the presentation describes a lot of very technical details about row level security, possibble security breaches in relational databases like Oracle and Postgres. A lot of examples how to protect data is shown.

1. Место Row Level Security в высоконагруженном проекте
Hardcore Edition
Александр Токарев
RuOUG

2. Agenda
1. Row Level Security
2. RLS approaches
3. Our case
4. Lessons learned
5. Q&A

3. RLS security myths

4. RLS
1. Enable row-level access control
2. Simplify application development
3. Centralize security management

5. Security requirements
We need new security now!
Initial requirements
1. Users should see only own data
One year after development started:
1. GDPR audit
2. SOX audit
3. 5 severe security violations = 20 new rules

6. Security requirements
1. Minimal application changes
2. Low impact to performance
3. Centralized security management
4. All applications should be affected
5. Implementation should be fast
=
Oracle Virtual Private Database
RLS in DBMS

7. RLS location
1. Application server
2. Database server
3. Mixture

8. Application server
1. Modify queries to DB
+ performance, agile
- hand-made
2. Filter fetched data
+ supported by frameworks
- extra app/db server traffic, complicated search, paging, etc

9. DB server
1. Security views
+ performance
- issues with DML
2. Stored procedures API
+ performance
- out of fashion
3. Embedded row level security
+ full of myths
- full of myths

10. Mixture
Client 1
Client 2
Client X
Application
server

11. RLS location
1. Application server
+ high level language
- access via application server only
2. Database server
+ performance, close to data
- too much myths
3. Mixture
+ very scalable
- complicated implementation

12. DBMS RLS myths
1. Bad performance
2. Complicated implementation
3. Easy to hack
4. No interaction with UI
5. Exists in old database engines only
6. Only for 2-tier applications

13. Our project architecture
Oracle
main
Oracle
DG
Application
server
Application
server
Load
balancer
Client
browser
10000 RPS
4000 users
InMemory
cluster
Application
server
GCC
Apache
Solr
CRM
20 Reports per second
100 users
60 Reports
per second
300 users
20 Reports per second
100 users
100 RPS

14. Access types
1. User observes own records only
2. Users observes records shared with him by others user
3. User observes records for given permitted customer list
.
.
.
20. User observes records for given permitted record type list

15. Security source
Customer
Security DB
Microsoft
Active Directory
Oracle
main
Oracle
DG
Application
server
Application
server
Load
balancer
Client
browser
InMemory
cluster
Application
server
GCC
Apache
Solr
CRM
300 roles per user300 000 permissions
mappings

16. VPD glossary
• Context – key-value pair storage
• Security object – object controlled by VPD
• Security predicate – SQL string appended to query
• Policy function – PL/SQL populating predicate
• Policy – metadata which glues all together

17. VPD internals
sql
VPD policy
checker
Security predicate
producer
Query
rewriter
Query plannerData

18. Context

19. Policy function

20. Predicate testing

21. “Created by username” policy

22. “Created by username” policy

23. “Created by username” policy

24. “Created by username” policy

25. “Created by username” policy

26. ACL policy
1. Based on AD groups only
2. AD groups store permission mappings
3. Mostly IN or EXISTS/NOT EXISTS predicates
division_type_code in (‘BRANCH’, ‘DEPO’, ‘ARCH’)
Not exists (
select 1
from restricted_user_measures m
where m.measure_id = customer.measure_id
)

27. “Created by username” policy 3 Tier

28. “Created by username” policy 3 Tier

29. “Created by username” policy 3 Tier
Invoke just after got connection

30. Application changes
AD user Tableau made login
The same in Java!

31. DBMS RLS myths
1. Bad performance
2. Complicated implementation
3. Easy to hack
4. No interaction with UI
5. Exists in old database engines only
6. Only for 2-tier applications

32. Development process failure
1. Developers see no data
2. DBAs see no data
3. Only started applications see data

33. Development process failure

34. Development process fix

35. Development process Prod

36. Development process Dev

37. External systems interaction pain
1. Customer security DB – DB links are prohibited
Solution: dedicated ETL job – 5 minute delay
2. Active Directory – no access from Oracle
Solution: pass all user roles to context from Java

38. Debug Policy fine
– Filter predicate in execution plan
– View v$vpd_policy

39. Debug failure Policy broken

40. Debug failure Policy broken
1. No information in execution plan
2. No information in v$vpd_policy
3. Queries fails with

41. Debug failure Policy broken

42. DBMS RLS myths
1. Bad performance
2. Complicated implementation
3. Easy to hack
4. No interaction with UI
5. Exists in old database engines only
6. Only for 2-tier applications

