Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Oracle's summer update fixes 65 flaws"] [Next entry: "Oracle Password Repository"]

Blackhat Las Vegas 2006 and unwrapping PL/SQL

The two elements of the title of this post are related. I am speaking at the Blackhat USA conference 2006 in Las Vegas next week (August 1st to August 3rd) about how to unwrap PL/SQL. The schedule gives details of all the papers and there are some good ones this year. David Litchfield as usual does not announce in advance what he is speaking about, Alex is talking about 2nd generation root kits for Oracle databases and there are couple more database talks, SQL Injection by truncation and also a talk about how to audit without killing the system. There are lots of other great security papers that are non - Oracle related.

My presentation is all about how PL/SQL is wrapped in 9i and lower and how the wrap mechanism works internally and also about the features and programs shipped by Oracle to allow reading of wrapped code. I will also present a simple proof of concept unwrapper - written of course in PL/SQL. I am also showing that Oracle always knew that PL/SQL could be unwrapped. The 10g mechanisn is also discussed along with some ideas on how to protect your source code. A little more detail is shown in the summary on the blackhat site.