M.P. Johnson, DBMS, Stern/NYU, Spring 2008

C20.0046: Database Management Systems
Lecture #19
M.P. Johnson
Stern School of Business, NYU
Spring, 2008

Agenda
  Security
  Web issues
  Transactions
  RAID?
  Stored procedures?
  Implementation?

Review: hashes
  Hash tables
  Hash functions
  Secure hash functions
  Families of secure hash functions

New topic: Security on the web
  Authentication
    If the website user wants to pay with George’s credit card, how do we know it’s George?
    If the website asks George for his credit card, how does he know it’s our site?
      Maybe it’s a phishing site…
  Secrecy
    When George enters his credit card, will an eavesdropper be able to see it?
  Protecting against user input
    Is it safe to run SQL queries based on user input?

Security on the web
  Obvious soln: passwords
    What’s the problem?
  Slightly less obvious soln: passwords + encryption
  Traditional encryption: “symmetric” / “private key”
    DES, AES – fast – solves problem?
  “Newer” kind: “asymmetric” / “public key”
    Public key is published somewhere
    Private key is top secret
    RSA – slow – solves problem?

Hybrid protocols (SSH, SSL/HTTPS, etc.)
  Neither private- nor public-key alone suffices
    They each only solve half of each problem
    But together they solve almost everything
  Recurring strategy:
    We do private-key crypto
    Where do we get the key?
    You send it (encrypted) to me

SSH-like authentication (intuition)
  sales has a public-key
  When you connect to sales,
    1. You pick a random number
    2. Encrypt it (with the cert) and send it to them
    3. They decrypt it (with their private key)
    4. Now, they send it back to you
  Since they decrypted it, you trust they’re sales

HTTPS-like authentication (intuition)
  Amazon has a public-key certificate
    Encrypted with, say, Verisign’s private key
  When you log in to Amazon,
    1. They send you their Verisign-encrypted cert
    2. You decrypt it (with Verisign’s public key), and check that it’s a cert for amazon.com
  Since the decrypt worked, the cert must have been encrypted by Verisign
  So this must really be Amazon

Authentication on the web
  Now George trusts that it’s really Amazon
    Assuming Amazon’s private key is secure
    And excluding man-in-the-middle…
  But: What if, say, Dick guessed George’s password?
  Another way: What if George claims Dick guessed his password?
  Soln: same process, but in reverse
    But now you need to get your own cert…

Hybrid protocol for encryption
  Amazon just sent you their public-key cert
  When you log in to Amazon,
    1. You pick a random number (“session key”)
    2. You encrypt it (with the cert) and send it to them
    3. They decrypt it (with their private key)
  Now, you both share a secret key
    Can now encrypt passwords, credit cards, etc.
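
The three steps above as an added Python example (not code from the lecture). Textbook RSA with toy-sized primes stands in for the server's public-key cert and a SHA-256 keystream stands in for DES/AES; both stand-ins, all function names and the card number are assumptions of the example.

```python
import hashlib
import secrets

# Toy-sized textbook RSA key pair (assumption: real deployments use 2048+ bit
# keys with padding, from a vetted library). Both factors are Mersenne primes.
P, Q = 2**61 - 1, 2**31 - 1
N, E = P * Q, 65537                      # public key, published in the cert
D = pow(E, -1, (P - 1) * (Q - 1))        # private key, known only to the server


def keystream_xor(session_key: int, data: bytes) -> bytes:
    """Symmetric step: XOR data with a SHA-256 counter-mode keystream."""
    key = session_key.to_bytes(16, "big")
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)


def client_hello(n: int, e: int):
    """Steps 1-2: pick a random session key, encrypt it with the public key."""
    session_key = secrets.randbelow(n - 2) + 2
    return session_key, pow(session_key, e, n)


def server_receive(wrapped_key: int) -> int:
    """Step 3: only the private-key holder can recover the session key."""
    return pow(wrapped_key, D, N)


def demo():
    client_key, wrapped = client_hello(N, E)
    server_key = server_receive(wrapped)
    # Both sides now share a secret; the slow public-key step ran only once.
    ciphertext = keystream_xor(client_key, b"card=4111111111111111")  # constructed
    plaintext = keystream_xor(server_key, ciphertext)
    return client_key == server_key, plaintext, ciphertext
```

Only the wrapped key and the ciphertext cross the wire; the session key itself never does.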

Query-related: Injection attacks
  Here’s a situation:
    Prompt for user/pass
    Do lookup:
      SELECT * FROM users WHERE user=u AND password=p;
    If found, user gets in
  test.user table in MySQL
    http://pages.stern.nyu.edu/~mjohnson/dbms/php/login.php / http://pages.stern.nyu.edu/~mjohnson/dbms/php/login.phptxt
    http://pages.stern.nyu.edu/~mjohnson/dbms/php/users.php / http://pages.stern.nyu.edu/~mjohnson/dbms/php/users.phptxt
  Modulo the no hashing, is this a good idea?

Injection attacks
  We expect to get input of something like:
    user: mjohnson
    pass: topsecret
  SELECT * FROM users WHERE user = u AND password = p;
  SELECT * FROM users WHERE user = 'mjohnson' AND password = 'topsecret';

Injection attacks – MySQL/Perl/PHP
  Consider another input:
    user: ' OR 1=1 OR user = '
    pass: ' OR 1=1 OR pass = '
  SELECT * FROM users WHERE user = u AND password = p;
  SELECT * FROM users WHERE user = '' OR 1=1 OR user = '' AND password = '' OR 1=1 OR pass = '';
  http://pages.stern.nyu.edu/~mjohnson/dbms/php/login.php
  http://pages.stern.nyu.edu/~mjohnson/dbms/eg/injection.txt

Injection attacks – MySQL/Perl/PHP
  Consider this one:
    user: your-boss' OR 1=1 #
    pass: abc
  SELECT * FROM users WHERE user = u AND password = p;
  SELECT * FROM users WHERE user = 'your-boss' OR 1=1 #' AND password = 'abc';
  http://pages.stern.nyu.edu/~mjohnson/dbms/php/login.php

Injection attacks – MySQL/Perl/PHP
  Consider another input:
    user: your-boss
    pass: ' OR 1=1 OR pass = '
  SELECT * FROM users WHERE user = u AND password = p;
  SELECT * FROM users WHERE user = 'your-boss' AND password = '' OR 1=1 OR pass = '';
  http://pages.stern.nyu.edu/~mjohnson/dbms/php/login.php

Multi-command inj. attacks (other DBs)
  Consider another input:
    user: '; DELETE FROM users WHERE user = 'abc'; SELECT FROM users WHERE password = '
    pass: abc
  SELECT * FROM users WHERE user = u AND password = p;
  SELECT * FROM users WHERE user = ''; DELETE FROM users WHERE user = 'abc'; SELECT FROM users WHERE password = '' AND password = 'abc';

Multi-command inj. attacks (other DBs)
  Consider another input:
    user: '; DROP TABLE users; SELECT FROM users WHERE password = '
    pass: abc
  SELECT * FROM users WHERE user = u AND password = p;
  SELECT * FROM users WHERE user = ''; DROP TABLE users; SELECT FROM users WHERE password = '' AND password = 'abc';

Multi-command inj. attacks (other DBs)
  Consider another input:
    user: '; SHUTDOWN WITH NOWAIT; SELECT FROM users WHERE password = '
    pass: abc
  SELECT * FROM users WHERE user = u AND password = p;
  SELECT * FROM users WHERE user = ''; SHUTDOWN WITH NOWAIT; SELECT FROM users WHERE password = '' AND password = 'abc';

Injection attacks – MySQL/Perl/PHP
  Consider another input:
    user: your-boss
    pass: ' OR 1=1 AND user = 'your-boss
  Delete your boss!
  DELETE FROM users WHERE user = u AND password = p;
  DELETE FROM users WHERE user = 'your-boss' AND pass = '' OR 1=1 AND user = 'your-boss';
  http://pages.stern.nyu.edu/~mjohnson/dbms/php/users.php

Injection attacks – MySQL/Perl/PHP
  Consider another input:
    user: ' OR 1=1 OR user = '
    pass: ' OR 1=1 OR user = '
  Delete everyone!
  DELETE FROM users WHERE user = u AND pass = p;
  DELETE FROM users WHERE user = '' OR 1=1 OR user = '' AND pass = '' OR 1=1 OR user = '';
  http://pages.stern.nyu.edu/~mjohnson/dbms/php/users.php

Preventing injection attacks
  Ultimate source of problem: quotes
  Soln 1: don’t allow quotes!
    Reject any entered data containing single quotes
    Q: Is this satisfactory?
    Does Amazon need to sell O’Reilly books?
  Soln 2: escape any single quotes
    Replace any ' with a '' or \'
    In Perl, use taint mode – won’t show
    In PHP, turn on magic_quotes_gpc flag in .htaccess
      show both PHP versions

Preventing injection attacks
  Soln 3: use prepared, parameter-based queries
    Supported in JDBC, Perl DBI, PHP ext/mysqli
    http://pages.stern.nyu.edu/~mjohnson/dbms/perl/loginsafe.cgi
    http://pages.stern.nyu.edu/~mjohnson/dbms/perl/userssafe.cgi
  Even more dangerous: using tainted data to run commands at the Unix command prompt
    Semi-colons, prime char, etc.
    Safest: define set of legal chars, not illegal ones
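
The concatenated login query from the earlier slides beside its Soln 3 form, as an added Python example (not the lecture's PHP or Perl code). SQLite through Python's sqlite3 module stands in for MySQL; the function names and table rows are constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the lecture's users table (constructed rows,
    passwords unhashed as on the slides)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("mjohnson", "topsecret"), ("o'reilly", "books")])
    return db


def login_vulnerable(db, u, p):
    """The slides' pattern: user input pasted between quotes in the SQL text."""
    sql = ("SELECT * FROM users WHERE user = '" + u +
           "' AND password = '" + p + "'")
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # the input broke the statement's syntax


def login_prepared(db, u, p):
    """Soln 3: the query text is fixed; input is bound as data, never parsed."""
    sql = "SELECT * FROM users WHERE user = ? AND password = ?"
    return db.execute(sql, (u, p)).fetchone() is not None


def compare(u, p):
    """Return (vulnerable result, prepared result) for one login attempt."""
    db = make_db()
    return login_vulnerable(db, u, p), login_prepared(db, u, p)
```

With the slides' input `' OR 1=1 OR user = '` as the user name, `compare` returns `(True, False)`; for the legitimate user `o'reilly` it returns `(False, True)`, so binding also removes the need for Soln 1 and Soln 2. PHP deprecated magic_quotes_gpc in 5.3 and removed it in 5.4.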

Preventing injection attacks
  When to do security-checking for quotes, etc.?
  Tempting choice: in client-side data validation
    But not enough!
    Can submit GET and POST params manually
  Must do security checking on server
    Even if you do it on client-side too
  Same with data-validation
    Example of constraints

POST vars
  Because of hand-coded HTTP requests, can’t rely on post vars being either safe or “true”
  Actual past websites: send price by post (why?)
    More secure than GET
    Fewer users will know how to break POST than GET
    But some do!
  Attack: hand-code the POST request
    sales% telnet amazon.com 80
    POST http://amazon.com/cart.cgi HTTP/1.0
    Content-Type:application/x-www-form-urlencoded
    Content-Length: 32

    title=Database+Systems&price=.01

Hand-written POST example
  POST version of my input page:
    http://pages.stern.nyu.edu/~mjohnson/dbms/php/post.php
  Not obvious to web user how to hand submit
    And get around any client-side validation
  But possible:
    http://pages.stern.nyu.edu/~mjohnson/dbms/eg/postbyhand.txt
    sales% telnet pages.stern.nyu.edu 80
    POST http://pages.stern.nyu.edu/~mjohnson/dbms/php/post.php HTTP/1.0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 15

    val=6&submit=OK
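
A server-side handler for the cart POST body shown above, as an added Python example (not code from the lecture): it applies an allow-list of legal characters, takes the price from the server's own data, and flags a client-sent price that disagrees. The catalog contents, handler name and return shape are assumptions.

```python
import re
from decimal import Decimal
from urllib.parse import parse_qs

# Server-side source of truth for prices (constructed sample catalog).
CATALOG = {"Database Systems": Decimal("89.99")}

# Allow-list of legal characters, per the "legal chars, not illegal ones" advice.
TITLE_OK = re.compile(r"[A-Za-z0-9 .,'\-]{1,80}")


def _as_decimal(text: str):
    """Parse a client-sent number; None if it is not a number at all."""
    try:
        return Decimal(text)
    except ArithmeticError:
        return None


def handle_cart_post(body: str):
    """Process an urlencoded POST body without trusting any client-sent value.

    Returns (status, title, price_to_charge, tampered).
    """
    fields = parse_qs(body, keep_blank_values=True)
    titles = fields.get("title", [])
    if len(titles) != 1 or not TITLE_OK.fullmatch(titles[0]):
        return ("rejected", None, None, False)
    title = titles[0]
    if title not in CATALOG:
        return ("rejected", None, None, False)
    price = CATALOG[title]            # never read the charge from the request
    sent = fields.get("price", [])
    # A client-sent price that disagrees with the catalog is worth logging.
    tampered = bool(sent) and _as_decimal(sent[0]) != price
    return ("ok", title, price, tampered)
```

For the slide's body `title=Database+Systems&price=.01` the handler still charges the catalog price and sets the tamper flag.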

More info
  phpGB MySQL Injection Vulnerability
    http://www.securiteam.com/unixfocus/6X00O1P5PY.html
  “How I hacked PacketStorm”
    http://www.wiretrip.net/rfp/txt/rfp2k01.txt
  Google hacking…
    inurl:"ViewerFrame?Mode="
    intitle:"Live View / - AXIS" | inurl:view/view.sht
    intitle:"toshiba network camera - User Login"
    http://200.71.42.48/ViewerFrame?Mode=Motion&Language=0
    http://141.211.44.254/view/index.shtml
    http://66.186.226.189/view/index.shtml

New-old topic: Transactions
  So far, have simply issued commands
    Ignored xacts
  Recall, though: an xact is an operation/set of ops executed atomically
    In one instant
  ACID test:
    Xacts are atomic
    Each xact (not each statement) must leave the DB consistent

Default xact behavior (in Oracle)
  An xact begins upon login
  By default, xact lasts until logoff
    Except for DDL statements
    They automatically commit
  Examples with two views of tbl…
  But with TYPE=innodb!
    mysql> set autocommit = 0

Direct xact instructions
  At any point, may explicitly COMMIT:
    SQL> COMMIT;
    Saves all statements entered up to now
    Begins new xact
  Conversely, can ROLLBACK
    SQL> ROLLBACK;
    Cancels all statements entered since start of xact
  Example: delete from emp; or delete junk;

Direct xact instructions
  Remember, DDL statements are auto-committed
    They cannot be rolled back
  Examples:
    drop table junk;
    rollback;
    truncate table junk;
    rollback;
  Q: Why doesn’t rollback “work”?

Savepoints (in Oracle?)
  Xacts are atomic
  Can rollback to beginning of current xact
  But might want to rollback only part way
    Make 10 changes, make one bad change
    Want to: roll back to before last change
  Don’t have Word-like multiple undo
    But do have savepoints

Savepoints
  Create a savepoint:
    SAVEPOINT savept_name;
  emp example:
    --changes
    SAVEPOINT sp1;
    --changes
    SAVEPOINT sp2;
    --changes
    SAVEPOINT sp3;
    --changes
    ROLLBACK TO SAVEPOINT sp2;
    ROLLBACK TO SAVEPOINT sp1;
  Can skip savepoints
  But can ROLLBACK only backwards
  Can ROLLBACK only to last COMMIT
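
The sp1/sp2/sp3 sequence above replayed as an added Python example (not code from the lecture). SQLite through Python's sqlite3 module stands in for Oracle; the emp rows and the function name are constructed, and error behaviour on other databases may differ.

```python
import sqlite3


def savepoint_demo():
    """Replay the slide's savepoint sequence on a constructed emp table."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # we issue BEGIN
    db.execute("CREATE TABLE emp (name TEXT)")

    def names():
        return [r[0] for r in db.execute("SELECT name FROM emp ORDER BY rowid")]

    db.execute("BEGIN")
    db.execute("INSERT INTO emp VALUES ('a')")      # --changes
    db.execute("SAVEPOINT sp1")
    db.execute("INSERT INTO emp VALUES ('b')")
    db.execute("SAVEPOINT sp2")
    db.execute("INSERT INTO emp VALUES ('c')")
    db.execute("SAVEPOINT sp3")
    db.execute("DELETE FROM emp")                   # the one bad change

    db.execute("ROLLBACK TO SAVEPOINT sp2")         # skips over sp3
    after_sp2 = names()
    db.execute("ROLLBACK TO SAVEPOINT sp1")
    after_sp1 = names()

    # Only backwards: sp2 was created after sp1, so it no longer exists.
    try:
        db.execute("ROLLBACK TO SAVEPOINT sp2")
        forward_ok = True
    except sqlite3.OperationalError:
        forward_ok = False

    db.execute("COMMIT")
    # A later ROLLBACK reaches back only as far as that COMMIT.
    db.execute("BEGIN")
    db.execute("DELETE FROM emp")
    db.execute("ROLLBACK")
    return after_sp2, after_sp1, forward_ok, names()
```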

AUTOCOMMIT (in Oracle?)
  Finally, can turn AUTOCOMMIT on:
    SQL> SET AUTOCOMMIT ON;
    Can put this in your config file
    Can specify through JDBC, etc.
  Then each statement is auto-committed as its own xact
    Not just DDL statements

RAID levels
  RAID level 1: each disk gets a mirror
  RAID level 4: one disk is xor of all others
    Each bit is sum mod 2 of corresponding bits
    E.g.:
      Disk 1: 10110011
      Disk 2: 10101010
      Disk 3: 00111000
      Disk 4:
  How to recover?
  What’s the disadvantage of R4?
  Various other RAID levels in text…