Database Security - Department of Computer Science
Yiwen Wang
“Securing the DB may be the single biggest action an organization can take to protect its assets”
-- David C. Knox
Dec 13th CS555 presentation
Database Security - protection from malicious
attempts to steal (view) or modify data.
Bank accounts
Credit card, Salary, Income tax data
University admissions, marks/grades
Land records, licenses
Data = crown jewels for organizations
Recent headlines:
Personal information of millions of credit card users stolen
Criminal gangs get into identity theft
Web applications hacked through database vulnerabilities
1) DB Security Plan
2) Database Access Control
3) DBMS Security: Patching
4) DB Application: SQL injection, Inference Threats
5) Virtual Private Databases
6) Oracle Label Security
7) Inference Threats
8) Encryption
9) Auditing
10) Data warehouse
11) Security Animations
Default Users and Passwords
Users, Passwords
Default users/passwords
sys, system accounts – privileged, change default password
sa account (MS SQL Server) – privileged, change default password
scott account – well-known account/password, change it
- general password policies (length, domain, changing,
protection)
People having too many privileges
Privileges, Roles, Grant/Revoke
Privileges
System - actions
Objects – data
Roles (pre-defined and user-defined role)
Collections of system privileges (example: DBA role)
Grant / Revoke
Giving (removing) privileges or roles to (from) users
GRANT privilege_name
ON object_name
TO role_name;
REVOKE privilege_name
ON object_name
FROM role_name;
Some important database privileges:
Select
Insert
Update
Delete
Index
Alter
Create database
Drop database
All
Usage
Applications are often the biggest source of insecurity
OWASP Top 10 Web Security Vulnerabilities
1. Unvalidated input
2. Broken access control
3. Broken account/session management
4. Cross-site scripting (XSS) flaws
5. Buffer overflows
6. (SQL) Injection flaws
7. Improper error handling
8. Insecure storage
9. Denial-of-service
10. Insecure configuration management
Three-tier diagram: Application → Program → Database
SQL Injection
Definition – inserting malicious SQL code through
an application interface
Often through web application, but possible with any
interface
Typical scenario
Three-tier application (web interface, application, database)
Overall application tracks own usernames and passwords in
database (advantage: can manage users in real time)
Web interface accepts username and password, passes these
to application layer as parameters
Example: Application Java code contains the SQL
statement:
    String query = "SELECT * FROM users_table" +
                   " WHERE username = '" + username + "'" +
                   " AND password = '" + password + "'";
Note: String values must be single quoted in SQL, so the
application adds the quotes around each passed string
parameter
Expecting one row to be returned if success, no rows
if failure
Common variant – SELECT COUNT(*) FROM …
Attacker enters:
any username (valid or invalid)
password of: Aa' OR ' ' = '
Query becomes: SELECT * FROM users_table
    WHERE username = 'anyname' AND password = 'Aa' OR ' ' = ' ';
Note: the WHERE clause evaluates as F AND F OR T => F OR T => T,
because AND has higher precedence than OR, so the DBMS reads it as
(username = 'anyname' AND password = 'Aa') OR (' ' = ' ')
All user/pass rows returned to application
If application checking for 0 vs. more than 0 rows,
attacker is in
How to resolve this?
First (Attempted) Solution: Check Content
Client code checks to ensure certain content rules are
met
Server code checks content as well
Specifically – don’t allow apostrophes to be passed
Problem: there are other characters that can cause
problems
-- SQL comment character
;  SQL command separator
%  SQL LIKE subclause wildcard character
Which characters do you filter (blacklist) / keep
(whitelist)?
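To make the blacklist/whitelist question concrete, here is an added example that is not from the presentation. It runs the slide's troublesome characters through three input-validation strategies: the first attempt (strip apostrophes only), a broader deny-list built from the slide's own character list, and an allow-list that accepts only what a username is permitted to look like. The sample inputs, the USERNAME_RE pattern and the function names are assumptions made for this illustration.

```python
import re

# Tokens the slide lists as troublesome in SQL, apostrophe included.
TROUBLE_TOKENS = ("'", "--", ";", "%")

# Constructed sample inputs: one ordinary username, the slide's password,
# and one input per remaining troublesome token.
SAMPLE_INPUTS = ["alice", "Aa' OR ' ' = ' ", "bob--", "x;y", "50%"]

# Allow-list for this application's usernames (an assumption for the
# example): letters, digits, dot and underscore, 1 to 32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.]{1,32}")


def strip_apostrophes(value):
    """The slide's first attempted solution: drop apostrophes, forward the rest."""
    return value.replace("'", "")


def denylist_rejects(value, tokens=TROUBLE_TOKENS):
    """Broader blacklist: reject if any listed token appears.
    Only as complete as the list it is given."""
    return any(tok in value for tok in tokens)


def allowlist_accepts(value):
    """Whitelist: accept only strings that match the username definition."""
    return USERNAME_RE.fullmatch(value) is not None


def evaluate(inputs=SAMPLE_INPUTS):
    """For each input, report what each strategy does with it."""
    report = {}
    for value in inputs:
        forwarded = strip_apostrophes(value)
        report[value] = {
            # True when the apostrophe-only filter still forwards a token
            # from the slide's list (--, ; or %)
            "apostrophe_filter_passes_trouble": any(
                tok in forwarded for tok in TROUBLE_TOKENS),
            "denylist_rejects": denylist_rejects(value),
            "allowlist_accepts": allowlist_accepts(value),
        }
    return report


if __name__ == "__main__":
    for value, outcome in evaluate().items():
        print(repr(value), outcome)
```

The apostrophe-only filter forwards bob--, x;y and 50% untouched, so each new troublesome character would need another entry in the blacklist; the allow-list answers "which characters do you keep" from the definition of the field itself and accepts only alice. Either way, validation narrows the input but does not remove the root cause, which is building SQL by string concatenation, so it belongs alongside bound parameters rather than in place of them.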
Thank you!