Database Security in an Enterprise Environment


Database Systems Security
in an Enterprise Environment
Paul J. Wagner
University of Wisconsin – Eau Claire
St. Cloud Security Workshop, May 2003
http://www.cs.uwec.edu/~wagnerpj/security/

Database Systems Security – Background

Need
  Security curriculum is relatively light in database systems area
    Focus currently on protecting information through network configuration, systems administration, application security
    Need to specifically consider database system security issues
    What is most valuable – data, systems, or network?
Goals
  Understand security issues in a general database system environment
  Consider database security issues in context of general security principles and ideas
  Focus on Oracle as a common DBMS, but realize there are similar issues for other DBMSs

Main Message

Database system security is more than securing the database
  Secure database
  Secure DBMS
  Secure applications
  Secure operating system (in relation to database system)
  Secure web server (in relation to database system)
  Secure network environment (in relation to database system)

Secure Database(s)

Traditional database security topics and issues
  Users and Passwords
    Default users/passwords
      • Oracle: sys, system accounts – privileged, with default passwords
      • Oracle: scott account – well-known account and password, part of public group
        – e.g. public can access all_users table
    Need for general password policies (length, domain, changing, protection, …)
    Need for general account policies (who gets, what level of privilege, when expires, …)

Secure Database(s) – cont.

Privileges and Roles
  Privileges
    • System – on actions (e.g. selecting, deleting, creating, …)
    • Object – on data objects (e.g. on particular table)
  Roles
    • Collections of system privileges
    • Advantage: easier management
    • Disadvantage: tend to give more privilege than needed
      – Commonly heard Oracle user request: “Just give me DBA role to make it work and we’ll figure out the exact privilege I need later.”
  Grant / Revoke
    • Giving (removing) privileges or roles to (from) users
    • Problem – often done haphazardly
  Need for continual management of privileges and roles
  Need for policies on privilege/role management

Secure DBMS

Possible Holes in DBMS
  Oracle: http://technet.oracle.com/deploy/security/alerts.htm (50+ listed)
  Types of exploits
    • Buffer overflow problems in DBMS code
    • Miscellaneous attacks (Denial of Service, source code disclosure of JSPs, others)
  Similar information available for DB2, SQL Server, PostgreSQL, MySQL, …
Oracle: UTL_FILE package in PL/SQL
  allows read/write access to files in directory specified in utl_file_dir parameter in init.ora
  possible access through symbolic links

Secure DBMS (cont.)

Need for continual patching of DBMS
  Encourage awareness of DBMS vulnerability issues
  Continuous vigilance is essential
  Cost of not patching can be huge
    SQL Slammer Worm
      • fast propagation – max scan rate of 55 million systems/second
      • affected approximately 80,000 systems, significant segments of Internet
      • 376 byte UDP packet that exploited a buffer overflow vulnerability
      • patch had long been available
      • significant effects on business database servers
        – Credit verification, Phone systems, Banks/ATMs

Secure DBMS (cont.)

Use security features of DBMS
  Oracle: Virtual Private Databases (VPDs)
    Support for fine-grain data security (e.g. multiple clients can have data in same schema without knowing other data is there)
  Oracle: Oracle Label Security
    Use of VPDs to achieve row-level security, controlled from Policy Manager tool under Enterprise Manager
Implement auditing
  Good policy: develop a comprehensive audit system for database activity tracking
    DBMS tools, user-developed tools (e.g. using triggers)
    Oracle: can write to OS as well as into database for additional security, accountability for all working with databases

Secure Application Development

Access to database system is often through applications
Example: SQL Injection Attack through web front end
  Scenario: Software system tracks own usernames and passwords in database
  Client application accepts username and password, passes as parameters
  An SQL query is built dynamically, combining SQL text pieces in the server application and the client-supplied parameters
  DBMS executes query on system user table, checks for valid user/password combination in this table
  DBMS returns 0, 1 or more user/password rows to application
  Application checks result and allows or denies access accordingly

SQL Injection

Application Java code contains SQL statement:
    String query = "SELECT * FROM users_table " +
        " WHERE username = '" + username + "'" +
        " AND password = '" + password + "'";
  - SQL strings must be single quoted
Application is expecting one (valid) row to be returned if success, no rows if failure
Attacker enters arbitrary username: anyname, but special “password” of:
    Aa' OR ' ' = '
Dynamically-constructed query becomes:
    SELECT * FROM users_table
    WHERE username = 'anyname'
    AND password = 'Aa' OR ' ' = ' ';
Where clause: F AND F OR T => F OR T => T !
All user rows returned to application
If application checking for 0 vs. more than 0 rows, attacker is in
Need to check application input – generally not good to allow special characters in through client-side parameters
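
The login check from this slide, run against a live table, next to the same check with bound parameters (an added example, not part of the original slides). It assumes Python with an in-memory SQLite database standing in for the Java application and Oracle; the sample rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the slide's users_table (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users_table VALUES (?, ?)",
                   [("alice", "s3cret-A"), ("bob", "s3cret-B")])
    return db

def build_dynamic_query(username, password):
    # Same string concatenation as the slide's Java statement.
    return ("SELECT * FROM users_table"
            " WHERE username = '" + username + "'"
            " AND password = '" + password + "'")

def login_dynamic(db, username, password):
    # Vulnerable: client input becomes part of the SQL text.
    rows = db.execute(build_dynamic_query(username, password)).fetchall()
    return len(rows) > 0          # the "0 vs. more than 0 rows" check

def login_bound(db, username, password):
    # Hardened: placeholders keep the input as data, never as SQL text.
    rows = db.execute(
        "SELECT * FROM users_table WHERE username = ? AND password = ?",
        (username, password)).fetchall()
    return len(rows) == 1         # exactly one row expected on success

# The slide's special "password"; the trailing space makes the last
# literal ' ' so the WHERE clause ends in ' ' = ' ' as shown on the slide.
PAYLOAD = "Aa' OR ' ' = ' "

if __name__ == "__main__":
    db = make_db()
    print(build_dynamic_query("anyname", PAYLOAD))
    print("dynamic, payload:", login_dynamic(db, "anyname", PAYLOAD))
    print("bound,   payload:", login_bound(db, "anyname", PAYLOAD))
    print("bound,   valid  :", login_bound(db, "alice", "s3cret-A"))
```

With bound parameters the quote characters in the input are compared literally against the stored password, so the WHERE clause keeps the shape the developer wrote.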

Secure Application Development

Application Security in the Enterprise Environment
  J2EE
  .NET
  Large number of interactions between application environment and database systems
Tactic: Use of Proxy Applications
  Assume network filtering most problem traffic
  Application can control fine-grain behavior, application protocol security

Security Patterns (from J2EE Design Patterns Applied)

Single-Access Point Pattern
  single point of entry into system
Check Point Pattern
  centralized enforcement of authorization when requesting resources
Role Pattern
  disassociation of users and privileges for easier management

Secure Operating System

Interaction of DBMS and OS
  Oracle on Windows
    Secure administrative accounts
    Control registry access
    Need good account policies
    Others…
  Oracle on Linux/Unix
    Choose different account names than standard suggestions
    Restrict use of the account that owns Oracle software
    Secure temporary directory
    Some Oracle files are SUID (root)
    Command line SQL*Plus with user/pass parameters appears under ps output
    Others…

Secure Web Server

Interaction of Oracle and Web Server
Apache now provided within Oracle as its application server, started by default
Apache issues
  Standard configuration has some potential problems
  See Oracle Security Handbook for more discussion
  Ensure secure communication from web clients to web server
  Use MaxClients to limit possible connections, avoid Denial of Service attacks
  Others…
Internet Information Server (IIS) issues
  Integration with other MS products (e.g. Exchange Server)
  Known vulnerabilities
  Others…

Secure Web Server (cont.)

Web is often front-end / gateway to DBMS
DBMS/database should be black-box to user
Attacker can force errors trying to gain information
Which error message should be displayed when asking for an incorrectly named Java Server Page?

  Sorry, that file is not found

  java.io.FileNotFoundException: /u01/prodcomm/portal/x.jsp
      at java.io.FileInputStream.open(Native method)
      at java.io.FileInputStream.<init>(FileInputStream.java:64)
      at oracle.jsp.provider.JspFilesystemResource(…)
      at oracle.jsp.app.JspAppLoader.reloadPage(JSPAppLoader.java)
      ….

Secure Network

Interaction of DBMS and Network
  DBMS server should be behind firewall
    Good to separate DB and web servers (mitigate losses if hacked)
    DB server should be behind firewall, web server usually in DMZ
    Oracle: Connections normally initiated on port 1521, but port is then dynamically selected – management of port access is made more difficult
      • Anyone with Oracle client software who knows your host IP/name and database instance name can configure client to connect to your database instance
  Oracle Advanced Security (OAS) product
    Features for:
      • Authentication
      • Integrity
      • Encryption – use of SSL
Other Network Issues To Consider
  Possibility of hijacking a privileged user connection
  Various sniffing and spoofing issues

Messages Revisited

Database system security is more than securing the database
  Secure database
  Secure DBMS
  Secure applications
  Secure operating system
  Secure web server
  Secure network environment
General security principles apply in database system security
  Security is a process, not a product
  Security chain is only as strong as its weakest link
  Best security defense utilizes multiple layers

References

“Oracle Security Handbook” by Theriault and Newman; Osborne/Oracle Press, 2001.
“Oracle Database Administration: The Essential Reference”, Kreines and Laskey; O’Reilly, 1999.
“Investigation of Default Oracle Accounts”, http://www.pentest-limited.com/user-tables.pdf
Again, slides and security links available at: http://www.cs.uwec.edu/~wagnerpj/security/
