PROTECTING ORACLE PL/SQL SOURCE CODE FROM A DBA USER

Mind Map by Stiven Villa, created over 5 years ago
1 ORACLE DATABASE SECURITY
1.1 Authentication Oracle allows for various types of authentication. Oracle-based authentication uses Oracle database accounts with user IDs and strong passwords, which are encrypted with a modified DES algorithm for each database connection. Oracle passwords are stored in an encrypted format in the data dictionary. Each session key is unique, which means the key is not re-used in any other session. Oracle also supports authentication based on the operating system's user accounts, which are then passed on to the Oracle RDBMS.
1.2 Profiles Oracle uses profiles to let the database administrator place specific restrictions, rules and controls on a number of system resources, on password usage and lifetime, and on various Oracle products. Profiles are named, defined, and then assigned to groups of users or to specific users. There are two types of profiles, as below.
1.2.1 System resource profiles: These profiles put per-user limits on certain system resources such as memory, CPU time, the number of data blocks that can be read per session, the number of concurrent active sessions, idle time, and the maximum connection time for a user. They can also define and enforce password rules such as account lockout after a number of failed login attempts, password lifetime, etc.
1.2.2 Product profiles: These prevent users from accessing specific commands, or all commands, in Oracle SQL, SQL*Plus, and PL/SQL. This option lets the administrator do such things as prevent user access to the operating system.
1.3 Privileges By default, the Oracle relational database management system gives no privileges to new users. New users must be granted privileges before they can connect to the database and execute any database operation; Oracle users cannot do anything unless they hold the specific privilege to do so. There are many privileges in Oracle that can be granted, around 100 in all. Two different types of privilege can be granted to a user: system privileges and object privileges.
1.4 Roles Roles simplify the management of assigning privileges to users. A role is first created and then granted the system and object privileges that should be assigned to users. Oracle database users can be given multiple roles even if they carry the same privileges. It is much easier to create groups of privileges organized into roles and then assign the role to one or more users.
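The profile, privilege and role mechanisms of sections 1.2 to 1.4, as an added example that is not part of the original mind map. The profile name, role name, user and the app_schema.billing_pkg object are placeholders chosen for illustration.

```sql
-- Added example (not from the original mind map). Names such as
-- app_dev_profile, plsql_developer, dev1 and app_schema.billing_pkg are placeholders.

-- Resource limits in a profile are only enforced when RESOURCE_LIMIT is TRUE.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

-- One profile carries both the system resource limits and the password rules.
CREATE PROFILE app_dev_profile LIMIT
  SESSIONS_PER_USER          2        -- concurrent active sessions per user
  CPU_PER_SESSION            60000    -- hundredths of a second of CPU time
  LOGICAL_READS_PER_SESSION  100000   -- data blocks read per session
  IDLE_TIME                  30       -- minutes of inactivity before disconnect
  CONNECT_TIME               480      -- minutes, maximum connection time
  FAILED_LOGIN_ATTEMPTS      5        -- lock the account after 5 failures
  PASSWORD_LOCK_TIME         1        -- days the account stays locked
  PASSWORD_LIFE_TIME         90       -- days before the password expires
  PASSWORD_GRACE_TIME        7        -- days of warnings after expiry
  PASSWORD_REUSE_TIME        365      -- days before an old password may return
  PASSWORD_REUSE_MAX         10;      -- password changes before reuse is allowed

-- A role bundles the privileges; users receive the role, not the privileges.
CREATE ROLE plsql_developer;
GRANT CREATE SESSION, CREATE PROCEDURE TO plsql_developer;      -- system privileges
GRANT EXECUTE ON app_schema.billing_pkg TO plsql_developer;     -- object privilege

-- A new user holds nothing by default (section 1.3): attach profile and role.
-- The password below is a placeholder to be replaced at creation time.
CREATE USER dev1 IDENTIFIED BY "Placeholder_Pw_1" PROFILE app_dev_profile;
GRANT plsql_developer TO dev1;
ALTER USER dev1 DEFAULT ROLE plsql_developer;

-- Verify what is actually enforced from the data dictionary.
SELECT resource_name, limit FROM dba_profiles WHERE profile = 'APP_DEV_PROFILE';
SELECT grantee, privilege FROM dba_sys_privs WHERE grantee = 'PLSQL_DEVELOPER';
SELECT grantee, table_name, privilege FROM dba_tab_privs WHERE grantee = 'PLSQL_DEVELOPER';
```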
1.5 Protecting Data Integrity The Oracle relational database management system provides several features to ensure data integrity in cases such as system failure, human error, or attacks. These features include redo log files, rollback segments, and LogMiner. All data changes are recorded in at least two redo log files maintained by Oracle. In the event of a system failure or data corruption, the last good backup and the redo log should be restored to bring the system back to the state it was in before the corruption or data loss.
2 PL/SQL SOURCE CODE BLOCKS AND WRAPPING PROCESS PL/SQL stands for Procedural Language/SQL. PL/SQL extends SQL by adding constructs found in procedural languages, resulting in a structured language that is more powerful than SQL. Typical uses include data validation (integrated into the database) and access control mechanisms. Furthermore, stored PL/SQL units can consolidate and centralize logic that was originally implemented in applications.
2.1 Overhead: Because stored PL/SQL units reside directly in the database, they may remove all or part of the compilation overhead that is typically required when software applications send inline SQL statements to a database.
2.2 Avoidance of network traffic: A major advantage of stored PL/SQL objects is that they run directly within the database engine. In a production system, this typically means that the procedures run entirely on a specialized database server, which has direct access to the data being accessed.
2.3 Wrapping Process Wrapping is the process of hiding PL/SQL source code. Wrapping helps developers protect their source code from any user who could benefit from it or misuse it. Wrapping a package obfuscates the code, that is, makes it unreadable to programmers, so that the code cannot be readily stolen or searched by attackers for weaknesses to exploit, thus protecting the intellectual property of the programming company.
2.3.1 Wrap utility: The wrap utility is an external command-line application that processes an input SQL file containing various statements and wraps the PL/SQL units in it, such as a function, procedure, package, type specification, or type body.
2.3.2 DBMS_DDL subprograms: The DBMS_DDL package contains procedures for wrapping a single PL/SQL unit at a time, such as a function, procedure, package, type specification, or type body.
2.4 Limitations of Wrapping Wrapping is not recommended for hiding passwords or table names because it is not a secure method. Wrapping does not hide the source code of database triggers; to prevent users from examining how a trigger works, write a one-line trigger that invokes a wrapped subprogram. Wrapping does not detect syntax or semantic errors. Wrapped PL/SQL units are not downward-compatible between Oracle Database releases; they are only upward-compatible.
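Wrapping a unit from inside the database with DBMS_DDL (section 2.3.2) and keeping a trigger to a single call into the wrapped unit (section 2.4), as an added example that is not part of the original mind map. The procedure, table and trigger names are placeholders; the comment shows the equivalent command-line wrap utility invocation (section 2.3.1).

```sql
-- Added example (not from the original mind map). audit_salary_change,
-- salary_audit, employees and emp_salary_audit_trg are placeholder names.
--
-- Same result with the external utility (section 2.3.1), typed at the OS shell:
--   wrap iname=audit_pkg.sql oname=audit_pkg.plb
--   sqlplus app_schema @audit_pkg.plb

-- 1. Wrap a single PL/SQL unit from inside the database. The text handed to
--    CREATE_WRAPPED must itself start with CREATE [OR REPLACE].
DECLARE
  l_src VARCHAR2(32767) :=
    'CREATE OR REPLACE PROCEDURE audit_salary_change(' || CHR(10) ||
    '  p_emp_id NUMBER, p_old NUMBER, p_new NUMBER) IS' || CHR(10) ||
    'BEGIN' || CHR(10) ||
    '  INSERT INTO salary_audit(emp_id, old_sal, new_sal, changed_by, changed_at)' || CHR(10) ||
    '  VALUES (p_emp_id, p_old, p_new,' || CHR(10) ||
    '          SYS_CONTEXT(''USERENV'', ''SESSION_USER''), SYSTIMESTAMP);' || CHR(10) ||
    'END;';
BEGIN
  -- Compiles the obfuscated form; the clear text is never stored in the
  -- dictionary. DBMS_DDL.WRAP(l_src) would instead return the wrapped text.
  DBMS_DDL.CREATE_WRAPPED(l_src);
END;
/

-- 2. Triggers are never wrapped (section 2.4), so the trigger body is one call
--    and all the logic lives in the wrapped procedure.
CREATE OR REPLACE TRIGGER emp_salary_audit_trg
  AFTER UPDATE OF salary ON employees
  FOR EACH ROW
BEGIN
  audit_salary_change(:NEW.emp_id, :OLD.salary, :NEW.salary);
END;
/

-- 3. Check: the procedure source reads "... wrapped", the trigger shows only the call.
SELECT text FROM user_source WHERE name = 'AUDIT_SALARY_CHANGE' ORDER BY line;
SELECT trigger_body FROM user_triggers WHERE trigger_name = 'EMP_SALARY_AUDIT_TRG';
```

Note that USER_DEPENDENCIES still lists SALARY_AUDIT as a referenced object of the wrapped procedure, which is the section 2.4 point: wrapping hides logic, not table names or secrets.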
2.5 Unwrapping Process In older versions of Oracle the original source code of a PL/SQL package can be deduced quite easily from the wrapped code. For Oracle 10g and 11i, Finnigan claims that unwrapping is almost the same as for 9i, though somewhat more difficult now because a new wrap mechanism is used: the symbol table is no longer visible and the wrapped code uses base64 encoding.
2.6 PROTECTING PL/SQL OBJECTS BY DISABLING DML/DDL STATEMENTS TO ANY USER To protect PL/SQL objects it is necessary to disable DDL statements such as CREATE and REPLACE, and some DML statements aimed at the static data dictionary views. To prevent execution of any DML/DDL statement on a given object we must monitor every user session and analyze every SQL statement before it executes. We developed scripts that prevent unauthorized users from executing DML/DDL statements on any database object.
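One way to implement the per-statement check that section 2.6 describes, as an added example and not the scripts the mind map refers to: a DATABASE-level DDL trigger that refuses CREATE, ALTER or DROP of PL/SQL units in a protected schema unless the session user is on an allow list, and logs the refused attempt. APP_SCHEMA, PLSQL_RELEASE and the two helper tables are placeholders.

```sql
-- Added example (not the scripts referred to in section 2.6). APP_SCHEMA,
-- PLSQL_RELEASE, code_release_users and ddl_block_log are placeholder names.

CREATE TABLE code_release_users (username VARCHAR2(128) PRIMARY KEY);
INSERT INTO code_release_users VALUES ('PLSQL_RELEASE');   -- the only allowed account
COMMIT;

CREATE TABLE ddl_block_log (
  event_time TIMESTAMP, username VARCHAR2(128), os_user VARCHAR2(128),
  sysevent VARCHAR2(30), obj_owner VARCHAR2(128), obj_name VARCHAR2(128));

CREATE OR REPLACE TRIGGER protect_plsql_units_trg
  BEFORE CREATE OR ALTER OR DROP ON DATABASE
DECLARE
  l_allowed PLS_INTEGER;
  -- Autonomous so the log row survives the rollback of the refused DDL.
  PROCEDURE log_attempt IS
    PRAGMA AUTONOMOUS_TRANSACTION;
  BEGIN
    INSERT INTO ddl_block_log
    VALUES (SYSTIMESTAMP, ORA_LOGIN_USER, SYS_CONTEXT('USERENV', 'OS_USER'),
            ORA_SYSEVENT, ORA_DICT_OBJ_OWNER, ORA_DICT_OBJ_NAME);
    COMMIT;
  END;
BEGIN
  -- Only PL/SQL units owned by the protected schema are covered; other DDL passes.
  IF ORA_DICT_OBJ_OWNER = 'APP_SCHEMA'
     AND ORA_DICT_OBJ_TYPE IN ('PROCEDURE', 'FUNCTION', 'PACKAGE',
                               'PACKAGE BODY', 'TYPE', 'TYPE BODY', 'TRIGGER')
  THEN
    SELECT COUNT(*) INTO l_allowed
      FROM code_release_users
     WHERE username = ORA_LOGIN_USER;

    IF l_allowed = 0 THEN
      log_attempt;
      -- Raising inside a BEFORE DDL trigger aborts the DDL statement itself.
      RAISE_APPLICATION_ERROR(-20001, ORA_SYSEVENT || ' on ' || ORA_DICT_OBJ_OWNER
        || '.' || ORA_DICT_OBJ_NAME || ' is not permitted for ' || ORA_LOGIN_USER);
    END IF;
  END IF;
END;
/
```

A DBA holding ALTER ANY TRIGGER, or a SYSDBA connection, can still disable this trigger, and reading the source through DBA_SOURCE is a separate access path; audit both rather than relying on the trigger alone.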
