08 Aug Intellectual Property Risk and Unwrapping Oracle PL/SQL

Reading this week’s eWEEK coverage of the BlackHat conference, one topic Unwrapping Oracle PL/SQL, given by Pete Finnigan stood out for me. I’ll quote directly from the session abstract:
PL/SQL is the flagship language used inside the Oracle database for many years and through many versions to allow customers to implement their business rules and logic. Oracle has recognized that it is necessary for customers to protect their intellectual property coded in PL/SQL and has provided the wrap program. The wrapping mechanism has been cracked some years ago and there are unwrapping tools in the black hat community. Oracle has beefed up the wrapping mechanism in Oracle 10g to in part counter this.
The past six months has seen significant activity in both the ADO.NET vNext space and also in JDBC 4.0, which are respectively evolving quickly and moving towards a final specification. In particular, ADO.NET vNext and LINQ for Entities has done much to recgonize the level of investment thats exists in today’s databases, and putting significant effort into making easier for applications to evolve outside the confines of database schema.
This highlights a possible security consideration that future applications will need to take account – not only will the business rules and logic intellectual property exist on the database, but considering the well intentioned goals of the ADO.NET vNext entity layer, how should applications best protect their IP ? Now that it may co-exist both at the application level and the database, evolving out of step of the underlying database, this presents a new set of risks. The Java community has enjoyed a stable entity model for sometime, however to my knowledge this not a topic that has been discussed wildly in the Java community. Perhaps there are lessons we can look to there, however I would be interested to hear anyone’s experiences in this area…
Update: Pete Finnigcan slides from Black Hat 2006 have just been posted here.

Post Tagged with

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>