Database System Security UW-Stout Information and Cyber Security Workshop 8/24/2006 Paul Wagner,

Slides:



Advertisements
Similar presentations
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Advertisements

Understand Database Security Concepts
WebGoat & WebScarab “What is computer security for $1000 Alex?”
How Did I Steal Your Database Mostafa
Advantage Data Dictionary. agenda Creating and Managing Data Dictionaries –Tables, Indexes, Fields, and Triggers –Defining Referential Integrity –Defining.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 14 Implementation Flaws Part 2: Malicious Input and Data Validation Issues.
Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Advance Computer Programming Java Database Connectivity (JDBC) – In order to connect a Java application to a database, you need to use a JDBC driver. –
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
ISOM MIS3150 Data and Info Mgmt Database Security Arijit Sengupta.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Security.NET Chapter 1. How Do Attacks Occur? Stages of attack Examples of attacker actions 1. FootprintRuns a port scan on the firewall 2. PenetrationExploits.
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
ASP.NET Programming with C# and SQL Server First Edition
CSCI 6962: Server-side Design and Programming Secure Web Programming.
PHP Programming with MySQL Slide 8-1 CHAPTER 8 Working with Databases and MySQL.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
Chapter 13 – Network Security
© D. Wong  Indexes  JDBC  JDBC in J2EE (Java 2 Enterprise Edition)
August 1, The Software Security Problem August 1, 2006.
Computer Security and Penetration Testing
Module 7: Fundamentals of Administering Windows Server 2008.
Software Security Testing Vinay Srinivasan cell:
Attacking Applications: SQL Injection & Buffer Overflows.
SEC835 Practical aspects of security implementation Part 1.
Oracle Application Express Security. © 2009 Oracle Corporation Authentication Out-of-the-Box Pre-Configured Schemes LDAP Directory credentials Oracle.
Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
1 IT420: Database Management and Organization Database Security 5 April 2006 Adina Crăiniceanu
Copyright © 2013 Curt Hill Database Security An Overview with some SQL.
Attacking Data Stores Brad Stancel CSCE 813 Presentation 11/12/2012.
Analysis of SQL injection prevention using a filtering proxy server By: David Rowe Supervisor: Barry Irwin.
Accessing Your MySQL Database from the Web with PHP (Ch 11) 1.
Oracle 11g DATABASE DEVELOPMENT LAB1. Introduction  Oracle 11g Database:-  Oracle 11g database is designed for some features, which helps to the organizations.
SQL Injection Jason Dunn. SQL Overview Structured Query Language For use with Databases Purpose is to retrieve information Main Statements Select Insert.
CSCI 3140 Module 6 – Database Security Theodore Chiasson Dalhousie University.
Database Role Activity. DB Role and Privileges Worksheet.
Database Security. Multi-user database systems like Oracle include security to control how the database is accessed and used for example security Mechanisms:
Lesson 19-E-Commerce Security Needs. Overview Understand e-commerce services. Understand the importance of availability. Implement client-side security.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Module 7: Implementing Security Using Group Policy.
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
JDBC CS 260 Database Systems. Overview  Introduction  JDBC driver types  Eclipse project setup  Programming with JDBC  Prepared statements  SQL.
SQL Injection Anthony Brown March 4, 2008 IntroductionQuestionsBackgroundTechniquesPreventionDemoConclusions.
Secure Authentication. SQL Injection Many web developers are unaware of how SQL queries can be tampered with SQL queries are able to circumvent access.
Databases Kevin Wright Ben Bruckner Group 40. Outline Background Vulnerabilities Log File Cleaning This Lab.
Lu Wei1 Outline Introduction Basic SQL Setting Up and Using PostgreSQL Advanced SQL Embeded SQL.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
ADVANCED SQL.  The SQL ORDER BY Keyword  The ORDER BY keyword is used to sort the result-set by one or more columns.  The ORDER BY keyword sorts the.
Dynamic SQL Writing Efficient Queries on the Fly ED POLLACK AUTOTASK CORPORATION DATABASE OPTIMIZATION ENGINEER.
Slide Set #24: Database security SY306 Web and Databases for Cyber Operations.
SQL Injection Attacks S Vinay Kumar, 07012D0506. Outline SQL Injection ? Classification of Attacks Attack Techniques Prevention Techniques Conclusion.
SQL Injection.
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Dynamic SQL Writing Efficient Queries on the Fly
SQL Injection.
Securing the Network Perimeter with ISA 2004
SQL INJECTION ATTACKS.
Introduction to SQL Server 2000 Security
Oracle Architecture Overview
Lecture 2 - SQL Injection
WWW安全 國立暨南國際大學 資訊管理學系 陳彥錚.
Designing IIS Security (IIS – Internet Information Service)
Presentation transcript:

