Database Systems Security in an Enterprise Environment

1
Database Systems Security in an Enterprise
Environment

• Paul J. Wagner
• University of Wisconsin Eau Claire
• St. Cloud Security Workshop, May 2003
• http//www.cs.uwec.edu/wagnerpj/security/

2
Database Systems Security Background

• Need
• Security curriculum is relatively light in
  database systems area
• Focus currently on protecting information through
  network configuration, systems administration,
  application security
• Need to specifically consider database system
  security issues
• What is most valuable data, systems, or
  network?
• Goals
• Understand security issues in a general database
  system environment
• Consider database security issues in context of
  general security principles and ideas
• Focus on Oracle as a common DBMS, but realize
  there are similar issues for other DBMSs

3
Main Message

• Database system security is more than securing
  the database
• Secure database
• Secure DBMS
• Secure applications
• Secure operating system (in relation to database
  system)
• Secure web server (in relation to database
  system)
• Secure network environment (in relation to
  database system)

4
Secure Database(s)

• Traditional database security topics and issues
• Users and Passwords
• Default users/passwords
• Oracle sys, system accounts privileged, with
  default passwords
• Oracle scott account well-known account and
  password, part of public group
• e.g. public can access all_users table
• Need for general password policies (length,
  domain, changing, protection, )
• Need for general account policies (who gets, what
  level of privilege, when expires, )

5
Secure Database(s) cont.

• Privileges and Roles
• Privileges
• System on actions (e.g. selecting, deleting,
  creating, )
• Object on data objects (e.g. on particular
  table)
• Roles
• Collections of system privileges
• Advantage easier management
• Disadvantage tend to give more privilege than
  needed
• Commonly heard Oracle user request Just give
  me DBA role to make it work and well figure out
  the exact privilege I need later.
• Grant / Revoke
• Giving (removing )privileges or roles to (from)
  users
• Problem often done haphazardly
• Need for continual management of privileges and
  roles
• Need for policies on privilege/role management

6
Secure DBMS

• Possible Holes in DBMS
• Oracle http//technet.oracle.com/deploy/security/
  alerts.htm (50 listed)
• Types of exploits
• Buffer overflow problems in DBMS code
• Miscellaneous attacks (Denial of Service, source
  code disclosure of JSPs, others)
• Similar information available for DB2, SQL
  Server, PostgreSQL, MySQL,
• Oracle UTL_FILE package in PL/SQL
• allows read/write access to files in directory
  specified in utl_file_dir parameter in init.ora
• possible access through symbolic links

7
Secure DBMS (cont.)

• Need for continual patching of DBMS
• Encourage awareness of DBMS vulnerability issues
• Continuous vigilance is essential
• Cost of not patching can be huge
• SQL Slammer Worm
• fast propagation max scan rate of 55 million
  systems/second
• affected approximately 80,000 systems,
  significant segments of Internet
• 376 byte UDP packet that exploited a buffer
  overflow vulnerability
• patch had long been available
• significant effects on business database servers
• Credit verification, Phone systems, Banks/ATMs

8
Secure DBMS (cont.)

• Use security features of DBMS
• Oracle Virtual Private Databases (VPDs)
• Support for fine-grain data security (e.g.
  multiple clients can have data in same schema
  without knowing other data is there)
• Oracle Oracle Label Security
• Use of VPDs to achieve row-level security,
  controlled from Policy Manager tool under
  Enterprise Manager
• Implement auditing
• Good policy develop a comprehensive audit system
  for database activity tracking
• DBMS tools, user-developed tools (e.g. using
  triggers)
• Oracle can write to OS as well as into database
  for additional security, accountability for all
  working with databases

9
Secure Application Development

• Access to database system is often through
  applications
• Example SQL Injection Attack through web front
  end
• Scenario Software system tracks own usernames
  and passwords in database
• Client application accepts username and password,
  passes as parameters
• An SQL query is built dynamically, combining SQL
  text pieces in the server application and the
  client-supplied parameters
• DBMS executes query on system user table, checks
  for valid user/password combination in this table
• DBMS returns 0, 1 or more user/password rows to
  application
• Application checks result and allows or denies
  access accordingly

