Database security issues PETRA BILIĆ ALEXANDER SPARBER

Transcription

1 Database security issues PETRA BILIĆ ALEXANDER SPARBER

2 Introduction Database security is one aspect of computer security It uses different information security controls to protect databases Information security controls appropriate to databases: Access control Auditing Authentication Encryption Integrity controls Backups Application security

3 Database security threats: privilege abuse database platform vulnerabilities SQL injection weak audit trail denial of service weak authentication backup data exposure database communication protocol vulnerabilities SQL rootkits

4 Privilege Abuse Idea: Access Control Restrict users to minimum required SQL operations and data Define access control mechanisms for each user (ACL) Issues Excessive Privilege Abuse Legitimate Privilege Abuse Privilege Elevation

5 Excessive Privilege Abuse impossible to keep access control list up to date lack of time lack of information Result: Large groups of users are granted generic default access privileges that far exceed specific job requirements May be abused for malicious purpose.

6 Excessive Privilege Abuse ACL semantics are too limited select * from AdminUsers where username='john' and password='secret' vs select username, password from AdminUsers

7 Prevention: Query-Level Access Control Query-Level Access Control select * from AdminUsers where username =? and password =? Normal Usage select * from AdminUsers where username = john and password = smith Detected Abuse select username, password from AdminUsers select * from AdminUsers where username = john and password = idontknow or 1=1 Use automated tool

8 Legitimate Privilege Abuse abuse of legitimate database privileges for unauthorized purposes Copy large amount of information from database: to trade data for money to have easier access vulnerable to Trojans, laptop theft, etc.

9 Prevention: Context based Database Access augment access control with context of query Take into consideration usage attributes: Client location (IP address, GPS location) Client type (application) Additional identity attributes (Operating System, OS username) Time of day Take into consideration the consequence Size of result set Query-Level Access Control

10 Privilege Elevation database platform software vulnerabilities stored procedures, built-in functions, protocol implementations, and even SQL statements Get administrator access privileges find out password convert access privileges from those of an ordinary user Prevention: Use strong authentication Keep software up to date Use query-level access control

11 Inference When users are able to piece together information at one security level to determine a fact from a higher security level. No good solution: Polyinstantiation Live with inference Flight ID Cargo Hold Content s Classification 1254 A Boots Unclassified 1254 B Guns Unclassified 1254 C Atomic Bomb Top Secret 1254 D Butter Unclassified

12 SQL rootkit (database rootkit) Operating Systems and Databases are quite similar in the architecture. Both of them have: Users Processes Executables Symbolic Jobs Links

13 Rootkits are stealthy tools used by hackers to control operating systems Completely unknown to the user, a hacker may install a rootkit by exploiting a vulnerability or cracking a password The rootkit may then be used to hide processes, redirect application I/O, alter specific application programming interfaces or, simply, take over user operating system

14 To install a simple database rootkit is very easy task, and once it s installed it can be very difficult to uncover It can be used to capturing passwords, stealing data, tampering with user accounts, or performing similar nefarious activities A SQL Server rootkit can take many disguises, but in its simplest form it can be a function whose logic has been subtly altered to return different results

15 There are several ways to implement SQL rootkits: Modify the (database) object itself Change the execution path Change the SQL statement via VPD PL/SQL Native

16 Detecting rootkits Generate a baseline of the repository or get the baseline from the vendor Compare the repository against a baseline Check the results of the comparison Checksums must be calculated externally because the internal MD5-checksum could be tampered

17 SQL Standard language for relational database management systems It consist of two main parts: DML and DDL Differences in syntax Description ORACLE MS SQL Server String length LENGTH DATALENGTH

18 SQL injection SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application Very common and very popular attack because of his simplicity With SQL injection attacker is trying to insert his malicious SQL code into some database and force her to execute given command The average web application is attacked at least four times per month by SQL injection techniques.

19 Point of attack The attacker may input specifically crafted SQL commands with the intent of bypassing the login form barrier and seeing what lies behind it

20 SQL injection attack Two main steps: a) Discovering how the application handles bad inputs b) Start the real attack Asuming: SELECT field FROM table WHERE = $ ;

21 Discovering how the application handles bad inputs SELECT field FROM table WHERE = hacker@database.com ; If the attacker submit that there are 2 possibilities: 1. The application will first sanitize the input 2. The application will take the input from the attacker and immediately run it as part of the SQL

22 Start the real attack SELECT field FROM table WHERE field = something OR x = x ; Attacker could get prove that he is able to manipulate the query to his own ends.

23 SELECT field FROM table WHERE field = x AND is NULL; -- ; The purpose of this query was to use a proposed field name ( ) in the constructed query and find out if the SQL is valid or not If attacker get any kind of valid response like is not recognized it means that he guessed the name of the field correctly

24 SELECT , password, userid, name FROM table WHERE = x AND 1=(SELECT COUNT(*) FROM tabname); -- ; Purpose of this query is to find out is the name of the table is valid Includes a lot of guessing

25 SELECT , password, userid, name FROM users WHERE = x AND users. IS NULL; -- ; This query is executed in order to assure that table users is the table that is used in query This query only works for tables that are actually part of this query, not on any table that exists in database

26 Attacker can try find some users: SELECT , password, userid, name FROM users WHERE = x OR name LIKE %Bob% ; or drop entire table: SELECT , password, userid, name FROM users WHERE = x ; DROP TABLE users; -- ;

27 SQL injection prevention Access the database using an account with the least privileges necessary Install the database using an account with the least privileges necessary Ensure that data is valid Do a code review to check for the possibility of second-order attacks Use parameterised queries Use stored procedures Ensure that error messages give nothing away about the internal architecture of the application or the database

28