Call: +44 (0)7759 277220 Call
Article

Welcome to PFCLObfuscate!

Welcome to the PFCLObfuscate website blog.

PFCLObfuscate is one of the software products designed and created by PeteFinnigan.com Limited. We specialise in securing databases and have for many years concentrated on the Oracle database. Indeed our founder Pete Finnigan is well known in the community and has written books on the subject of Oracle database security and also has helped many companies protect and secure database through teaching our training courses, performing security audits and recommending what should be fixed to make data secure and also by specialised consulting in the area of data security.

PFCLObfuscate came out of consulting projects that we undertook to secure the Intellectual Property Rights (IPR) of some clients PL/SQL based applications. We wrote some scripts to obfuscate PL/SQL code and SQL*Plus scripts and manually did consulting to help configure and set up the scripts to integrate with build processes. We also manually coded protections for tamperproofing, license type protections and also protections to prevent the PL/SQL code being run elsewhere if stolen from the source database. The core feature was obfuscating variable names, identifiers and to make the code hard to reverse engineer.

There is a cautionary note with any obfuscation in that it is not possible fully protect PL/SQL code in our case and code in general with obfuscation. The goal with obfuscation is to make it hard for an attacker to reverse engineer the PL/SQL source code or simply to slow him down; this should stop most people but a true reverse engineer will not be put off for ever; it really then comes down to how long he is willing to spend before he moves onto someone elses easier code.

The best options that we could offer were strong obfuscations and additions of tamperproofing and license type code and more but then to also wrap the resultant obfuscated PL/SQL code with Oracles Wrap.exe program. We used the 9iR2 wrap.exe program because it is harder to reverse this. The 10g and 11g wrap.exe output is too easy to reverse indeed there are even websites where you can paste your wrapped code in and have it unwrapped. The 9iR2 wrap.exe output is harder to reverse manually yourself BUT there are also 9iR2 unwrappers out there; not as easy to find and none where you simply cut and paste to a website (at least as far as I know!) So the final step to protect the code was to stop any known unwrapper from working so this is what we worked out how to do and did it.

So the resulting PL/SQL code that installs into the database and works in exactly the same way as the clear text original was protected with multiple layers;

  1. The original PL/SQL scource code was obfuscated to make it hard to reverse engineer and understand.
  2. Manual protections were added to the PL/SQL such as tamperproofing with PL/SQL code.
  3. The resultant code was wrapped with Oracles wrap.exe program.
  4. Finally we added wrap protections to the wrap output to stop unwrappers from being able to unwrap the code

This gives good strength and security to PL/SQL code. A potential thief of your IPR in PL/SQL in this scenario would read the wrapped code and not be able to glean any detail or structure. If the reverser/attacker were to obtain an unwrapper then they would first need to defeat the upwrap protections added and then unwrap the code with their unwrapper and finally they would be presented with the obfuscated code which would need to be reversed.

That gives some background to our first consulting work with securing PL/SQL; what we did around a year ago was re-write the simple scripts in C using lex and yacc so that the tool became a proper parser. Just after doing that we picked up more consulting work so we used the new C / Lex / Yacc version along with some manual consuting for that project. We wrote up some samples for use of the tool and also a 40 page manual on how to use it. All went well. The C version is much more extendable and robust and includes a debug mode so that the scanning of source code can output lexical tokens instead of obfuscated source to aid setup. The C based tool also now included a set of inpput files to control keywords, reserved words, words to omit from obfuscation (public APIs) and also strings to omit and more. We also built in an instrumentation interface to allow support calls to be processed more easily; i.e. the user can run an obfuscation again and turn on trace to aid locating why something didnt work as planned. This version was sucecssfully used with two clients.

We also re-wrote the wrap protection program in C and this was used for one client.

Next came the plan to license the obfuscation tools and we decided to license the obfuscation tool PFCLObfuscation first for end users to buy; the WrapProtect tool will be available later in the year but contact us if you are interested we are happy to use it on consulting projects where we configure it ourselves at this stage.

PFCLObfuscate has been commercialised. The manual was re-written, we created a proper Windows MSI installer for it, added license protection and converted the main tool to use a configuration file for much easier setup and also have a support site for tickets and we have a road map for new features.

OK, thats a little of the history of how PFCLObfuscate came to be and how you will be able to now license PFCLObfuscate for your own use. I will be showing some of its features here soon.