Database Systems Security
Course Module
Paul J. Wagner
University of Wisconsin – Eau Claire
Background

Need
• The security curriculum is relatively light in the database systems area
• The focus is currently on protecting information through network configuration, systems administration, and application security
• Database system security issues need to be considered specifically
Goals
• Understand security issues in a specific Oracle environment and in a general database system environment
• Use the module to emphasize general security principles and ideas
• Develop a teaching module for a computer security course or a database systems course
• Develop an accompanying lab project to give students practical experience in this area
Main Message to Students

Database system security is more than securing the database:
• Secure database
• Secure DBMS
• Secure applications
• Secure operating system in relation to the database system
• Secure web server in relation to the database system
• Secure network environment in relation to the database system
Secure Databases

Traditional database security topics and issues

Users, Passwords
• Default users/passwords
  – sys and system accounts: privileged, installed with well-known default passwords
  – scott account: well-known account and password, and (like every account) a member of PUBLIC
    e.g. PUBLIC can read the all_users view, so any account, including scott, can enumerate every username on the database
• General password policies (length, character set, forced change/expiry, protection of stored passwords)
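A SQL*Plus session that checks for and closes the default-account holes just listed, added here as an example and not part of the original module. It assumes an Oracle 8i/9i database, a SYSDBA connection for the administrative statements, and that the sample password-complexity function from $ORACLE_HOME/rdbms/admin/utlpwdmg.sql has been installed as VERIFY_FUNCTION; the new passwords are placeholders.

```sql
-- Added example (not from the module). Assumes Oracle 8i/9i, a SYSDBA
-- session for the ALTER/CREATE statements, and that utlpwdmg.sql has been
-- run so that VERIFY_FUNCTION exists.

-- 1. What PUBLIC already knows. ALL_USERS is readable by every account, so
--    SCOTT (or any guest) can build a username list for password guessing.
--    Run this connected as scott/tiger to make the point to students.
SELECT username, created FROM all_users ORDER BY created;

-- 2. As SYSDBA: which well-known accounts are still open?
--    (shipped defaults: SYS/CHANGE_ON_INSTALL, SYSTEM/MANAGER, SCOTT/TIGER,
--     DBSNMP/DBSNMP, and others depending on installed options)
SELECT username, account_status, profile
  FROM dba_users
 WHERE username IN ('SYS', 'SYSTEM', 'SCOTT', 'DBSNMP', 'OUTLN', 'CTXSYS', 'MDSYS')
 ORDER BY username;

-- 3. Change the privileged defaults; lock and expire the demo account.
--    The passwords below are placeholders for the example only.
ALTER USER sys    IDENTIFIED BY "Example-Sys-Pw-Change-Me1";
ALTER USER system IDENTIFIED BY "Example-System-Pw-Change-Me1";
ALTER USER scott  ACCOUNT LOCK PASSWORD EXPIRE;

-- 4. Put a password policy in a profile: lockout after repeated failures,
--    forced change, no quick reuse, complexity via the verify function.
--    8i/9i require one of the two REUSE limits to be UNLIMITED.
CREATE PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24        -- unit is days: one hour
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      UNLIMITED
  PASSWORD_VERIFY_FUNCTION verify_function;
ALTER USER system PROFILE app_users;

-- 5. Re-check after the changes: the demo account should no longer be OPEN.
SELECT username, account_status, profile
  FROM dba_users
 WHERE username IN ('SYSTEM', 'SCOTT');
```

The verify function only applies when a password is next changed, so step 3 should precede step 4 for accounts whose passwords are being reset; the profile does nothing for accounts that keep their current defaults.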
Privileges, Roles, Grant/Revoke
• Privileges
  – System privileges: permission to perform an action (e.g. CREATE SESSION, CREATE TABLE, SELECT ANY TABLE)
  – Object privileges: access to data in one specific object (e.g. SELECT, INSERT on a table or view, EXECUTE on a package)
• Roles
  – Named collections of privileges (system or object) and of other roles, granted and revoked as a unit
• Grant / Revoke
  – Giving privileges or roles to users or roles (GRANT) and taking them away again (REVOKE)
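The privilege, role and grant/revoke concepts above as Oracle SQL, together with the data-dictionary queries a DBA uses to check who holds what. This is an added example, not the module's own material; it assumes a DBA session and a hypothetical HR schema owning an EMPLOYEES table, and the user ALICE and the role HR_READER are invented for it.

```sql
-- Added example (not from the module). Assumes a DBA session and a
-- hypothetical HR schema that owns an EMPLOYEES table.

-- System privilege = permission to perform an action.
-- Object privilege = access to data in one named object.
-- A role bundles either kind so they can be granted and revoked as a unit.
CREATE ROLE hr_reader;
GRANT CREATE SESSION TO hr_reader;               -- system privilege: may log in
GRANT SELECT ON hr.employees TO hr_reader;       -- object privilege: may read one table

CREATE USER alice IDENTIFIED BY "Example-Pw-Change-Me1";   -- placeholder password
GRANT hr_reader TO alice;                        -- grant the role, not the privileges
-- Least privilege: no GRANT SELECT ANY TABLE, no GRANT DBA, to application
-- users. Object grants name the owning schema explicitly.

-- REVOKE works at either level: the role from the user, or a privilege from
-- the role (which removes it from everyone who holds the role).
REVOKE SELECT ON hr.employees FROM hr_reader;
REVOKE hr_reader FROM alice;

-- Checks a DBA should run periodically.
-- (a) What does PUBLIC hold? Every account, including SCOTT, inherits these.
SELECT privilege FROM dba_sys_privs WHERE grantee = 'PUBLIC';
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC' AND owner NOT IN ('SYS', 'SYSTEM');

-- (b) Who holds DBA, and who holds the broad "ANY" system privileges?
SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA';
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
 ORDER BY grantee, privilege;

-- (c) What can one user do, counting what comes in through roles?
SELECT granted_role FROM dba_role_privs WHERE grantee = 'ALICE';
SELECT privilege FROM dba_sys_privs
 WHERE grantee = 'ALICE'
    OR grantee IN (SELECT granted_role FROM dba_role_privs WHERE grantee = 'ALICE');
```

Query (c) only follows one level of role nesting; roles granted to roles need the same subquery applied again, which is one reason to keep role hierarchies shallow.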
Secure DBMS

Possible Holes in the DBMS
• Oracle security alerts: http://technet.oracle.com/deploy/security/alerts.htm (50+ listed)
• Buffer overflow problems in DBMS code
• Miscellaneous attacks (denial of service, source code disclosure of JSPs, others)
• UTL_FILE package in PL/SQL
  – allows read/write access to files in the directories named by the utl_file_dir parameter in init.ora
  – files reachable through symbolic links placed in such a directory are exposed as well, so a world-writable directory (or the catch-all value *) lets any database user holding EXECUTE on UTL_FILE read or overwrite any file the Oracle OS account can reach
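An added example (not from the module) of the UTL_FILE exposure and its remedy. It assumes a DBA session for the checks and grants and an ordinary account for the PL/SQL block; the paths /tmp and /u01/app/oracle/utlfiles, the file name pw and the schema batch_loader are illustrative.

```sql
-- Added example (not from the module). The init.ora lines are shown as
-- comments because that file is edited outside SQL*Plus and the instance
-- must be restarted for a change to take effect.

-- 1. Check the setting. Dangerous values: '*' (any directory the oracle OS
--    account can reach) and any world-writable directory such as /tmp,
--    where every local user can drop a symbolic link.
SELECT value FROM v$parameter WHERE name = 'utl_file_dir';

-- 2. Why it matters: EXECUTE on UTL_FILE is granted to PUBLIC in a default
--    install. With  utl_file_dir = /tmp  in init.ora and a link created by
--    any local user ( ln -s /etc/passwd /tmp/pw ), any database account
--    reads the link target; open mode 'w' overwrites it the same way.
SET SERVEROUTPUT ON
DECLARE
  f    UTL_FILE.FILE_TYPE;
  line VARCHAR2(4000);
BEGIN
  f := UTL_FILE.FOPEN('/tmp', 'pw', 'r');
  LOOP
    UTL_FILE.GET_LINE(f, line);
    DBMS_OUTPUT.PUT_LINE(line);
  END LOOP;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    UTL_FILE.FCLOSE(f);                  -- end of file
  WHEN UTL_FILE.INVALID_PATH THEN
    DBMS_OUTPUT.PUT_LINE('directory not listed in utl_file_dir: access refused');
END;
/

-- 3. Hardened configuration.
--    init.ora: one dedicated directory, owned by the oracle account, not
--    writable by anyone else, and containing no symbolic links:
--      utl_file_dir = /u01/app/oracle/utlfiles
--    Then withdraw the blanket grant and give EXECUTE only to schemas that
--    need it, after checking what currently depends on the package.
SELECT owner, name, type
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS' AND referenced_name = 'UTL_FILE';
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;
GRANT  EXECUTE ON sys.utl_file TO batch_loader;   -- hypothetical batch schema
```

Revoking PUBLIC grants on SYS packages can invalidate procedures that relied on them, which is what the DBA_DEPENDENCIES query is for. Later releases (9i Release 2 onward) let UTL_FILE open files through CREATE DIRECTORY objects with per-user READ/WRITE grants, which is preferable to a shared utl_file_dir path.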
Need for continual patching of the DBMS
• Encourage awareness of issues and continuous vigilance
• Cost of not patching: the SQL Slammer worm (January 2003) exploited a buffer overflow in Microsoft SQL Server 2000 / MSDE for which a patch had been available for about six months
Secure Application Development

Access to the Oracle Database or Environment Through Applications

Example: SQL Injection Attack through a Web Application
• The application tracks its own usernames and passwords in a database table
• The client accepts a username and password and passes them as parameters
• The application's Java code builds the SQL statement by string concatenation:

    String query = "SELECT * FROM users_table " +
                   " WHERE username = " + " ' " + username + " ' " +
                   " AND password = " + " ' " + password + " ' ";

• Expecting one row to be returned on success, no rows on failure
• Attacker enters any username, and as the password:  Aa ' OR ' ' = '
• The query becomes:

    SELECT * FROM users_table WHERE username = ' anyname ' AND password = ' Aa ' OR ' ' = ' '

  AND binds more tightly than OR, so the WHERE clause is (false) OR (true), which is true for every row
• All user rows are returned to the application
• If the application only checks for 0 versus more than 0 rows, the attacker is in
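The same attack and its fix as Oracle PL/SQL, an added example rather than the module's Java code. It creates a throwaway USERS_TABLE with constructed rows, a login function built by string concatenation exactly as in the Java snippet, and a second one that uses bind variables; the table, function and row contents are invented for the example.

```sql
-- Added example (not the module's code, which is Java/JDBC). Assumes any
-- Oracle schema with CREATE TABLE and CREATE PROCEDURE; USERS_TABLE and its
-- rows are constructed here for the demonstration.
CREATE TABLE users_table (username VARCHAR2(30), password VARCHAR2(30));
INSERT INTO users_table VALUES ('alice', 'Wonderland1');
INSERT INTO users_table VALUES ('bob',   'Builder2');
COMMIT;

-- Vulnerable: the same string concatenation as the Java snippet, done in
-- PL/SQL dynamic SQL. Returns the number of matching rows; the caller
-- treats > 0 as a successful login.
CREATE OR REPLACE FUNCTION login_unsafe (p_user VARCHAR2, p_pass VARCHAR2)
  RETURN NUMBER
IS
  v_count NUMBER;
  v_sql   VARCHAR2(4000);
BEGIN
  v_sql := 'SELECT COUNT(*) FROM users_table WHERE username = '''
           || p_user || ''' AND password = ''' || p_pass || '''';
  EXECUTE IMMEDIATE v_sql INTO v_count;
  RETURN v_count;
END login_unsafe;
/

-- Hardened: bind variables. User input travels as a value; the statement
-- text is fixed, so no input can alter the WHERE clause. (The JDBC
-- equivalent is PreparedStatement with setString for each parameter.)
CREATE OR REPLACE FUNCTION login_safe (p_user VARCHAR2, p_pass VARCHAR2)
  RETURN NUMBER
IS
  v_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM users_table WHERE username = :u AND password = :p'
    INTO v_count USING p_user, p_pass;
  RETURN v_count;
END login_safe;
/

-- Payload: a password of   Aa' OR 'x'='x   (quotes are doubled below only
-- because it is written as a SQL string literal). The unsafe statement
-- becomes
--   ... WHERE username = 'anyname' AND password = 'Aa' OR 'x'='x'
-- and AND binds more tightly than OR, so every row matches.
-- Oracle-specific caveat: the slide's  ' ' = ' '  compares two single spaces
-- and is TRUE, but the commonly quoted  '' = ''  does not work against
-- Oracle, which treats the empty string as NULL; NULL = NULL is not true.
SELECT login_unsafe('anyname', 'Aa'' OR ''x''=''x') AS rows_unsafe,
       login_safe  ('anyname', 'Aa'' OR ''x''=''x') AS rows_safe
  FROM dual;
```

Run the final SELECT: the unsafe function counts both rows as matches for a user that does not exist, the safe one counts none. The lab task of modifying the example code is the same change in Java: replace the concatenated Statement with a PreparedStatement and setString calls for username and password. Storing passwords in plaintext in USERS_TABLE is a separate weakness the example inherits from the slide.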
Secure Application Development

Application Security in the Enterprise Environment
• J2EE
• .NET
• Use of proxies
• Security patterns
Secure Operating System

Interaction of Oracle and the OS

Windows
• Secure administrative accounts
• Control registry access
• Need good account policies
• Others…

Linux/Unix
• Choose different account names than the standard suggestions
• Restrict use of the account that owns the Oracle software
• Secure the temporary directory
• Some Oracle files are SUID root: know which ones, and keep them writable by no one but their owner
• Command-line SQL*Plus started with user/password parameters (sqlplus scott/tiger) shows the password in ps output to every user on the host; start it with /nolog and CONNECT at the prompt instead
• Others…
Secure Web Server

Interaction of Oracle and the Web Server
• Apache is now provided within Oracle as its application server (Oracle HTTP Server) and is started by default

Apache issues
• The standard configuration has some potential problems
  – see the Oracle Security Handbook for more discussion
• Ensure secure communication (SSL) from web clients to the web server
• Use MaxClients to limit the number of simultaneous connections
• Others…

Internet Information Server (IIS) issues
• Many…
Secure Network

Interaction of Oracle and the Network
• Oracle Advanced Security (OAS) product, with features for:
  – Authentication
  – Integrity
  – Encryption: use of SSL
• The Oracle server is generally behind a firewall
  – Good to separate the DB and web servers
  – Connections are initiated to the listener on port 1521, but on Windows (and with shared-server dispatchers on any platform) the client is then redirected to a dynamically selected port, so a firewall rule that passes only 1521 is not sufficient by itself

Other Network Issues to Consider
• Possibility of hijacking a privileged (sys or system) connection
• Various sniffing and spoofing issues
Miscellaneous Issues

Newer Oracle Security Features
• Virtual Private Databases (VPD): row-level access control, enforced in the server by a policy function that adds a predicate to every statement against a table
• Oracle Label Security
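A minimal VPD policy as an added example (not from the module), restricting HR.EMPLOYEES to the caller's own department. It assumes Oracle 8i/9i with DBMS_RLS, a DBA session, and an existing HR schema; the table, the context HR_CTX, the procedure SET_DEPT and the department rule are all invented for the example.

```sql
-- Added example (not from the module). Assumes a DBA session and an HR
-- schema. Table, context, procedure and the "own department only" rule are
-- invented for the demonstration; rows are constructed sample data.
CREATE TABLE hr.employees (
  emp_id NUMBER PRIMARY KEY, name VARCHAR2(40), dept VARCHAR2(10), salary NUMBER);
INSERT INTO hr.employees VALUES (1, 'alice', 'SALES', 50000);
INSERT INTO hr.employees VALUES (2, 'bob',   'ENG',   60000);
COMMIT;

-- Application context: the only way to set attributes of HR_CTX is through
-- the trusted procedure named in USING, which the application calls after
-- its own authentication. The procedure may be created after the context.
CREATE OR REPLACE CONTEXT hr_ctx USING hr.set_dept;
CREATE OR REPLACE PROCEDURE hr.set_dept (p_dept VARCHAR2) IS
BEGIN
  DBMS_SESSION.SET_CONTEXT('hr_ctx', 'dept', p_dept);
END set_dept;
/

-- Policy function: returns the predicate Oracle appends to every statement
-- on the table. SYS_CONTEXT is NULL for a session that never set it, and
-- dept = NULL selects nothing, which is the safe failure mode.
CREATE OR REPLACE FUNCTION hr.dept_only (p_schema VARCHAR2, p_object VARCHAR2)
  RETURN VARCHAR2
IS
BEGIN
  RETURN 'dept = SYS_CONTEXT(''hr_ctx'', ''dept'')';
END dept_only;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'DEPT_ONLY',
    function_schema => 'HR',
    policy_function => 'DEPT_ONLY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);   -- also reject writes of rows the session could not see
END;
/

-- A session that sets its department sees only that department's rows; a
-- session that never calls hr.set_dept sees none. SYS, and any user holding
-- EXEMPT ACCESS POLICY, bypasses VPD entirely.
EXEC hr.set_dept('SALES')
SELECT emp_id, name, dept FROM hr.employees;
```

Because the predicate is applied inside the server, the restriction holds for SQL*Plus, ad-hoc reporting tools and applications alike, which is what distinguishes VPD from filtering done in application code.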
Auditing
• Good policy: develop a comprehensive audit system for database activity tracking
• Audit records can be written to the OS as well as into the database, for additional security and for accountability of everyone working with the databases, DBAs included: a trail kept in the database can be deleted by a DBA, a trail on the OS cannot be deleted from inside the database
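An added example (not from the module) of a basic audit configuration and the queries over its trail in Oracle 8i/9i. It assumes a DBA session and the hypothetical HR.EMPLOYEES table; the audit_trail settings are init.ora parameters, shown as comments because they take effect only after an instance restart.

```sql
-- Added example (not from the module). Assumes a DBA session and a
-- hypothetical HR.EMPLOYEES table.

-- init.ora (restart required):
--   audit_trail = db    records go to SYS.AUD$, queried via DBA_AUDIT_TRAIL
--   audit_trail = os    records go to files under audit_file_dest on Unix
--                       (the Event Log on Windows), outside a DBA's reach
--                       from inside the database
-- SYSDBA/SYSOPER connections are written to audit_file_dest regardless of
-- this setting; 9i adds audit_sys_operations = true to record what SYS does.

-- What to audit: logins (successful and failed), account and privilege
-- administration, and every access to the sensitive table and package.
AUDIT SESSION;
AUDIT CREATE USER, ALTER USER, DROP USER, GRANT ANY PRIVILEGE, GRANT ANY ROLE;
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.employees BY ACCESS;
AUDIT EXECUTE ON sys.utl_file BY ACCESS;

-- Confirm what is in force.
SELECT audit_option, success, failure FROM dba_stmt_audit_opts;
SELECT owner, object_name, sel, ins, upd, del
  FROM dba_obj_audit_opts
 WHERE owner = 'HR';

-- Reading the trail (audit_trail = db): failed logins, i.e. password
-- guessing, grouped by source. Return code 1017 is ORA-01017.
SELECT username, os_username, userhost, COUNT(*) AS failures,
       MIN(timestamp) AS first_seen, MAX(timestamp) AS last_seen
  FROM dba_audit_session
 WHERE returncode <> 0
 GROUP BY username, os_username, userhost
 ORDER BY failures DESC;

-- Who touched the sensitive table, and what did they do?
SELECT username, os_username, action_name, timestamp
  FROM dba_audit_trail
 WHERE owner = 'HR' AND obj_name = 'EMPLOYEES'
 ORDER BY timestamp DESC;
```

BY ACCESS writes one record per statement, which is what an investigation needs for a sensitive table; for high-volume objects BY SESSION (one record per session and object) keeps AUD$ manageable, and AUD$ itself needs regular archiving and purging by a procedure that is itself audited.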
Lab Exercise

Overall Security Examination of Oracle in a Networked Environment

1) Database: set up an Oracle client and test a known database for:
   • Privileged access through the sys or system accounts
   • Public access through scott and other known or discovered usernames
2) DBMS: check for known vulnerabilities
   • Check the overall system level (version and patch level)
   • Test for several specific problems from the Oracle alert list
3) Application:
   • Demonstrate SQL injection
   • Have students modify the example code to prevent such an attack
OS, Web Server, Network components: yet to be developed

Task: develop a summary report, including specifics for all areas
Pedagogical Issues

Potential Uses Within the Curriculum
• Computer Security
• Database Systems
• Software Engineering?

Module/Lab Exercise
• Will be used late in the Computer Security special topics course, Spring 2003
• Available to a colleague to use in the Database Systems course, Spring 2003
• The final module and exercise will be available through the web site
References
• Theriault and Newman, "Oracle Security Handbook", Osborne/Oracle Press, 2001.
• Kreines and Laskey, "Oracle Database Administration: The Essential Reference", O'Reilly, 1999.
• "Investigation of Default Oracle Accounts", http://www.pentest-limited.com/user-tables.pdf
Contact Information

Central repository for this presentation and the entire panel:
http://www.cs.uwec.edu/~wagnerpj/sigcse/cybersec2003

Email: [email protected]
Phone: 715-836-5901