
We have some sensitive IPR in some Stored Procedures. We encrypt the stored procedures. However, at the point they are created, they are plain text.

Is there any way we can prevent SQL Server Profiler from being used to monitor the execution of the Create procedure statements?

(Yes, I know that you can also un-encrypt the stored procedures reasonably easily)

THEMike

1 Answer


Not in a generic manner.

You can restrict the access to the database server to trusted users but trying to achieve perfect (or even decent) security using code obfuscation is a pointless waste of time and resources in most (if not all) cases.

Edit: there is one thing that you can do to make it a tiny little bit harder to see exactly what is happening in your code: write it as a CLR stored procedure. It's not going to slow someone competent very much but it'll make it harder to follow what's going on just using the SQL debugger.

Stephane
  • Pretty much what I thought. However, I am being required to raise the bar as high as I can... – THEMike Nov 12 '13 at 13:35
  • It depends on what you're protecting but, frankly, it might not be worth the price and complexity. The problem is that you're vulnerable to class-level attacks: a single attacker has to do the work only once to access 100% of your installations (similar to how DRM has to be cracked only once to be rendered obsolete). It means that, unless the obfuscation you're doing is extremely cheap, has extremely low impact on regular users and is easily replaceable, it's probably not cost-effective. – Stephane Nov 12 '13 at 13:39
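
The answer's advice to restrict server access to trusted users can be checked on an instance you administer. The T-SQL below is an added example, not part of the question or the answer: it lists every principal able to capture statement text with Profiler/SQL Trace or Extended Events, then denies tracing to one login. The login name `EXAMPLE\report_user` is a hypothetical placeholder.

```sql
USE master;   -- server-level permissions can only be changed from master
GO

-- 1. Explicit server permissions that allow capturing statement text.
--    ALTER TRACE is what Profiler / SQL Trace requires; ALTER ANY EVENT SESSION
--    covers Extended Events (SQL Server 2012+); CONTROL SERVER implies both.
SELECT p.name          AS principal_name,
       p.type_desc     AS principal_type,
       sp.permission_name,
       sp.state_desc   AS grant_state      -- GRANT, GRANT_WITH_GRANT_OPTION or DENY
FROM sys.server_permissions AS sp
JOIN sys.server_principals  AS p
  ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name IN (N'ALTER TRACE',
                             N'ALTER ANY EVENT SESSION',
                             N'CONTROL SERVER')
ORDER BY sp.permission_name, p.name;

-- 2. Members of sysadmin. They bypass permission checks entirely,
--    so a DENY has no effect on them.
SELECT m.name        AS member_name,
       m.type_desc   AS member_type,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 3. Remove tracing from a login that does not need it.
--    EXAMPLE\report_user is a placeholder; substitute a real login name.
IF SUSER_ID(N'EXAMPLE\report_user') IS NOT NULL
    DENY ALTER TRACE TO [EXAMPLE\report_user];
```

This only narrows who can watch the `CREATE PROCEDURE` batch on a server under your control; anyone in the second result set can still trace it, which is the limit the answer describes.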