Overview 1) Introduction 2) DB Security Plan 3) Database Access Control 4) DBMS Security: Patching 5) DB Application: SQL injection, Inference Threats 6) Virtual Private Databases 7) Oracle Label Security 8) Inference Threats 9) Encryption 10) Auditing 11) Datawarehouse
1) Introduction - Motivation • “Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox “Effective Oracle Database 10g Security by Design”, McGraw Hill, 2004. ISBN 0-07-223130-0
1) Introduction - Scope • Database system security must worry about DB + … • Secure Database • Secure applications • Secure DBMS • Secure operating system in relation to database system • Secure web server in relation to database system • Secure network environment in relation to database system
 Knox, David (2004), Effective Oracle Database10g Security by Design, McGraw-Hill. ISBN 0-07-223130-0 •  Afyouni, Hassan A. (2006), Database Security and Auditing, Thompson Course Technology, 0-619-21559-4. •  Litchfield, “The Database Hacker’s Handbook: Defending Database Servers”, http://www.amazon.com/gp/reader/0764578014/ref=sib_dp_pop_toc?ie=UTF8&p=S00C# •  Marlene Theriault & William Heney , http://oreilly.com/catalog/orasec/chapter/ch07.html Oracle Security. •  Charles P. Pfleeger, Shari Lawrence Pfleeger, Security in Computing, Prentice Hall, ISBN-10: 0132390779, October 2006. 4th ed. •  Michael Howard , David LeBlanc, Writing Secure Code, Microsoft Press, 2nd edition, 2003, 2nd edition, ISBN n. 0-7356-1722-8. •  Natan, Ron Ben (2005), Implementing Database Security and Auditing, Elsevier Digital Press, 1-5558-334-2, 2005. •  Finnigan, Pete. Oracle Security Step-by-Step, SANS Press, v. 2, 2004. • Note these are the references from the previous slide • You may also go to http://adbc.kennesaw.edu (Database Courseware) and select the Security Module 1) DB security books
1) Introduction – Product Specific Books • Oracle Advanced Security (previously Advanced Network Option), contains network encryption tools. Depending on the version of Oracle, it is available for no extra cost. It is for the enterprise edition. • Best literature for OAS is Oracle Security Handbook by Marlene Theriault and Aaron Newman, McGraw-Hill.
2) DB Security Plan http://www.oreilly.com/catalog/orasec/chapter/ch07.html
2) DB Security Plan Which is the most complex program/form to implement? If a data type is changed in the Customers table, what programs/forms may need modification? The Orders form accesses how many tables? The Employees table is accessed by how many programs/forms?
2) DB Security Plan • DAC Versus MAC • Access Matrix Model: Harrison-Ruzzo-Ullman • Authorized state: Q = (S, O, A) • Conditions (dependent) • Data • Time • Context • History Subjects Objects
2) DB Security Plan - Document User Administration • Part of the administration process • Reasons to document: • Provide a paper trail • Ensure administration consistency • What to document: • Administration policies, staff and management • Security procedures • Procedure implementation scripts or programs • Predefined roles description
3) DB Access Control • Default Users and Passwords • Users, Passwords • Default users/passwords • sys, system accounts – privileged, change default password • Sa (MS-SQL Server) • scott account – well-known account/password, change it • general password policies (length, domain, changing, protection) • People Having too many privileges • Privileges, Roles, Grant/Revoke • Privileges • System - actions • Objects – data • Roles (pre-defined and user-defined role) • Collections of system privileges (example: DBA role) • Grant / Revoke • Giving (removing ) privileges or roles to (from) users
3) DB Access Control - Default Passwords • Easiest way to log into an Oracle database is to use a default account with a known password [Finnigin] • http://www.petefinnigan.com/default/default_password_checker.htm • This site has scripts that will identify all default users and lets you know if they still have their default passwords. You may download these scripts.
3) DB Access Control - Password Cracking • At http://www.toolcrypt.org/index.html there are tools that you can download to crack the passwords. You need to verify this against the DB, because you can be sure that the hacker has these tools.
3) DB Access Control - Find all Privileges • http://www.petefinnigan.com/find_all_privs.sql • Script to find which privileges have been granted to a particular user. This scripts lists ROLES, SYSTEM privileges and object privileges granted to a user. If a ROLE is found -- then it is checked recursively. • Output can be directed to the screen or to a file.
