Database Security - Department of Computer Science

Report
Yiwen Wang
--“Securing the DB may be the single biggest
action an organization can take to protect its
assets”
David C. Knox
Dec 13th CS555 presentation
1

Database Security - protection from malicious
attempts to steal (view) or modify data.






Bank accounts
Credit card, Salary, Income tax data
University admissions, marks/grades
Land records, licenses
Data = crown jewels for organizations
Recent headlines:
 Personal information of millions of credit card users stolen
 Criminal gangs get into identity theft
 Web applications been hacked due to the database
vulnerabilities
1) DB Security Plan
2) Database Access Control
3) DBMS Security: Patching
4) DB Application: SQL injection, Inference Threats
5) Virtual Private Databases
6) Oracle Label Security
7) Inference Threats
8) Encryption
9) Auditing
10) Datawarehouse
11) Security Animations


Default Users and Passwords
 Users, Passwords
 Default users/passwords
 sys, system accounts – privileged, change default password
 Sa (MS-SQL Server)
 scott account – well-known account/password, change it
- general password policies (length, domain, changing,
protection)
People Having too many privileges
 Privileges, Roles, Grant/Revoke
 Privileges
 System - actions
 Objects – data
 Roles (pre-defined and user-defined role)
 Collections of system privileges (example: DBA role)
 Grant / Revoke
 Giving (removing ) privileges or roles to (from) users
GRANT privilege_name
ON object_name
TO role_name;
REVOKE privilege_name
ON object_name
FROM role_name;











Some important database priveleges:
Select
Insert
Update
Delete
Index
Alter
Create database
Drop database
All
Usage


1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Applications are often the biggest source of insecurity
OWASP Top 10 Web Security Vulnerabilities
Unvalidated input
Broken access control
Broken account/session management
Cross-site scripting (XSS) flaws
Buffer overflows
(SQL) Injection flaws
Improper error handling
Insecure storage
Denial-of-service
Insecure configuration management
Application
Program
Database

SQL Injection

Definition – inserting malicious SQL code through
an application interface
 Often through web application, but possible with any
interface

Typical scenario
 Three-tier application (web interface, application, database)
 Overall application tracks own usernames and passwords in
database (advantage: can manage users in real time)
 Web interface accepts username and password, passes these
to application layer as parameters

Example: Application Java code contains SQL
statement:
 String query = "SELECT * FROM users table " +
" WHERE username = " + " ‘ " + username + " ‘ " +
" AND password = " + " ‘ " + password + " ‘ " ;



Note: String values must be single quoted in SQL, so
application provides this for each passed string
parameter
Expecting one row to be returned if success, no rows
if failure
Common variant – SELECT COUNT(*) FROM …

Attacker enters:
 any username (valid or invalid)
 password of: Aa‘ OR ‘ ‘ = ‘


Query becomes: SELECT * FROM users_table
WHERE username = ‘anyname‘ AND password =
‘Aa‘ OR ‘ ‘ = ‘ ‘;
Note: WHERE clause => F and F or T => F or T => T
 AND has higher precedence than OR
All user/pass rows returned to application
 If application checking for 0 vs. more than 0 rows,
attacker is in


How to resolve this?

First (Attempted) Solution: Check Content
 Client code checks to ensure certain content rules are
met
 Server code checks content as well
 Specifically – don’t allow apostrophes to be passed
 Problem: there are other characters that can cause
problems
 - ;
 %
// SQL comment character
// SQL command separator
// SQL LIKE subclause wildcard character
 Which characters do you filter (blacklist) / keep
(whitelist)?



Bertino, E., & Sandhu, R. (2005). Database
security—concepts, approaches, and challenges.
IEEE Transactions on Dependable and Secure
Computing, 2(1), 2-18
Defense Information Systems Agency. (2004).
Database security technical implementation guide, 7(1).
Department of Defense. Retrieved January 31, 2010,
from
http://www.databasesecurity.com/dbsec/databa
se-stig-v7r1.pdf
Wilhelm Burger Mark J.Burge(2010) Digital Image
Processing—An Algorithmic Introduction Using Java
Thank you !

similar documents