I have no idea what your friend is saying. If I were you, I'd ask your friend to elaborate on exactly what he or she is trying to suggest.

Fundamentally, if you are going to deploy code written in any language to a server owned by an attacker, that attacker is going to be able to read and manipulate the code. No matter how encrypted and obfuscated the code, the attacker's computer has to be able to decrypt it in order to run it. If the attacker's computer can decrypt it, the attacker can decrypt it.

If you truly need to prevent people from viewing your code, the best approach would be to use an architecture that doesn't involve deploying your code to their servers. If you build a product that is accessed over the internet, the code would only exist on your servers so the attacker would have no access.

That said, Pete Finnigan (the Oracle security guru) has a tool PFCLObfuscate. If you're really interested in top-end protection, that combines code obfuscation with wrapping (using older versions of the wrap utility) which makes it harder for the attacker to circumvent.

Be aware, though, that even if code is wrapped and the attacker can't unwrap it, if the code is running on the attacker's machine, the attacker can freely do things like look at v$sql where all the SQL statements will be visible in clear text, the attacker can trace the code to see everything that it is touching, etc. Without unwrapping code, I've submitted bug reports to vendors that shipped wrapped code and been able to tell them that a particular package was executing a particular SQL statement that was behaving incorrectly/causing performance issues/etc.
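As an added example (not part of the original answer), a vendor can run the following on a test instance before shipping to see how much of a wrapped package's SQL remains readable in the shared pool, which is the exposure the answer describes. The schema APP_OWNER and package BILLING_PKG are placeholder names, and the session is assumed to have SELECT access to the dictionary and V$ views.

```sql
-- Placeholder names (assumptions): schema APP_OWNER, package BILLING_PKG.
-- Run after exercising the package so its statements are in the shared pool.

-- 1. Confirm the stored source really is wrapped: the header of a wrapped
--    unit carries the keyword "wrapped" instead of readable PL/SQL.
SELECT name,
       type,
       SUBSTR(text, 1, 60) AS header
FROM   dba_source
WHERE  owner = 'APP_OWNER'
AND    name  = 'BILLING_PKG'
AND    line  = 1;

-- 2. List the SQL the wrapped unit has executed. V$SQL.PROGRAM_ID is the
--    object id of the PL/SQL unit a statement was parsed from, so the join
--    attributes each clear-text statement to the package even though the
--    package source itself is unreadable.
SELECT o.object_type,
       s.program_line#,          -- line inside the wrapped unit
       s.executions,
       s.elapsed_time,           -- microseconds, cumulative
       s.sql_id,
       s.sql_text                -- first 1000 characters, in clear text
FROM   v$sql       s
JOIN   dba_objects o
       ON o.object_id = s.program_id
WHERE  o.owner       = 'APP_OWNER'
AND    o.object_name = 'BILLING_PKG'
ORDER  BY s.program_line#, s.sql_id;
```

Anything returned by the second query (table names, column names, predicates, embedded literals) should be treated as visible to whoever administers the database the code is deployed on, wrapped or not.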