Database Systems Security in an Enterprise Environment - PowerPoint PPT Presentation

1
Database Systems Security in an Enterprise
Environment
  • Paul J. Wagner
  • University of Wisconsin Eau Claire
  • St. Cloud Security Workshop, May 2003
  • http://www.cs.uwec.edu/wagnerpj/security/

2
Database Systems Security Background
  • Need
  • Security curriculum is relatively light in
    database systems area
  • Focus currently on protecting information through
    network configuration, systems administration,
    application security
  • Need to specifically consider database system
    security issues
  • What is most valuable: data, systems, or
    network?
  • Goals
  • Understand security issues in a general database
    system environment
  • Consider database security issues in context of
    general security principles and ideas
  • Focus on Oracle as a common DBMS, but realize
    there are similar issues for other DBMSs

3
Main Message
  • Database system security is more than securing
    the database
  • Secure database
  • Secure DBMS
  • Secure applications
  • Secure operating system (in relation to database
    system)
  • Secure web server (in relation to database
    system)
  • Secure network environment (in relation to
    database system)

4
Secure Database(s)
  • Traditional database security topics and issues
  • Users and Passwords
  • Default users/passwords
  • Oracle sys, system accounts: privileged, with
    default passwords
  • Oracle scott account: well-known account and
    password, part of public group
  • e.g. public can access all_users table
  • Need for general password policies (length,
    domain, changing, protection, ...)
  • Need for general account policies (who gets, what
    level of privilege, when expires, ...)

5
Secure Database(s) cont.
  • Privileges and Roles
  • Privileges
  • System: on actions (e.g. selecting, deleting,
    creating, ...)
  • Object: on data objects (e.g. on a particular
    table)
  • Roles
  • Collections of system privileges
  • Advantage: easier management
  • Disadvantage: tend to give more privilege than
    needed
  • Commonly heard Oracle user request: "Just give
    me DBA role to make it work and we'll figure out
    the exact privilege I need later."
  • Grant / Revoke
  • Giving (removing) privileges or roles to (from)
    users
  • Problem: often done haphazardly
  • Need for continual management of privileges and
    roles
  • Need for policies on privilege/role management

6
Secure DBMS
  • Possible Holes in DBMS
  • Oracle: http://technet.oracle.com/deploy/security/
    alerts.htm (50 listed)
  • Types of exploits
  • Buffer overflow problems in DBMS code
  • Miscellaneous attacks (Denial of Service, source
    code disclosure of JSPs, others)
  • Similar information available for DB2, SQL
    Server, PostgreSQL, MySQL, ...
  • Oracle UTL_FILE package in PL/SQL
  • allows read/write access to files in directory
    specified in utl_file_dir parameter in init.ora
  • possible access through symbolic links

7
Secure DBMS (cont.)
  • Need for continual patching of DBMS
  • Encourage awareness of DBMS vulnerability issues
  • Continuous vigilance is essential
  • Cost of not patching can be huge
  • SQL Slammer Worm
  • fast propagation: max scan rate of 55 million
    systems/second
  • affected approximately 80,000 systems,
    significant segments of Internet
  • 376 byte UDP packet that exploited a buffer
    overflow vulnerability
  • patch had long been available
  • significant effects on business database servers
  • Credit verification, Phone systems, Banks/ATMs

8
Secure DBMS (cont.)
  • Use security features of DBMS
  • Oracle: Virtual Private Databases (VPDs)
  • Support for fine-grain data security (e.g.
    multiple clients can have data in same schema
    without knowing other data is there)
  • Oracle: Oracle Label Security
  • Use of VPDs to achieve row-level security,
    controlled from Policy Manager tool under
    Enterprise Manager
  • Implement auditing
  • Good policy: develop a comprehensive audit system
    for database activity tracking
  • DBMS tools, user-developed tools (e.g. using
    triggers)
  • Oracle can write to OS as well as into database
    for additional security, accountability for all
    working with databases

9
Secure Application Development
  • Access to database system is often through
    applications
  • Example: SQL Injection Attack through web front
    end
  • Scenario: Software system tracks own usernames
    and passwords in database
  • Client application accepts username and password,
    passes as parameters
  • An SQL query is built dynamically, combining SQL
    text pieces in the server application and the
    client-supplied parameters
  • DBMS executes query on system user table, checks
    for valid user/password combination in this table
  • DBMS returns 0, 1 or more user/password rows to
    application
  • Application checks result and allows or denies
    access accordingly

