Transcript Document
Database Security
Database Security
Overview
Database Security
1) Introduction
2) DB Security Plan
3) Database Access Control
4) DBMS Security: Patching
5) DB Application: SQL injection, Inference Threats
6) Virtual Private Databases
7) Oracle Label Security
8) Inference Threats
9) Encryption
10) Auditing
11) Datawarehouse
1) Introduction - Motivation
Database Security
• “Securing the DB may be the single biggest action
an organization can take to protect its assets”
David C. Knox
“Effective Oracle Database 10g Security by Design”,
McGraw Hill, 2004.
ISBN 0-07-223130-0
1) Introduction - Scope
Database Security
• Database system security must worry about DB
+…
– Secure Database
– Secure applications
– Secure DBMS
– Secure operating system in relation to
database system
– Secure web server in relation to database
system
– Secure network environment in relation to
database system
1) Introduction - Literature
Database Security
AUTHOR
TEXT
Publisher
ISBN
Natan, Ron Ben
2005
Implementing
Database
Security and
Auditing
Elsevier Digital
Press
1-5558-334-2
Afyouni, Hassan
A., (2006)
Database Security
and Auditing
Thompson Course
Technology
0-619-21559-3
Oracle Press
0072231300
Effective Oracle
Database 10g
Knox, David (2004)
Security by
Design
1) Topics versus Books
Database Security
1) DB security books
Database Security
•
•
[1] Knox, David (2004), Effective Oracle Database 10g Security by Design, McGraw-Hill. ISBN
0-07-223130-0
[5] Afyouni, Hassan A. (2006), Database Security and Auditing, Thompson Course Technology,
0-619-21559-4.
[6] Litchfield, “The Database Hacker’s Handbook: Defending Database Servers”,
http://www.amazon.com/gp/reader/0764578014/ref=sib_dp_pop_toc?ie=UTF8&p=S00C#
[7] Marlene Theriault & William Heney , http://oreilly.com/catalog/orasec/chapter/ch07.html
Oracle Security.
[8] Charles P. Pfleeger, Shari Lawrence Pfleeger, Security in Computing, Prentice Hall, ISBN-10:
0132390779, October 2006. 4th ed.
[9] Michael Howard , David LeBlanc, Writing Secure Code, Microsoft Press, 2nd edition, 2003,
2nd edition, ISBN n. 0-7356-1722-8.
[10] Natan, Ron Ben (2005), Implementing Database Security and Auditing, Elsevier Digital
Press, 1-5558-334-2, 2005.
[11] Finnigan, Pete. Oracle Security Step-by-Step, SANS Press, v. 2, 2004.
•
Note these are the references from the previous slide
•
You may also go to http://adbc.kennesaw.edu (Database Courseware) and select the Security
Module
•
•
•
•
•
•
1) Introduction – Product Specific Books
Database Security
• Oracle Advanced Security (previously Advanced
Network Option), contains network encryption
tools. Depending on the version of Oracle, it is
available for no extra cost. It is for the enterprise
edition.
• Best literature for OAS is Oracle Security
Handbook by Marlene Theriault and Aaron
Newman, McGraw-Hill.
2) DB Security Plan
Database Security
http://www.oreilly.com/catalog/orasec/chapter/ch07.html
2) DB Security Plan
Database Security
Which is the most complex program/form to implement?
If a data type is changed in the Customers table, what programs/forms may need
modification?
The Orders form accesses how many tables?
The Employees table is accessed by how many programs/forms?
2) DB Security Plan
Database Security
Subjects
• DAC Versus MAC
• Access Matrix Model:
Harrison-Ruzzo-Ullman
– Authorized state: Q =
(S, O, A)
– Conditions (dependent)
• Data
• Time
• Context
• History
Objects
O1
Oj
Om
S1
A[S1,O1]
A[S1,Oj]
A[S1,Om]
Si
A[Si,O1]
A[Si,Oj]
A[Si,Om]
Sn
A[Sn,O1]
A[Sn,Oj]
A[Sn,Om]
2) DB Security Plan - Document User
Administration
Database Security
• Part of the administration process
• Reasons to document:
– Provide a paper trail
– Ensure administration consistency
• What to document:
– Administration policies, staff and
management
– Security procedures
– Procedure implementation scripts or
programs
– Predefined roles description
3) DB Access Control
Database Security
• Default Users and Passwords
– Users, Passwords
• Default users/passwords
– sys, system accounts – privileged, change default password
– Sa (MS-SQL Server)
– scott account – well-known account/password, change it
- general password policies (length, domain, changing,
protection)
• People Having too many privileges
– Privileges, Roles, Grant/Revoke
• Privileges
– System - actions
– Objects – data
• Roles (pre-defined and user-defined role)
– Collections of system privileges (example: DBA role)
• Grant / Revoke
– Giving (removing ) privileges or roles to (from) users
3) DB Access Control - Default Passwords
Database Security
•
Easiest way to log into an Oracle database is to use a default account with a
known password [Finnigin]
•
http://www.petefinnigan.com/default/default_password_checker.htm
•
This site has scripts that will identify all default users and lets you know if they
still have their default passwords. You may download these scripts.
