Re: Obfuscated stored procedures (was Re: Oracle and Postgresql)

On Thu, 25 Sep 2008, Christophe wrote:

> it strikes me that a reasonable approach would be a non-core pluggable
> language which accepts encrypted strings as functions, decrypts them
> (using a key compiled into the language module), and passes them on to
> PL/pgSQL for execution...This would, of course, be easily hacked with
> someone who can step through the language module with a debugger

If we presume that the module doing the encryption/decryption is itself is
a common open-source implementation, all I have to do is read in the
de-obfuscator code byte at a time, stopping every time I have a key length
worth of bytes to see if they unlock something that looks like plaintext.
You have to move to at least another layer of relatively serious security
before you need debugger-level skills to crack it.

People routinely tear through protection like this even on closed-source
systems that benefit some from security by obscurity, and if you can know
the method used that usually allows an even easier approach.

--
* Greg Smith gsmith@gregsmith.com http://www.gregsmith.com Baltimore, MD