10
SQL Injection
  • Application Java code contains SQL statement
  • String query = "SELECT * FROM users_table " +
    " WHERE username = " + "'" + username + "'" +
    " AND password = " + "'" + password + "'";
  • - SQL strings must be single quoted
  • Application is expecting one (valid) row to be
    returned if success, no rows if failure
  • Attacker enters arbitrary username anyname, but
    special password of Aa' OR ''=
  • Dynamically-constructed query becomes
  • SELECT * FROM users_table
  • WHERE username = 'anyname'
  • AND password = 'Aa' OR ''=''
  • Where clause: F AND F OR T => F OR T => T !
  • All user rows returned to application
  • If application checking for 0 vs. more than 0
    rows, attacker is in
  • Need to check application input; generally not
    good to allow special characters in through
    client-side parameters

11
Secure Application Development
  • Application Security in the Enterprise
    Environment
  • J2EE
  • .NET
  • Large number of interactions between application
    environment and database systems
  • Tactic: Use of Proxy Applications
  • Assume network filtering handles most problem traffic
  • Application can control fine-grain behavior,
    application protocol security
  • Security Patterns (from J2EE Design Patterns
    Applied)
  • Single-Access Point Pattern
  • single point of entry into system
  • Check Point Pattern
  • centralized enforcement of authorization when
    requesting resources
  • Role Pattern
  • disassociation of users and privileges for easier
    management

12
Secure Operating System
  • Interaction of DBMS and OS
  • Oracle on Windows
  • Secure administrative accounts
  • Control registry access
  • Need good account policies
  • Others
  • Oracle on Linux/Unix
  • Choose different account names than standard
    suggestions
  • Restrict use of the account that owns Oracle
    software
  • Secure temporary directory
  • Some Oracle files are SUID (root)
  • Command line SQL*Plus with user/pass parameters
    appears under ps output
  • Others

13
Secure Web Server
  • Interaction of Oracle and Web Server
  • Apache now provided within Oracle as its
    application server, started by default
  • Apache issues
  • Standard configuration has some potential
    problems
  • See Oracle Security Handbook for more discussion
  • Ensure secure communication from web clients to
    web server
  • Use MaxClients to limit possible connections,
    avoid Denial of Service attacks
  • Others
  • Internet Information Server (IIS) issues
  • Integration with other MS products (e.g. Exchange
    Server)
  • Known vulnerabilities
  • Others

14
Secure Web Server (cont.)
  • Web is often front-end / gateway to DBMS
  • DBMS/database should be black-box to user
  • Attacker can force errors trying to gain
    information
  • Which error message should be displayed when
    asking for an incorrectly named Java Server Page?

    "Sorry, that file is not found"
    java.io.FileNotFoundException: /u01/prodcomm/portal/x.jsp
      at java.io.FileInputStream.open(Native Method)
      at java.io.FileInputStream.<init>(FileInputStream.java:64)
      at oracle.jsp.provider.JspFilesystemResource.<init>()
      at oracle.jsp.app.JspAppLoader.reloadPage(JSPAppLoader.java) ...
15
Secure Network
  • Interaction of DBMS and Network
  • DBMS server should be behind firewall
  • Good to separate DB and web servers (mitigate
    losses if hacked)
  • DB server should be behind firewall, web server
    usually in DMZ
  • Oracle: Connections normally initiated on port
    1521, but port is then dynamically selected;
    management of port access is made more difficult
  • Anyone with Oracle client software who knows your
    host IP/name and database instance name can
    configure client to connect to your database
    instance
  • Oracle Advanced Security (OAS) product
  • Features for
  • Authentication
  • Integrity
  • Encryption: use of SSL
  • Other Network Issues To Consider
  • Possibility of hijacking a privileged user
    connection
  • Various sniffing and spoofing issues

16
Messages Revisited
  • Database system security is more than securing
    the database
  • Secure database
  • Secure DBMS
  • Secure applications
  • Secure operating system
  • Secure web server
  • Secure network environment
  • General security principles apply in database
    system security
  • Security is a process, not a product
  • Security chain is only as strong as its weakest
    link
  • Best security defense utilizes multiple layers

17
References
  • Oracle Security Handbook, by Theriault and
    Newman. Osborne/Oracle Press, 2001.
  • Oracle Database Administration: The Essential
    Reference, by Kreines and Laskey. O'Reilly, 1999.
  • Investigation of Default Oracle Accounts,
    http://www.pentest-limited.com/user-tables.pdf
  • Again, slides and security links available at
  • http://www.cs.uwec.edu/wagnerpj/security/