3) DB Access Control - Password Cracking
Database Security
• At http://www.toolcrypt.org/index.html there are
tools that you can download to crack the
passwords. You need to verify this against the DB,
because you can be sure that the hacker has
these tools.
3) DB Access Control - Find all Privileges
Database Security
• http://www.petefinnigan.com/find_all_privs.sql
• Script to find which privileges have been granted
to a particular user. This scripts lists ROLES,
SYSTEM privileges and object privileges granted to
a user. If a ROLE is found -- then it is checked
recursively.
• Output can be directed to the screen or to a file.
3) DB Access Control - Check for DBA Role
Database Security
3) DB Access Control - How are privileges granted
Database Security
• DBMS like Oracle has pre-defined roles (ex: DBA)
• You may also have user defined roles
Example
1) Create Role AcctDept;
2) Grant Select, Update on Orders to AcctDept;
3) Grant AcctDept to Smith, Jones;
4) Grant DBA to Smith;
Grant all privileges on Orders to Smith;
Grant select on Orders to Public;
Revoke delete on Orders from smith;
3) DB Access Control - Disable Account
Database Security
CREATE USER smith identified by s9 default tablespace
users;
ALTER USER scott ACCOUNT LOCK -- lock a user account
ALTER USER scott ACCOUNT UNLOCK;
ALTER USER scott PASSWORD EXPIRE; -- Force new pwd
3) DB Access Control - Launch OEM
Database Security
•
Choose stand-alone for personal Oracle and login to oracle using a dba
user/password
3) DB Access Control - Connect to a Database
Database Security
• On the left side of the screen, double click Network
and then Databases to connect to the database you
want o manage.
3) DB Access Control - Maintain User Accounts
Database Security
• Once you login, you may create users, roles and profiles as well
as granting privileges to them through a GUI interface.
3) DB Access Control - Profiles
Database Security
•
PROFILE clause: indicates the profile used for limiting database resources and enforcing
password policies. Example:
•
CREATE PROFILE app_user LIMIT
SESSIONS_PER_USER
UNLIMITED
CPU_PER_SESSION
UNLIMITED
CPU_PER_CALL
3000
CONNECT_TIME
45
LOGICAL_READS_PER_SESSION DEFAULT
LOGICAL_READS_PER_CALL
1000
PRIVATE_SGA
15K
COMPOSITE_LIMIT
5000000;
•
CREATE USER sidney
IDENTIFIED BY out_standing1
DEFAULT TABLESPACE demo
QUOTA 10M ON demo
TEMPORARY TABLESPACE temp
QUOTA 5M ON system
PROFILE app_user
PASSWORD EXPIRE;
3) DB Access Control - Security MS-Access
Database Security
• Two methods for
securing a database:
– set password to open
a database (system
security);
– user-level security, to
limit the parts of the
database that a user
can read or update
(data security).
3) DB Access Control - System Level: Open Exclusive
Database Security
3) DB Access Control - System Level Security (cont.)
Database Security
DBA Sets password
User is prompted
every time he/she
opens the DB
3) DB Access Control - MS-Access: User Level
Database Security
4) SECURE THE DBMS (Patch)
Database Security
• Possible Holes in DBMS
– http://technet.oracle.com/deploy/security/alert
s.htm (50+ listed)
– Buffer overflow problems in DBMS code
– Miscellaneous attacks (Denial of Service,
source code disclosure of JSPs, others)
• Need for continual patching of DBMS
– Cost of not patching
Worms, virus, etc. SQL slammer worm
5) DB Applications
Database Security
• “75 percent of hacks happen at the application”
– Gartner “Security at the Application Level”.
