M.P. Johnson, DBMS, Stern/NYU, Sp2004. C20.0046: Database Management Systems, Lecture #22. Matthew P. Johnson, Stern School of Business, NYU, Spring 2004.


Agenda
- Previously: Scripting
- Next: Security
  - Secrecy
  - Integrity
  - Availability
  - Web issues
- Project part 4 due today (really!)
- Project part 5 is up
  - >1 multi-table query
  - Cite (in app) any sources of data!

Advice for use of novel languages
1. Rerun often
   - Don’t wait until the end to try
2. Use frequent prints to be sure of variable values
3. When stuck, picture a continuum from your current program to some other program
   - The other program works but doesn’t do what you want
   - Change either/both, step by step, until they meet in the middle
   - The other program is often a commented-out version

New topic: Security issues
- Secrecy
  - E.g.: You can see only your own grades
- Integrity
  - E.g.: Only an instructor can assign grades, and only to his students
- Web issues
  - E.g.: injection attacks

Why security is hard
- It’s a “negative deliverable”
- It’s an asymmetric threat
- It’s open-ended
- Tolstoy: “Happy families are all alike; every unhappy family is unhappy in its own way.”
- Analogs: “homeland”, jails, debugging, proofing

Users may have privileges
Possible privileges:
- SELECT: read access to all columns
- INSERT(col-name): can insert rows with non-default values in this column
- INSERT: can insert rows with non-default values in all columns
- DELETE
- REFERENCES(col-name): can define foreign keys that refer to (or other constraints that mention) this column
- TRIGGER: triggers can reference the table
- EXECUTE: can run a function/stored procedure

Granting privileges
- One method of setting access levels
- The creator of a table gets all privileges to it
- A privileged user can grant privileges to another user
  - Possible objects: tables, databases, functions, etc.
  - .* - all tables in DB
    GRANT privileges ON object TO users
    GRANT ALL ON tbl TO IDENTIFIED BY 'evil' WITH GRANT OPTION

Granting and revoking
- A privileged user has privileges
- A user granted WITH GRANT OPTION (WGO) can pass them on, with or without the grant option
- The granter can revoke the privileges or the grant option
- Revocation cascades by default
  - To prevent this, use RESTRICT (at the end of the command)
  - If the revoke would cascade, the command fails
- Can change owner:
    ALTER TABLE my-tbl OWNER TO new-owner

Granting and revoking
What we giveth, we may taketh away:
- mjohnson: GRANT SELECT, INSERT ON my-table TO george WITH GRANT OPTION (effects?)
- george: GRANT SELECT ON my-table TO laura (effects?)
- mjohnson: REVOKE SELECT ON my-table FROM laura (effects?)

Passwords
- The DBMS recognizes your privileges because it recognizes you
  - how?
- Storing passwords in the DB is not safe
- Soln: hashed or digested passwords
- One-way hash function:
  - computing f(x) is easy;
  - computing f^-1(y) is hard/impossible
  - MD5, SHA, PRNGs
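An added example (not from the lecture) of the "store only f(x)" idea from this slide: the record kept in the users table is a digest, and a login attempt is checked by recomputing f(x), never by inverting it. It goes a step beyond the slide's bare MD5/SHA by adding a per-user random salt and an iterated hash (PBKDF2-HMAC-SHA256); the record format and function names are assumptions of the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Cost parameter for the iterated hash: each password guess costs the
# attacker this many hash computations. Raise it as hardware gets faster.
ITERATIONS = 200_000
HASH_NAME = "sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Compute f(x) and return 'iterations$salt_hex$digest_hex' for storage.

    This string, not the password, is what goes into the users table.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute f(x) with the stored salt and cost, then compare digests.

    The stored digest is never 'decrypted'; f^-1 is not needed to log in.
    """
    iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison, so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("abc")  # constructed sample password from the slides
    print(record)
    print(verify_password("abc", record), verify_password("abd", record))
```

Because the salt is random, hashing the same password twice yields two different records, so a leaked table does not reveal which users share a password.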

Role-based authorization
- In SQL:1999, privileges are assigned via roles
  - Not yet supported in MySQL
- For example:
  - Student role
  - Instructor role
  - Admin role
- Each role gets to do the same (sorts of) things
- Privileges are assigned by assigning a role to users
    GRANT SELECT ON my-table TO employee
    GRANT employee TO billg

Built-in accounts
- One other thing: many DBMSs (and OSs, for that matter) have built-in demo accounts by default
  - Must “opt out”
- Oracle: scott/tiger (open on sales)
- MySQL: root/(blank) (closed on sales)
- SQL Server: sa/(blank/null)

New topic: Security on the web
- Authentication
  - If the website user wants to pay with George’s credit card, how do we know it’s George?
  - If our website asks George for his credit card, how does he know it’s our site? (“man in the middle” attack)
- Secrecy
  - When George enters his credit card, will an eavesdropper be able to see it?
- Protecting against user input
  - Is it safe to use user input in our SQL query?

Authentication on the web
- Obvious soln: passwords
  - What’s the problem?
- Less obvious soln: passwords + encryption
- Traditional encryption: “symmetric” / “private key”
  - DES, AES – fast – solves problem?
- “Newer” kind: “asymmetric” / “public key”
  - RSA – slow – solves problem?
  - Public key is published somewhere
  - Private key is top secret

Encryption on the web
- Neither private-key nor public-key alone solves the problem
- But together they do!
- SSL/SHTTP high-level gloss:
  - Amazon has a public-key certificate
  - When you log in to Amazon, they
    - pick a random number
    - send you the encryption of it
    - you can decrypt it with Amazon’s certificate
  - Now you both share a key and can encrypt passwords, credit cards, etc.

Encryption on the web
- Now George trusts that it’s really Amazon
  - Assuming Amazon’s key is safe
- But: what if, say, Dick guessed George’s password?
  - Another way: what if George claims Dick guessed his password?
- Soln: digital certificates
  - George encrypts his order with his private key (not a typo!)
  - Amazon tries to decrypt the order with George’s public key
  - If it works, then it must really have been George*
* Yes, yes…

Security and CGI
- CGI has two parameter methods:
  - GET
  - POST
- For secret information, GET is obviously insecure
  - Displayed in the browser
  - Written into the server log
- Either way, data can still be sniffed
- Soln: encryption

CGI & security
- Imagine the scenario:
  - You’re Amazon
  - Allow look-up of a book
  - Allow putting the book in a cart
  - A couple of pages to pay
- We need to
  - Charge price P at the end
  - Display price P on each page
- Don’t want to do a DB lookup of the price for every single page
- One bad idea: each page after the first takes P as a GET var from the prior one

CGI & security
- Attack: type false data into the GET request
    tabase Systems”&price=.01
- Very insecure!
- Soln 1: Use POST, not GET

Send price, etc., by POST
- This is more secure
  - Fewer users will know how to break POST than GET
  - But some do!
- Attack: hand-code the POST request
    sales% telnet amazon.com 80
    POST HTTP/1.0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 32

    title=“Database Systems”&price=.01

Hand-written POST example
- POST version of my input page:
  - Not obvious to a web user how to hand-submit
  - And get around any client-side validation
- But possible:
    sales% telnet pages.stern.nyu.edu 80
    POST HTTP/1.0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 15

    val=6&submit=OK

Injection attacks
Here’s a situation:
- Take user and password from the user
- Look up user/pass:
    SELECT * FROM users WHERE user = u AND password = p;
- If found, the user gets in
- Is this safe?

Injection attacks
We expect to get input of something like:
- user: mjohnson
- pass: abc
    SELECT * FROM users WHERE user = u AND password = p;
becomes
    SELECT * FROM users WHERE user = 'mjohnson' AND password = 'abc';

M.P. Johnson, DBMS, Stern/NYU, Sp Injection attacks – MySQL/Perl/PHP Consider another input:  user: ' OR 1=1 OR user = '  pass: ' OR 1=1 OR pass = '  SELECT * FROM users WHERE user = u AND password = p; SELECT * FROM users WHERE user = u AND password = p; SELECT * FROM users WHERE user = ' ' OR 1=1 OR user = ' ' AND password = ' ' OR 1=1 OR pass = ' '; SELECT * FROM users WHERE user = ' ' OR 1=1 OR user = ' ' AND password = ' ' OR 1=1 OR pass = ' '; SELECT * FROM users WHERE user = '' OR 1=1 OR user = '' AND password = '' OR 1=1 OR pass = ''; SELECT * FROM users WHERE user = '' OR 1=1 OR user = '' AND password = '' OR 1=1 OR pass = '';

M.P. Johnson, DBMS, Stern/NYU, Sp Injection attacks – MySQL/Perl/PHP Consider another input:  user: your-boss ' OR 1=1 #  pass: abc  SELECT * FROM users WHERE user = u AND password = p; SELECT * FROM users WHERE user = u AND password = p; SELECT * FROM users WHERE user = 'your-boss ' OR 1=1 #' AND password = 'abc'; SELECT * FROM users WHERE user = 'your-boss ' OR 1=1 #' AND password = 'abc'; SELECT * FROM users WHERE user = 'your-boss' OR 1=1 #' AND password = 'abc'; SELECT * FROM users WHERE user = 'your-boss' OR 1=1 #' AND password = 'abc';

M.P. Johnson, DBMS, Stern/NYU, Sp Injection attacks – MySQL/Perl/PHP Consider another input:  user: your-boss  pass: ' OR 1=1 OR pass = '  SELECT * FROM users WHERE user = u AND password = p; SELECT * FROM users WHERE user = u AND password = p; SELECT * FROM users WHERE user = 'your-boss' AND password = ' ' OR 1=1 OR pass = ' '; SELECT * FROM users WHERE user = 'your-boss' AND password = ' ' OR 1=1 OR pass = ' '; SELECT * FROM users WHERE user = 'your-boss' AND password = '' OR 1=1 OR pass = ''; SELECT * FROM users WHERE user = 'your-boss' AND password = '' OR 1=1 OR pass = '';

M.P. Johnson, DBMS, Stern/NYU, Sp Multi-command injection attacks Consider another input:  user: ' ; DELETE FROM users WHERE user = ' abc ' ; SELECT FROM users WHERE password = '  pass: abc  SELECT * FROM users WHERE user = u AND password = p; SELECT * FROM users WHERE user = u AND password = p; SELECT * FROM users WHERE user = ' ' ; DELETE FROM users WHERE user = 'abc'; SELECT FROM users WHERE password = ' ' AND password = 'abc'; SELECT * FROM users WHERE user = ' ' ; DELETE FROM users WHERE user = 'abc'; SELECT FROM users WHERE password = ' ' AND password = 'abc'; SELECT * FROM users WHERE user = ''; DELETE FROM users WHERE user = 'abc'; SELECT FROM users WHERE password = '' AND password = 'abc'; SELECT * FROM users WHERE user = ''; DELETE FROM users WHERE user = 'abc'; SELECT FROM users WHERE password = '' AND password = 'abc';

M.P. Johnson, DBMS, Stern/NYU, Sp Multi-command injection attacks Consider another input:  user: ' ; DROP TABLE users; SELECT FROM users WHERE password = '  pass: abc  SELECT * FROM users WHERE user = u AND password = p; SELECT * FROM users WHERE user = u AND password = p; SELECT * FROM users WHERE user = ' ' ; DROP TABLE users; SELECT FROM users WHERE password = ' ' AND password = 'abc'; SELECT * FROM users WHERE user = ' ' ; DROP TABLE users; SELECT FROM users WHERE password = ' ' AND password = 'abc'; SELECT * FROM users WHERE user = ''; DROP TABLE users; SELECT FROM users WHERE password = '' AND password = 'abc'; SELECT * FROM users WHERE user = ''; DROP TABLE users; SELECT FROM users WHERE password = '' AND password = 'abc';

M.P. Johnson, DBMS, Stern/NYU, Sp Multi-command injection attacks Consider another input:  user: ' ; SHUTDOWN WITH NOWAIT; SELECT FROM users WHERE password = '  pass: abc  SELECT * FROM users WHERE user = u AND password = p; SELECT * FROM users WHERE user = u AND password = p; SELECT * FROM users WHERE user = ' ' ; SHUTDOWN WITH NOWAIT; SELECT FROM users WHERE password = ' ' AND password = 'abc'; SELECT * FROM users WHERE user = ' ' ; SHUTDOWN WITH NOWAIT; SELECT FROM users WHERE password = ' ' AND password = 'abc'; SELECT * FROM users WHERE user = ''; SHUTDOWN WITH NOWAIT; SELECT FROM users WHERE password = '' AND password = 'abc'; SELECT * FROM users WHERE user = ''; SHUTDOWN WITH NOWAIT; SELECT FROM users WHERE password = '' AND password = 'abc';

M.P. Johnson, DBMS, Stern/NYU, Sp Injection attacks – MySQL/Perl/PHP Consider another input:  user: your-boss  pass: ' OR 1=1 AND user = 'your-boss  Delete your boss! DELETE FROM users WHERE user = u AND password = p; DELETE FROM users WHERE user = u AND password = p; DELETE FROM users WHERE user = 'your-boss' AND pass = ' ' OR 1=1 AND user = ' your-boss'; DELETE FROM users WHERE user = 'your-boss' AND pass = ' ' OR 1=1 AND user = ' your-boss'; DELETE FROM users WHERE user = 'your-boss' AND pass = '' OR 1=1 AND user = 'your-boss'; DELETE FROM users WHERE user = 'your-boss' AND pass = '' OR 1=1 AND user = 'your-boss';

M.P. Johnson, DBMS, Stern/NYU, Sp Injection attacks – MySQL/Perl/PHP Consider another input:  user:  pass: ' OR 1=1 OR user = '  Delete everyone! DELETE FROM users WHERE user = u AND password = p; DELETE FROM users WHERE user = u AND password = p; DELETE FROM users WHERE user = '' AND pass = ' ' OR 1=1 OR user = ' '; DELETE FROM users WHERE user = '' AND pass = ' ' OR 1=1 OR user = ' '; DELETE FROM users WHERE user = '' AND pass = '' OR 1=1 OR user = ''; DELETE FROM users WHERE user = '' AND pass = '' OR 1=1 OR user = '';

Preventing injection attacks
- Source of the problem (in the SQL case): use of quotes
- Soln 1: don’t allow quotes!
  - Reject any entered data containing single quotes
  - Q: Is this satisfactory?
  - Does Amazon need to sell O’Reilly books?
- Soln 2: escape any single quotes
  - Replace any ' with '' or \'
  - In PHP, turn on magic_quotes_gpc

Preventing injection attacks
- Soln 3: use prepared, parameter-based queries
  - Supported in JDBC, Perl DBI, PHP ext/mysqli
- Very dangerous: using tainted data to run commands at the Unix command prompt
  - Semicolons, the prime (') char, etc.
  - Safest: define the set of legal chars, not illegal ones
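As an added example (not the lecture's code), the login lookup from these slides is built three ways over a constructed in-memory table: the vulnerable string splice, quote escaping (Soln 2) and a parameterised query (Soln 3), each fed the slides' ' OR 1=1 OR user = ' payload and a legitimate O'Reilly-style name. SQLite stands in for the lecture's MySQL so the example runs offline; the table, rows and function names are assumptions of the example.

```python
import sqlite3

# Constructed sample rows. Passwords are stored in the clear only to mirror
# the slide's query; the Passwords slide explains why a digest goes here instead.
USERS = [
    ("mjohnson", "abc"),
    ("your-boss", "s3cret"),
    ("o'reilly", "tim"),        # legitimate username containing a quote
]
TAUTOLOGY = "' OR 1=1 OR user = '"   # the payload from the slides


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, u, p):
    """Vulnerable: user input is spliced into the SQL text itself."""
    sql = f"SELECT * FROM users WHERE user = '{u}' AND password = '{p}'"
    return conn.execute(sql).fetchone() is not None


def login_escaped(conn, u, p):
    """Soln 2: double every single quote before splicing (easy to get wrong)."""
    def esc(s):
        return s.replace("'", "''")
    sql = f"SELECT * FROM users WHERE user = '{esc(u)}' AND password = '{esc(p)}'"
    return conn.execute(sql).fetchone() is not None


def login_param(conn, u, p):
    """Soln 3: placeholders; the driver never lets data become SQL syntax."""
    sql = "SELECT * FROM users WHERE user = ? AND password = ?"
    return conn.execute(sql, (u, p)).fetchone() is not None


def attempt(fn, conn, u, p):
    """Run one login variant, reporting a broken query instead of crashing."""
    try:
        return fn(conn, u, p)
    except sqlite3.Error:
        return "sql error"


def compare_variants():
    """Outcome of each variant on valid, wrong, quote-bearing and injected input."""
    conn = make_db()
    variants = {"concat": login_concat, "escaped": login_escaped, "param": login_param}
    return {
        name: {
            "valid":      attempt(fn, conn, "mjohnson", "abc"),
            "wrong_pw":   attempt(fn, conn, "mjohnson", "xyz"),
            "quote_name": attempt(fn, conn, "o'reilly", "tim"),
            "tautology":  attempt(fn, conn, TAUTOLOGY, TAUTOLOGY),
        }
        for name, fn in variants.items()
    }


if __name__ == "__main__":
    for name, outcome in compare_variants().items():
        print(f"{name:8s} {outcome}")
```

Only the spliced version lets the tautology log in, and it also breaks on the quoted name that Soln 1 would have rejected; both the escaped and the parameterised versions accept o'reilly and treat the payload as an ordinary (non-matching) string.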

Preventing injection attacks
- When to do security checking for quotes, etc.?
- Natural choice: in client-side data validation
- But not enough!
  - As we saw: one can still manually submit GET and POST requests
  - Must do security checking on the server

More Info
- phpGB MySQL Injection Vulnerability
- “How I hacked PacketStorm”

Next time
- Next: XML
- For next time: read section 4.7, hand-outs
- Now: one-minute responses
  - Vote on advanced topic(s) to drop / any topic to expand