Dumping SGA to read encrypted blocks

After my last article AMM vs security, Martin Berger wrote to me:

well,
even without AMM you can do it:
write your own process which attaches to the same shm segments – and use its memory mapping (?)

My response was that it is also possible with ASMM but AMM makes it extremely easy. And this is because you can treat memory as regular binary files when operating on AMM.

Today I want to show you how dump blocks from SGA which is configured as ASMM to get into encrypted data which is also protected by Oracle Database Vault. To set up the environment I will use examples from a previous blog post.

Code for sgadump is written in GoLang, so please use those instructions to setup your environment: https://golang.org/doc/install

Please make sure that your ENV is set up properly:

[oracle@rokoko ~]$ cat .bash_profile | grep go
GOPATH=/home/oracle/go
PATH=$PATH:/usr/local/go/bin:$GOPATH/bin

After installing GoLang you can do the following to compile my tool:

[oracle@rokoko ~]$ mkdir -p ~/go/src/github.com/ghetzel
[oracle@rokoko ~]$ mkdir -p ~/go/src/github.com/ora600pl
[oracle@rokoko ~]$ cd ~/go/src/github.com/ghetzel
[oracle@rokoko ghetzel]$ git clone https://github.com/ghetzel/shmtool
Cloning into 'shmtool'...
remote: Counting objects: 92, done.
remote: Total 92 (delta 0), reused 0 (delta 0), pack-reused 92
Unpacking objects: 100% (92/92), done.
[oracle@rokoko ghetzel]$ cd ~/go/src/github.com/ora600pl
[oracle@rokoko ora600pl]$ git clone https://github.com/ora600pl/sgadump
Cloning into 'sgadump'...
remote: Counting objects: 9, done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 9 (delta 0), reused 9 (delta 0), pack-reused 0
Unpacking objects: 100% (9/9), done.
[oracle@rokoko ora600pl]$ cd sgadump/
[oracle@rokoko sgadump]$ ls
README.md  sgadump.go
[oracle@rokoko sgadump]$ go install

If your ENV was setup properly, you’ll find a binary file under ~/go/bin/sgadump and use it like this:

[oracle@rokoko sgadump]$ sgadump
sgadump by Kamil Stawiarski (@ora600pl) - dumps database blocks from SGA.
Usage: sgadump -b block_size -d data_object_id -s shmid -o output_file_name

Cool, now let’s make sure, that we are using ASMM and not AMM:

SQL> sho parameters memory_target

NAME				     TYPE	 VALUE
------------------------------------ ----------- ------------------------------
memory_target			     big integer 0
SQL> sho parameters sga_target

NAME				     TYPE	 VALUE
------------------------------------ ----------- ------------------------------
sga_target			     big integer 1120M

Now we will check if the tool works – first of all we have to check data_object_id of HR.EMPLOYEES, load encrypted data to memory, get ID_SHM for SGA and dump blocks. Easy, right?