
PL/Sequre – PL/SQL Code Protection

PL/Sequre is a PL/SQL-based application designed to combat software theft of your own PL/SQL code. PL/Sequre essentially performs a PL/SQL obfuscation process on your source code. It does this by converting all user-defined identifiers into meaningless hashed strings, making the code almost impossible to understand and thereby providing code protection. PL/Sequre also has the added advantage of allowing license checking code to be hidden in your PL/SQL code, along with anti-tampering checksum code, ensuring no unauthorised use.

Software Theft

The very nature of PL/SQL means that by default the source code is there to be seen by anyone with access to the owning schema in the database. For in-house bespoke solutions, the lack of code protection may not pose so much of a threat, but for PL/SQL solutions developed for the commercial market, where there may be valuable intellectual property to protect, protecting the PL/SQL code against software theft is critical.

Limitations

Oracle’s own wrap.exe utility has been continuously cracked over several major releases, with a number of unwrap solutions openly on offer for download, exposing valuable intellectual property to software theft. Oracle does not seem to be improving this utility, with the 9i version considered the most secure, so it provides very little code protection.

PL/Sequre

PL/Sequre is a PL/SQL obfuscation utility developed in PL/SQL using the Oracle 12g R2 PL/Scope functionality. It acts as another layer of protection against software theft, and can be used independently or to complement the existing wrap.exe utility.

How it Works

It works by hashing user-defined identifiers in the raw PL/SQL source code. These include variables, constants, procedure and function names with their arguments, and internal types and their column names; all externally referenced object names are excluded. The resulting hashed names become totally meaningless, making it virtually impossible to understand the code. It can also handle dynamic SQL and obfuscate code within quoted strings, as long as the recommended approach has been adopted.
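
As an added illustration (not PL/Sequre's own code), the script below shows how Oracle's PL/Scope data separates identifiers declared inside a unit from external references, and derives a hashed replacement name for each declared one. The procedure `DEMO_CALC`, the `X_` prefix and the SHA-256 truncation are assumptions chosen for the example.

```sql
-- Constructed sample unit (hypothetical name DEMO_CALC).
-- PL/Scope must be enabled before the unit is compiled.
ALTER SESSION SET plscope_settings = 'IDENTIFIERS:ALL';

CREATE OR REPLACE PROCEDURE demo_calc (p_amount IN NUMBER) IS
  c_rate  CONSTANT NUMBER := 0.2;
  l_total NUMBER;
BEGIN
  l_total := p_amount * (1 + c_rate);
  DBMS_OUTPUT.PUT_LINE(l_total);  -- external reference: its name must be kept
END demo_calc;
/

-- Rename candidates: identifiers whose DECLARATION lies inside the unit.
-- NUMBER, DBMS_OUTPUT and PUT_LINE occur here only with REFERENCE or CALL
-- usage (they are declared elsewhere), so the filter excludes them.
-- The 'X_' prefix keeps the generated name a legal identifier (it must
-- start with a letter); 26 characters fits the pre-12.2 30-byte limit.
SELECT i.name,
       i.type,
       i.line,
       i.col,
       'X_' || SUBSTR(RAWTOHEX(STANDARD_HASH(i.signature, 'SHA256')), 1, 24)
         AS hashed_name
FROM   user_identifiers i
WHERE  i.object_name = 'DEMO_CALC'
AND    i.object_type = 'PROCEDURE'
AND    i.usage       = 'DECLARATION'
ORDER  BY i.line, i.col;

-- Every occurrence (line/col) of those same identifiers. SIGNATURE ties each
-- usage back to its declaration, so one mapping covers all positions that
-- would have to be rewritten consistently.
SELECT u.name, u.usage, u.line, u.col
FROM   user_identifiers u
WHERE  u.object_name = 'DEMO_CALC'
AND    u.signature IN (SELECT d.signature
                       FROM   user_identifiers d
                       WHERE  d.object_name = 'DEMO_CALC'
                       AND    d.usage       = 'DECLARATION')
ORDER  BY u.line, u.col;
```

Persisting the name-to-hash mapping in a table, as the feature list describes, is what lets several units that call each other be renamed consistently.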

Summary of Features

These are the main features to be found in PL/Sequre:

  • A simple PL/SQL package, run from SQL*Plus or any other SQL IDE such as TOAD or SQL Developer
  • Obfuscation of stored procedures/functions, packages, object types, and triggers
  • Requires virtually no pre-configuration to start obfuscating.
  • Option to leave package specifications un-obfuscated so the public API is still usable (will leave all public functions/procedures and their arguments referenced in the package body un-obfuscated).
  • Option to generate a non-obfuscated wrapper package over a package that has been totally obfuscated (both specification and body), so no identifiers are left un-obfuscated in the body.
  • Able to encrypt dynamic SQL with quoted text if using recommended techniques
  • Can embed anti-tampering functionality to prevent any unauthorised changes to crack licensing code.
  • Outputs to one of several formats, such as directly to the file system, to a CLOB, or directly compiled into the database.
  • Obfuscated identifier names persisted to a table for consistent use across a suite of PL/SQL objects or re-obfuscation of the same code.