An investigation into the security features of Oracle 10g R2 Enterprise Edition

1. An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden

2. Database security • Aaron Newman views database security as composed of multiple layers of protection to reduce the risk of intrusion just like in a medieval castle. • This poses a great challenge for the intruder thus giving the DBA time to take appropriate actions against these malicious users. • Each layer is specially designed to give the highest defence against intrusion

3. Background of project • The trigger to my project was the white paper released by Litchfield D in which he describes precisely cursor snarfing, a new security flaw he recently discovered on Oracle databases. • He published another whitepaper called “Which database is more secure? Oracle vs. Microsoft SQL Server” in which he reveals the alarming security flaws in Oracle. • Meanwhile Oracle claims that this flaw is trivial and rare, it requires some impractical special cases for it to be happen.

4. Background cont… • Firewalls can no longer protect databases from all intrusion because modern database threats are higher than firewalls on the OSI model • Attackers have found a way of by passing the firewalls by using specific search strings in search engines that lead them straight to the database.

5. The OSI model

6. The approach by Oracle • Oracle uses the four major methods for their database security. These are authentication, roles and privileges, auditing and finally data integrity. • These form the desired layered security structure, first a user is authenticated, then he is authorised to perform some actions which are then monitored by auditing. • Finally, data is protected and accessible to only the authorised by data integrity.

7. Authentication • Verifying that users are who they claim to be, these may be a person using a computer, a computer itself or a program on a computer. • Oracle allows 4 login trials before the database is blocked and also allows a password to be used only for three months to combat authentication breaches. • The database is locked for 30 days or only unlocked by the DBA after a day if more than 4 attempts are exceeded. • Oracle claims to have a safe password management and also enables users to make very strong passwords. In addition Oracle does not allow a user to use the same password consecutively.

8. Critics of Oracle • Paul Wright published a whitepaper that describes how a hacker can manage to perform a brute force attack on the login of the Oracle database despite Oracle’s claim of a login block • Mark Burnett talks about the effects of login block as a way to avoid combating brute force attacks. • An intruder can cause DOS, harvest usernames from site, cause a diversion by flooding the help desk with support calls and disable an account by continually locking it. • Account lockouts is ineffective against slow attacks, attacks that try one password against a large list, first time correct guesses, DBA accounts.

9. Roles and Privileges. • Oracle offers different privileges to different users • These are rights to execute particular SQL statements e.g. creating tables, executing stored procedures. • To provide easy privilege management and control, privileges can be bundled together into a role ( a group of privileges assigned to a group of users or a single user. • Roles make it easy to monitor and make alterations to privileges granted to a group of users for security reasons. • Roles also allow some privileges to be password protected which narrows down the search criteria in case of a breach. • Roles can be assigned to other roles and then finally to users.

10. Auditing • This is the monitoring and recording of database user actions. • Audits can be triggered when specified elements in an Oracle database are accessed or altered. • Auditing keeps record of both failed and successful attempts on the server. • One disadvantage in auditing is that there is no mechanism to prevent the DBA from tempering with the audit output in the case of an attacker gaining SYS privileges.

11. Data Integrity • This is an act of ensuring that data is complete and identically maintained during an operation such as transfer, storage or retrieval. • Oracle encrypts data by a process called Transparent Data Encryption which restricts data retrieval by unauthorised users. • The encryption and decryption of data is handled by the database instead of users and applications, even the DBA has no access to data. • This is the peak of Oracle’s layered security after firewalls, authentication and authorisation. • It can be implemented using simple and easy SQL commands.

12. Oracle’s Software Security Assurance • A strong guide against security flaws must be taken since this has the ability of letting intruders by pass even the toughest security measure. • A secure system does not only offer security features but also prevents security flaws. • Oracle claims to have security assurance to prevents security flaws • Contrary to Oracle’s claims, David Litchfield in his whitepaper claims that Oracle does not keep record of problems encountered and they do not understand them. • The claim made by Litchfield is strengthened by the amount of patches that Oracle has advised DBA to install, this has an effect of adding complexity to the system.

13. Cont… Number of flaws Years

14. Summary • Database security is crucial to the safety of a user’s personal data which includes card numbers, bank details and medical details. • Firewalls on their own can not combat all the database security concerns. • Databases are safe if they are to remain isolated from any network. • Oracle offers a layered security structure like that of a medieval castle. There is the outermost which uses the network firewalls, then followed by authentication and authorisation( roles and privileges), auditing and finally data encryption.

15. Questions and Answers