
Need

- Security curriculum is relatively light in the database systems area
- Focus is currently on protecting information through network
  configuration, systems administration and application security
- Need to specifically consider database system security issues
- What is most valuable: the data, the systems, or the network?

Goals

- Understand security issues in a general database system environment
- Consider database security issues in the context of general security
  principles and ideas
- Focus on Oracle as a common DBMS, but realize there are similar issues
  for other DBMSs

Database system security is more than securing the database

- Secure database
- Secure DBMS
- Secure applications
- Secure operating system (in relation to the database system)
- Secure web server (in relation to the database system)
- Secure network environment (in relation to the database system)

Traditional database security topics and issues

Users and Passwords

- Default users/passwords
  - Oracle: SYS and SYSTEM are privileged accounts shipped with well-known
    default passwords
  - Oracle: SCOTT is a well-known demo account with a well-known password
    (scott/tiger); like every account it belongs to PUBLIC, e.g. PUBLIC can
    query the ALL_USERS view and so enumerate every account in the database
- Need for general password policies (length, character set, change
  interval, protection, ...)
- Need for general account policies (who gets an account, what level of
  privilege, when it expires, ...)

Privileges and Roles

- Privileges
  - System privileges: rights to perform actions (e.g. CREATE SESSION,
    CREATE TABLE, DROP ANY TABLE, ...)
  - Object privileges: rights on particular data objects (e.g. SELECT,
    UPDATE or DELETE on a particular table)
- Roles
  - Named collections of privileges (system and object) and of other roles
  - Advantage: easier management
  - Disadvantage: tend to grant more privilege than needed
  - Commonly heard Oracle user request: "Just give me the DBA role to make
    it work and we'll figure out the exact privilege I need later."
- GRANT / REVOKE
  - Giving (removing) privileges or roles to (from) users
  - Problem: often done haphazardly
  - Need for continual management of privileges and roles
  - Need for policies on privilege/role management

Possible Holes in DBMS

- Oracle: (50+ listed)
  - Types of exploits
    - Buffer overflow problems in DBMS code
    - Miscellaneous attacks (Denial of Service, source code disclosure
      of JSPs, others)
- Similar information is available for DB2, SQL Server, PostgreSQL,
  MySQL, ...
- Oracle: UTL_FILE package in PL/SQL
  - allows read/write access to files in the directories listed in the
    utl_file_dir parameter in init.ora (setting it to * opens every
    directory the Oracle OS account can reach)
  - possible access to files outside those directories through symbolic
    links placed inside them
- Need for continual patching of the DBMS
  - Encourage awareness of DBMS vulnerability issues
  - Continuous vigilance is essential
  - Cost of not patching can be huge

SQL Slammer Worm (January 2003, Microsoft SQL Server 2000 / MSDE)

- fast propagation: max scan rate of about 55 million systems/second
- affected approximately 80,000 systems and significant segments of the
  Internet
- a single 376-byte UDP packet (to the SQL Server Resolution Service, UDP
  port 1434) that exploited a buffer overflow vulnerability
- patch had long been available (released about six months earlier)
- significant effects on business database servers: credit verification,
  phone systems, banks/ATMs

Use security features of the DBMS

- Oracle: Virtual Private Database (VPD)
  - Support for fine-grained data security: a policy function attaches a
    predicate to every query on a table, so e.g. multiple clients can keep
    data in the same schema without knowing the other data is there
- Oracle: Oracle Label Security
  - Built on VPD to achieve row-level security based on data labels and
    user clearances, controlled from the Policy Manager tool under
    Enterprise Manager

Implement auditing

- Good policy: develop a comprehensive audit system for database activity
  tracking
- DBMS tools, user-developed tools (e.g. using triggers)
- Oracle: audit records can be written to the OS as well as into the
  database (keeps the trail out of reach of database-level privileges),
  giving additional security and accountability for all working with
  databases

Access to the database system is often through applications

Example: SQL Injection Attack through a web front end

- Scenario: the software system tracks its own usernames and passwords in
  a database table
- The client application accepts a username and password and passes them
  on as parameters
- An SQL query is built dynamically, combining SQL text pieces in the
  server application with the client-supplied parameters
- The DBMS executes the query on the system's user table, checking for a
  valid user/password combination in this table
- The DBMS returns 0, 1 or more user/password rows to the application
- The application checks the result and allows or denies access
  accordingly

Application Java code contains the SQL statement:

    String query = "SELECT * FROM users_table " +
                   " WHERE username = " + "'" + username + "'" +
                   " AND password = "  + "'" + password + "'";

- SQL strings must be single quoted, hence the "'" pieces

- The application expects one (valid) row to be returned on success, no
  rows on failure
- Attacker enters an arbitrary username, anyname, but the special
  password:  Aa' OR ''='
- The dynamically constructed query becomes:

    SELECT * FROM users_table
    WHERE username = 'anyname'
    AND password = 'Aa' OR ''='';

- WHERE clause: F AND F OR T => (F AND F) OR T => F OR T => T, because AND
  binds tighter than OR
- All user rows are returned to the application
- If the application only checks for 0 vs. more than 0 rows, the attacker
  is in
- Need to check application input; generally not good to allow special
  characters in through client-side parameters. Better still, pass the
  parameters as bind variables (PreparedStatement) so the input can never
  be parsed as SQL
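The attack walked through above, as an added example rather than code from the original slides: the same query construction as the Java snippet, run in Python against an in-memory SQLite table with constructed sample users, beside the parameterized version that defeats it. The table and column names follow the slide; the user data and the helper names are assumptions for the example.

```python
"""Login check from the slides, reproduced against an in-memory SQLite
database: string concatenation (vulnerable) beside bind parameters
(fixed). Added example; the sample users are constructed."""
import sqlite3

# Constructed sample data standing in for the application's own user
# table. Plaintext passwords mirror the scenario on the slide; a real
# system would store salted password hashes.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55")]


def make_db() -> sqlite3.Connection:
    """users_table with the constructed sample users loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users_table VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """Same construction as the Java snippet: SQL text glued to raw input."""
    return ("SELECT * FROM users_table WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Rows matched by the dynamically built query. Anything above 0
    counts as a successful login in the slide's application logic."""
    return len(conn.execute(build_vulnerable_query(username, password)).fetchall())


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Same check with bind parameters: the input is data, never SQL text,
    so quotes inside it cannot change the WHERE clause."""
    rows = conn.execute(
        "SELECT * FROM users_table WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return len(rows)


if __name__ == "__main__":
    db = make_db()
    payload = "Aa' OR ''='"          # the slide's special password
    print(build_vulnerable_query("anyname", payload))
    print("concatenated:  ", login_vulnerable(db, "anyname", payload), "rows")
    print("parameterized: ", login_safe(db, "anyname", payload), "rows")
```

Running the block prints the built query and shows the concatenated version matching every user for the payload Aa' OR ''=' while the bind-parameter version matches none. Rejecting quote characters at the input layer, as the slide suggests, helps but is fragile (numeric columns, comment sequences and encoding tricks get past a quote filter); bind variables remove the whole problem class, and the application should additionally compare against a stored password hash rather than a plaintext column.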

Application Security in the Enterprise Environment

Tactic: Use of Proxy Applications

- J2EE
- .NET
- Large number of interactions between the application environment and
  database systems
- Assume network filtering removes most problem traffic
- The application can then control fine-grained behavior and application
  protocol security

Security Patterns (from J2EE Design Patterns Applied)

- Single-Access Point Pattern: a single point of entry into the system
- Check Point Pattern: centralized enforcement of authorization when
  requesting resources
- Role Pattern: dissociation of users from privileges for easier
  management

Interaction of DBMS and OS

Oracle on Windows

- Secure administrative accounts
- Control registry access
- Need good account policies
- Others

Oracle on Linux/Unix

- Choose different account names than the standard suggestions
- Restrict use of the account that owns the Oracle software
- Secure the temporary directory
- Some Oracle binaries are SUID root
- Command-line SQL*Plus invoked with user/password as parameters: the
  credentials appear in ps output for every user on the host
- Others

Interaction of Oracle and Web Server

- Apache is now provided within Oracle as its application server, started
  by default
- Apache issues
  - Standard configuration has some potential problems
  - See the Oracle Security Handbook for more discussion
  - Ensure secure communication from web clients to the web server
  - Use MaxClients to limit possible connections and avoid Denial of
    Service attacks
  - Others

- Internet Information Server (IIS) issues
  - Integration with other MS products (e.g. Exchange Server)
  - Known vulnerabilities
  - Others

Web is often the front end / gateway to the DBMS

- The DBMS/database should be a black box to the user
- An attacker can force errors trying to gain information
- Which error message should be displayed when asking for an incorrectly
  named Java Server Page? (A generic one: not the stack trace, server
  version or file system path)

Interaction of DBMS and Network

- The DBMS server should be behind a firewall
  - Good to separate DB and web servers (mitigates losses if one is hacked)
  - DB server should be behind the firewall, web server usually in the DMZ
- Oracle: connections are normally initiated on the listener port 1521,
  but the listener may then redirect the client to a dynamically selected
  port, so managing port access through a firewall is made more difficult
- Anyone with Oracle client software who knows your host IP/name and
  database instance name (SID) can configure a client to connect to your
  database instance

Oracle Advanced Security (OAS) product

- Features for:
  - Authentication (e.g. Kerberos, RADIUS, PKI)
  - Integrity (checksums on network traffic)
  - Encryption (native network encryption or SSL)

Other Network Issues To Consider

- Possibility of hijacking a privileged user connection
- Various sniffing and spoofing issues (e.g. credentials or result sets
  read off an unencrypted SQL*Net session)

Database system security is more than securing the database

- Secure database
- Secure DBMS
- Secure applications
- Secure operating system
- Secure web server
- Secure network environment

General security principles apply in database system security

- Security is a process, not a product
- The security chain is only as strong as its weakest link
- The best security defense utilizes multiple layers
