Post on 23-Dec-2015
DATABASE SECURITY
Dec 13th CS555 presentation 1
Yiwen Wang
--“Securing the DB may be the single biggest action an organization can take to protect its assets”
David C. Knox
Database Security
Database Security - protection from malicious attempts to steal (view) or modify data.
Importance of Data
- Bank accounts
- Credit card, salary, income tax data
- University admissions, marks/grades
- Land records, licenses
- Data = crown jewels for organizations
Recent headlines:
- Personal information of millions of credit card users stolen
- Criminal gangs get into identity theft
- Web applications hacked due to database vulnerabilities
Aspects of database security
1) DB Security Plan
2) Database Access Control
3) DBMS Security: Patching
4) DB Application: SQL injection, Inference Threats
5) Virtual Private Databases
6) Oracle Label Security
7) Inference Threats
8) Encryption
9) Auditing
10) Datawarehouse
11) Security Animations
Access Control: Default Users and Passwords
Users, passwords, default users/passwords
- sys and system accounts are privileged; change the default password
- sa (MS-SQL Server)
- scott account: well-known account/password, change it
- General password policies (length, domain, changing, protection)
- People having too many privileges
Privileges, Roles, Grant/Revoke
Privileges: System (actions), Objects (data)
Roles (pre-defined and user-defined): collections of system privileges (example: DBA role)
Grant / Revoke: giving (removing) privileges or roles to (from) users
Access Control (Continue)
GRANT privilege_name ON object_name TO role_name;
REVOKE privilege_name ON object_name FROM role_name;
Access Control (Continue)
Some important database privileges: Select, Insert, Update, Delete, Index, Alter, Create database, Drop database, All, Usage
DB application
Applications are often the biggest source of insecurity
OWASP Top 10 Web Security Vulnerabilities:
1. Unvalidated input
2. Broken access control
3. Broken account/session management
4. Cross-site scripting (XSS) flaws
5. Buffer overflows
6. (SQL) Injection flaws
7. Improper error handling
8. Insecure storage
9. Denial-of-service
10. Insecure configuration management
(Diagram: Database, Application, Program)
SQL Injection
SQL Injection definition: inserting malicious SQL code through an application interface
Often through a web application, but possible with any interface
Typical scenario:
- Three-tier application (web interface, application, database)
- Overall application tracks its own usernames and passwords in the database (advantage: can manage users in real time)
- Web interface accepts username and password and passes these to the application layer as parameters
SQL Injection (Continue)
Example: Application Java code contains SQL statement:
// Vulnerable: user-supplied username and password are concatenated straight into the SQL text
String query = "SELECT * FROM users_table" +
    " WHERE username = '" + username + "'" +
    " AND password = '" + password + "';";
Note: String values must be single quoted in SQL, so the application provides the quotes for each passed string parameter
Expecting one row to be returned on success, no rows on failure
Common variant: SELECT COUNT(*) FROM ...
SQL Injection (Continue)
Attacker enters: any username (valid or invalid), and a password of: Aa' OR '' = '
Query becomes: SELECT * FROM users_table WHERE username = 'anyname' AND password = 'Aa' OR '' = '';
Note: AND has higher precedence than OR, so the WHERE clause evaluates as (F AND F) OR T => F OR T => T
All user/pass rows are returned to the application. If the application only checks for 0 vs. more than 0 rows, the attacker is in.
SQL Injection Prevention
How to resolve this? First (attempted) solution: check content
- Client code checks to ensure certain content rules are met
- Server code checks content as well; specifically, don't allow apostrophes to be passed
- Problem: there are other characters that can cause problems:
  --  (SQL comment character)
  ;   (SQL command separator)
  %   (SQL LIKE subclause wildcard character)
- Which characters do you filter (blacklist) / keep (whitelist)?
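The following added example (not part of the presentation) runs the slides' login check both ways against a small in-memory SQLite table: once with the concatenated query from the Java snippet, and once with a parameterized query, which is the fix the content-filtering approach above is trying to approximate. The table, the account alice/correct-horse and the helper names are constructed for this demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: the slides' users_table with one legitimate account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users_table VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Builds the query by string concatenation, like the Java snippet on the slides.
    Returns the number of matching rows; the application treats > 0 as success."""
    query = ("SELECT * FROM users_table WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return len(conn.execute(query).fetchall())


def login_param(conn, username, password):
    """Same check with a parameterized query: values travel separately from the
    SQL text, so quotes, comments and semicolons in the input never become syntax."""
    query = "SELECT * FROM users_table WHERE username = ? AND password = ?"
    return len(conn.execute(query, (username, password)).fetchall())


def demo():
    """Row counts for a valid login and for the password input shown on the slides."""
    conn = make_db()
    slide_password = "Aa' OR '' = '"  # the input from the slides
    return {
        "concat_valid": login_concat(conn, "alice", "correct-horse"),
        "concat_injected": login_concat(conn, "anyname", slide_password),
        "param_valid": login_param(conn, "alice", "correct-horse"),
        "param_injected": login_param(conn, "anyname", slide_password),
    }


if __name__ == "__main__":
    print(demo())
```

With the concatenated query the slides' input returns every row (the WHERE clause collapses to TRUE), while the parameterized query returns zero rows for the same input because the database compares the whole string against the stored password.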
Thank you !