Database System Security UW-Stout Information and Cyber Security Workshop 8/24/2006 Paul Wagner,

Background Need Security curriculum is relatively light in database systems area Security curriculum is relatively light in database systems area Focus currently on protecting information through network configuration, systems administration, application security Need to specifically consider database system security issues

Background (cont.) Goals Understand security issues in: Understand security issues in: a general database system environment a general database system environment a specific DBMS (Oracle) environment a specific DBMS (Oracle) environment Consider database security issues in context of general security principles and ideas Consider database security issues in context of general security principles and ideas Consider issues relating to both database storage and database system communication with other applications Consider issues relating to both database storage and database system communication with other applications

Main Message Database system security is more than securing the database Secure database Secure database Secure DBMS Secure DBMS Secure applications / application development Secure applications / application development Secure operating system in relation to database system Secure operating system in relation to database system Secure web server in relation to database system Secure web server in relation to database system Secure network environment in relation to database system Secure network environment in relation to database system

Secure databases Database – a domain-specific collection of data; e.g. an Employee database Historical database security topics and issues Users, Passwords Users, Passwords Default users/passwords Oracle: sys, system accounts – privileged (Oracle 8i and prior - with default passwords) Oracle: sys, system accounts – privileged (Oracle 8i and prior - with default passwords) Oracle: scott account – well-known account and password, part of public group Oracle: scott account – well-known account and password, part of public group e.g. public can access all_users table general password policies (length, domain, changing, protection) general password policies (length, domain, changing, protection)

Secure Databases (cont.) Privileges, Roles, Grant/Revoke Privileges, Roles, Grant/RevokePrivileges System - actions System - actions Objects – data Objects – dataRoles Collections of system privileges Collections of system privileges Grant / Revoke Giving (removing )privileges or roles to (from) users Giving (removing )privileges or roles to (from) users

Secure DBMS Database Management System (DBMS) – the domain- independent set of software used to manage and access your database(s) Possible Holes in DBMS (50+ listed) (50+ listed) Majority of problems - buffer overflow problems in (legacy) DBMS code Majority of problems - buffer overflow problems in (legacy) DBMS code Miscellaneous attacks (Denial of Service, source code disclosure of JSPs, others) Miscellaneous attacks (Denial of Service, source code disclosure of JSPs, others) Oracle example - UTL_FILE package in PL/SQL Oracle example - UTL_FILE package in PL/SQL allows read/write access to files in directory specified in utl_file_dir parameter in init.ora possible access through symbolic links

Secure DBMS (2) Need for continual patching of DBMS Encourage awareness of issues, continuous vigilance Encourage awareness of issues, continuous vigilance Cost of not patching Cost of not patching SQL Slammer Worm - ~100,000 systems affected

Secure DBMS (3) US-CERT advisories List of major software packages currently watched includes Oracle List of major software packages currently watched includes Oracle

Secure Application Development Access to Oracle Database or Environment Through Applications Need to consider security of applications using database as well as security of data in database itself Example: SQL Injection Attack

SQL Injection Definition – inserting malicious SQL code through an application interface Definition – inserting malicious SQL code through an application interface Often through web application, but possible with any interface Typical scenario Typical scenario Three-tier application (web interface, application, database) Overall application tracks own usernames and passwords in database (advantage: can manage users in real time) Web interface accepts username and password, passes these to application layer as parameters

SQL Injection (2) Example: Application Java code contains SQL statement: Example: Application Java code contains SQL statement: String query = "SELECT * FROM users_table " + " WHERE username = " + " ‘ " + username + " ‘ " + " WHERE username = " + " ‘ " + username + " ‘ " + " AND password = " + " ‘ " + password + " ‘ " ; Note: String values must be single quoted in SQL, so application provides this for each passed string parameter Note: String values must be single quoted in SQL, so application provides this for each passed string parameter Expecting one row to be returned if success, no rows if failure Expecting one row to be returned if success, no rows if failure Common variant – SELECT COUNT(*) FROM … Common variant – SELECT COUNT(*) FROM …

SQL Injection (3) Attacker enters: Attacker enters: any username (valid or invalid) any username (valid or invalid) password of: Aa‘ OR ‘ ‘ = ‘ password of: Aa‘ OR ‘ ‘ = ‘ Query becomes: SELECT * FROM users_table WHERE username = ‘anyname‘ AND password = ‘Aa‘ OR ‘ ‘ = ‘ ‘; Query becomes: SELECT * FROM users_table WHERE username = ‘anyname‘ AND password = ‘Aa‘ OR ‘ ‘ = ‘ ‘; Note: WHERE clause => F and F or T => F or T => T Note: WHERE clause => F and F or T => F or T => T AND has higher precedence than OR All user/pass rows returned to application All user/pass rows returned to application If application checking for 0 vs. more than 0 rows, attacker is in If application checking for 0 vs. more than 0 rows, attacker is in