3) DB Access Control - How are privileges granted • DBMS like Oracle has pre-defined roles (ex: DBA) • You may also have user defined roles Example 1) Create Role AcctDept; 2) Grant Select, Update on Orders to AcctDept; 3) Grant AcctDept to Smith, Jones; 4) Grant DBA to Smith; Grant all privileges on Orders to Smith; Grant select on Orders to Public; Revoke delete on Orders from smith;
3) DB Access Control - Disable Account CREATE USER smith identified by s9 default tablespace users; ALTER USER scott ACCOUNT LOCK -- lock a user account ALTER USER scott ACCOUNT UNLOCK; ALTER USER scott PASSWORD EXPIRE; -- Force new pwd
3) DB Access Control - Launch OEM • Choose stand-alone for personal Oracle and login to oracle using a dba user/password
3) DB Access Control - Connect to a Database • On the left side of the screen, double click Network and then Databases to connect to the database you want o manage.
3) DB Access Control - Maintain User Accounts • Once you login, you may create users, roles and profiles as well as granting privileges to them through a GUI interface.
3) DB Access Control - Profiles • PROFILE clause: indicates the profile used for limiting database resources and enforcing password policies. Example: • CREATE PROFILE app_user LIMIT SESSIONS_PER_USER UNLIMITED CPU_PER_SESSION UNLIMITED CPU_PER_CALL 3000 CONNECT_TIME 45 LOGICAL_READS_PER_SESSION DEFAULT LOGICAL_READS_PER_CALL 1000 PRIVATE_SGA 15K COMPOSITE_LIMIT 5000000; • CREATE USER sidney IDENTIFIED BY out_standing1 DEFAULT TABLESPACE demo QUOTA 10M ON demo TEMPORARY TABLESPACE temp QUOTA 5M ON system PROFILE app_user PASSWORD EXPIRE;
3) DB Access Control - Security MS-Access • Two methods for securing a database: • set password to open a database (system security); • user-level security, to limit the parts of the database that a user can read or update (data security).
3) DB Access Control - System Level Security (cont.) User is prompted every time he/she opens the DB DBA Sets password
4) SECURE THE DBMS (Patch) • Possible Holes in DBMS • http://technet.oracle.com/deploy/security/alerts.htm (50+ listed) • Buffer overflow problems in DBMS code • Miscellaneous attacks (Denial of Service, source code disclosure of JSPs, others) • Need for continual patching of DBMS • Cost of not patching • Worms, virus, etc. SQL slammer worm
5) DB Applications • “75 percent of hacks happen at the application” – Gartner “Security at the Application Level”. • “The main battlefield between hackers and security professionals have moved from the network layer to the web applications” Eric Marvets, “Microsoft Security Summit”, April 13, 2006, Atlanta, Georgia
5) DB Applications - SQL Injection • Web Application where 1) User inputs text into a textbox 2) Text used to build SQL Query dynamically 3) Malicious input changes the nature of the query Example: user inputs names into textbox Name: Benjamin Franklin ' OR 1=1; SqlStr = “SELECT * FROM EMPLOYEE WHERE EMPLOYEE.Name = ” + userInput SqlStr = SELECT * FROM EMPLOYEE WHERE EMPLOYEE.Name = 'Benjamin Franklin' OR 1 = 1; • Result: every row of the EMPLOYEE table will be returned
SQL Injection - Solution • Similar to Buffer overflow: validate user input.
6) Virtual Private Databases • May be implemented through Views in most Database Management Systems (DBMS) • In Oracle, you may create a policy that will be fired when an operation (Insert, Update, etc.) is performed by a certain user on a certain object.
http://bgoug.org/seminar-Velingrad-oct-2005/Presentations/Presentation_OLS.ppthttp://bgoug.org/seminar-Velingrad-oct-2005/Presentations/Presentation_OLS.ppt Virtual Private Database Technology Virtual Private Database Technology • Data access via Virtual Private Database will perform the following five steps: • User sends SQL to the database server. • The associated table triggers a pre-defined security policy. • The security policy returns a predicate. • The SQL statement is modified according to the security policy. • Secured data returns to user. • Data access via Virtual Private Database will perform the following five steps: • User sends SQL to the database server. • The associated table triggers a pre-defined security policy. • The security policy returns a predicate. • The SQL statement is modified according to the security policy. • Secured data returns to user.