• “The main battlefield between hackers and
security professionals have moved from the
network layer to the web applications”
Eric Marvets, “Microsoft Security Summit”, April 13,
2006, Atlanta, Georgia
5) DB Applications - SQL Injection
Database Security
• Web Application where
1) User inputs text into a textbox
2) Text used to build SQL Query dynamically
3) Malicious input changes the nature of the query
Example: user inputs names into textbox
Name: Benjamin Franklin ' OR 1=1;
SqlStr = “SELECT * FROM EMPLOYEE
WHERE EMPLOYEE.Name = ” +
userInput
SqlStr = SELECT * FROM EMPLOYEE
WHERE EMPLOYEE.Name =
'Benjamin Franklin' OR 1 = 1;
–Result: every row of the EMPLOYEE table will be returned
SQL Injection - Solution
Database Security
• Similar to Buffer overflow:
validate user input.
6) Virtual Private Databases
Database Security
• May be implemented through Views in most
Database Management Systems (DBMS)
• In Oracle, you may create a policy that will be
fired when an operation (Insert, Update, etc.) is
performed by a certain user on a certain object.
6) VPD, Example of Row Level Security w/ Views
Database Security
6) VPD with a Policy
Database Security
http://bgoug.org/seminar-Velingrad-oct-2005/Presentations/Presentation_OLS.ppt
Virtual Private Database
Technology
Database Security
Data access via Virtual Private Database will perform the following
five steps:
1. User sends SQL to the database server.
2. The associated table triggers a pre-defined security policy.
3. The security policy returns a predicate.
4. The SQL statement is modified according to the security policy.
5. Secured data returns to user.
Table
Table
USER
USER
Step
Step11
Package
Package
Step
Step 2
2
Security
Security
Policy
Step
Step55
Step
Step44
Where
Where
Predicate
Predicate
Step
Step 3
3
6) VPD - Grant Execute on DBMS_RLS
Database Security
•
CONNECT TO ORACLE AS SYSDBA
SQL> connect sys as sysdba
Enter password: ******
Connected.
SYSDBA creates a user called SECMAN (Security manager)
SQL> create user secman identified by s default tablespace users;
SYSDBA GRANTS EXECUTE ON DBMS_RLS TO SECMAN so this user can
create the VPD
SQL> grant dba to secman;
SQL> grant execute on dbms_rls to secman;
CONNECT AS SECMAN
SQL> connect secman/s;
VPD - Definition
Database Security
Ex.: SELECT * FROM Emp; -- becomes
SELECT * FROM Emp where Emp.Name = User;
http://bgoug.org/seminar-Velingrad-oct-2005/Presentations/Presentation_OLS.ppt
Virtual Private Database
Technology
Database Security
A VPD security model uses the Oracle dbms_rls package (RLS stands for
row-level security) to implement the security policies and application
contexts. This requires a policy that is defined to control access to tables and
rows
6) VPD – Update Example
Database Security
Connecting Policy, Table and
Function
UPDATE mn668b14.Employees set ext = 777;
1 row updated.
6) VPD - Security Policy
Database Security
-- create security policy
BEGIN
DBMS_RLS.drop_policy
(object_schema => 'MN668B14',
object_name
=> ' EmployeeUpdateOrderView',
policy_name
=> 'EMP_UPDATE_ORDERS_POLICY');
END;
BEGIN
dbms_rls.add_policy (
object_schema => 'MN668B14',
object_name
=> ' EmployeeUpdateOrderView ',
policy_name
=> 'EMP_ORDERS_UPDATE__POLICY’,
function_schema => 'MN668B14',
policy_function => 'EMPUSER_ONLY',
statement_types => 'SELECT,UPDATE,INSERT,DELETE',
update_check
=> TRUE
);
END;
6) VPD - Summary
Database Security
• VPD security provides a new way to control access
to Oracle data.
• One Schema, several virtual schemas.
• Dynamic nature of a VPD. At runtime, DBMS
modifies SQL statement to add security.
Burleson, Donald (2003), "Establish security policy with Oracle virtual
private database", http://www.dba-oracle.com/art_builder_vpd.htm
7) Oracle Label Security (OLS)
Database Security
• simulates multilevel db.
• Adds a field for each row to store the row’s
sensitive label.
• Access is granted (or denied) comparing user’s
identity and security clearance label with row’s
sensitive label.
7) OLS and Multilevel Security
Database Security
• Information has different classifications
• Users have different security clearances
• Purpose: separate data based on its classification
• Mandatory Access Control (MAC): security enforced
by system and not by the user.
• Polyinstantiation: multiple rows with same PK.
Instances distinguished by security level.
7) Problem with Multilevel Security
Database Security
• It is really multiple instantiations of single-level
DBMS, which strongly degrades performance.
