con1559_kodinov-oow15 con1559 what's new in mysql security
TRANSCRIPT
8/17/2019 CON1559_Kodinov-OOW15 CON1559 What's New in MySQL Security
http://slidepdf.com/reader/full/con1559kodinov-oow15-con1559-whats-new-in-mysql-security 1/31
Copyright © 2015, Oracle and/or its affiliates. All rights reserved.
What's New in MySQL 5.7 Security
Georgi "Joro" Kodinov, Team Lead, MySQL Server General Team
Safe Harbor Statement
The following is intended to outline our general product direction. It is inten information purposes only, and may not be incorporated into any contract. commitment to deliver any material, code, or functionality, and should not in making purchasing decisions. The development, release, and timing of an functionality described for Oracle's products remains at the sole discretion
About Me
• Former banking IT manager
• Veteran software developer
• Leading the MySQL server general developm
• With MySQL since 2006
• Working out of Plovdiv, Bulgaria
• @gkodinov, [email protected]
Agenda
Overview of the new features
Questions and answers
So What's New in 5.7 Security?
New MySQL 5.7 Security Features at a Glance
MySQL firewall
Secure by default
Enterprise encryption
Better account management
Refactoring and housekeeping
MySQL Firewall
MySQL Firewall: Operation
[Diagram: a client statement (SELECT 1+2) reaches the MySQL Server and is handed to the Firewall Plugin, which holds the allowed list in normalized form (SELECT ?+?, USE ?). SELECT 1+2 passes through; SELECT 1+2 OR .. is denied.]
MySQL Firewall: Anatomy
Firewall Plugin: allowed list of normalized statements (SELECT ?+?, USE ?)
Engine
• Compares incoming queries with the allowed list
• Works on normalized statements
• Multiple modes
• Audit log plugin
Statemen
• Entirely in me
• Initialized from
• Content visibl INFORMATION
MySQL Firewall: Benefits
• Helps prevent SQL injection
• Can learn to pass through a wide variety of apps
• No need to re-parse
• Easy to install and uninstall
• Works on SQL statements
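As an added example (not from the slides, and not the plugin's own code), the DBA-side workflow that puts the learn-then-enforce operation shown above to work for one application account. The account 'app'@'10.0.0.%', the shop database and the sample statements are constructed; the stored procedures, INFORMATION_SCHEMA table and status counters are the MySQL 5.7 Enterprise Firewall interface, and the normalized rule text is shown approximately.

```sql
-- 1. Training: put the account into RECORDING mode and run the
--    application's normal workload. Each distinct statement shape is
--    normalized (literals become ?) and added to the account's allowed list.
CALL mysql.sp_set_firewall_mode('app@10.0.0.%', 'RECORDING');
-- (application traffic runs here, e.g. SELECT name FROM shop.users WHERE id = 42)

-- 2. Review what was learned. The rules are the normalized statements,
--    visible through INFORMATION_SCHEMA while the list lives in memory.
SELECT USERHOST, RULE
  FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST
 WHERE USERHOST = 'app@10.0.0.%';
-- roughly: app@10.0.0.%  SELECT `name` FROM `shop` . `users` WHERE `id` = ?

-- 3. Enforce: in PROTECTING mode a statement whose normalized form is not
--    on the list is rejected before execution. An injected "OR 1=1" changes
--    the normalized form (... WHERE `id` = ? OR ? = ?), so it does not match.
CALL mysql.sp_set_firewall_mode('app@10.0.0.%', 'PROTECTING');

-- Alternative for a staged rollout: DETECTING logs the mismatch but still
-- lets the statement run, so false positives surface without outages.
-- CALL mysql.sp_set_firewall_mode('app@10.0.0.%', 'DETECTING');

-- 4. Monitor: granted/denied counters for dashboards and alerting.
SHOW GLOBAL STATUS LIKE 'Firewall_%';
-- Firewall_access_denied, Firewall_access_granted, Firewall_cached_entries

-- 5. Maintenance: add one new statement shape after an application release
--    without reopening RECORDING for the whole account.
INSERT INTO mysql.firewall_whitelist (USERHOST, RULE)
VALUES ('app@10.0.0.%', 'SELECT `email` FROM `shop` . `users` WHERE `id` = ?');
CALL mysql.sp_reload_firewall_rules('app@10.0.0.%');
```

The training run has to cover every code path of the application (reports, admin screens, error handling), otherwise PROTECTING mode blocks legitimate but rarely used statements; running in DETECTING mode for a while and watching Firewall_access_denied is the usual way to find the gaps before enforcing.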
Secure By Default
What You Get Post-MySQL Installation?
MySQL 5.6 and older:
• A development setup
• Wide open
• Must take extra step(s) to secure
MySQL 5.7:
• Obvious security proble
• Open for authorized us
• Can take steps to relax
Why Secure by Default ?
• More and more sensitive information stored in computers
• People increasingly dependent on information
• Helps new users avoid common mistakes
• Decreases MySQL attack surface
• Security compromises are explicit acts by the DBAs
• Low usability impact if applied carefully
WARNING!
No absolute states in secur
Secure By Default: Highlights
• Random account passwords on install
• Deploy without tests and demos
• No anonymous accounts
• Limit the scope of the FILE privilege
• Stricter permissions on installation files
Enhanced SSL Support: Highlights
• The server comes fully equipped for SSL connections *
  – Generate self signed certificates on site
• Libmysql based clients will attempt SSL by default
• Client option to enforce SSL
• Server option to require secure transport for all connections
  – SSL, shared memory, UNIX sockets
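Added example, not part of the deck: the checks and settings a DBA would run against a fresh 5.7 server to confirm the secure-by-default and SSL highlights above, and to turn the opportunistic SSL into a requirement. The account 'app'@'10.0.0.%' and the host name are constructed; the variables, statements and client option are MySQL 5.7's own.

```sql
-- Anonymous accounts: the 5.7 installer creates none. On a server that was
-- upgraded from 5.6 or earlier, confirm that and drop any that remain.
SELECT user, host FROM mysql.user WHERE user = '';
DROP USER IF EXISTS ''@'localhost', ''@'%';

-- FILE privilege scope: LOAD DATA / SELECT ... INTO OUTFILE / LOAD_FILE()
-- are confined to the directory named here (NULL disables them entirely).
SHOW GLOBAL VARIABLES LIKE 'secure_file_priv';

-- SSL readiness: with no certificates configured, the 5.7 server generates
-- self-signed ones in the data directory at startup and enables SSL.
SHOW GLOBAL VARIABLES LIKE 'have_ssl';
SHOW GLOBAL VARIABLES LIKE 'ssl_%';

-- Server-side requirement: TCP clients must use SSL; connections over UNIX
-- sockets and shared memory still count as secure transport.
SET GLOBAL require_secure_transport = ON;
-- (persist it in my.cnf: require_secure_transport = ON)

-- Per-account requirement, for servers where a global switch is too broad.
ALTER USER 'app'@'10.0.0.%' REQUIRE SSL;

-- Verify from an open session that the link really is encrypted.
SHOW SESSION STATUS LIKE 'Ssl_cipher';

-- Client side (command line, not SQL): a libmysql client attempts SSL by
-- default but falls back to cleartext if the server lacks it; this option
-- makes the connection fail instead.
--   mysql --ssl-mode=REQUIRED -h db.example.com -u app -p
```

The auto-generated certificates are self-signed, so clients cannot verify the server identity with them; they protect against passive eavesdropping only. Once a CA-issued certificate is deployed, the same client option stepped up to --ssl-mode=VERIFY_CA or VERIFY_IDENTITY closes the active-attacker gap.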
Enterprise Encryption
What is Enterprise Encryption? At a glance
• A plugin, interfacing the OpenSSL library
• Allows generation and handling of RSA, DSA and DH key pairs
  – SET @priv = CREATE_ASYMMETRIC_PRIV_KEY('RSA', 1024);
  – SET @pub = CREATE_ASYMMETRIC_PUB_KEY('RSA', @priv);
• Allows encryption, signing and cryptographic hashes
  – SET @digest = CREATE_DIGEST('SHA512', 'cleartext');
  – SET @sig = ASYMMETRIC_ENCRYPT('RSA', @digest, @priv);
• Key generators use standard PEM format (compatible with exte
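As an added example (not from the slides and not Oracle's code), a full round trip through the Enterprise Encryption functions named above together with their counterparts, covering both integrity (sign/verify) and confidentiality (encrypt/decrypt). The key size, message and tampered message are constructed; the functions are the plugin's documented API and require the openssl_udf plugin to be installed.

```sql
-- Key pair in PEM format; the same PEM text can be produced or consumed by
-- openssl on the command line, which is how keys move between app and server.
SET @priv = CREATE_ASYMMETRIC_PRIV_KEY('RSA', 2048);
SET @pub  = CREATE_ASYMMETRIC_PUB_KEY('RSA', @priv);

-- Integrity: hash the message, sign the hash with the private key, and let
-- anyone holding the public key verify it (1 = signature valid, 0 = invalid).
SET @msg    = 'cleartext';
SET @digest = CREATE_DIGEST('SHA512', @msg);
SET @sig    = ASYMMETRIC_SIGN('RSA', @digest, @priv, 'SHA512');
SELECT ASYMMETRIC_VERIFY('RSA', @digest, @sig, @pub, 'SHA512') AS signature_ok;

-- A modified message hashes differently, so the same signature fails to verify.
SELECT ASYMMETRIC_VERIFY('RSA', CREATE_DIGEST('SHA512', 'cleartext.'),
                         @sig, @pub, 'SHA512') AS tampered_signature_ok;

-- Confidentiality: the writer needs only the public key; only the holder of
-- the private key can recover the plaintext.
SET @ct = ASYMMETRIC_ENCRYPT('RSA', @msg, @pub);
SELECT ASYMMETRIC_DECRYPT('RSA', @ct, @priv) AS plaintext;

-- Storing the public key next to the data is fine; the private key is the
-- secret and is supplied at decrypt time (application side or LOAD_FILE()),
-- not kept in a table.
```

RSA encrypts at most a message slightly shorter than the key size (well under 256 bytes for a 2048-bit key), so for anything larger the usual pattern is to encrypt the data with AES_ENCRYPT() under a random key and protect only that key with ASYMMETRIC_ENCRYPT().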
Simple Example: Handling Sensitive Information Using MySQL Enterprise Encryption
[Diagram: The App, the Network and the Database, with Enterprise Encryption applied to Sensitive Information using a Private Key and a Public Key.]
Better User Account Management
Comfortable User Account Management: Highlights
• Fully functional ALTER USER
• IF [NOT] EXISTS clause to user account statements
• Temporarily disable user accounts
• Authentication plugin that disables logins
• Time-based password expiration policy
• "Offline" server mode
• User account names now 32 characters long
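Added example (not from the slides): the 5.7 statements behind each highlight above, in the order a deployment script would use them. Account names, the password placeholder and the lifetime values are constructed; the syntax, plugin and variables are MySQL 5.7's.

```sql
-- Idempotent provisioning: safe to re-run, no "user exists" failures.
CREATE USER IF NOT EXISTS 'app'@'10.0.0.%'
  IDENTIFIED BY 'REPLACE-WITH-GENERATED-SECRET';
DROP USER IF EXISTS 'legacy_report'@'%';

-- Fully functional ALTER USER: adjust policy on an existing account in place.
ALTER USER 'app'@'10.0.0.%'
  PASSWORD EXPIRE INTERVAL 90 DAY   -- time-based expiration for this account
  REQUIRE SSL;

-- Server-wide default lifetime (days) for accounts without their own policy.
SET GLOBAL default_password_lifetime = 180;

-- Temporarily disable an account: grants and password stay, logins fail.
ALTER USER 'app'@'10.0.0.%' ACCOUNT LOCK;
-- ...incident handled, or maintenance over...
ALTER USER 'app'@'10.0.0.%' ACCOUNT UNLOCK;

-- An account nobody can log in as: the authentication plugin rejects every
-- login, so the account exists only as DEFINER of views and stored routines
-- that run with SQL SECURITY DEFINER.
INSTALL PLUGIN mysql_no_login SONAME 'mysql_no_login.so';
CREATE USER IF NOT EXISTS 'routine_owner'@'localhost'
  IDENTIFIED WITH mysql_no_login;

-- Audit the state of what was just configured.
SELECT user, host, account_locked, password_expired, password_lifetime
  FROM mysql.user
 WHERE user IN ('app', 'routine_owner');

-- "Offline" mode: existing connections of non-SUPER users are closed and new
-- ones refused; SUPER users keep access for the maintenance window.
SET GLOBAL offline_mode = ON;
-- ...maintenance...
SET GLOBAL offline_mode = OFF;
```

ACCOUNT LOCK is the right tool for a suspected credential leak: it stops logins immediately while preserving the grants for forensic review and for unlocking later, where DROP USER would destroy that evidence.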
Refactoring and Housekeeping Work
Remove Support for "old", Pre-4.1 Passwords (What's new in Refactoring?)
• Known to be insecure since mysql-4.1!
• Responsible for a lot of "spaghetti code"
• Finally out in 5.7!
• Incompatible changes in mysql.user system table structure
Treat Passwords as Any Other Authentication Data
• Why?
  – All authentication plugins must be equal
  – Passwords are just one form of authentication
• How?
  – Merge mysql.user.password into mysql.user.authentication_string
  – Extend the authentication API to support converting between storage aformats
  – Clean up stray global plugin related variables and functions
• PASSWORD() @@old_passwords
Deprecate ENCODE()/DECODE() (What's new in Refactoring?)
• Old insecure, home grown algorithms
• Replaced by AES based functions
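Added example (not from the slides): migrating a column that was protected with the deprecated ENCODE()/DECODE() pair to AES_ENCRYPT()/AES_DECRYPT() in CBC mode with a per-row random IV, which is the AES-based replacement the slide refers to. The customers table, its columns, the old passphrase and the demo key are constructed; in practice the key comes from the application or a key store, not from SQL text.

```sql
-- Use an authenticated-by-policy mode with a real IV instead of the default ECB.
SET SESSION block_encryption_mode = 'aes-256-cbc';

-- Demo only: a 256-bit key generated on the spot. A real deployment supplies
-- the key from outside the database so it never sits in the binlog or history.
SET @key = RANDOM_BYTES(32);

-- New columns: the IV is not secret and is stored beside the ciphertext.
-- AES output is padded to 16-byte blocks, so size the column accordingly.
ALTER TABLE customers
  ADD COLUMN ssn_iv  VARBINARY(16),
  ADD COLUMN ssn_aes VARBINARY(64);

-- One fresh IV per row; reusing an IV across rows with the same key leaks
-- which rows hold equal plaintexts.
UPDATE customers SET ssn_iv = RANDOM_BYTES(16) WHERE ssn_iv IS NULL;

-- Re-encrypt: DECODE() recovers the old value, AES_ENCRYPT() protects it.
UPDATE customers
   SET ssn_aes = AES_ENCRYPT(DECODE(ssn_old, 'OLD-PASSPHRASE'), @key, ssn_iv)
 WHERE ssn_aes IS NULL;

-- Read path after migration.
SELECT id, AES_DECRYPT(ssn_aes, @key, ssn_iv) AS ssn
  FROM customers
 WHERE id = 42;

-- Once every row is converted and the application reads the new column,
-- the ENCODE()-era column can go.
ALTER TABLE customers DROP COLUMN ssn_old;
```

Run the two UPDATE statements inside a maintenance window or in batches on a large table, and keep the old column until the application has been switched over and spot-checked, since a wrong key at AES_ENCRYPT() time is only discovered when AES_DECRYPT() returns NULL.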
Refactor the ACL Code (What's new in Refactoring?)
• Isolated the ACL code into a sub-directory
• Split the huge sql_acl.cc into smaller logical groups of code
Remove Server Package's Perl Dependencies (What's new in Refactoring?)
• mysql_secure_install converted to a C program
• mysql_install_db converted to a C program and deprecated
• mysql_upgrade now doesn't need to call external binaries
• Why is this relevant to security?
  – No longer need to pass passwords to the external utilities
  – No worries that the utilities may use different configuration files
  – Allowed extra hardening: e.g. remove the multiple "root" user accounts
  – Allows unattended installation
Questions and Answers