Of course, everyone knows about “unwrappers” and I guess many of you even tried to make an unwrapper of your own (I also tried to make one after Pete Finnigan’s presentation:). But nevertheless its funny that Oracle in its documentation for 11.2 “loudly” states that unwrap does not protect anything from viewing, and even gives a direct link to the online unwrapper
Wrapping text does not prevent anyone from displaying it with a utility such as:
For high-assurance security, use Oracle Database Vault, described in Oracle Database Vault Administrator’s Guide.
Here is a comparison of unwrap capabilities in documentations for different versions:
- In 9.2 everything is safely hidden, except for literals, names of variables, tables and columns:
String literals, number literals, and names of variables, tables, and columns remain in plain text within the wrapped file. Wrapping a procedure helps to hide the algorithm and prevent reverse-engineering, but it is not a way to hide passwords or table names that you want to be secret.
- In 10.2 the data is hidden only from “most users”, but at least it makes reverse-engineering difficult!
Although wrapping a compilation unit helps to hide the algorithm and makes reverse-engineering difficult, Oracle Corporation does not recommend it as a secure method for hiding passwords or table names. Obfuscating a PL/SQL unit prevents most users from examining the source code, but might not stop all attempts.
- In 11.1 everything looks humble and boring:
Wrapping is not a secure method for hiding passwords or table names. Wrapping a PL/SQL unit prevents most users from examining the source code, but might not stop all of them.