Tuesday, June 16, 2009

BBED and Oracle Vault


I have always wondered how well Oracle Vault protects your data from unauthorized access by a DBA. To be honest, I didn’t dig into the Oracle code looking for a security hole, but after I remembered the Block Editor I decided to try that tool.

And it works: I was able to read data from a file-system-based data file without any problem. OK, there was some work to do, like finding out a block number and so on, but it wasn’t really hard.

After that I tried to use BBED on an ASM-based file, but without luck. But I’m a person who doesn’t give up so easily. I was thinking about an RMAN copy, but it requires additional disk space and we can deal only with a copy of the running DB. I researched the internet and found amazing stuff about ASM on Luca Canali's web site. I read it and found a solution for how to read data from a running DB. It is possible to read a block from ASM into the file system, edit it and copy it back into the running DB. Oracle Vault, as expected, didn’t recognize that the block had been edited.

So is there a way to protect data? In my opinion data encryption is a good choice, until someone finds a way to encrypt and decrypt it ;)

A working example of my work should be here in a few days.