Secure Coding (PL/SQL)

Similar documents
Fixing Common Problems in Data Storage - A Review

Oracle Database Security

Oracle Security Auditing

Oracle Security Auditing

Hacking and Protecting Oracle DB. Slavik Markovich CTO, Sentrigo

Oracle PL/SQL Injection

Advanced SQL Injection in Oracle databases. Esteban Martínez Fayó

Oracle Security on Windows

Database security tutorial. Part I

An Oracle White Paper June Security and the Oracle Database Cloud Service

Oracle Database 11g: Advanced PL/SQL

Best Practices for Dynamic SQL

AUTOMATIC DETECTION OF VULNERABILITY IN WRAPPED PACKAGES IN ORACLE

1 Changes in this release

Oracle Database: SQL and PL/SQL Fundamentals

SQL Injection in web applications

Oracle Insurance Policy Administration

Database Programming with PL/SQL: Learning Objectives

Oracle Database: SQL and PL/SQL Fundamentals NEW

Oracle Database: Program with PL/SQL

Oracle Database 11g: Program with PL/SQL

Password Management. Password Management Guide HMS 9700

An Oracle White Paper June Migrating Applications and Databases with Oracle Database 12c

An Introduction to SQL Injection Attacks for Oracle Developers. January 2004 INTEGRIGY. Mission Critical Applications Mission Critical Security

Agenda. SQL Injection Impact in the Real World Attack Scenario (1) CHAPTER 8 SQL Injection

NEW AND IMPROVED: HACKING ORACLE FROM WEB. Sumit sid Siddharth 7Safe Limited UK

Creating PL/SQL Blocks. Copyright 2007, Oracle. All rights reserved.

SB 1386 / AB 1298 California State Senate Bill 1386 / Assembly Bill 1298

How to Make Your Oracle APEX Application Secure

Migrating Non-Oracle Databases and their Applications to Oracle Database 12c O R A C L E W H I T E P A P E R D E C E M B E R

Oracle Database: Program with PL/SQL

Sentrigo Hedgehog Enterprise Review

Oracle Database: Program with PL/SQL

Oracle Database: Program with PL/SQL

Oracle Database: SQL and PL/SQL Fundamentals

Circumvent Oracle s Database Encryption and Reverse Engineering of Oracle Key Management Algorithms. Alexander Kornbrust 28-July-2005

Duration Vendor Audience 5 Days Oracle Developers, Technical Consultants, Database Administrators and System Analysts

Security Analysis. Spoofing Oracle Session Information

Webapps Vulnerability Report

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

An Oracle White Paper August Oracle Database Auditing: Performance Guidelines

Oracle SQL Developer for Database Developers. An Oracle White Paper June 2007

Oracle Whitepaper April Security and the Oracle Database Cloud Service

Penetration Testing: Advanced Oracle Exploitation Page 1

An Oracle White Paper July Introducing the Oracle Home User in Oracle Database 12c for Microsoft Windows

Oracle Database Security

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

An Oracle White Paper May Oracle Database Cloud Service

Real Life Database Security Mistakes. Stephen Kost Integrigy Corporation Session #715

Hacking Database for Owning your Data

WHITE PAPER. An Introduction to SQL Injection Attacks for Oracle Developers

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Developing SQL and PL/SQL with JDeveloper

DOCUMENTATION MySQL BACKUP & RESTORE OPERATIONS

Achieving Security Compliancy and Database Transparency Using Database Activity Monitoring Systems

Database Server Migration Guide

Oracle Security Tools

Best Practices for Oracle Databases Hardening Oracle /

An Oracle White Paper January Oracle Database Firewall

DOCUMENTATION MICROSOFT SQL BACKUP & RESTORE OPERATIONS

Mitigating Risks and Monitoring Activity for Database Security

Oracle Database: Program with PL/SQL

Installing the IPSecuritas IPSec Client

DOCUMENTATION SYSTEM STATE BACKUP & RESTORE OPERATIONS

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Oracle Database: SQL and PL/SQL Fundamentals NEW

Oracle Health Sciences Network. 1 Introduction. 1.1 General Security Principles

DOCUMENTATION FILE BACKUP

White Paper. Blindfolded SQL Injection

How To Load Data Into An Org Database Cloud Service - Multitenant Edition

HOW TO MAKE YOUR ORACLE APEX APPLICATION SECURE Peter Lorenzen, WM-data a LogicaCMG company

Certified Penetration. Testing Consultant (CPTC)

Top 10 Oracle SQL Developer Tips and Tricks

ODTUG - SQL Injection Crash Course for Oracle Developers

Oracle Database 10g: Program with PL/SQL

Introduction to PL/SQL Programming

Oracle Fusion Middleware

Microsoft Dynamics GP. SmartList Builder User s Guide With Excel Report Builder

Oracle 11g Security. Summary of new features (1) Agenda. Summary of new features (3) Summary of new features (2) Introduction - commercial slide.

