in the bucket "security through obscurity".

And even the Oracle passwords are being drilled:
http://www.petefinnigan.com/weblog/archives/00001269.htm

brunner.florian said...

I found your blog entry and hoped to find a solution regarding the obfuscation without the wrap utility... because I also found this online unwrapper... nice tool btw.

http://hz.codecheck.ch/UnwrapIt/Unwrapped.jsp