43. Performance degradation
1. Query plans hard parse – 3x more
2. Get connection from pool – 3x more
3. Query execution time – up to 2x more
4. Context switches – up to 2x more

44. Plan to fix
1. Get connect from pool
2. Securities predicates
3. Hard parse
4. Wild execution plans
5. Cache
6. Denormalization

45. Get connection pain
1. Java – get AD roles
2. Java – filter security roles
3. Java – send to Oracle as input parameter:
- AD user name
- AD roles list
4. Oracle – VPD predicates magic
80%
0.4 sec

46. Get connection pain
120-300 AD roles!

47. Connection pain solution
1. Do not pass AD roles from Java side
2. Connect to AD from Oracle DBMS
3. Use DBMS_LDAP package
0.4 seconds => 0.08 seconds!

48. Policy evaluation mitigation
sql
VPD policy
checker
Security predicate
producer
Query
rewriter
Query plannerData

49. Security predicate cache
sql
VPD policy
checker
Security predicate
producer
Query
rewriter
Query plannerData
Predicate
cache

50. Policy types
1. Dynamic
Predicate is produced each call
2. Static
Predicate produced once
3. Context-sensitive
Predicate produced if security context is changed

51. Policy types
1. Static
when predicate string is constant
ad_user = sys_context(‘security_ctx’, ‘ad_user’)
2. Context-sensitive
when predicate string is built from context
environment_code in (‘SANDBOX’, ‘PROD’, ‘HOME’)
Taken from context

52. Static policy

53. Context-sensitive policy

54. Hard parse resolution

55. Hard parse resolution

56. Hard parse resolution

57. Hard parse resolution
50% hard parse eliminated!

58. Bad query plans basic resolution

59. Bad ACL query plans resolution
Dreams
1. Use InMemory structures – plsql collections
2. Fast
3. No disk I/O
Reality
1. PL/SQL context switches – low performance
2. No options for cardinality estimate – bad plans
3. Very hard to debug

60. Bad ACL query plans resolution

61. Bad ACL query plan resolution
1. I/O is tiny
2. Proper plans/statistics via Dynamic Sampling
3. Indexing support
4. Small changes in policies

62. Bad ACL query plan resolution
300% performance profit!

63. Fixed ACL pain
DBA complains:
- UNDO size grow
- REDO volume grow
- Overloaded disks

64. Fixed ACL pain

65. Fixed ACL pain resolution
Less 30x times!

66. Fixed ACL pain resolution
DBAs are happy!

67. VPD and Result Cache

68. VPD and Result Cache
Call 1
Call 2

69. VPD and Result Cache

70. VPD and Result Cache
Call 1
Call 2

71. VPD and Result Cache

72. VPD and Result Cache

73. VPD and Result Cache

74. VPD and Result Cache

75. VPD and Result Cache
Nothing changes!

76. VPD and Result Cache

77. VPD and Result Cache
Try to not use result cache with VPD!

78. ACL inlining
2 ACL types:
1. By ID
1000-2000 IDs
2. By types
2-10 types

79. ACL inlining
2-10 records

80. ACL inlining
Take from context

81. ACL inlining issues
Not all values + wrong syntax
Someone cuts predicates!

82. ACL inlining issues
Policies more 4000 bytes
Still doesn’t work!

83. ACL inlining issues
Default – 256!

84. ACL inlining issues

85. ACL inlining
Pros
1. Extremely fast
2. No extra DB objects
Cons
1. More hard parse
2. Tricky to populate IN clause
50% performance profit!

86. Cursor invalidation

87. Cursor invalidation

88. Cursor invalidation
Known issue!
Our plan – do nothing!
Exactly our optimization approach 
Many rows

89. Securities right denormalization
ATokarev,VPetrov,MSovina

90. Securities predicates
LIKE = FULL scan mostly!
Denormalization not very efficient in Oracle!
1. Ingestion degradation up to 10%
2. Additional maintenance
3. Sudden deterioration

91. Cache
Per-username based caches:
1. VPD calls
2. AD groups values
3. ACL values*
*8 ACLs – no dedicated cache per ACL
InMemory PL/SQL

92. Caching parameters
N Code Current
value
Purpose
1 VPD_CACHE N Should be invoke vpd.connect if user hasn’t changed
2 ACL_CACHE N Do we need call Active Directory
3 AD_CACHE Y Cache access control list population
4 AD_EXPIRING 300 Lifetime in seconds
5 VPD_EXPIRING 600 Lifetime in seconds
6 ACL_EXPIRING 120 Lifetime in seconds
Was changed ~8 times in Production!

