Database Systems Security - Paul J. Wagner
From amiable_indian (SlideShare upload)
Slideshow transcript

Slide 1: Database Systems Security
Paul J. Wagner, University of Wisconsin – Eau Claire

Slide 2: Database Systems Security – Background
Need
- Security curriculum is relatively light in the database systems area
  - Focus is currently on protecting information through network configuration, systems administration and application security
  - Need to specifically consider database system security issues
Goals
- Understand security issues in a specific Oracle environment and in a general database system environment
- Consider database security issues in the context of general security principles and ideas

Slide 3: Main Message
Database system security is more than securing the database
- Secure database
- Secure DBMS
- Secure applications
- Secure operating system in relation to the database system
- Secure web server in relation to the database system
- Secure network environment in relation to the database system

Slide 4: Secure Databases
Traditional database security topics and issues
- Users, Passwords
  - Default users/passwords
    • sys and system accounts – privileged, shipped with default passwords
    • scott account – well-known account and password, member of the PUBLIC group – e.g. PUBLIC can query the all_users data dictionary view
    • general password policies (length, character domain, change interval, protection)
- Privileges, Roles, Grant/Revoke
  - Privileges
    • System – actions (e.g. CREATE SESSION, CREATE TABLE)
    • Object – data (e.g. SELECT on a particular table)
  - Roles
    • Named collections of privileges (system and/or object) and possibly other roles
  - Grant / Revoke
    • Giving (removing) privileges or roles to (from) users or roles
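The privilege, role and GRANT/REVOKE scheme on this slide is easiest to reason about as a small data structure. The model below is an added example written for this page, not code from the slides or from Oracle; the role contents (CONNECT holding only CREATE SESSION, RESOURCE holding only CREATE TABLE, DBA nesting both) are simplified assumptions, and the users and privilege names are constructed for the demonstration. It shows the two points the slide makes: everything granted to PUBLIC is held by every user, and revoking a role removes every privilege that was reachable only through it.

```python
class PrivilegeModel:
    """Minimal model of Oracle-style privileges (hypothetical, for illustration):
    privileges are strings such as 'CREATE SESSION' (system) or
    'SELECT ON ALL_USERS' (object); roles bundle privileges and other roles;
    GRANT/REVOKE attach them to users or to roles. Every user implicitly
    holds the PUBLIC role."""

    def __init__(self):
        self.role_privs = {"PUBLIC": set()}   # role -> directly granted privileges
        self.role_roles = {"PUBLIC": set()}   # role -> nested roles
        self.user_privs = {}                  # user -> directly granted privileges
        self.user_roles = {}                  # user -> granted roles

    def create_role(self, role):
        self.role_privs.setdefault(role, set())
        self.role_roles.setdefault(role, set())

    def create_user(self, user):
        self.user_privs.setdefault(user, set())
        self.user_roles.setdefault(user, {"PUBLIC"})   # PUBLIC comes for free

    def _tables(self, grantee):
        """Return the (privileges, roles) sets belonging to a user or a role."""
        if grantee in self.user_privs:
            return self.user_privs[grantee], self.user_roles[grantee]
        if grantee in self.role_privs:
            return self.role_privs[grantee], self.role_roles[grantee]
        raise KeyError("unknown user or role: %s" % grantee)

    def grant(self, what, grantee):
        privs, roles = self._tables(grantee)
        (roles if what in self.role_privs else privs).add(what)

    def revoke(self, what, grantee):
        privs, roles = self._tables(grantee)
        (roles if what in self.role_privs else privs).discard(what)

    def effective_privileges(self, user):
        """Direct privileges plus everything reachable through the role graph."""
        privs = set(self.user_privs[user])
        todo, seen = list(self.user_roles[user]), set()
        while todo:
            role = todo.pop()
            if role in seen:
                continue
            seen.add(role)
            privs |= self.role_privs[role]
            todo.extend(self.role_roles[role])
        return privs

    def has_privilege(self, user, priv):
        return priv in self.effective_privileges(user)


def demo_model():
    """Constructed scenario: simplified CONNECT/RESOURCE/DBA roles, a PUBLIC
    grant on ALL_USERS, and three users with different entitlements."""
    m = PrivilegeModel()
    for role in ("CONNECT", "RESOURCE", "DBA"):
        m.create_role(role)
    m.grant("CREATE SESSION", "CONNECT")
    m.grant("CREATE TABLE", "RESOURCE")
    m.grant("CONNECT", "DBA")            # roles can contain roles
    m.grant("RESOURCE", "DBA")
    m.grant("ALTER ANY TABLE", "DBA")
    m.grant("SELECT ON ALL_USERS", "PUBLIC")   # the exposure the slide mentions
    m.create_user("SCOTT")
    m.grant("CONNECT", "SCOTT")
    m.grant("RESOURCE", "SCOTT")
    m.create_user("SYSTEM")
    m.grant("DBA", "SYSTEM")
    m.create_user("APP_RO")
    m.grant("CREATE SESSION", "APP_RO")  # direct privilege, no roles at all
    return m


if __name__ == "__main__":
    m = demo_model()
    for user in ("SCOTT", "SYSTEM", "APP_RO"):
        print(user, sorted(m.effective_privileges(user)))
    m.revoke("SELECT ON ALL_USERS", "PUBLIC")
    print("after revoking from PUBLIC:", m.has_privilege("APP_RO", "SELECT ON ALL_USERS"))
```

The useful habit this encodes is to audit by effective privileges rather than by the grants visible on a user: APP_RO was never granted anything on ALL_USERS, yet it can read the view until the PUBLIC grant is revoked.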

Slide 5: Secure DBMS
Possible holes in the DBMS
- http://technet.oracle.com/deploy/security/alerts.htm (50+ listed)
- Buffer overflow problems in DBMS code
- Miscellaneous attacks (denial of service, source code disclosure of JSPs, others)
- UTL_FILE package in PL/SQL
  - allows read/write access to files in the directory specified by the utl_file_dir parameter in init.ora
  - possible access to files outside that directory through symbolic links
Need for continual patching of the DBMS
- Encourage awareness of issues, continuous vigilance
- Cost of not patching
  - SQL Slammer worm (exploited a SQL Server flaw for which a patch had been available for months)

Slide 6: Secure Application Development
Access to the Oracle database or environment through applications
- Example: SQL injection attack through a web application
  - Application tracks its own usernames and passwords in the database
  - Client accepts username and password, passes them as parameters
  - Application Java code builds the SQL statement by string concatenation:

    String query = "SELECT * FROM users_table"
                 + " WHERE username = '" + username + "'"
                 + " AND password = '" + password + "'";

  - Expecting one row to be returned on success, no rows on failure
  - Attacker enters any username, and a password of: Aa' OR '' = '
  - Query becomes:

    SELECT * FROM users_table WHERE username = 'anyname' AND password = 'Aa' OR '' = ''   -- F or T => T

  - All user rows are returned to the application
  - If the application only checks for 0 vs. more than 0 rows, the attacker is in
  - Caveat: Oracle treats the empty string as NULL, so '' = '' evaluates to NULL there rather than TRUE; against Oracle the same trick needs non-empty literals, e.g. a password of: Aa' OR 'a' = 'a
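The slide's Java program cannot be run here, so the following is an added example (not from the slides) that rebuilds the same login check in Python against an in-memory SQLite table. The users_table schema and its three rows are constructed for the demonstration. build_query_concat reproduces the slide's concatenation exactly, login_vulnerable executes it and applies the "more than 0 rows" check, and login_parameterized is the fix: bind variables, so the quote in the attacker's input never reaches the SQL parser as syntax.

```python
import sqlite3


def make_users_db():
    """Constructed stand-in for the slide's users_table (only the two columns
    the query touches). Plaintext passwords are kept because that is what the
    slide's application does; it is not a recommendation."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users_table VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2"), ("carol", "Tr0ub4dor")],
    )
    conn.commit()
    return conn


def build_query_concat(username, password):
    """The slide's query, built the slide's way: raw string concatenation
    with no escaping of the caller-supplied values (deliberately vulnerable)."""
    return (
        "SELECT * FROM users_table"
        " WHERE username = '" + username + "'"
        " AND password = '" + password + "'"
    )


def login_vulnerable(conn, username, password):
    """Returns the number of matching rows. The slide's application treats
    > 0 rows as a successful login, which is the check the payload defeats."""
    return len(conn.execute(build_query_concat(username, password)).fetchall())


def login_parameterized(conn, username, password):
    """Same logic with bind variables: statement text and values travel
    separately, so a quote in the input is data, not syntax."""
    rows = conn.execute(
        "SELECT * FROM users_table WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return len(rows)


# Two payloads: the slide's exact one, and the variant that also works where
# the empty string is NULL (as in Oracle) and '' = '' is therefore not TRUE.
PAYLOAD_SLIDE = "Aa' OR '' = '"
PAYLOAD_NONEMPTY = "Aa' OR 'a' = 'a"

if __name__ == "__main__":
    conn = make_users_db()
    print(build_query_concat("anyname", PAYLOAD_SLIDE))
    for payload in (PAYLOAD_SLIDE, PAYLOAD_NONEMPTY):
        print("concatenated rows:", login_vulnerable(conn, "anyname", payload),
              "| parameterized rows:", login_parameterized(conn, "anyname", payload))
```

Because AND binds tighter than OR, the concatenated WHERE clause reads as (username = 'anyname' AND password = 'Aa') OR ('' = ''), which is true for every row; SQLite returns all three, the parameterized version returns none. Row counting is also the wrong success test even without injection: compare the single row for the submitted username and nothing else.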

Slide 7: Secure Application Development
Application security in the enterprise environment
- J2EE
- .NET
Use of proxy applications
- Assume network filtering removes most evil traffic
- The application can then control fine-grained behaviour and application-protocol security
Security patterns (from J2EE Design Patterns Applied)
- Single Access Point pattern
  - single point of entry into the system
- Check Point pattern
  - centralized enforcement of authentication and authorization
- Role pattern
  - disassociation of users and privileges

Slide 8: Secure Operating System
Interaction of Oracle and the OS
- Windows
  - Secure administrative accounts
  - Control registry access
  - Need good account policies
  - Others…
- Linux/Unix
  - Choose different account names than the standard suggestions
  - Restrict use of the account that owns the Oracle software
  - Secure the temporary directory
  - Some Oracle files are SUID (root)
  - Command-line SQL*Plus with user/password parameters exposes them in ps output
  - Others…

Slide 9: Secure Web Server
Interaction of Oracle and the web server
- Apache is now provided within Oracle as its application server, started by default
- Apache issues
  - Standard configuration has some potential problems
    - See Oracle Security Handbook for more discussion
  - Ensure secure communication from web clients to the web server
  - Use MaxClients to limit possible connections
  - Others…
- Internet Information Server (IIS) issues
  - Integration with other MS products (e.g. Exchange Server)
  - Known vulnerabilities
  - Others…

Slide 10: Secure Network
Interaction of Oracle and the network
- Oracle Advanced Security (OAS) product
  - Features for:
    • Authentication
    • Integrity
    • Encryption – use of SSL
- Oracle server generally behind a firewall
  - Good to separate DB and web servers
  - Connections are normally initiated on port 1521, but the listener may then redirect them to a dynamically selected port
- Other network issues to consider
  - Possibility of hijacking a sys/sysmgr connection
  - Various sniffing and spoofing issues

Slide 11: Miscellaneous Issues
Newer Oracle security features
- Virtual Private Databases (VPDs)
- Oracle Label Security
Auditing
- Good policy: develop a comprehensive audit system for database activity tracking
- Audit records can be written to the OS as well as into the database, for additional security and accountability for everyone working with the databases

Slide 12: Lab Exercise
Overall security examination of Oracle in a networked environment
1) Database: set up an Oracle client, test a known database for:
   - Privileged access through the sys or system accounts
   - Public access through scott and other known/discovered usernames
2) DBMS: check for known vulnerabilities
   - Check overall system level, patch level
   - Test for specific problems from the Oracle list
3) Application:
   - Test for SQL injection and other application weaknesses
Similar types of tasks for the OS, web server and network components
Task: develop a summary report, including specifics for all areas

Slide 13: References
- Theriault and Newman, "Oracle Security Handbook", Osborne/Oracle Press, 2001.
- Kreines and Laskey, "Oracle Database Administration: The Essential Reference", O'Reilly, 1999.
- "Investigation of Default Oracle Accounts", http://www.pentest-limited.com/user-tables.pdf