SQL Injection - Prevention What’s the problem here? Not checking and controlling input properly Not checking and controlling input properly Specifically, not controlling string input Note: there are a variety of ways SQL injection can happen Note: there are a variety of ways SQL injection can happen Regular inclusion of SQL metacharacters through Variable interpolation Variable interpolation String concatenation with variables and/or constants String concatenation with variables and/or constants String format functions like sprintf() String format functions like sprintf() String templating with variable replacement String templating with variable replacement Hex or Unicode encoded metacharacters

SQL Injection Prevention (2) How to resolve this? First (Attempted) Solution: Check Content First (Attempted) Solution: Check Content Client code checks to ensure certain content rules are met Server code checks content as well Specifically – don’t allow apostrophes to be passed Problem: there are other characters that can cause problems --// SQL comment character --// SQL comment character ;// SQL command separator ;// SQL command separator %// SQL LIKE subclause wildcard character %// SQL LIKE subclause wildcard character Which characters do you filter (blacklist) / keep (whitelist)?

SQL Injection – Variant 1 Any username, password: ‘ or 1=1-- Note: -- comments out rest of line, including terminating single quote in application Note: -- comments out rest of line, including terminating single quote in application Query becomes: SELECT * FROM users_table WHERE username = ‘anyname‘ AND password = ‘‘ OR 1=1--‘;

SQL Injection – Variant 2 Any username, password: foo’;DELETE FROM users_table WHERE username LIKE ‘% Query becomes: SELECT * FROM users_table WHERE username = ‘anyname‘ AND password = ‘foo‘; DELETE FROM users_table WHERE username LIKE ‘%’ Note: system executes two statements SELECT * FROM users_table WHERE username = ‘anyname’ AND password = ‘foo’;// returns nothing SELECT * FROM users_table WHERE username = ‘anyname’ AND password = ‘foo’;// returns nothing DELETE FROM users_table WHERE username LIKE ‘%’ DELETE FROM users_table WHERE username LIKE ‘%’

SQL Injection – Variant 3 ODBC allows shell injection using ‘|’ character ‘|shell(“cmd /c echo “ & char(124) & “format c:”)|’ ‘|shell(“cmd /c echo “ & char(124) & “format c:”)|’ Similar issue exists with MS SQL Server Extended Stored Procedures

SQL Injection – Variant 4 Second-Order SQL Injection User creates account with user = root’-- User creates account with user = root’-- Application escapes and inserts as root’’-- Application escapes and inserts as root’’-- User resets password User resets password Your query fetches username from database to verify account exists with correct old password Your query fetches username from database to verify account exists with correct old password UPDATE users_table SET PASSWORD=‘pass’ WHERE username = ‘root’--’ UPDATE users_table SET PASSWORD=‘pass’ WHERE username = ‘root’--’ NOTE: above scenario allows user to reset the password on the real root account NOTE: above scenario allows user to reset the password on the real root account

SQL Injection – Prevention (3) Second (better) solution Use Prepared Statements instead of regular Statements in your SQL code Use Prepared Statements instead of regular Statements in your SQL code Regular Statements Regular Statements SQL query is generated entirely at run-time Custom procedure and data are compiled and run Compilation allows combination of procedure and data, allowing problems with SQL metacharacters Compilation allows combination of procedure and data, allowing problems with SQL metacharacters String sqlQuery = null; Statement stmt = null; sqlQuery = "select * from users where " + "username = " + "'" + fe.getUsername() + "'" + " and " + "upassword = " + "'" + fe.getPassword() + "'"; stmt = conn.createStatement(); rset = stmt.executeQuery(sqlQuery);

SQL Injection – Prevention(4) Prepared Statements Prepared Statements SQL query is precompiled with placeholders Data is added in at run-time, converted to correct type for the given fields String sqlQuery = null; PreparedStatement pStmt = null; sqlQuery = "select * from users where username = ? and upassword = ?"; pStmt = conn.prepareStatement(sqlQuery); pStmt.setString(1, fe.getUsername()); pStmt.setString(2, fe.getPassword()); rset = pStmt.executeQuery();

SQL Injection – Prevention (5) Issues with PreparedStatements Cannot use them in all situations Cannot use them in all situations Generally limited to replacing field values in SELECT, INSERT, UPDATE, DELETE statements E.g. our use for username field value, password field value E.g. our use for username field value, password field value Example: if also asking user for information that determines choice of table name, cannot use a prepared statement

