PROJECT AIM

To secure and enhance the Business logics

PROBLEM IN PL/SQL BUSINESS LOGIC

Though the Oracle PL/SQL gives more functionality, it lacks in code security feature. Company has to be responsible for its IPR (Intellectual Property Rights) on their business logic. Business Logics are not secured in PL/SQL Environment. Oracle provides wrap utility to hide the actual source code into non-readable code form. But, it can be reversible. Pete Finnigan, a specialist in researching and securing Oracle databases, demonstrates the step-by-step process of wrapping and unwrapping of PL/SQL code (ref. 1) and some sites unwraps the PL/SQL wrapped code online (ref. 2). So, the business logic can be copied, modified and updated. Hence, Oracle security is not guaranteed. Intellectual Property (i.e. Business Logic) of the company is not secure when they shipped the code. So we oppose to put the business logic in PL/SQL. Hence, we provide two solutions here. They are Use Third Party tools to secure PL/SQL code. Move Business Logic into secured and enhanced environment

SOLUTIONS

SOLUTION1: USE THIRD PARTY TOOL Pete Finnigan, who hack the PL/SQL code, released a PL/SQL code secure tool called PFCLObfuscate. None other tools available now. It is proprietary tool. You have to buy license for each machine. The cost is high.

SOLUTION 2: MOVE BUSINESS LOGIC INTO SECURED AND ENHANCED ENVIRONMENT By the above statement, its proved put business logic in PL/SQL is not secure. Hence we have to choose another technology that provides security and enhance from its existing technology. Java is an alternative technology. Because It is free and open source Lots of choices in tools Layered Application Architecture Widely Accepted technology Secure than PL/SQL

HOW JAVA BUSINESS LOGIC IS SECURE? Java bytecode can also be reversed (or decompiled) into source code. To secure the bytecode, java had bytecode obfuscation tools. Most of tools act as shrinker, optimizer and obfuscator. It obfuscates both codes and string constants. It can translate stack traces. Hence your business logic will be secure (ref. 3).

MOVE BUSINESS LOGIC INTO SAME ARCHITECTURE Oracle supports java. It allows us to create Java Stored Procedures. Oracle classifies the java program and SQL Statements from your Java Stored Procedures and sends java programs to Oracles Aurora JVM and SQL statements to the SQL Engine. We may put business logic into the Java Stored Procedures. Hence our Business Logic will be secured but not any enhancement. Because, business logic is still with database server.

MOVE BUSINESS LOGIC INTO DIFFERENT ARCHITECTURE Both Business Logics PL/SQL Stored Procedures and Java Stored Procedures are resides with database server. Chad Z. Hower, a Microsoft MVP, explained clearly why and where to be business logic (ref. 4). If we extend number of users and provide additional functionality to the server, it overheads to the database server. Database Servers hardware cost is relatively higher than Application Servers hardware cost. We extend the application server instead of database server if we put business logic separate and all business logics are highly depending with database environment. Hence we get good performance with low cost and avoid database dependence. According to his statement, it is better to be separate business tier from database tier. Next, we have to select another technology that does the same in PL/SQL environment without affecting previous performance.

EXISTING ARCHITECTURE

Client Side

Presentation Layer

.NET/JAVA GUI

Application Server Side

Service Layer

WEB SERVICES

Business Logic Layer

PL/SQL PACKAGES PL/SQL PACKAGES ORACLE Database

Database Server Side

Data Access Layer

ORACLE DB
Resource Layer

Complete Oracle Suite

In the existing architecture, problematic part is server side itself. We have to all separate business logic layer from server side. Proposed Architecture is given below.

PROPOSED ARCHITECTURE

Client Side

Presentation Layer

.NET/JAVA GUI

Application Server Side

Service Layer

WEB SERVICES

Application Server Side

Business Layer

POJO/RMI/ EJB

Application Server Side

Data Access Layer

JDBC + SQL

Database Server Side

Resource Layer

Any RDBMS

According to new architecture, all layers will be separated. For each layer, we have enough tools and framework to support.

REFERENCE 1) Wrapping and Unwrapping http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Finnigan.pdf 2) Unwrap the code - Demo http://www.codecrete.net/UnwrapIt/ 3) Bytecode Obfuscation https://www.owasp.org/index.php/Bytecode_obfuscation 4) Chad Z. Hower Microsoft MVP http://www.codeproject.com/Articles/10746/Dude-where-s-my-business-logic