Literature Review - Rhodes University


An investigation into the security features of Oracle 10g R2 Enterprise Edition
Supervisor: Mr J Ebden
Database security



Aaron Newman views database security as composed of multiple layers of protection that reduce the risk of intrusion, just like the walls of a medieval castle.
Each layer poses a further challenge to the intruder, and so buys the DBA time to take appropriate action against the malicious user.
Each layer is specially designed to give the highest defence against intrusion.
Background of project



The trigger for my project was the white paper released by David Litchfield in which he precisely describes cursor snarfing, a new security flaw he recently discovered in Oracle databases.
He published another white paper, “Which database is more secure? Oracle vs. Microsoft SQL Server”, in which he reveals the alarming security flaws in Oracle.
Oracle, meanwhile, claims that this flaw is trivial and rare, since it requires impractical special cases in order to occur.
Background cont…


Firewalls can no longer protect databases from all intrusion, because modern database threats operate at higher layers of the OSI model than the firewall does.
Attackers have found a way of bypassing firewalls by using specific search strings in search engines that lead them straight to the database.
The OSI model
The approach by Oracle



Oracle uses four major methods for its database security: authentication, roles and privileges, auditing and finally data integrity.
These form the desired layered security structure: first a user is authenticated, then authorised to perform certain actions, which are in turn monitored by auditing.
Finally, data integrity keeps the data protected and accessible only to those who are authorised.
Authentication




Authentication is verifying that users are who they claim to be; a user may be a person using a computer, a computer itself or a program on a computer.
Oracle allows 4 login attempts before the login is blocked, and allows a password to be used for only three months, to combat authentication breaches.
Once more than 4 attempts have been made, the login is locked for 30 days, or is unlocked by the DBA only after a day.
Oracle claims to have safe password management and also enables users to create very strong passwords. In addition, Oracle does not allow a user to reuse the same password consecutively.
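The limits the slide describes map onto an Oracle password profile. The following is an added example and not part of the slides; the profile, user and verify-function names are assumed, and `verify_function` is the complexity function created by Oracle's own `utlpwdmg.sql` script, which must have been run as SYS first.

```sql
-- Added example (not from the slides). Names secure_profile and app_user are assumed.
-- Password limits in a profile are enforced for every user assigned to it.
CREATE PROFILE secure_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    4          -- lock the account after 4 failed logins
  PASSWORD_LOCK_TIME       1          -- stay locked for 1 day unless a DBA unlocks it
  PASSWORD_LIFE_TIME       90         -- a password is valid for about three months
  PASSWORD_GRACE_TIME      7          -- warn for 7 days before an expired password stops working
  PASSWORD_REUSE_MAX       1          -- together with REUSE_TIME UNLIMITED this forbids
  PASSWORD_REUSE_TIME      UNLIMITED  -- reusing any earlier password (stricter than "consecutively")
  PASSWORD_VERIFY_FUNCTION verify_function;  -- strength checks from $ORACLE_HOME/rdbms/admin/utlpwdmg.sql

-- Apply the profile to an existing account.
ALTER USER app_user PROFILE secure_profile;

-- Check that the limits took effect and see the state a lockout leaves behind.
SELECT username, account_status, lock_date, expiry_date, profile
  FROM dba_users
 WHERE username = 'APP_USER';

-- The DBA can release the lock before PASSWORD_LOCK_TIME elapses.
ALTER USER app_user ACCOUNT UNLOCK;
```

`account_status` reads `LOCKED(TIMED)` while the lock imposed by FAILED_LOGIN_ATTEMPTS is in force and `OPEN` once it has expired or been released.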
Critics of Oracle




Paul Wright published a white paper that describes how an attacker can still perform a brute-force attack on the Oracle database login despite Oracle’s claim of a login block.
Mark Burnett discusses the side effects of using a login block as a way of combating brute-force attacks.
An intruder can cause a denial of service, harvest usernames from a site, create a diversion by flooding the help desk with support calls, and disable an account by continually locking it.
Account lockouts are ineffective against slow attacks, attacks that try one password against a large list of users, first-time correct guesses, and DBA accounts.
Roles and Privileges.






Oracle offers different privileges to different users.
These are rights to execute particular SQL statements, e.g. creating tables or executing stored procedures.
To make privilege management and control easy, privileges can be bundled together into a role (a group of privileges assigned to a group of users or to a single user).
Roles make it easy to monitor and alter the privileges granted to a group of users for security reasons.
Roles also allow some privileges to be password protected, which narrows down the search criteria in case of a breach.
Roles can be assigned to other roles and then finally to users.
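The role mechanism the slide outlines, as an added example rather than code from the slides: a read-only role, a password-protected role that nests it, both granted to a user, and the dictionary views a DBA uses to monitor what was granted. The schema, role and user names (hr, payroll_read, payroll_admin, clerk) are assumed.

```sql
-- Added example (not from the slides). Object, role and user names are assumed.

-- A plain role bundling read privileges on a set of tables.
CREATE ROLE payroll_read;
GRANT SELECT ON hr.employees TO payroll_read;
GRANT SELECT ON hr.salaries  TO payroll_read;

-- A password-protected role: granted to the user, but only active in a session
-- after SET ROLE with the role password, so a compromised user password alone
-- does not expose the privileges it carries.
CREATE ROLE payroll_admin IDENTIFIED BY "role-password-placeholder";
GRANT INSERT, UPDATE ON hr.salaries TO payroll_admin;
GRANT payroll_read TO payroll_admin;          -- a role assigned to another role

-- Finally the roles reach the user; only the unprotected one is on at login.
GRANT payroll_read, payroll_admin TO clerk;
ALTER USER clerk DEFAULT ROLE payroll_read;

-- In the clerk's own session, when the sensitive work is actually needed:
SET ROLE payroll_read, payroll_admin IDENTIFIED BY "role-password-placeholder";

-- Monitoring: which roles a user holds, and what each role actually contains.
SELECT grantee, granted_role, default_role
  FROM dba_role_privs
 WHERE grantee = 'CLERK';

SELECT role, owner, table_name, privilege
  FROM role_tab_privs
 WHERE role IN ('PAYROLL_READ', 'PAYROLL_ADMIN');
```

Revoking a privilege from the role (`REVOKE UPDATE ON hr.salaries FROM payroll_admin;`) changes it for every holder at once, which is the "easy to alter" point the slide makes.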
Auditing




Auditing is the monitoring and recording of database user actions.
Audits can be triggered when specified elements in an Oracle database are accessed or altered.
Auditing keeps a record of both failed and successful attempts on the server.
One disadvantage of auditing is that there is no mechanism to prevent the DBA from tampering with the audit output, in the case of an attacker gaining SYS privileges.
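Turning on standard auditing for the cases the slide names (failed and successful attempts, access to specified objects) and reading the trail back, as an added example that is not from the slides. The table name hr.employees is assumed; the last statement is a 10g parameter the slides do not mention, included because it addresses the tampering caveat.

```sql
-- Added example (not from the slides). Object names are assumed.

-- Send audit records to the database trail (SYS.AUD$); needs an instance restart.
ALTER SYSTEM SET audit_trail = DB_EXTENDED SCOPE = SPFILE;

-- Record every logon and logoff, successful or not.
AUDIT SESSION;

-- Record each statement touching a sensitive table, one audit row per statement.
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.employees BY ACCESS;

-- Record use of privileges that change who can do what.
AUDIT CREATE USER, ALTER USER, DROP USER, GRANT ANY PRIVILEGE;

-- Reading the trail: failed logons in the last day. RETURNCODE is the ORA error,
-- e.g. 1017 = invalid username/password, 28000 = account is locked.
SELECT timestamp, username, os_username, userhost, returncode
  FROM dba_audit_trail
 WHERE action_name = 'LOGON'
   AND returncode <> 0
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp DESC;

-- Who could delete from the trail table at all (the slide's tampering concern).
SELECT grantee, privilege FROM dba_tab_privs WHERE owner = 'SYS' AND table_name = 'AUD$';

-- Partial mitigation available in 10g (not on the slides): actions by SYS and
-- SYSDBA connections are written to operating-system files under AUDIT_FILE_DEST,
-- which can be protected at the OS level from the database administrator.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
```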
Data Integrity





Data integrity is the act of ensuring that data is complete and maintained identically during an operation such as transfer, storage or retrieval.
Oracle encrypts data by a process called Transparent Data Encryption (TDE), which restricts data retrieval by unauthorised users.
Encryption and decryption are handled by the database instead of by users and applications; even the DBA has no access to the data.
This is the peak of Oracle’s layered security, after firewalls, authentication and authorisation.
It can be implemented using simple SQL commands.
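The "simple SQL commands" in practice, as an added example that is not from the slides: 10g R2 column-level TDE, from creating the master key to verifying which columns are encrypted. The table, column names and wallet directory are assumed; the wallet password is a placeholder.

```sql
-- Added example (not from the slides). Table/column names and the wallet path are assumed.
-- Prerequisite outside SQL: sqlnet.ora tells the instance where the wallet lives, e.g.
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/etc/ORACLE/WALLETS/orcl)))

-- 1. Create the wallet and the master key (done once, as a user with ALTER SYSTEM).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-password-placeholder";

-- 2. After every instance restart the wallet must be opened; while it is closed,
--    encrypted columns can be neither read nor written.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet-password-placeholder";

-- 3. Declare the sensitive columns. Applications use ordinary SELECT/INSERT;
--    the database encrypts on write and decrypts on read.
CREATE TABLE customers (
  id      NUMBER PRIMARY KEY,
  name    VARCHAR2(100),
  card_no VARCHAR2(19)   ENCRYPT USING 'AES256' NO SALT,  -- NO SALT so the column can be indexed
  notes   VARCHAR2(4000) ENCRYPT                          -- default algorithm, salted
);
ALTER TABLE customers MODIFY (name ENCRYPT);               -- retrofit an existing column

-- 4. Verify what is protected.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

-- Closing the wallet makes the ciphertext unusable to anyone with access to the
-- datafiles or backups, which is the protection TDE provides: data at rest.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
```

Note that while the wallet is open, any account holding SELECT on the table (including a DBA with SELECT ANY TABLE) receives cleartext; TDE guards the stored bytes, and the authorisation layer still decides who may query them.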
Oracle’s Software Security Assurance





A strong guard against security flaws must be in place, since a flaw can let intruders bypass even the toughest security measure.
A secure system does not only offer security features but also prevents security flaws.
Oracle claims to have security assurance that prevents security flaws.
Contrary to Oracle’s claims, David Litchfield in his white paper claims that Oracle does not keep a record of the problems encountered and does not understand them.
Litchfield’s claim is strengthened by the number of patches that Oracle has advised DBAs to install, which has the effect of adding complexity to the system.
Cont… (chart: number of flaws against years)
Summary




Database security is crucial to the safety of a user’s personal data, which includes card numbers, bank details and medical details.
Firewalls on their own cannot combat all database security concerns.
Databases are safe if they remain isolated from any network.
Oracle offers a layered security structure like that of a medieval castle: the outermost layer uses the network firewalls, followed by authentication and authorisation (roles and privileges), auditing and finally data encryption.
Questions and Answers