• Examples: Trusted Oracle, DB2 for z/OS,
Informix OnLine/Secure, Sybase secure system
7) Oracle Label Security:
Database Security
• simulates multilevel db.
• Adds a field for each row to store the row’s
sensitive label.
• Access is granted (or denied) comparing user’s
identity and security clearance label with row’s
sensitive label.
• Label contains LEVEL, GROUP and
COMPARTMENT
7) OLS & VPD
Database Security
• Like VPD, OLS creates Policies
• A policy is a name that associates labels, rules,
and authorizations.
• DBA defines a set of labels for data and users,
along with authorizations for users and program
units, that defines all access to objects.
7) OLS LABEL has 3 Components
Database Security
• level : mandatory, simple hierarchy
• compartment optional, non-hierarchical
• group optional, tree level hierarchy
• OLS compares the user security clearance with the
sensitivity label assigned to the data.
• IF a label contains all 3 components, THEN
the security clearance of the user >= the data
sensitivity level, contain all compartments and at
least one group.
7) OLS - More on 3 components
Database Security
• label has 3 components:
• a single level (sensitivity) ranking
• zero or more horizontal compartments
• zero or more hierarchical groups
7) OLS – Column added
Database Security
• When an Oracle Label Security policy, a column is
added to the table that is protected by the policy.
This policy label column contains the label
information for each data row.
• DBA can choose to display or hide this column
7) OLS - Levels
Database Security
7) OLS - Compartments
Database Security
7) OLS - Groups
Database Security
7) OLS & VPD
Database Security
• FGAC = Fine Grained Access Control (A mechanism to implement Row
level security in Oracle Database)
• OLS and VPD are the utilities which are used for FGAC.
• OLS: GUI tool
• ROW LEVEL SECURITY
• COLUMN LEVEL SECUITY
in Oracle 9i, neither. use views.
in Oracle 10g you can o column masking with VPD, but not with OLS.
7) OLS Conclusion
Database Security
• Built on top of VPD
• Higher Level, more refined than VPD
• Built around Row Level Security, Not much for
Column Level Security
8) Inference Threat
Database Security
9) Encryption: overview
Database Security
• Encrypting Data-in-transit
As it is transmitted between client-server
• Encrypting Data-at-rest
Storing data in the database as encrypted
Encrypting of Data is another layer of security
(security in depth). It does not substitute
other DB security techniques such as strong
password.
9) Encrypting Data-in-transit
Database Security
For a Hacker to eavesdrop on a conversation and
steal data, two things may occur
1) Physically tap into the communications between
the db client & the db server
2) Hacker must understand the communication
stream in order to extract sensitive data.
In order to do this, what does the Hacker need ?
Tools for packet sniffing
Database Security
the Hacker needs to have
• With a minimum understanding of TCP/IP +
• Use one of many network protocol analyzer that
are freely available.
• Packet (formatted block of data transmitted by a
Network).
• Sniffing: capturing and analyzing package
(like dog sniffing).
Minimum Understanding of TCP/IP
Database Security
• Network Security book.
Example:
Roberta Bragg, Mark Rhodes-Ousley and Keith Strassberg,
Network Security; The Complete Reference.
• TCP/IP is well documented all over the web.
• Documentation describes the headers of the
packet.
9) Encryption - Where to run Network Analyzer Packet ?
Database Security
• Client Machine that has access to the Database
server
• Database Server
Network Protocol Analyzer: examples
Database Security
• Tcpdump: utility available as part of installation
on most UNIX systems. Can be downloaded from
http://www.tcpdump.org
• (windump). Windows counterpart. Available on
some systems. Can be downloaded from
http://windump.polito.it
• Wireshark (http://www.wireshark.org/download.html):
world’s most famous NP Analyzer. Formerly Ethereal
(www.ethereal.com).
Implement Encryption,data-in-transit
Database Security
Fortunately there are also many encryption
techniques for data in transit:
• Database-specific features such as Oracle
Advanced Security
• Connection-based metods (such as SSL)
• Secure tunnels (such as SSH)
• Relying on the operating Systems (IPSec
Encryption)
Secure Socket Layer (SSL)
Database Security
• cryptographic protocols that provide secure
communications on the Internet for such things as web
browsing, e-mail, Internet faxing, instant messaging and
other data transfers.
• You may enable SSL from within a DBMS.
• SQL-Server for example: Programs -> Microsoft SQL Server
-> Server Network Utility, check the Force protocol
Encryption checkbox. Then Stop and start SQL Server.
• Server also must be informed how it will derive encryption
keys
• Note: make sure that your version of SSL is compatible
with your version of MySQL (like in ODBC or JDBC).