93. Caching conclusion
1. Agreed with business and Security Team
2. Data-driven:
– On/off
– Expiration time

94. Final performance metrics
1. Query plans hard parse – 10%
2. Get connection from pool – 5%
3. Query execution time – up to 20%
4. Context switches – eliminated

95. DBMS RLS myths
1. Bad performance
2. Complicated implementation
3. Easy to hack
4. No interaction with UI
5. Exists in old database engines only
6. Only for 2-tier applications

96. RLS side channel attacks
1. Security predicates/caches/context sniffing
Identify data by security filters content
2. Fake user name calls
Direct connect to DB via superuser as an application user
3. Hand-crafted queries
Tricky queries based on a particular DB issues
4. Dump analysis
- SGA
- Library cache
- Data files

97. Security predicate sniffing
Events
1. 10053 – Cost Based Optimizer decisions
2. 10730 – VPD predicates
3. 10060 – All Predicates
4. 43905 – Result Cache

98. Security predicate sniffing mitigation
1. Close an access to VPD-related views:
- V$VPD_POLICY
- %_POLICIES
- %_POLICY_ATTRIBUTES
- %_POLICY_CONTEXTS
- %_POLICY_GROUPS
2. Close an access to DB trace files
3. Use context – not direct values
4. Use session level temporary tables for cache

99. Fake user name attack
1. Connect to DB directly
2. Process as though application:

100. Fake user name mitigation

101. Fake user name mitigation

102. Fake user name mitigation

103. Fake user name mitigation

104. Fake user name risk
Next day
Login statement is stolen

105. Fake user name mitigation

106. Fake user mitigation
Next minute
Login is stolen

107. Fake user name mitigation

108. Hand-crafted queries

109. Hand-crafted queries
Iterative inference attack

110. Hand-crafted queries
1. result-cache PL/SQL functions
2. others tricks

111. Hand-crafted queries

112. VPD column level security hacking 1

113. VPD column level security hacking 1

114. VPD column level security hacking 1

115. VPD column level security hacking 1
NULL

116. VPD column level security hacking 1

117. VPD column level security hacking 1

118. VPD column level security hacking 1

119. VPD column level security hacking 1

120. VPD Iterative inference attack
Failed in 12.1!
Works in 11.4!

121. DBMS RLS myths
1. Bad performance
2. Complicated implementation
3. Easy to hack
4. No interaction with UI
5. Exists in old database engines only
6. Only for 2-tier applications

122. RLS in Oracle
About 70 policies from default Oracle installation!

123. RLS in others DB

124. RLS in Postgres

125. RLS in Postgress

126. RLS in Postgres ACL

127. RLS in Postgres ACL

128. RLS in Postgres ACL
Very efficient in Postgres!
Overall performance – 15% degradation

129. DBMS RLS myths
1. Bad performance
2. Complicated implementation
3. Easy to hack
4. No interaction with UI
5. Exists in old database engines only
6. Only for 2-tier applications

130. DBMS RLS pros
1. Works automagicaly
2. Tiny client code modification
3. Security rules are equal for all clients
4. No options to bypass common security hacks
5. Security management centralization
6. Works on Oracle Standby database

131. DBMS RLS cons
1. Works automagicaly
2. Sophisticated debug
3. Complicated interaction with external
systems
4. SQL knowledge required
5. Interaction with UI impossible
6. Copy-paste if there are many databases

132. DBMS RLS myths
1. Bad Unpredictable performance
2. Complicated implementation debug
3. Easy A lot of efforts to hack
4. No interaction with UI
5. Exists in old database engines only
6. Only for 2-tier applications

133. When use DBMS RLS
1. Fast tech debt resolution
2. Different applications use direct DB connection
3. Newly implemented applications
4. SOX, GDPR, ISO/IEC 27001/27002,
FedRAMP/FISMA, SOC, HIPAA и PCI DSS
compliance requirements

134. When not to use DBMS RLS
1. Applications uses application server only
2. Sophisticated microservices architecture
3. Very old applications
4. High-loaded OLTP applications

135. Lessons learned
1. Plan security in advance
2. Use data-driven caching
3. Denormalize data
4. Invent simple policies
5. Care about hackers
6. RLS in DBMS works fine
7. Even in Postgres 

136. THANK YOU
WE ARE HIRING!
Alexander Tokarev
Database expert
DataArt
atokarev@dataart.com
https://github.com/shtock
RuOUG