Explore the vulnerabilities in Oracle's data redaction service, introduced in Oracle 12c, through this Black Hat conference talk. Learn how the service, designed to protect sensitive data like PII, can be bypassed by attackers, potentially leading to privilege escalation. Delve into the history of Oracle security issues, examine the implementation flaws, and discover multiple attack vectors that compromise the redaction feature. Understand the implications for PCI compliance and data encryption. Compare Oracle's approach to Microsoft's, and gain insights into Oracle's internal processes and documentation practices. Discover practical strategies to protect against these vulnerabilities and critically evaluate the effectiveness of Oracle's data redaction service in real-world scenarios.
Overview
Syllabus
Introduction
Who am I
History
Launching External Procedures
Oracles Fix
Backend Bypass
Patches
Oracle vs Microsoft
Oracle Data Redaction
Why Redaction
How it works
XML query vulnerability
Updating a column
Brute force
Common Criteria
Protection Profile
Data is not changed
Is it useful
PCI compliance
Data encryption
How do I protect against this
Oracles internal processes
Its not rocket science
No documentation
Oracle Fusion Media Pack
Taught by
Black Hat
