Protecting oracle pl/sql source code from a dba user

TL;DR

This paper introduces a method to prevent DBA users from executing DDL and DML statements on specific PL/SQL procedures in Oracle databases, enhancing source code security beyond built-in wrapping.

Contribution

The proposed approach analyzes database sessions to block unauthorized modifications to protected PL/SQL objects, even from users with DBA privileges.

Findings

Successfully blocks DDL/DML on protected procedures

Prevents DBA from dropping or disabling scripts

Operates without requiring changes to existing database roles

Abstract

In this paper we are presenting a new way to disable DDL statements on some specific PL/SQL procedures to a dba user in the Oracle database. Nowadays dba users have access to a lot of data and source code even if they do not have legal permissions to see or modify them. With this method we can disable the ability to execute DDL and DML statements on some specific pl/sql procedures from every Oracle database user even if it has a dba role. Oracle gives to developer the possibility to wrap the pl/sql procedures, functions and packages but those wrapped scripts can be unwrapped by using third party tools. The scripts that we have developed analyzes all database sessions, and if they detect a DML or a DDL statement from an unauthorized user to procedure, function or package which should be protected then the execution of the statement is denied. Furthermore, these scripts do not allow a dba user to drop or disable the scripts themselves. In other words by managing sessions prior to the execution of an eventual statement from a dba user, we can prevent the execution of eventual statements which target our scripts.