Security Vulnerability Notice

Dell Statistica. Statistica Document Management System (SDMS) Requirements

Database System Security. Paul J. Wagner UMSSIA 2008

An Oracle White Paper January Oracle Database Firewall

CHAPTER 5 INTELLIGENT TECHNIQUES TO PREVENT SQL INJECTION ATTACKS

Backing up and restoring HP Systems Insight Manager 6.0 or greater data files in a Windows environment

Hacking databases for owning your data. Cesar Cerrudo Esteban Martinez Fayo Argeniss (

How I hacked PacketStorm ( )

SQL Injection 2.0: Bigger, Badder, Faster and More Dangerous Than Ever. Dana Tamir, Product Marketing Manager, Imperva

4. Identify the security measures provided by Microsoft Office Access. 5. Identify the methods for securing a DBMS on the Web.

Serious Threat. Targets for Attack. Characterization of Attack. SQL Injection 4/9/2010 COMP On August 17, 2009, the United States Justice

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

SQL Injection. Slides thanks to Prof. Shmatikov at UT Austin

Advanced SQL Injection

How To Secure An Rsa Authentication Agent

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

SQL INJECTION ATTACKS By Zelinski Radu, Technical University of Moldova

Transcription:

Secure Coding (PL/SQL) Securely coding Applications in PL/SQL 1

Legal Notice Oracle Database Security Presentation Published by PeteFinnigan.com Limited 9 Beech Grove Acomb York England, YO26 5LD Copyright 2012 by PeteFinnigan.com i Limitedit No part of this publication may be stored in a retrieval system, reproduced or transmitted in any form by any means, electronic, mechanical, photocopying, scanning, recording, or otherwise except as permitted by local statutory law, without the prior written permission of the publisher. In particular this material may not be used to provide training or presentations of any type or method. This material may not be translated into any other language or used in any translated form to provide training or presentations. Requests for permission should be addressed to the above registered address of PeteFinnigan.com Limited in writing. Limit of Liability / Disclaimer of warranty. This information contained in this material is distributed on an as-is basis without warranty. Whilst every precaution has been taken in the preparation of this material, neither the author nor the publisher shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the instructions or guidance contained within this course. TradeMarks. Many of the designations used by manufacturers and resellers to distinguish their products are claimed as trademarks. Linux is a trademark of Linus Torvalds, Oracle is a trademark of Oracle Corporation. All other trademarks are the property of their respective owners. All other product names or services identified throughout the material are used in an editorial fashion only and for the benefit of such companies with no intention of infringement of the trademark. No such use, or the use of any trade name, is intended to convey endorsement or other affiliation with this material. 2

Agenda History Common attacks on PL/SQL Example Hack! keep in real Secure coding in PL/SQL Protecting PL/SQL Adding license features in PL/SQL 3

The Problem Space Secure coding in PLSQL Manifested in insecure existing code Insecure continuing i development practices Often code can provide an easy access to attackers Either remotely (via web or forms based applications) Or locally via database users exploiting poor code Coding Security features in PL/SQL Problem squared (problem*problem) If you code security features (VPD, OLS, Encryption, Password Functions, Application security...) you must secure this code Secure coding Plus security controls Code protection, stop theft, running, reading 4

History http://www.oracle.com/us/support/assurance /coding/index.html Oracles alerts and CPU s have been littered with PL/SQL bugs Oracle started to fix their bugs Oracle test their code (Fuzz, static analysis, manual audit) Oracle train their developers in secure coding http://www.petefinnigan.com/weblog/archives/00001153. htm DBMS_ASSERT used extensively plus binds for dynamic code with database objects (not objects but tables etc) 5

What About Customer Code? Oracle have fixed hundreds (more?) PL/SQL bugs They have training, tools, testing, standards and more BUT usually we have not! We are 10 years behind Oracle in PL/SQL secure coding Most likely We have simple security bugs not found in Oracle code now We use dangerous interfaces We don t check/audit/test our code for security issues We create open DML/DDL/SQL interfaces Not good! 6

Common Problems (1) Injection is the most famous (SQL, PL/SQL, Javascript..) Not a web phenomenon as some think Just as easy in SQL*Plus, in fact easier I wrote the first papers in 2003 (http://www.petefinnigan.com/orasec.htm) Three main modes, in-band, out of band, inference Order of attack, first, second, third, more... Possible because of concatenation Input from parameters, database, even session Inject SQL, DDL, functions, cursor injection, snarfing 7

Common Problems (2) We write code that accesses the filesystem We write code that accesses the networking We use dangerous packages jobs, scheduler... We integrate with C or java We leak data Passwords hard coded ALTER USER...IDENTIFIED BY... Networking Encryption keys 8

