My PowerPoint slides from this Panel

  1. Database Systems Security Course Module
     Paul J. Wagner, University of Wisconsin – Eau Claire
  2. Background
     - Need
       - Security curriculum is relatively light in the database systems area
         - Focus is currently on protecting information through network configuration, systems administration, and application security
         - Database system security issues need to be considered specifically
     - Goals
       - Understand security issues in a specific Oracle environment and in a general database system environment
       - Use the module to emphasize general security principles and ideas
       - Develop a teaching module for a computer security course or a database systems course
       - Develop an accompanying lab project to give students practical experience in this area
  3. Main Message to Students
     - Database system security is more than securing the database
       - Secure database
       - Secure DBMS
       - Secure applications
       - Secure operating system in relation to the database system
       - Secure web server in relation to the database system
       - Secure network environment in relation to the database system
  4. Secure Databases
     - Traditional database security topics and issues
       - Users, passwords
         - Default users/passwords
           - sys, system accounts – privileged, with default passwords
           - scott account – well-known account and password, part of the public group
             - e.g. public can access the all_users table
           - General password policies (length, domain, changing, protection)
       - Privileges, roles, grant/revoke
         - Privileges
           - System – actions
           - Objects – data
         - Roles
           - Collections of system privileges
         - Grant / Revoke
           - Giving (removing) privileges or roles to (from) users
  5. Secure DBMS
     - Possible holes in the DBMS
       - http://technet.oracle.com/deploy/security/alerts.htm (50+ listed)
       - Buffer overflow problems in DBMS code
       - Miscellaneous attacks (denial of service, source code disclosure of JSPs, others)
       - UTL_FILE package in PL/SQL
         - Allows read/write access to files in the directory specified by the utl_file_dir parameter in init.ora
         - Possible access through symbolic links
     - Need for continual patching of the DBMS
       - Encourage awareness of issues, continuous vigilance
       - Cost of not patching
         - SQL Slammer worm
  6. Secure Application Development
     - Access to the Oracle database or environment through applications
     - Example: SQL injection attack through a web application
       - Application tracks its own usernames and passwords in the database
       - Client accepts username and password, passes them as parameters
       - Application Java code contains the SQL statement:

           String query = "SELECT * FROM users_table " +
                          " WHERE username = " + "'" + username + "'" +
                          " AND password = " + "'" + password + "'";

       - Expecting one row to be returned on success, no rows on failure
       - Attacker enters any username, and a password of: Aa' OR ' ' = '
       - Query becomes: SELECT * FROM users_table WHERE username = 'anyname' AND password = 'Aa' OR ' ' = ' '; // F or T => T
       - All user rows are returned to the application
       - If the application only checks for 0 vs. more than 0 rows, the attacker is in
  7. Secure Application Development
     - Application security in the enterprise environment
       - J2EE
       - .NET
     - Use of proxies
     - Security patterns
  8. Secure Operating System
     - Interaction of Oracle and the OS
       - Windows
         - Secure administrative accounts
         - Control registry access
         - Need good account policies
         - Others…
       - Linux/Unix
         - Choose different account names than the standard suggestions
         - Restrict use of the account that owns the Oracle software
         - Secure the temporary directory
         - Some Oracle files are SUID (root)
         - Command-line SQL*Plus with user/pass parameters appears in ps output
         - Others…
  9. Secure Web Server
     - Interaction of Oracle and the web server
     - Apache is now provided within Oracle as its application server, started by default
     - Apache issues
       - Standard configuration has some potential problems
         - See the Oracle Security Handbook for more discussion
       - Ensure secure communication from web clients to the web server
       - Use MaxClients to limit possible connections
       - Others…
     - Internet Information Server (IIS) issues
       - Many…
  10. Secure Network
     - Interaction of Oracle and the network
       - Oracle Advanced Security (OAS) product
         - Features for:
           - Authentication
           - Integrity
           - Encryption – use of SSL
       - Oracle server generally behind a firewall
         - Good to separate DB and web servers
         - Connections normally initiated on port 1521, but then dynamically selected
       - Other network issues to consider
         - Possibility of hijacking a sys/sysmgr connection
         - Various sniffing and spoofing issues
  11. Miscellaneous Issues
     - Newer Oracle security features
       - Virtual Private Databases (VPDs)
       - Oracle Label Security
     - Auditing
       - Good policy: develop a comprehensive audit system for database activity tracking
         - Can write to the OS as well as into the database, for additional security and accountability for all working with databases
  12. Lab Exercise
     - Overall security examination of Oracle in a networked environment
       - 1) Database: set up an Oracle client, test a known database for:
         - Privileged access through the sys or system accounts
         - Public access through scott and other known/discovered usernames
       - 2) DBMS: check for known vulnerabilities
         - Check the overall system level
         - Test for several specific problems from the Oracle list
       - 3) Application:
         - Demonstrate SQL injection
         - Have students modify the example code to prevent such an attack
       - OS, web server, network components – yet to be developed
       - Task: develop a summary report, including specifics for all areas
  13. Pedagogical Issues
     - Potential uses within the curriculum
       - Computer Security
       - Database Systems
       - Software Engineering?
     - Module/lab exercise
       - Will be used late in the Computer Security special topics course, Spring 2003
       - Available to a colleague to use in the Database Systems course, Spring 2003
       - Final module and exercise will be available through the web site
  14. References
     - Theriault and Newman, "Oracle Security Handbook", Osborne/Oracle Press, 2001.
     - Kreines and Laskey, "Oracle Database Administration: The Essential Reference", O'Reilly, 1999.
     - "Investigation of Default Oracle Accounts", http://www.pentest-limited.com/user-tables.pdf
  15. Contact Information
     - Central repository for this presentation and the entire panel
       - http://www.cs.uwec.edu/~wagnerpj/sigcse/cybersec2003
       - Email: wagnerpj@uwec.edu
       - Phone number: 715-836-5901
