
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Oracle TDE and Oracle ACE and Website

Firstly I was very pleased to announce that I have been made an Oracle ACE Pro again for the year to come. I just received the Oracle ACE tee shirt, polo shirt, jacket and of course the ACE Certificate. The Oracle ACE program is great and brings together a lot of enthusiasts for the technology. Of course I specialise in Oracle database security and everything related to that subject. From security auditing, audit trails, secure coding on PL/SQL, forensics of databases and all of the features and technologies that relate to securing data in an Oracle database covering such features from time to time as Database Vault, VPD, OLS, TDE, Masking, Encryption and much more.

You can always read about what I am looking at here in this blog and also on all of our social media channels on Twitter (X), Facebook, LinkedIn, YouTube, Instagram and Threads where we also bring Oracle security content.

I am also interested in PL/SQL and write in languages such as PL/SQL, vb.net, Lua, C and others to a lesser degree. I keep promising to publish my series on writing a language interpreter in PL/SQL for a simple language and I will publish it. We have been very busy of late with the new versions of our software so this series will come as soon as we get a gap in the schedule to edit the content and then post.

We have also been digressing lately with the website, dealing with broken links - we wrote a tool to find these and it's worked well; we find more broken links than some other software we tested. We have also started to prepare the website for HTTPS. I know it's still HTTP and some people message me from time to time to tell me this. The only reason to make the change really is because Google insists.

The site is not dynamic and we don't collect any data, personal or otherwise, so there is nothing to protect as such BUT we are working on the change. The site is large (depending on how you count what is a valid page/file we have between 6.5k and 10k pages). Some files, such as .sql files, are displayed as tools and examples but they are not web pages, hence the counting issue. We get around 200k visitors a month to the website and have around 42k connections/followers on social media so we need to be careful with any big changes.

Onto TDE; a week or so ago David posted a short article on LinkedIn extolling the virtues of TDE and why people should use it to protect data. The post didn't have a title as such but stated "I use storage encryption, do i still need to encrypt the database". This is a short article and the main point that I got was the fact that PCI-DSS states that storage encryption is not sufficient to protect the data, as the transparent nature of the storage encryption means that if an attacker gains access to the server then he/she can read the files and in particular the data files.

My comment was:

"
Hi David, Thanks for the short article. I agree TDE is useful but as you say "anyone who has access to the host can access data without logging onto the database" - The access is much narrower than this though. The access that would cause an issue is access to the datafiles and usually this is only the software owner - often called "oracle" or in the OINSTALL group. This access is usually limited as I say to the software owner so if you as an attacker have access to "oracle" then the problem is bigger. Then the attacker can simply do "sqlplus / as sysdba" and access all data transparently decrypted.

Similarly at the database level if the application grants access to the data that should be protected to public then any database user can access the data as it's transparently decrypted.

You need a more rounded solution; with database permissions, connect protections, OS level restrictions on access to "oracle" and more

You should also implement a comprehensive audit trail in the DB and OS on the data that should be protected
"

The same issue in effect applies to TDE as per storage encryption; this is Oracle's storage encryption and as such it transparently decrypts the data for viewing via any SQL interface. So if you have access to the server as Oracle then you can access the database as SYSDBA and read the data, as can any user who is able to access the application.

The key message for me is that this is a layer below/above? storage encryption and the attacker needs privileged access to exploit it unless the application is lax in permissions and allows everyone to see data.

As I said in my comment on David's article we need a layered approach to protect access to the OS and the database and also around data security itself and permissions and access designs.

Let's be clear: TDE is a good product and useful but it's a tool and as such must be combined in a complete design to protect the data at all levels.


#oracleace #sym_42 #ukougtag #ukoug #oracle #security #tde #encryption #datasecurity #databreach

What Should you do if your Oracle Database is Hacked or Breached?

It has been a while since my last blog post as we have been incredibly busy here with customers work, new versions of our products and from a personal point of view moving house.

I just got an email from the UKOUG that one of my talks has been accepted for the conference in the East Side Rooms in Birmingham in December. I will be speaking about what to do if your Oracle database is breached or more importantly what not to do. If you are hacked then how do you deal with it? How would you investigate the breach and how would you prove what the issues were that let the attackers in in the first place? If you would like to hear more then please come along to the UKOUG conference in Birmingham this December.

I have not forgotten about the blog series I talked about here a few times over the last months about how to write a language interpreter in PL/SQL and embed it into your PL/SQL applications. There is a new page on the website that links to articles written so far about writing a language interpreter or compiler for embedding in PL/SQL. There are links to the articles already published and a set of links to the new articles that will be published over the coming months.

Please have a look at the articles already written and watch out for the new ones coming soon.

We have also been working on the new version of our products that can be used to help customers secure data in their Oracle databases. The product suite has had so far around 3,500 updates and changes to it. This includes over 730 new database security checks and around 300 new PL/SQL secure code checks. We will be releasing version 4 very soon to existing customers. Ask us to demo any of our products to you; we will be very happy to do that over webex. We have PFCLScan that can be used to perform a security audit of an Oracle database; we have PFCLCode that can be used to audit PL/SQL code for security issues including things like SQL Injection; we have PFCLObfuscate that can be used to protect your PL/SQL code by obfuscating it to remove meaning and understanding and also to allow licensing to be added to your PL/SQL; we also have PFCLForensics that can be used to help manage a breach and also to help collect data and investigate how the database was breached; we also have PFCLCookie that can be used to audit a website for cookies to help with GDPR.

All of our products are built on the core product PFCLScan to use its core features and processing. If you are interested in any of these products then send me a message and I will be happy to arrange a live demo online for you.

To illustrate the power of the core engines and functionality to be able to do anything at all that could be run from a command prompt, on Unix or in SQL then we also developed some simple tools that are currently run as plugins in the main PFCLScan product. The first of these is a website broken link checker that scans a website and finds broken links and where these links are located. We have used commercial link checkers and some free ones in the past; this finds more broken links.

We are also working on our own website SEO and trying to improve traffic and positioning in Google. More on this soon

#oracleace #ukoug #sym_42 #oracle #database #security #data #breach #hacked #hacking #forensics #liveresponse #breachresponse #seo #brokenlinks

Would you Pay to Speak at a Conference?

I was approached by a lady on LinkedIn a few weeks ago to ask me if I would speak at a conference in another country. I said that I was interested and asked for more details and importantly do they cover the travel, hotel etc. They came back to me after a couple of weeks and said that they would offer me a discounted entry to the conference and they would not cover any expenses for travel, hotel, etc.

Of course I politely declined to attend at this point. They said they are a commercial company and have to watch the bottom line BUT I am also a commercial company. Why would I pay for flights, hotel, transfers, food AND pay to enter their conference so that I could speak?

Is this normal? It's the first time this has happened to me. Normally I will speak for free at conferences in the UK and drive there; it's worth it in the UK, my potential business audience is here. I have spoken many times in other countries; most European countries and as far as Singapore and Dubai but always the organiser would cover the travel and accommodation and not ask me to pay an attendance fee. Some paid me a fee to speak.

If I was organising a conference then I would want the best speakers and pay their costs as it would make my event better and attract more people to attend.

#oracleace #sym_42 #oracle #database #security #speaking #conference

Passwords in Scripts and Environment Variables

There was a post a few days ago on LinkedIn by Johannes Michler about easily passing passwords to adop via a shell script when patching E-Business Suite. This script sets the password for the E-Business Suite APPS user, SYSTEM and a weblogic password by creating three environment variables that are then used to log in using the passwords in these variables.

It is a short article and part 1 of a longer series but it prompted me to write some comments on it that you can see in LinkedIn. Having written those comments I think it's worthwhile discussing the solution to the problem that Johannes was trying to solve as it's a more generic problem than just his specific case.

Over 20 years of performing security audits of Oracle databases and often where the database supports Oracle E-Business Suite I see the remnants of the solutions. I always in every audit find passwords for databases and sometimes other systems and applications on the server hosting the database. Always!

I find passwords in SQL scripts, shell scripts, text files, . (dot) scripts and files, environment variables, output files, scripts to change passwords, passwords stored in database tables, sometimes encrypted with real encryption, sometimes with pseudo encryption and sometimes in clear text and many more places.

I have always found passwords for the database that are current and often passwords for other databases. I see often that if I am reviewing the main production database and its server that DBAs use the server as a sort of personal PC and we find scripts and evidence of connections to other main databases and their servers on the server I am reviewing.

I once found all the EBS database passwords in one script on a server. The interesting thing was that these passwords were strong (15 characters, good character set...) but they were all in a script in the root directory of the Unix server.

My case is more generic, as there is clear evidence that Johannes' example and case is more defined and maybe OK. In general you should never put passwords in scripts or environment variables; these scripts will hang around and can be found by anyone like me and could be used to access the systems even when the person doing the finding does not have rights to access them.

In Johannes' case it's for a patch and the server is not in use during the patch so if adding passwords to a script is faster and easier than typing them in many many times during an installation then OK; BUT the script must be removed afterwards and not backed up. Ideally all of the passwords must be changed after the install/upgrade so that if the script is left behind the passwords in it no longer work.

Johannes also suggested the use of OCI vault to store the passwords. This is also OK BUT if you don't use OCI then it's more complex to use it just for this. If you do use OCI already then it's easier as you have the OCI already and it's set up already.

You can also use Oracle wallets and secure password store for local database passwords. You could also use directory based accounts or even SSL authentication in the database so there is no password, but not for other systems that do not support these.

Finding a password is easier than cracking a password. Clean up, never leave scripts lying around, and make sure any password that was temporarily in a script is changed straight afterwards. Using scripts and passwords where the system is temporarily restricted is fine BUT only if you clean up.
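A clean-up check for the advice above, added here as an example (it is not from the original post or from Johannes' article): it walks a directory after a patching run and reports lines that still carry a literal password, with the value redacted in the report. The file names, variable names and passwords in the sample are constructed, and the three patterns are assumptions that cover only the places this post names (connect strings, password-changing scripts and exported variables).

```python
import re
import tempfile
from pathlib import Path

# Each rule captures the literal secret in a group named "secret".
RULES = [
    # user/password[@alias] on a sqlplus or CONNECT line. "/ as sysdba" and
    # "/@alias" (wallet login) carry no password and do not match; $VAR and
    # &var references are skipped because the literal is stored elsewhere.
    ("connect-string", re.compile(
        r"(?i)\b(?:sqlplus|connect|conn)\s+(?:-\w+\s+)*\w+/(?![$&])"
        r"(?P<secret>\S+?)(?=@|\s|$)")),
    # ALTER/CREATE USER ... IDENTIFIED BY <password> in password-change scripts
    ("identified-by", re.compile(
        r'(?i)\bidentified\s+by\s+(?!values\b)(?P<secret>"[^"]+"|[^\s;]+)')),
    # SOMETHING_PASSWORD=literal in shell scripts and dot files
    ("password-variable", re.compile(
        r"(?i)\b\w*(?:password|passwd|pwd)\w*\s*=\s*(?![$\s])['\"]?"
        r"(?P<secret>[^\s'\"]+)")),
]


def scan_tree(root: Path) -> list[dict]:
    """Report every line under root that matches a rule, secret redacted."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            lines = path.read_text(errors="replace").splitlines()
        except OSError:
            continue  # unreadable file: skip it rather than abort the audit
        for lineno, line in enumerate(lines, start=1):
            for rule, pattern in RULES:
                m = pattern.search(line)
                if m:
                    redacted = (line[:m.start("secret")] + "****"
                                + line[m.end("secret"):])
                    findings.append({"file": path.name, "line": lineno,
                                     "rule": rule, "text": redacted.strip()})
    return findings


# Constructed sample files: two left-over scripts and one that is clean.
SAMPLE_FILES = {
    "adop_env.sh": (
        "#!/bin/sh\n"
        "# constructed sample: values exported for a patching run\n"
        "export APPS_PASSWORD='Constructed#Apps1'\n"
        "export SYSTEM_PASSWORD=Constructed#Sys1\n"
        "sqlplus -s apps/$APPS_PASSWORD@EBSDB @post.sql\n"
    ),
    "reset_pw.sql": (
        "-- constructed sample: reset script left behind\n"
        "connect system/Constructed#Sys1@EBSDB\n"
        'alter user apps identified by "Constructed#Apps2";\n'
    ),
    "safe.sh": (
        "#!/bin/sh\n"
        "sqlplus / as sysdba @check.sql\n"
        "sqlplus /@EBSDB_APPS @check.sql\n"
    ),
}


def demo() -> list[dict]:
    """Write the constructed files to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in SAMPLE_FILES.items():
            (root / name).write_text(body)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f'{f["file"]}:{f["line"]} [{f["rule"]}] {f["text"]}')
```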

#oracleace #sym_42 #oracle #database #oci #vault #passwords #securepasswords #wallet #cracking #scripts

Searching Base64 Encoded text for a clear text string

I had an issue to solve where I needed to find if some base64 encoded text included a clear text string which was of course encoded in the source data. I needed to search hundreds of XML files where some nodes were Base64 encoded but the rest of the file is clear text and XML nodes. Each of the hundreds of files can also contain 1 Base64 encoded section or hundreds.

I could try and decode all the base64 encoded nodes and then search for the clear text string I needed to find but this would be time consuming as there was no simple way to just Base64 decode the relevant parts of each file without writing a custom program to parse each file, find the Base64 bits, decode them and then check each string for the clear text.

The only realistic way is to search the Base64 encoded strings for a Base64 version of the clear text string. This is not as simple as it first sounds but is still reasonably simple. We need to know a little about how Base64 works.

The Base64 algorithm at a simple level takes blocks of 3 bytes (8 bits) and then splits the 3*8=24 bits into 4*6=24 bits. The 4 pieces of 6 bits are then each encoded via a lookup. This allows non-ascii data to be represented as ascii by using 6 bits for each piece and then looking up a printable character from the map. OK, there is more than this to Base64 but that is the high level of it for this discussion.

This means that the position of the encoded search string in the target Base64 encoded data matters. So, we cannot just Base64 the search string and search for it if the encoded data starts on a different byte than the search string. So if we search for the string "Hello" and we encode from "H" as character 1 in the sequence of processing every 3 characters but the "H" appears at a character 2 position in the original to be searched text then it will not find it.

So, if we want to find a clear string in a Base64 encoded text then we need to Base64 encode the search 3 times and use that for 3 searches of the original encoded string. If for instance we want to find the code "dbms_output.enable(1000000);" then we need three encoded strings:

1231231231231231231231231231
dbms_output.enable(1000000);

1) dbms_output.enable(1000000)   ZGJtc19vdXRwdXQuZW5hYmxlKDEwMDAwMDAp
2)  bms_output.enable(1000000);  Ym1zX291dHB1dC5lbmFibGUoMTAwMDAwMCk7
3)   ms_output.enable(1000000    bXNfb3V0cHV0LmVuYWJsZSgxMDAwMDAw

The complete string is shown at the top as well as 123, 123 for character positions. The encoded version in the Base64 version we are searching could start on character 1 or character 2 or character 3. We therefore need 3 search strings Base64 encoded that are the maximum multiple of 3 characters we can get out of the original string. You can see the 3 examples we have chosen and their Base64 versions. Interestingly you might question why we have "MDA" more than once or "MTA"; if you look at the original string this is easy to spot why...

Now we can use a simple search tool to search the original files and locate all of the instances of the string we would like to find.
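The three-offset search described above, as an added example (not code from the original post): it builds the three search strings, finds them in Base64 runs inside a constructed XML sample, and goes one step further than a plain grep by joining line-wrapped Base64, accepting a match only on a 4-character boundary, and decoding just the runs that hit to confirm the full string. The function names and the sample XML are assumptions; the run detection assumes each encoded value starts at the beginning of its node text.

```python
import base64
import binascii
import re

# A run of Base64 characters, allowing the encoder's line wrapping inside it.
B64_RUN = re.compile(r"[A-Za-z0-9+/]+(?:\s+[A-Za-z0-9+/]+)*={0,2}")


def search_variants(needle: bytes) -> list[bytes]:
    """Encode the needle at the three possible byte alignments.

    Variant k drops the first k bytes and trims the tail to a multiple of
    three, so every encoded character depends only on bytes of the needle.
    """
    if len(needle) < 5:
        raise ValueError("needle must be at least 5 bytes")
    variants = []
    for skip in range(3):
        chunk = needle[skip:]
        chunk = chunk[: len(chunk) - len(chunk) % 3]
        variants.append(base64.b64encode(chunk))
    return variants


def decode_run(run: str) -> bytes:
    """Decode a run with its padding normalised; b'' if it is not Base64."""
    body = run.rstrip("=")
    try:
        return base64.b64decode(body + "=" * (-len(body) % 4))
    except binascii.Error:
        return b""


def scan(text: str, needle: bytes) -> list[dict]:
    """Prefilter each Base64 run with the variants, then confirm by decoding."""
    variants = [v.decode("ascii") for v in search_variants(needle)]
    hits = []
    for m in B64_RUN.finditer(text):
        run = re.sub(r"\s+", "", m.group())  # undo line wrapping
        for skip, variant in enumerate(variants):
            pos = run.find(variant)
            while pos != -1:
                if pos % 4 == 0:  # encoded groups start every 4 characters
                    hits.append({"offset": m.start(), "skip": skip,
                                 "confirmed": needle in decode_run(run)})
                pos = run.find(variant, pos + 1)
    return hits


def wrapped_b64(data: bytes, width: int = 20) -> str:
    """Base64 encode and wrap the output, as many XML writers do."""
    enc = base64.b64encode(data).decode("ascii")
    return "\n".join(enc[i:i + width] for i in range(0, len(enc), width))


NEEDLE = b"dbms_output.enable(1000000);"

# Constructed sample: the needle at each alignment, a near miss, and a miss.
SAMPLE_BODIES = [
    b"begin dbms_output.enable(1000000); end;",    # starts at byte 6
    b"  begin dbms_output.enable(1000000); end;",  # starts at byte 8
    b" begin dbms_output.enable(1000000); end;",   # starts at byte 7
    b"begin dbms_output.enable(1000000) ; end;",   # variant 1 only
    b"begin null; end;",
]
SAMPLE_XML = "<jobs>\n" + "".join(
    f"  <job id='{n}'><code>\n{wrapped_b64(body)}\n</code></job>\n"
    for n, body in enumerate(SAMPLE_BODIES, 1)) + "</jobs>\n"


if __name__ == "__main__":
    for v in search_variants(NEEDLE):
        print(v.decode("ascii"))
    for hit in scan(SAMPLE_XML, NEEDLE):
        print(hit)
```

The fourth sample shows why the confirmation step matters: the trimmed search string matches, but the decoded text does not contain the complete string.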

Why are we interested in this?

What has this got to do with Oracle Security?

Well, I am doing it because I was asked to BUT there is a clear security angle and even an Oracle Security angle. Often an attacker of an application using or hosting an Oracle database might use Base64 or other techniques to hide or change their attack strings for SQL Injection or other attacks. Sites often use security tools such as Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) or.... The aim of the attacker is to trick these security systems and try and get past the rules and Base64 is a classic method to change the attack.

If you have logs for your database and application, check for any Base64 encoded strings passed to the websites and check out what is in them, for instance search for common SQL Injection attacks. It can be useful to simply grep the Base64 data for known strings, as in the example here, rather than extracting potential Base64 and decoding it and then looking for strings.

#oracleace #sym_42 #oracle #database #security #base64 #sqlinjection #hacking #ids #ips #intrusion #detection

Write An Interpreter in PL/SQL - Adding More Features

Just a short post about the PL/SQL parser and interpreter that I have been developing.

As I have said in recent posts I am going to release a set of articles about the development of this interpreter in PL/SQL. I have over 120 pages of written notes and examples so far. As I said in the last post I will decide how to release these, either as about 15 - 25 blog posts or as articles indexed on my site; so not in the actual blog software but essentially the same; I may also release all of the notes as a short e-book on this website; not sure yet.

Of course, there are still features to add to the language and also to the interpreter and also to decide whether to convert it and also implement a compiler for the language and assembler and a CPU VM...

I have extended the language now so that it also has IF/ELSE/FI and also LOOP/EXIT/POOL keywords; so whilst it can still support simple BASIC like syntax and GOTO and LABELs etc it is now easier to write programs without worrying about those GOTO and LABELs. The LABELs are now alpha as well so not :30 or :10 as in the previous examples. Also unlike BASIC we don't have a formal line structured program with a line number per line. We can also free form and indent the program structure as you will see in my examples.

I just wanted to show a quick couple of examples that test IF statements and also the LOOP and EXIT statements. Here is a sample that tests an IF statement and a second that tests an IF/ELSE statement and a simple LOOP including an EXIT keyword.

Here is the simple example:

declare
  lv_prog varchar2(32767):=q'[
LET m=20
LET x=1
LET y=1
IF x<m THEN
  PRINT "x This should print "
  PRINT "x---------------------"
FI
IF y>m THEN
  PRINT "y This should not print"
  PRINT "y----------------------"
FI
IF x<m THEN
  PRINT "x1 This should print"
  PRINT "x1---------------------"
ELSE
  PRINT "x2 This should not print"
  PRINT "x2---------------------"
FI
IF y>m THEN
  PRINT "y1 This should not print"
  PRINT "y1---------------------"
ELSE
  PRINT "y2 This should print"
  PRINT "y2---------------------"
FI
LET m=2
LET x=1
PRINT "Start of tests"
PRINT "=================="
LOOP
  PRINT "x is [";x;"]"
  IF x>m THEN
    EXIT
  FI
  LET x=x+1
POOL
PRINT "End of Tests"
END
]';
begin
  --
  pfclscript.init(true,1);
  pfclscript.run(lv_prog);
  --
end;
/

And running this gives:

SQL> @interp
x This should print
x---------------------
x1 This should print
x1---------------------
y2 This should print
y2---------------------
Start of tests
==================
x is [1]
x is [2]
x is [3]
End of Tests

PFCLScript Execution Time (Seconds) : +000000 00:00:05.265551000
SQL>

This is a simple example of our language being interpreted and executed in PL/SQL. It is not blindingly fast as it took just over 5 seconds but that is fine; we have ways in the future we can speed this up by reducing the size of the script and also potentially reducing the size of the PL/SQL. We can work on performance of the interpreter after we are happy with its functionality.

Here is a second simple example in the script language that implements a nested loop in our language to print out a grid of numbers:

declare
  lv_prog varchar2(32767):=q'[
LET m=2
LET x=1
PRINT "Start of tests"
PRINT "=================="
LOOP
  LET y=1
  LOOP
    PRINT "x, y is [";x;",";y;"]"
    IF y>m THEN
      EXIT
    FI
    LET y=y+1
  POOL
  IF x>m THEN
    EXIT
  FI
  LET x=x+1
POOL
PRINT "=================="
PRINT "End of Tests"
END
]';
begin
  --
  pfclscript.init(true,1);
  pfclscript.run(lv_prog);
  --
end;
/

Running this example shows:

SQL> @interp
Start of tests
==================
x, y is [1,1]
x, y is [1,2]
x, y is [1,3]
x, y is [2,1]
x, y is [2,2]
x, y is [2,3]
x, y is [3,1]
x, y is [3,2]
x, y is [3,3]
==================
End of Tests

PFCLScript Execution Time (Seconds) : +000000 00:00:11.041386000
SQL>

Whilst this is a shorter example than the first, it is slower at 11 seconds execution time as it is more complex, but it shows some great features of the language with a loop nested in another loop and two uses of IF/EXIT/FI to escape the loops. The PRINT statement with its dynamic parameter list is powerful where we can mix variable values and strings. This is similar in function but not syntax to the C language ... and things like printf().

The interpreter is around 850 lines of PL/SQL that implements some reasonable features of a programming language. I now call it PFCLScript rather than a simple version of BASIC; we can still write BASIC like code but now much better code.

I hope to get some speaking slots at conferences later this year and be able to demonstrate and show the design around this code.

#oracleace #sym_42 #oracle #plsql #secure #code #securecode #interpreter #vm #cpu #compiler #parser

Can We Remove IF Statements from PL/SQL?

I like PL/SQL and I am always playing around with it or writing tools for use in security audits in PL/SQL or trying to do things that are not normal with PL/SQL such as writing an interpreter. One thing I found in some testing of PL/SQL recently is that the shorter the PL/SQL the faster it is parsed and compiled. This is common sense really; it should take 'x' seconds to compile a PL/SQL of 'y' length but if the length is 20% shorter it stands to reason it should parse and compile faster, because it's shorter. Less code to read in and process, parse, less DIANA, less AST, less P-Code.

I was also thinking about the C language ternary operator where there is no IF statement but a short cut as follows:

(x==y)?"true":"false";

This is a single line IF/ELSE; without the IF/ELSE keywords. The condition is tested and if true the first part after the "?" is returned as the result of the statement or if the condition is false then the part after the ":"

Can we do something similar in PL/SQL? There is no ternary operator in PL/SQL BUT we can, as it happens, use the condition in places other than an IF statement. So if I have a simple function to test if a character is ALPHA, i.e. a-z or A-Z, then it looks like this:

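function IsAlpha(pv_c in varchar2) return boolean is
  lv_ret boolean;
begin
  -- TRUE when the first character of pv_c is A-Z (65-90) or a-z (97-122)
  if(((ascii(pv_c)>=65) and (ascii(pv_c)<=90))
    or ((ascii(pv_c)>=97) and (ascii(pv_c)<=122))) then
    lv_ret:=true;
  else
    lv_ret:=false;
  end if;
  return(lv_ret);
exception
  when others then
    dbms_output.put_line('Error');
    -- a function must return a value on every path (ORA-06503 otherwise)
    return(false);
end;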

As you can see the simple function uses the ascii function to test the passed in character and then return TRUE or FALSE. I realised that we do not need the IF/ELSE/END IF as we can simply put the test condition in the return() directly and the function will then return TRUE or FALSE:

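function IsAlpha2(pv_c in varchar2) return boolean is
begin
  -- the condition itself is the return value; note that for a NULL pv_c the
  -- condition is NULL, so this returns NULL where IsAlpha returns FALSE
  return(((ascii(pv_c)>=65) and (ascii(pv_c)<=90))
    or ((ascii(pv_c)>=97) and (ascii(pv_c)<=122)));
exception
  when others then
    dbms_output.put_line('Error');
    -- a function must return a value on every path (ORA-06503 otherwise)
    return(false);
end;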

This is now a much shorter version of the function producing the same result BUT without the IF/ELSE/END IF now. Great, we reduced the code, increased complexity slightly but made the code succinct.

Obviously we cannot do this change everywhere in all PL/SQL code. It works because the IF/ELSE/END IF returns just true or false. But it will also work not just in return but also in other places that take a condition.

The whole thing is here to prove it works:

set serveroutput on

declare
  lv_ret boolean;
  --
  -- IF/ELSE/END IF version
  function IsAlpha(pv_c in varchar2) return boolean is
    lv_ret boolean;
  begin
    if(((ascii(pv_c)>=65) and (ascii(pv_c)<=90))
      or ((ascii(pv_c)>=97) and (ascii(pv_c)<=122))) then
      lv_ret:=true;
    else
      lv_ret:=false;
    end if;
    return(lv_ret);
  exception
    when others then
      dbms_output.put_line('Error');
      -- a function must return a value on every path (ORA-06503 otherwise)
      return(false);
  end;
  --
  -- condition returned directly; returns NULL (not FALSE) for a NULL pv_c
  function IsAlpha2(pv_c in varchar2) return boolean is
  begin
    return(((ascii(pv_c)>=65) and (ascii(pv_c)<=90))
      or ((ascii(pv_c)>=97) and (ascii(pv_c)<=122)));
  exception
    when others then
      dbms_output.put_line('Error');
      return(false);
  end;
  --
begin
  -- print 1 for TRUE and 0 for FALSE for a letter and a digit with each version
  lv_ret:=IsAlpha('A');
  dbms_output.put_line(sys.diutil.bool_to_int(lv_ret));
  lv_ret:=IsAlpha('0');
  dbms_output.put_line(sys.diutil.bool_to_int(lv_ret));
  lv_ret:=IsAlpha2('A');
  dbms_output.put_line(sys.diutil.bool_to_int(lv_ret));
  lv_ret:=IsAlpha2('0');
  dbms_output.put_line(sys.diutil.bool_to_int(lv_ret));
end;
/

And running gives:

SQL> @if
1
0
1
0

PL/SQL procedure successfully completed.

SQL>

The use of diutil.bool_to_int() is just to show the result. In the original use of this function it was embedded in another call so the IF/ELSE/END IF is truly removed.

#oracleace #sym42 #plsql #securecode #oracle #security #extremeplsql #23ai #23c

Protect and Secure Your PL/SQL Code

Do you develop PL/SQL? Is your Oracle PL/SQL protected?

My name is Pete Finnigan and in the next few minutes I will show you how you can protect your PL/SQL investment from theft. We can:

  • Stop people stealing your ideas

  • Make sure you control your PL/SQL

  • Secure your PL/SQL code

  • Simple to use


Ask to Purchase a License or see a live demo first

Here is the Perfect Solution to Stop Theft of your PL/SQL



Did you know that if you do not protect your PL/SQL then anyone with access to the database where your code is deployed can steal it.

If you don't protect your PL/SQL before it is deployed then someone can read your code in clear text and understand it and rewrite it as their own. You think your application is fantastic and customers will buy it but if you don't protect it someone will take it for free and use it or access your source code and copy the ideas within it.

Which means that your code could be stolen and deployed to further databases and used without you receiving a penny in license fees that you should be due.

Luckily for you we have an easy to use solution that helps prevent anyone from learning how your PL/SQL application code works and understanding your ideas and prevents the theft of your code from a database where it is deployed. Our solution can also easily add protection to your application to prevent its use even if it's copied to another database.

  • Obfuscate and compact your PL/SQL code which means your customers cannot understand and steal your intellectual property

  • Detailed configuration and customization which means that you can set up and re-use the same rules on a different project

  • Control the obfuscation process which means you decide what is protected and what is not

  • Add simple date and time based licensing which means you control when your application runs in the customers system

  • Add run time controls automatically to your application which means you can activate and control which database it works in

  • Command line operation which means you can integrate PFCLObfuscate into your existing build cycle


Using PFCLObfuscate to protect your PL/SQL code


Using PFCLObfuscate is easy. After installing the product you can see that the software is highly configurable at the product level and also down to the individual source code level and anywhere in between.
PFCLObfuscate Settings

The above picture shows the main configuration settings for the tool. For each piece of PL/SQL at a schema level or even down to individual pieces of PL/SQL we can easily provide settings. All of the settings are stored at the schema level in files BUT we can also save the configuration per schema and open/close saved configs easily if we need separate settings at a file level or group of files within a schema. The image below shows some of the PFCLObfuscate settings that can be changed:
PFCLObfuscate Configuration for Strings

Once we have all the settings configured as we need we can connect to a database and choose a schema to download PL/SQL source code from:
PFCLObfuscate Connection

The next step is easy; simply click "refresh" from the file menu to get all the source code for the chosen schema. This is shown next:
PFCLObfuscate Refresh

When we have a list of PL/SQL packages, headers, procedures and functions then we can simply check the box next to each piece of PL/SQL that we want to obfuscate. This is shown next:
PFCLObfuscate Choose what to Obfuscate

We can display the original clear text as well as the obfuscated text:
PFCLObfuscate Show the source code

The product is much more though. We can easily inject code at any point we choose in the clear text PL/SQL. This means that it is easy to add license type protection to your PL/SQL. This means you can ship PL/SQL to customers for instance where it has a time limit - e.g. it works for 30 days and stops or we can inject locks into your PL/SQL so that you can for instance limit which database the protected code will work in. We can also use the same functionality to add better string obfuscation or indeed anything that you need. The main configuration screen is here:
PFCLObfuscate Function File

As you can see we use Lua files to inject code into your PL/SQL. These scripts write PL/SQL that is then automatically added to the obfuscate stream and is obfuscated with the rest of your code.

Not everything in your PL/SQL can be obfuscated. Imagine that you have calls to a specific package procedure such as schema.package.procedure(a,b). If we obfuscate the call then it cannot find it as the original package is not obfuscated. We have two options here; we can either omit this call from the obfuscation by adding it to the omit files OR we can also obfuscate everything else. We have some customers who also obfuscate all table definitions and triggers and more with PFCLObfuscate.

Don't forget we can also use the product completely from the command line and the whole process to protect all of your PL/SQL can be automated and be added into your build processes.

Detailed documentation is available and can be used as a reference when working with the product and we also have email based support where we will answer any questions.

Pete Finnigan is the designer of this software and he has more than 21 years real world experience helping customers secure data in Oracle databases. Pete is an Oracle ACE, a member of the OakTable and also a member of Symposium 42 and is a published author multiple times on the subject of securing data in Oracle databases.

License PFCLObfuscate to easily protect your own PL/SQL source code. A download of the software is built for you and is available as soon as payment is received. The Pro license is £1,095 GBP (+ Taxes if applicable) to install and use to protect all of your PL/SQL. To arrange a purchase Email Sales Now

Buy a Pro license in the next 30 days from this post date and get 25% off our one day live on-line "secure Coding in PL/SQL" class taught by Pete Finnigan. You can choose a date from our on-line course agenda. To arrange a purchase Email Sales Now

#oracleace #sym_42 #oracle #plsql #protection #obfuscation #license #protect #sourcecode #database