
Obfuscated stored procedures (was Re: Oracle and Postgresql)

From: Bill Moran <wmoran(at)collaborativefusion(dot)com>
To: Greg Smith <gsmith(at)gregsmith(dot)com>
Cc: Jonathan Bond-Caron <jbondc(at)openmv(dot)com>, "'Postgres General List'" <pgsql-general(at)postgresql(dot)org>
Subject: Obfuscated stored procedures (was Re: Oracle and Postgresql)
Date: 2008-09-16 00:29:22
Message-ID: 20080915202922.1778a062.wmoran@collaborativefusion.com
Lists: pgsql-general, pgsql-www

Greg Smith <gsmith(at)gregsmith(dot)com> wrote:
> 
> The problem here is that the PostgreSQL community is fully aware how bogus 
> any encryption method is and doesn't even bother, while Oracle is 
> perfectly happy selling a solution that is easily bypassed.  Don't get me 
> wrong--the work involved is just difficult enough that I'm sure most 
> PL/SQL procedures are quite safe from being reversed, and what you get 
> back again will be kind of crummy code, so that's good enough for your 
> typical ISV.  But the security doesn't stand up to simple scrutiny, and a 
> highly visible open-source project doing the same quality of 
> implementation would receive seriously bad press for releasing something 
> so shoddy.  PostgreSQL would be compelled to name it something like 
> "half-assed obfuscation" in order to make it clear just how limited the 
> protection actually is, and then you've kind of lost the sales pitch that 
> motivated the feature in the first place.

I don't understand why this is so bloody difficult to implement:
Extend SECURITY DEFINER to include allowing only the definer to read
the code.

What more than that needs to be done to have honest to goodness secure
procedures?

-- 
Bill Moran
Collaborative Fusion Inc.

wmoran(at)collaborativefusion(dot)com
Phone: 412-422-3463x4023