SSH Tunnels
Database Security
• SSH used in many applications. Example: Substitute for
FTP with encryption.
• From most DBMSs, you can set up SSH tunnels to encrypt
database traffic by port forwarding (Encrypted session
between client and server).
• Example: to connect Linux client machine of IP
CCC.CCC.C.CCC to a MySQL instance installed on a server
with IP address of SSS.SSS.S.SS listening in on port 3306
(default MySQL port).
•
Ssh –L 1000:localhost:3306 SSS.SSS.S.SS –l mylogin –I ~/ .ssh id –N -g
•
-L=port forwarding, Any connection attempted on port 1000 on the local
machine should be forwarded to port 3306 on the server. Therefore any
connection on port 1000 will go through encryption.
IPSec
Database Security
• Another Infrastructure option that protects the DB
with encryption tools.
• IPSec is done by the OS so you need to encrypt
all communications (can’t be selective).
• It operates at layer 3 of the OSI network (lower
level).
Installing IPSec on Windows/XP
• install IP Security Policy manager. Then from
Control Panel -> Administrative Tools, select IPSec
Encrypting Data-at-rest
Database Security
• There are two reasons to do this
– Protect it from DBAs.
– Protect from File or Disk Theft.
Encrypting Data-at-rest
Database Security
• Encrypting at Application Layer
Must do it at multiple locations from within app.
Data can only be used from within application
• Encrypting at File System/Operating System Layer
less flexible. Requires you to encrypt everything.
Performance degrades
Weak for handling Disk Theft problem.
• Encrypting within Database
– Usually, most practical option
Encrypting at Application Layer
Database Security
• Application Developers use a cryptographic library
to encrypt such as Java Cryptographic Extensions
(JCE) – set of APIs in the java.security and
java.crypto packages
Encryption at OS layer
Database Security
• Windows implements the Encrypted File System
(EFS) and you can use it for MS-SQL Server.
• Disadvantages ?
Encryption within Database
Database Security
• SQL Server 2005 you can access Windows
CryptoAPI through DB_ENCRYPT and
DB_DECRYPT within T-SQL (similar to PL/SQL)
Can use DES, Triple DES and AES
(symmetric keys)
• In ORACLE, you can access
– DBMS_OBFUSCATION_TOOLKIT package that
implements DES and Triple DES
Summary
Database Security
• DB Encryption can be divided into Data-in-transit
and Data-at-rest
• Encryption is useful as a last layer of defense
(defense in depth). Should never be used as an
alternative solution
• Encryption should be used only when needed
• Key Management is Key
10) Auditing
Database Security
• Need to be selective
2 main types of auditing:
Database Security
• Oracle-supplied auditing using AUDIT command.
Results go to AUD$
• Trigger-based DML auditing
• Either way, DBA must monitor auditing table.
Auditing examples/scripts:
• http://www.securityfocus.com/infocus/1689
• http://www.petefinnigan.com/papers/audit.sql
Example of Audit command
Database Security
• Must have audit system privileges
• Only tracks in subsequent user sessions
• Creates records in table AUD$ owned by sys
– You don’t query this table, you query
• Views such as DBA_AUDIT_TRAIL
•
•
•
•
SQL>
SQL>
SQL>
SQL>
AUDIT Delete any table;
NOAUDIT delete any table;
AUDIT SELECT TABLE, UPDATE TABLE;
AUDIT create session;
When to audit
Database Security
• When should we audit Oracle users ?
– Basic set of auditing measures all the time
– Capture user access, use of system privileges,
changes to the db schema (DDL)
If company handles sensitive data (financial
market, military, etc.) OR
If there are suspicious activities concerning the
DB or a user, specific actions should be done.
Audit w/ Triggers (generic solution)
Database Security
• Create a table that will contain audit information
• Create a trigger that inserts a row into the table
every time a certain operation is created such as
LOGON, LOGOFF, CREATE TABLE, DELETE, etc.
11) Datawarehouses
Database Security
• Traditionally queried only by upper management
• Encryption has not been an option due to
performance implications
• Designed as Open systems, permitting exploratory
approach
• Optimization techniques for quick responses
Datawarehouse Trends & Problems
Database Security
• Range of potential users are rapidly increasing
• Number of security breaches are rapidly increasing
• Legislation is addressing issue to protect personal
information
• Statistical Databases and Inferences
User is allowed to see aggregate
data, but not individual rows. With
malicious
input, user infers the value of individual rows.
End of Lecture
Database Security
End
Of
Today’s
Lecture.