Common Problems (3) PL/SQL must also be protected (theft, running, reading) Privileges must be controlled Access to the schema means all bets off Package could be intercepted and parameters stolen Definer rights code is dangerous as it runs as the owner Invoker rights is not totally safe Test access rights with my scripts; who_can.. who_has.. 9

Demo Show creditcard Show decryption function Show cannot be accessed by orauser, describe Desc orablog.cust Exec cust( Finnigan) Exec cust( ) Exec cust( x union select username from all_users-- ) Exec cust( x cust(x union select name_on_card ccdec(pan) from orablog.creditcard-- ) We can exec a function not allowed and also read data not allowed any access point in a schema can be used to read any data in that schema This example is different to normal exploits that grant dba to... 10

Finding Security Issues - sink create or replace procedure cust(pv_name in varchar2) is lv_stmt varchar2(2000); type c_ref is ref cursor; c c_ref; name creditcard.name_on_card%type; Begin lv_stmt:='select name_on_card from creditcard ' end; 'where last_name = ''' pv_name ''''; open c for lv_stmt; loop fetch c into name; if(c%notfound) then exit; end if; dbms_output.put_line('name:=[' name ']'); end loop; close c; / Sink 11

Finding Security Issues - Source create or replace procedure cust(pv_name in varchar2) is lv_stmt varchar2(2000); type c_ref is ref cursor; c c_ref; name creditcard.name_on_card%type; Begin lv_stmt:='select name_on_card from creditcard ' end; 'where last_name = ''' pv_name ''''; open c for lv_stmt; loop fetch c into name; if(c%notfound) then exit; end if; dbms_output.put_line('name:=[' name ']'); end loop; close c; / Source 12

Finding Security Issues - Problem create or replace procedure cust(pv_name in varchar2) is lv_stmt varchar2(2000); type c_ref is ref cursor; c c_ref; name creditcard.name_on_card%type; Begin lv_stmt:='select name_on_card from creditcard ' end; 'where last_name = ''' pv_name ''''; open c for lv_stmt; loop fetch c into name; if(c%notfound) then exit; end if; dbms_output.put_line('name:=[' name ']'); end loop; close c; / Problem, need to follow data from source to sink plus check for filters, assignments and more; plus the problem ( ) is in the string assignment not the sink 13

Wider Issue The source is a wider issue as we need to understand who can execute the code who_can_access.sql We need to know which packages/views etc use the vulnerable code dep.sql + who_can_access.sql The bigger issue is definer rights code select authid from dba_procedures; Definer rights code means we can exploit any other code in that schema (i.e. Run it) and access any data in that schema 14

Reviewing Code We can use new_code_a.sql to find sinks Execute immediate Dbms_sql Dbms_sys_sql Open for We can use new_code.sql to find problems strings, concat(), etc SQL>@new_code Can limit to a single schema Focus on definer rights code 15

Reviewing Code (2) There are other sources besides parameters!!! For instance SQL Does not show private func/proc Find sources start with same packages/schema SQL> select object_name,package_name,argument_name from dba_arguments 2 where data_type='varchar2' and owner='orablog'; OBJECT_NAME PACKAGE_NAME ARGUMENT_NAME ------------------------------ ------------------------------ ------------------- DECRYPT ORABLOG_CRYPTO ENCRYPT ORABLOG_CRYPTO CC MONTHNAME DAYNAME CUST PV NAME _ CHAR_LENGTH IN_CHAR CCEN CC CCDEC 8 rows selected. SQL> 16

Reviewing Code (3) Tainted data! The hard part is mapping sources in packages/procedures/functions to concatenated strings and dthen sink points Data has to be flowed from entrance to variable to variable to concat statement to sink Further analysis is then needed when a vulnerable source is found Who can access that package/procedure/function Who can change the table sourced data Who can change the Session sourced data Proper flow analysis is needed Fortify et-al are options 17

Secure Coding Practice Identify vulnerable code see above! Fix all occurrences not just those located Define secure coding standards Oracle, Feuerstein, O Reilly Train your developers in your standards Don t use, concat(), do use dbms_assert, filter (white list not black list) Use bind variables where possible Manually check code code review Simple SQL like my new_code.sql and new_code_a.sql 18

Secure Coding Cont d Professional tools expensive Fuzzing dangerous - http://www.slaviks-blog.com/wpcontent/uploads/2009/01/fuzzor.sql Don t use dangerous packages Don t access the OS, network Don t hard code data such as passwords and keys Ensure that access is limited to the code source Ensure run time access is limited A whole schema must be secure otherwise its not secure 19

