Oracle Data Redaction is Broken

Presented at Black Hat USA 2014, Aug. 6, 2014, 2:15 p.m. (60 minutes)

The Oracle data redaction service is a new feature introduced with Oracle 12c. It allows sensitive data, such as PII, to be redacted to prevent it being exposed to attackers. On paper this sounds like a great idea, but in practice, Oracle's implementation is vulnerable to multiple attacks that allow an attacker to bypass the redaction and launch privilege escalation attacks.

Presenters:

• David Litchfield - Datacom TSS
  David Litchfield is a computer security researcher with a special interest in buffer overflow exploitation and database systems. He has written and contributed to several books including the "Shellcoder's Handbook," "The Database Hacker's Handbook," and the "Oracle Hacker's Handbook." He spends his spare time diving with great white sharks.

Links:

• https://www.blackhat.com/us-14/archives.html#oracle-data-redaction-is-broken
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2014/video/Oracle Data Redaction is Broken by David Litchfield.mp4
• https://www.youtube.com/watch?v=qjWtbG1c0Is

Similar Presentations:

• Black Hat USA 2010 / Hacking Oracle From Web Apps
• DEF CON 14 (2006) / Oracle Rootkits 2.0
• DEF CON 22 (2014) / Oracle Data Redaction is Broken