Presentation One - Computer Science


An investigation into the security
features offered by Oracle 10g
Enterprise Edition
Author: Keletso Nyathi
Supervisor: Mr John Ebden
Computer Science Department
Project objectives
 To study and evaluate the security features of Oracle 10g
Enterprise Edition.
 To draw a conclusion about how secure Oracle databases are.
 To suggest possible solutions to database security problems.
Introduction
 A database is an integrated aggregation of data, usually
organised to reflect logical or functional relationships among
data elements.
 Databases have to be protected from unauthorised users.
 Poor database security is a leading contributor to incidents
of identity theft.
 My project aims at evaluating the security provided by
databases against hackers and trying to come up with possible
solutions.
Background Information
 Databases have been made available on the Internet to
provide fast querying by users.
 The growth of e-commerce has led to an increased risk of
indirect attacks on databases.
 Recently David Litchfield has claimed to have found a new
class of attack on Oracle, called “dangling cursor snarfing”,
that he uses to hack into the system.
 Meanwhile Oracle claims that this class of attack is trivial
and highly impractical.
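As described in Litchfield's paper, the attack relies on a definer-rights PL/SQL program that opens a cursor through DBMS_SQL and does not close it on some exit path: the cursor stays open in the caller's session, under the privileges it was parsed with, and its id is a small, predictable integer, so a caller who can execute the procedure can go on driving that cursor with DBMS_SQL after the call has failed. The PL/SQL below is an added illustration of the leaky pattern, the hardened form and a check; it is not code from this presentation or from Litchfield's paper, and the schema APP_OWNER, the tables SECRETS and AUDIT_LOG and their column sizes are assumptions made up for the example.

```sql
-- Added illustration (not part of the presentation or of Litchfield's paper).
-- APP_OWNER, SECRETS and AUDIT_LOG are hypothetical names.

-- 1. Leaky pattern. A definer-rights procedure owned by a privileged schema
--    opens a DBMS_SQL cursor; an error raised after EXECUTE but before
--    CLOSE_CURSOR leaves the cursor open in the caller's session, parsed
--    with APP_OWNER's privileges.
CREATE OR REPLACE PROCEDURE app_owner.lookup_secret (p_key IN VARCHAR2)
AUTHID DEFINER
AS
  c      INTEGER;
  v_val  VARCHAR2(4000);
  n_rows INTEGER;
BEGIN
  c := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(c,
    'SELECT secret_value FROM app_owner.secrets WHERE key_name = :k',
    DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(c, ':k', p_key);
  DBMS_SQL.DEFINE_COLUMN(c, 1, v_val, 4000);
  n_rows := DBMS_SQL.EXECUTE(c);
  IF DBMS_SQL.FETCH_ROWS(c) > 0 THEN
    DBMS_SQL.COLUMN_VALUE(c, 1, v_val);
  END IF;
  -- Assumed: AUDIT_LOG.KEY_NAME is VARCHAR2(30). A longer p_key raises
  -- ORA-12899 here, and the CLOSE_CURSOR below is never reached.
  INSERT INTO app_owner.audit_log (who, key_name) VALUES (USER, p_key);
  DBMS_SQL.CLOSE_CURSOR(c);
END;
/

-- 2. Hardened form: the cursor is closed on every exit path, including the
--    exception path, before any error propagates to the caller.
CREATE OR REPLACE PROCEDURE app_owner.lookup_secret (p_key IN VARCHAR2)
AUTHID DEFINER
AS
  c      INTEGER;
  v_val  VARCHAR2(4000);
  n_rows INTEGER;
BEGIN
  c := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(c,
    'SELECT secret_value FROM app_owner.secrets WHERE key_name = :k',
    DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(c, ':k', p_key);
  DBMS_SQL.DEFINE_COLUMN(c, 1, v_val, 4000);
  n_rows := DBMS_SQL.EXECUTE(c);
  IF DBMS_SQL.FETCH_ROWS(c) > 0 THEN
    DBMS_SQL.COLUMN_VALUE(c, 1, v_val);
  END IF;
  -- Close as soon as the cursor is no longer needed, before any statement
  -- that might fail.
  DBMS_SQL.CLOSE_CURSOR(c);
  INSERT INTO app_owner.audit_log (who, key_name) VALUES (USER, p_key);
EXCEPTION
  WHEN OTHERS THEN
    -- Release the handle on the error path too, then re-raise.
    IF c IS NOT NULL AND DBMS_SQL.IS_OPEN(c) THEN
      DBMS_SQL.CLOSE_CURSOR(c);
    END IF;
    RAISE;
END;
/

-- 3. Check from a test session after a deliberately failing call: cursors
--    still open in the current session (needs SELECT on V$OPEN_CURSOR).
SELECT sid, user_name, sql_text
  FROM v$open_cursor
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');
```

Declaring the procedure AUTHID CURRENT_USER would also remove the privilege gap, since a leaked cursor would then carry only the caller's own rights, but that changes the procedure's purpose when the point of a definer-rights wrapper is to give callers controlled access to a table they cannot read directly; closing the cursor on every path is the fix that preserves that design.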
Oracle Database current releases
Standard Edition One: Ranges from a single user for a small
business to distributed environments. Limited to 2 processors.
Standard Edition: Support for large machines and clustering of
services with Real Application Clusters. Licensed to a single
server with a maximum of 4 processors.
Personal Edition: Single-user development; brings the whole of
Oracle's functionality to a personalised edition. Can run on any
number of processors but is restricted to a single user.
Express Edition: Designed for beginners. Can be installed on a
machine of any size with any number of CPUs, although the
database itself uses only one CPU and 1 GB of RAM and stores up
to 4 GB of user data.
Enterprise Edition: The most reliable, secure data management
for mission-critical applications such as OLTP environments,
query-intensive data warehouses and demanding Internet
applications. Provides the functionality to meet the
availability and scalability requirements of today's
mission-oriented enterprise applications. Contains all Oracle
database components and can be further enhanced with extra
packs. Supports computers of all sizes and is not limited to a
maximum processor count.
Literature Survey
 A paper by David Litchfield entitled “Dangling Cursor
Snarfing: A New Class of Attack in Oracle”.
 Another paper by David Litchfield entitled “Which Database is
More Secure? Oracle vs. Microsoft”.
 The security course offered by Barry Irwin.
 Oracle's documentation on its security features.
 Material on database security and hacking techniques from the
Internet.
 Projects from previous years.
Intended Approach
 Investigate David Litchfield's claim against the Oracle
database.
 Investigate some of the security features claimed by Oracle.
 For each security feature, carry out tests that attempt to
hack into the database.
 Record the findings and try to come up with possible
solutions where a feature fails.
 Finally, evaluate the findings and draw a conclusion about
the overall security offered by Oracle.
Timeline
Activity: Period
Install latest version of Oracle: 1 week
Familiarise with Oracle and its security features: 4 weeks
Literature review on security and hacking tests: 4 weeks
Examine security in the product, including cursor snarfing: 12 weeks
Make evaluation of findings on Oracle security: 6 weeks
Summary of findings: 4 weeks
Write up the project: 5 weeks
Expected outcomes and possible extensions
 Derive a conclusion about how secure Oracle is.
 If possible, make informed security suggestions for
databases.
 Acquire a deep understanding of the weaknesses in database
security.
…………………………………………………………………………………………………
 This project can also be carried forward into comparing
Oracle against other databases, e.g. SQL Server and some open
source databases.
 Its results might give a clue to finding an effective way to
improve database security.
Thank you
Questions and answers