Dec 13th, CS555 Presentation 1, Yiwen Wang
"Securing the DB may be the single biggest action an organization can take to protect its assets" -- David C. Knox
Database Security - protection from malicious attempts to steal (view) or modify data.
What is at stake:
- Bank accounts
- Credit card, salary, income tax data
- University admissions, marks/grades
- Land records, licenses
Data = crown jewels for organizations
Recent headlines:
- Personal information of millions of credit card users stolen
- Criminal gangs get into identity theft
- Web applications have been hacked due to database vulnerabilities

Topics:
1) DB Security Plan
2) Database Access Control
3) DBMS Security: Patching
4) DB Application: SQL injection, Inference Threats
5) Virtual Private Databases
6) Oracle Label Security
7) Inference Threats
8) Encryption
9) Auditing
10) Data warehouse
11) Security Animations
Default Users and Passwords
- Default users/passwords: the sys and system accounts are privileged; change their default passwords
- sa (MS-SQL Server)
- scott account: well-known account/password, change it
- General password policies (length, domain, changing, protection)
People having too many privileges
Privileges, Roles, Grant/Revoke
- Privileges: system privileges (actions), object privileges (data)
- Roles (pre-defined and user-defined): collections of system privileges (example: the DBA role)
- Grant / Revoke: giving (removing) privileges or roles to (from) users

    GRANT privilege_name ON object_name TO role_name;
    REVOKE privilege_name ON object_name FROM role_name;

Some important database privileges: Select, Insert, Update, Delete, Index, Alter, Create database, Drop database, All, Usage
Applications are often the biggest source of insecurity
OWASP Top 10 Web Security Vulnerabilities:
1. Unvalidated input
2. Broken access control
3. Broken account/session management
4. Cross-site scripting (XSS) flaws
5. Buffer overflows
6. (SQL) Injection flaws
7. Improper error handling
8. Insecure storage
9. Denial-of-service
10. Insecure configuration management
(Figure: Database, Application, Program)

SQL Injection
Definition: inserting malicious SQL code through an application interface. Often through a web application, but possible with any interface.
Typical scenario:
- Three-tier application (web interface, application, database)
- Overall application tracks its own usernames and passwords in the database (advantage: can manage users in real time)
- Web interface accepts username and password and passes these to the application layer as parameters
Example: the application's Java code builds the SQL statement by concatenation, with the application supplying the single quotes around each string parameter (this is the vulnerable pattern discussed below):

    String query = "SELECT * FROM users_table"
                 + " WHERE username = '" + username + "'"
                 + " AND password = '" + password + "'";

Note: string values must be single quoted in SQL, so the application provides the quotes for each passed string parameter. The application expects one row to be returned on success and no rows on failure. Common variant: SELECT COUNT(*) FROM ...

Attacker enters any username (valid or invalid) and a password of:  Aa' OR '' = '
The query becomes:

    SELECT * FROM users_table WHERE username = 'anyname' AND password = 'Aa' OR '' = '';

Note: AND has higher precedence than OR, so the WHERE clause evaluates as (F AND F) OR T => F OR T => T. All user/password rows are returned to the application. If the application only checks for 0 vs. more than 0 rows, the attacker is in.

How to resolve this?
First (attempted) solution: check content
- Client code checks that certain content rules are met
- Server code checks content as well
- Specifically: don't allow apostrophes to be passed
Problem: other characters can also cause trouble:
- --  SQL comment character
- ;   SQL command separator
- %   SQL LIKE subclause wildcard character
Which characters do you filter (blacklist) / keep (whitelist)?
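To make the two points above concrete (the concatenated query returning every row, and a character blacklist being a poor substitute for a real fix), here is an added example that is not part of the slides. It uses Python's sqlite3 module with an in-memory table of constructed, hypothetical users; login_concat mirrors the slide's string-building pattern, login_param is the hardened form using driver placeholders, and contains_blacklisted is the apostrophe/comment/separator/wildcard filter the slide proposes and questions.

```python
import sqlite3

# Constructed sample data standing in for the application's own user store.
# Names and passwords are hypothetical.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Characters the slide lists as troublesome: apostrophe, SQL comment,
# command separator, LIKE wildcard.
BLACKLIST = ("'", "--", ";", "%")


def make_db():
    """Build an in-memory users_table like the one in the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users_table VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, username, password):
    """The slide's pattern: the application supplies the quotes and splices
    the raw parameters into the statement text. Whatever the user typed
    becomes part of the SQL grammar."""
    query = ("SELECT * FROM users_table"
             " WHERE username = '" + username + "'"
             " AND password = '" + password + "'")
    return conn.execute(query).fetchall()


def login_param(conn, username, password):
    """Hardened form: placeholders. The driver passes the values separately
    from the statement, so an apostrophe in the input is just a character
    in a string compared against the password column."""
    query = "SELECT * FROM users_table WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def contains_blacklisted(value):
    """The 'check content' idea from the slide. It blocks the payload shown,
    but also rejects legitimate input (a surname with an apostrophe) and
    leaves the root cause, building SQL from strings, untouched."""
    return any(token in value for token in BLACKLIST)


def login_checks_rows(rows):
    """The slide's weak success test: 'more than 0 rows means logged in'."""
    return len(rows) > 0


if __name__ == "__main__":
    conn = make_db()
    payload = "Aa' OR '' = '"          # the password from the slide
    print("concat, valid creds :", len(login_concat(conn, "alice", "s3cret")))
    print("concat, payload     :", len(login_concat(conn, "anyname", payload)))
    print("param, payload      :", len(login_param(conn, "anyname", payload)))
    print("param, valid creds  :", len(login_param(conn, "alice", "s3cret")))
    print("blacklist hits O'Brien:", contains_blacklisted("O'Brien"))
```

Running it shows the concatenated query returning both stored rows for the slide's payload (so the rows > 0 check admits the attacker), while the parameterized query returns none and still returns exactly one row for correct credentials. The blacklist catches the payload but also flags a harmless value such as O'Brien, which is the whitelist/blacklist dilemma the slide ends on; placeholders sidestep the question entirely.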