My PowerPoint slides from this Panel
My PowerPoint slides from this Panel Presentation Transcript

  • 1. Database Systems Security Course Module Paul J. Wagner University of Wisconsin – Eau Claire
  • 2. Background
    • Need
      • Security curriculum is relatively light in database systems area
        • Focus currently on protecting information through network configuration, systems administration, application security
        • Need to specifically consider database system security issues
    • Goals
      • Understand security issues in a specific Oracle environment and in a general database system environment
      • Use module to emphasize general security principles and ideas
      • Develop a teaching module for computer security course or a database systems course
      • Develop an accompanying lab project to give students practical experience in this area
  • 3. Main Message to Students
    • Database system security is more than securing the database
      • Secure database
      • Secure DBMS
      • Secure applications
      • Secure operating system in relation to database system
      • Secure web server in relation to database system
      • Secure network environment in relation to database system
  • 4. Secure databases
    • Traditional database security topics and issues
      • Users, Passwords
        • Default users/passwords
          • sys, system accounts – privileged, with default passwords
          • scott account – well-known account and password, part of public group
            • e.g. public can access all_users table
          • general password policies (length, domain, changing, protection)
      • Privileges, Roles, Grant/Revoke
        • Privileges
          • System - actions
          • Objects – data
        • Roles
          • Collections of system privileges
        • Grant / Revoke
          • Giving (removing) privileges or roles to (from) users
  • 5. Secure DBMS
    • Possible Holes in DBMS
      • http://technet.oracle.com/deploy/security/alerts.htm (50+ listed)
      • Buffer overflow problems in DBMS code
      • Miscellaneous attacks (Denial of Service, source code disclosure of JSPs, others)
      • UTL_FILE package in PL/SQL
        • allows read/write access to files in directory specified in utl_file_dir parameter in init.ora
        • possible access through symbolic links
    • Need for continual patching of DBMS
      • Encourage awareness of issues, continuous vigilance
      • Cost of not patching
        • SQL Slammer Worm
  • 6. Secure Application Development
    • Access to Oracle Database or Environment Through Applications
    • Example: SQL Injection Attack through Web Application
      • Application tracks own usernames and passwords in database
      • Client accepts username and password, passes as parameters
      • Application Java code contains SQL statement:
        • String query = "SELECT * FROM users_table " +
        • " WHERE username = " + " ' " + username + " ' " +
        • " AND password = " + " ' " + password + " ' " ;
      • Expecting one row to be returned if success, no rows if failure
      • Attacker enters any username, password of: Aa ' OR ' ' = '
      • Query becomes: SELECT * FROM users_table WHERE username = 'anyname' AND password = 'Aa' OR ' ' = ' '; // (false OR true) => true for every row
      • All user rows returned to application
      • If application checking for 0 vs. more than 0 rows, attacker is in
  • 7. Secure Application Development
    • Application Security in the Enterprise Environment
      • J2EE
      • .NET
    • Use of Proxies
    • Security Patterns
  • 8. Secure Operating System
    • Interaction of Oracle and OS
      • Windows
        • Secure administrative accounts
        • Control registry access
        • Need good account policies
        • Others…
      • Linux/Unix
        • Choose different account names than standard suggestions
        • Restrict use of the account that owns Oracle software
        • Secure temporary directory
        • Some Oracle files are SUID (root)
        • Command line SQL*Plus with user/pass parameters appears under ps output
        • Others…
  • 9. Secure Web Server
    • Interaction of Oracle and Web Server
    • Apache now provided within Oracle as its application server, started by default
    • Apache issues
      • Standard configuration has some potential problems
        • See Oracle Security Handbook for more discussion
      • Ensure secure communication from web clients to web server
      • Use MaxClients to limit possible connections
      • Others…
    • Internet Information Server (IIS) issues
      • Many…
  • 10. Secure Network
    • Interaction of Oracle and Network
      • Oracle Advanced Security (OAS) product
        • Features for:
          • Authentication
          • Integrity
          • Encryption – use of SSL
      • Oracle server generally behind firewall
        • Good to separate DB and web servers
        • Connections normally initiated on port 1521, but then dynamically selected
      • Other Network Issues To Consider
        • Possibility of hijacking a sys/sysmgr connection
        • Various sniffing and spoofing issues
  • 11. Miscellaneous Issues
    • Newer Oracle Security Features
      • Virtual Private Databases (VPDs)
      • Oracle Label Security
    • Auditing
      • Good policy: develop a comprehensive audit system for database activity tracking
        • Can write to OS as well as into database for additional security, accountability for all working with databases
  • 12. Lab Exercise
    • Overall Security Examination of Oracle in Networked Environment
      • 1) Database: Set up Oracle client, test known database for:
        • Privileged access through sys or system accounts
        • Public access through scott, other known/discovered usernames
      • 2) DBMS: Check for known vulnerabilities
        • Check overall system level
        • Test for several specific problems from Oracle list
      • 3) Application:
        • Demonstrate SQL Injection
        • Have students modify example code to prevent such attack
      • OS, Web Server, Network components – yet to be developed
      • Task: develop summary report, including specifics for all areas
  • 13. Pedagogical Issues
    • Potential Uses Within Curriculum
      • Computer Security
      • Database Systems
      • Software Engineering?
    • Module/Lab Exercise
      • Will use late in Computer Security special topics course, Spring 2003
      • Available to colleague to use in Database Systems course, Spring 2003
      • Final module and exercise will be available through web site
  • 14. References
    • "Oracle Security Handbook" by Theriault and Newman; Osborne/Oracle Press, 2001.
    • "Oracle Database Administration: The Essential Reference" by Kreines and Laskey; O'Reilly, 1999.
    • "Investigation of Default Oracle Accounts", http://www.pentest-limited.com/user-tables.pdf
  • 15. Contact Information
    • Central Repository for this presentation, entire panel
      • http://www.cs.uwec.edu/~wagnerpj/sigcse/cybersec2003
      • Email: wagnerpj@uwec.edu
      • Phone Number: 715-836-5901
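The login check from slide 6 and the lab task from slide 12 ("modify example code to prevent such attack"), as an added example that is not part of the presentation: the same string concatenation as the slide's Java code beside a parameterised query, run against a constructed in-memory SQLite table that stands in for the Oracle users_table.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the slide's users_table (SQLite, not Oracle).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users_table VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def build_query_vulnerable(username, password):
    # Same construction as the slide's Java code: user input is spliced
    # straight into the SQL text, so a quote character changes the statement.
    return ("SELECT * FROM users_table" +
            " WHERE username = '" + username + "'" +
            " AND password = '" + password + "'")


def login_vulnerable(con, username, password):
    # Returns the number of matching rows; the slide's application treats
    # "more than 0 rows" as a successful login.
    return len(con.execute(build_query_vulnerable(username, password)).fetchall())


def login_safe(con, username, password):
    # Hardened form: a parameterised query. The driver sends the values
    # separately from the SQL text, so a quote in the input is only data.
    rows = con.execute(
        "SELECT * FROM users_table WHERE username = ? AND password = ?",
        (username, password)).fetchall()
    return len(rows)


# The slide's password payload, spaced so that once the quotes above are added
# the DBMS sees: ... AND password = 'Aa' OR ' ' = ' '
INJECTED_PASSWORD = "Aa' OR ' ' = ' "

if __name__ == "__main__":
    db = make_db()
    print(build_query_vulnerable("anyname", INJECTED_PASSWORD))
    print("vulnerable:", login_vulnerable(db, "anyname", INJECTED_PASSWORD), "rows")
    print("safe:      ", login_safe(db, "anyname", INJECTED_PASSWORD), "rows")
```

With the injected password the concatenated query returns every user row, while the parameterised query returns none.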