SQL Injection Prevention (6) Additional Precautions Do not access the database as a privileged user Do not access the database as a privileged user Any user who gains access will have that user’s privileges Limit database user to only what they need to do Limit database user to only what they need to do e.g. reading information from database, no insert/update/delete Do not allow direct access to database from the internet Do not allow direct access to database from the internet Require users to go through your applications Do not embed database account passwords in your code Do not embed database account passwords in your code Encrypt and store them in a repository that is read at application startup Do not expose information in error messages Do not expose information in error messages E.g. do not display stack traces

Other Application Issues Be aware of how information is transmitted between client applications and database Research Project at UWEC Most common client applications (vendor-supplied or user-programmed) at least encrypt the connection password Most common client applications (vendor-supplied or user-programmed) at least encrypt the connection password Some clients encrypt the connection user Some clients encrypt the connection user Certain DBMSs have varying levels of security (e.g. PostgreSQL) Certain DBMSs have varying levels of security (e.g. PostgreSQL) One DBMS transmits the connection password length (MS SQL Server 2005 Express) One DBMS transmits the connection password length (MS SQL Server 2005 Express)

Secure Application Development Application Security in the Enterprise Environment J2EE – JDBC, Servlets, JSPs, JNDI, EJBs, … J2EE – JDBC, Servlets, JSPs, JNDI, EJBs, ….NET – many components.NET – many components Use of Proxy Applications Assume network filtering most evil traffic Assume network filtering most evil traffic Application can control fine-grain behavior, application protocol security Application can control fine-grain behavior, application protocol security

Secure Application Development (cont.) Security Patterns (from J2EE Design Patterns Applied) Single-Access Point Pattern Single-Access Point Pattern single point of entry into system Check Point Pattern Check Point Pattern centralized enforcement of authentication and authorization Role Pattern Role Pattern disassociation of users and privileges

Secure Operating System Interaction of Oracle and OS Windows Windows Secure administrative accounts Control registry access Need good account policies Others…

Secure Operating System (cont.) Linux/Unix Linux/Unix Choose different account names than standard suggestions Restrict use of the account that owns Oracle software Secure temporary directory Some Oracle files are SUID (root) Command line SQL*Plus with user/pass parameters appears under ps output Others…

Secure Web Server Interaction of Oracle and Web Server Apache now provided within Oracle as its application server, started by default Apache issues Standard configuration has some potential problems Standard configuration has some potential problems See Oracle Security Handbook for more discussion Ensure secure communication from web clients to web server Ensure secure communication from web clients to web server Use MaxClients to limit possible connections Use MaxClients to limit possible connections Others… Others…

Secure Web Server (cont.) Internet Information Server (IIS) issues Integration with other MS products (e.g. Exchange Server) Integration with other MS products (e.g. Exchange Server) Many known vulnerabilities over recent versions (patches available) Many known vulnerabilities over recent versions (patches available) Others… Others…

Secure Network Interaction of Oracle and Network Oracle Advanced Security (OAS) product Oracle Advanced Security (OAS) product Features for: Authentication Authentication Integrity Integrity Encryption – use of SSL Encryption – use of SSL Oracle server generally behind firewall Oracle server generally behind firewall Good to separate DB and web servers Connections normally initiated on port 1521, but then dynamically selected Other Network Issues To Consider Other Network Issues To Consider Possibility of hijacking a sys/sysmgr connection Various sniffing and spoofing issues

Miscellaneous Issues Newer Oracle Security Features Virtual Private Databases (VPDs) Virtual Private Databases (VPDs) Oracle Label Security Oracle Label SecurityAuditing Good policy: develop a comprehensive audit system for database activity tracking Good policy: develop a comprehensive audit system for database activity tracking Can write to OS as well as into database for additional security, accountability for all working with databases

Exercise Overall Security Examination of Oracle in Networked Environment 1) Database: Set up Oracle client, test known database for: 1) Database: Set up Oracle client, test known database for: Privileged access through sys or system accounts Public access through scott, other known/discovered usernames 2) DBMS: Check for known vulnerabilities 2) DBMS: Check for known vulnerabilities Check overall system level, patch level Test for specific problems from Oracle list 3) Application: 3) Application: Test for SQL Injection, other application weaknesses

Exercise (cont.) Similar types of tasks for OS, Web Server, Network components Similar types of tasks for OS, Web Server, Network components Task: develop report, including specifics for all areas Task: develop report, including specifics for all areas

References “Oracle Security Handbook” by Theriault and Newman; Osborne/Oracle Press, “Oracle Database Administration: The Essential Reference”, Kreines and Laskey; O’Reilly, Pete Finnigan’s Oracle Security web site, James Walden’s SIGCSE 2006 workshop on “Software Programming Security: Buffer Overflows and Other Common Mistakes” Eric Lobner, Matthew Giuliani, Paul Wagner; “Investigating Database Security in a Network Environment”, paper published at MICS 2006,