1. An investigation into the security features offered by Oracle 10g Enterprise Edition Author: Keletso Nyathi Supervisor: Mr John Ebden Computer Science Department

2. Project objectives  To study and evaluate the security features on the 10g Enterprise Edition of Oracle  To draw out a conclusion about how secure Oracle databases are.  To suggest possible solutions to database security problems.

3. Introduction  A database is an integrated aggregation of data usually organised to reflect logical or functional relationships among data elements.  Databases have to be protected from illegal users.  Poor database security is a lead contributor to incidents of identity theft.  My project aims at evaluating the security provided by databases against hackers and trying to come up with possible solutions.

4. Background Information  Databases have been made available on the Internet to provide fast querying by users.  The growth of e-commerce has led to increased risks of indirect attack on databases.  Recently David Litchfield claims to have found a new class of attack on Oracle called “Dangling Cursor snarfing” that he uses to hack into the system.  Meanwhile Oracle claims that this class of attack is trivial and highly impractical.

5. Oracle Database current releases Standard Edition One  Ranges from a single user for a small business to distributed environments.  Limited to 2 processors Standard Edition  Supports for large machines and clustering of services with real application clusters.  Licensed to a single server with max of 4 processors Personal Edition  Single user developments and brings the whole of Oracle functionality to a personalised edition  Can run on any number of processors but restricted to single user.

6. Cont… Express Edition  Designed for beginners.  Can be installed on any size of machine with any number of CPUs

7. Cont… Enterprise Edition  Most reliable, secure data management for mission critical applications such as OLTP environments.  Query-intensive-data warehouse demanding internet applications.  Provides functionality to meet availability and scalability requirements of today’s mission- oriented applications for the enterprise.  Contains all of Oracle database components and can be further enhanced with extra packs.  Support all sizes of computers and is not limited to maximum processor count

8. Literature Survey.  A paper by David Litchfield entitled “Dangling Cursor Snarfing: A new class of Attack in Oracle”.  Another paper by David Litchfield entitled “Which Database is more secure? Oracle vs. Microsoft”.  Security course offered by Barry Irwin.  Documentation from Oracle about its security.  Database security as well as hacking techniques from the Internet.  Projects from previous years.

9. Intended Approach  Investigate David Litchfield’s claim against Oracle Database  Investigate some of the security features claimed by Oracle.  For each security feature, I will carry out tests to hack into the database.  Record findings and try to come up with possible solutions in case of failure.  Finally evaluate my findings and draw out a conclusion about the overall security offered by Oracle.

10. Timeline ActivityPeriod Install latest version of Oracle1 week Familiarise with Oracle and its security features4 weeks Literature review on security and hacking tests4 weeks Examine Security in the product including cursor snarfing. 12weeks Make evaluation of findings on Oracle security 6 weeks Summary of findings4 weeks Make a write up of project5 weeks

11. Expected outcomes and possible extensions  Derive a conclusion about how secure Oracle is.  If possible, make informed security suggestions for databases.  Acquire a deep understanding of the weaknesses in database security …………………………………………………………………………………………………  This project can also be carried forward into comparing Oracle against other databases e.g. SQL Server and some open source databases.  Its results might be a clue into finding an effective way to improve database security.

12. Thank you Questions and answers