Protecting PL/SQL There are two issues to solve: Stopping understanding of IPR or theft of IPR Stopping code being stolen and run elsewhere The problem with database code is anyone can read it The problem with database code is that anyone can steal it and try and run it elsewhere Solutions therefore should stop: Reading Theft and/or un-authorised running Implies Solution to remove meaning minimal solutions available Licensing type features none available 20

Should protect our code? Oracles Wrap 10g > We can use wrap.exe It can be unwrapped - http://www.codecrete.net/unwrapit 21

Oracle Wrap pre 10g SQL> @unwrap_c unwrap_c: Release 1.4.0.0.0 - Production on Wed Oct 10 09:01:35 2012 Copyright (c) 2004-2012 PeteFinnigan.com Limited. All rights reserved. NAME OF OBJECT TO CHECK [P1]: TEST_PROC1 OWNER OF OBJECT TO CHECK [SYS]: TYPE OF THE OBJECT [PROCEDURE]: OUTPUT METHOD Screen/File [S]: FILE NAME FOR OUTPUT [priv.lst]: OUTPUT DIRECTORY [DIRECTORY or file (/tmp)]: create or replace procedure TEST_PROC1( PV_NUM in NUMBER, PV_VAR in VARCHAR2, PV_VAR3 in out INTEGER) is L_NUM NUMBER:=3; L_VAR NUMBER; J NUMBER:=1; LV VARCHAR2(32767); procedure NESTED( PV_LEN in out NUMBER) is X NUMBER; begin 22

Oracle Wrap 10g and higher wrap is not good, algorithm is weak Unix compress, base64 and look up Oracle9i wrap is harder to unwrap https://www.blackhat.com/presentations/bh-usa-06/bh- US-06-Finnigan.pdf Unwrappers are available rewrap unwrap10 softdream online sites http://sourceforge.net/projects/plsqlunwrapper/ Plus many private ones but,mostly 10g are available not 9i 23

Protect IPR So what can we do? Wrap code Obfuscate code Add license type features Add tamperproofing Add watermarks or birthmarks We can have code check itself! More? 24

Obfuscation Obfuscate the PL/SQL code PFCLObfuscate (http://www.pfclobfuscate.com/2012/04/welcome-to- t /2012/04/ l t pfclobfuscate/) compact, character sets, length, comment removal, controls, string obfuscation, scripting, code insert, hide packages, much more features... http://krisrice.blogspot.co.uk/2012/02/sql-developer-31-and- obfuscation.html - SQL Developer - simple variable obfuscation, base64 binary values, long Semantic Designs PL/SQL obfuscator, obfuscates variables, compact, comment removal - http://www.semdesigns.com/products/obfuscators/plsqlobfus cationexample.html 25

Stop Theft License features Limit how code will run Tamperproofing Detect if code has been modified Checksum Skype as an example Watermarking Uniquely identify all releases to detect who lost the code! 26

License Features License features could have many forms No one is doing this except me? Types Time/ date based Place DBID, DBNAME, Network adaptor, Server, hardware, number of CPU s... Person based Context based where in code, Privilege based/enabled Combinations of course i.e. Run on Tuesday between 6 and 8 pm when user is FRED and role BLOB is enabled and DB is PROD and... 27

Tamperproofing We can use many techniques Checksums simplest; test canary values Code can checksum itself / cross check Stack based checks code runs in right place -- test rules here to ensure this is called from sqlexec code owa_util.who_called_me(lv_owner,lv_name,lv_lineno,lv_caller_t); dbms_output.put_line('owner [' lv_owner ']'); dbms_output.put_line(name line('name [' lv [ lv_name name ']'); dbms_output.put_line('lineno [' lv_lineno ']'); dbms_output.put_line('caller_t [' lv_caller_t ']'); if(lv_owner='xxexec' and lv_name='read' and lv_lineno=5 and lv_caller_t='procedure') then dbms_session.set_role('secapp'); else raise_application_error(-20001, 'You are not authorised to connect.'); end if; 28

Security Solutions Implemented in PL/SQL The ultimate issue If a security solution is in PL/SQL Password function VPD predicate function FGA handler function Encryption... We must use the techniques described Protect IPR, Tamperproof, Control permissions Protect Source code 29

Finally My Own Research Using unwrapping for good not bad Take your PL/SQL Add license code (currently manual auto soon) Add tamper code Obfuscate to hide meaning Wrap with 9i undoc param allows new SQL code, newer PL/SQL has to be dynamic or not protected Stops unwrappers working Most secure PL/SQL? I think so Risk: Support / optimisations? use carefully? 30

Conclusions PL/SQL can be exploited Learn to code securely Audit your own PL/SQL for weaknesses Protect your IPR Stop theft with license ideas Gather it all up in security features in PL/SQL 31

Questions? Any Final Questions? 32

Secure Coding (PL/SQL) Securely coding Applications in PL/SQL 33

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information