10
SQL Injection

• Application Java code contains SQL statement
• String query "SELECT FROM users_table "
• " WHERE username " " " username "
  "
• " AND password " " " password " "
• - SQL strings must be single quoted
• Application is expecting one (valid) row to be
  returned if success, no rows if failure
• Attacker enters arbitrary username anyname, but
  special password of Aa OR
• Dynamically-constructed query becomes
• SELECT FROM users_table
• WHERE username anyname
• AND password Aa OR
• Where clause F AND F OR T gt F OR T gt T !
• All user rows returned to application
• If application checking for 0 vs. more than 0
  rows, attacker is in
• Need to check application input generally not
  good to allow special characters in through
  client-side parameters

11
Secure Application Development

• Application Security in the Enterprise
  Environment
• J2EE
• .NET
• Large number of interactions between application
  environment and database systems
• Tactic Use of Proxy Applications
• Assume network filtering most problem traffic
• Application can control fine-grain behavior,
  application protocol security
• Security Patterns (from J2EE Design Patterns
  Applied)
• Single-Access Point Pattern
• single point of entry into system
• Check Point Pattern
• centralized enforcement of authorization when
  requesting resources
• Role Pattern
• disassociation of users and privileges for easier
  management

12
Secure Operating System

• Interaction of DBMS and OS
• Oracle on Windows
• Secure administrative accounts
• Control registry access
• Need good account policies
• Others
• Oracle on Linux/Unix
• Choose different account names than standard
  suggestions
• Restrict use of the account that owns Oracle
  software
• Secure temporary directory
• Some Oracle files are SUID (root)
• Command line SQLPlus with user/pass parameters
  appears under ps output
• Others

13
Secure Web Server

• Interaction of Oracle and Web Server
• Apache now provided within Oracle as its
  application server, started by default
• Apache issues
• Standard configuration has some potential
  problems
• See Oracle Security Handbook for more discussion
• Ensure secure communication from web clients to
  web server
• Use MaxClients to limit possible connections,
  avoid Denial of Service attacks
• Others
• Internet Information Server (IIS) issues
• Integration with other MS products (e.g. Exchange
  Server)
• Known vulnerabilities
• Others

14
Secure Web Server (cont.)

• Web is often front-end / gateway to DBMS
• DBMS/database should be black-box to user
• Attacker can force errors trying to gain
  information
• Which error message should be displayed when
  asking for an incorrectly named Java Server Page?

Sorry, that file is not found
java.io.FileNotFoundException /u01/prodcomm/porta
l/x.jsp at java.io.FileInputStream.open(Native
method) at java.io.FileInputStream.(FileInputStrea
m.java64) at oracle.jsp.provider.JspFilesystemRes
ource() at oracle.jsp.app.JspAppLoader.reloadPage
(JSPAppLoader.java) .
15
Secure Network

• Interaction of DBMS and Network
• DBMS server should be behind firewall
• Good to separate DB and web servers (mitigate
  losses if hacked)
• DB server should be behind firewall, web server
  usually in DMZ
• Oracle Connections normally initiated on port
  1521, but port is then dynamically selected
  management of port access is made more difficult
• Anyone with Oracle client software who knows your
  host IP/name and database instance name can
  configure client to connect to your database
  instance
• Oracle Advanced Security (OAS) product
• Features for
• Authentication
• Integrity
• Encryption use of SSL
• Other Network Issues To Consider
• Possibility of hijacking a privileged user
  connection
• Various sniffing and spoofing issues

16
Messages Revisited

• Database system security is more than securing
  the database
• Secure database
• Secure DBMS
• Secure applications
• Secure operating system
• Secure web server
• Secure network environment
• General security principles apply in database
  system security
• Security is a process, not a product
• Security chain is only as strong as its weakest
  link
• Best security defense utilizes multiple layers

17
References

• Oracle Security Handbook by Theriault and
  Newman Osborne/Oracle Press, 2001.
• Oracle Database Administration The Essential
  Reference, Kreines and Laskey OReilly, 1999.
• Investigation of Default Oracle Accounts,
  http//www.pentest-limited.com/user-tables.pdf
• Again, slides and security links available at
• http//www.cs.uwec.edu/wagnerpj/security/