6) VPD - Grant Execute on DBMS_RLS • CONNECT TO ORACLE AS SYSDBA SQL> connect sys as sysdba Enter password: ****** Connected. SYSDBA creates a user called SECMAN (Security manager) SQL> create user secman identified by s default tablespace users; SYSDBA GRANTS EXECUTE ON DBMS_RLS TO SECMAN so this user can create the VPD SQL> grant dba to secman; SQL> grant execute on dbms_rls to secman; CONNECT AS SECMAN SQL> connect secman/s;
VPD - Definition Ex.: SELECT * FROM Emp; -- becomes SELECT * FROM Emp where Emp.Name = User;
http://bgoug.org/seminar-Velingrad-oct-2005/Presentations/Presentation_OLS.ppthttp://bgoug.org/seminar-Velingrad-oct-2005/Presentations/Presentation_OLS.ppt Virtual Private Database Technology A VPD security model uses the Oracle dbms_rls package (RLS stands for row-level security) to implement the security policies and application contexts. This requires a policy that is defined to control access to tables and rows
6) VPD – Update Example Connecting Policy, Table and Function UPDATE mn668b14.Employees set ext = 777; 1 row updated.
6) VPD - Security Policy -- create security policy BEGIN DBMS_RLS.drop_policy (object_schema => 'MN668B14', object_name => ' EmployeeUpdateOrderView', policy_name => 'EMP_UPDATE_ORDERS_POLICY'); END; BEGIN dbms_rls.add_policy ( object_schema => 'MN668B14', object_name => ' EmployeeUpdateOrderView ', policy_name => 'EMP_ORDERS_UPDATE__POLICY’, function_schema => 'MN668B14', policy_function => 'EMPUSER_ONLY', statement_types => 'SELECT,UPDATE,INSERT,DELETE', update_check => TRUE ); END;
6) VPD - Summary • VPD security provides a new way to control access to Oracle data. • One Schema, several virtual schemas. • Dynamic nature of a VPD. At runtime, DBMS modifies SQL statement to add security. Burleson, Donald (2003), "Establish security policy with Oracle virtual private database", http://www.dba-oracle.com/art_builder_vpd.htm
7) Oracle Label Security (OLS) • simulates multilevel db. • Adds a field for each row to store the row’s sensitive label. • Access is granted (or denied) comparing user’s identity and security clearance label with row’s sensitive label.
7) OLS and Multilevel Security • Information has different classifications • Users have different security clearances • Purpose: separate data based on its classification • Mandatory Access Control (MAC): security enforced by system and not by the user. • Polyinstantiation: multiple rows with same PK. Instances distinguished by security level.
7) Problem with Multilevel Security • It is really multiple instantiations of single-level DBMS, which strongly degrades performance. • Examples: Trusted Oracle, DB2 for z/OS, Informix OnLine/Secure, Sybase secure system
7) Oracle Label Security: • simulates multilevel db. • Adds a field for each row to store the row’s sensitive label. • Access is granted (or denied) comparing user’s identity and security clearance label with row’s sensitive label. • Label contains LEVEL, GROUP and COMPARTMENT
7) OLS & VPD • Like VPD, OLS creates Policies • A policy is a name that associates labels, rules, and authorizations. • DBA defines a set of labels for data and users, along with authorizations for users and program units, that defines all access to objects.
7) OLS LABEL has 3 Components • level : mandatory, simple hierarchy • compartment optional, non-hierarchical • group optional, tree level hierarchy • OLS compares the user security clearance with the sensitivity label assigned to the data. • IF a label contains all 3 components, THEN the security clearance of the user >= the data sensitivity level, contain all compartments and at least one group.
7) OLS - More on 3 components • label has 3 components: • a single level (sensitivity) ranking • zero or more horizontal compartments • zero or more hierarchical groups
7) OLS – Column added • When an Oracle Label Security policy, a column is added to the table that is protected by the policy. This policy label column contains the label information for each data row. • DBA can choose to display or hide this column