DB-14: OpenEdge® Database Run-time Security Revealed
Michael Jacobs, Architect, Progress OpenEdge
© 2007 Progress Software Corporation
Agenda
• Run-time database security landscape
• OpenEdge 10 database security
• Comparing run-time and compile-time
• Configuring run-time database security
Database Run-time Security Drivers
What motivates us to use run-time database security:
Because you have to
• Government regulations
• Industry standards
• Personal data privacy requirements
Legal liability
• Imposed $$ penalties
It is all because of the hackers
• They have tools
• They have the knowledge
• They have the motivation
CSI/FBI Computer Crime & Security Survey
2006 respondents reported:
• 48% detected 1 – 6 security incidents
• 68% reported losses due to insider attacks
• Average loss ~$168,000
Top reasons for loss
• Viruses
• Unauthorized access to information
• Laptop / mobile hardware theft
• Theft of proprietary information
Top security issues
• Data protection & application security
• Policy & regulatory compliance
• Identity theft & leakage of private information
Database Security
In a perfect world, the application stack has no security holes:
[Diagram: OS files (index blocks, record blocks, cache files) inside the RDBMS, fronted by the database utilities and DB server; Applications A, B and C reach the database through xDBC drivers; OS/network security surrounds the stack and the black-hat hacker is kept outside]
Database Security
In reality, the application stack has many vulnerabilities:
[Diagram: the same stack (OS files, RDBMS, database utilities, DB server, xDBC drivers, Applications A, B and C, OS/network security), this time with holes at every layer]
Database Run-time Security’s Role
Block application-code attacks & inappropriate user access:
SQL sets the standard for database run-time security
• User authentication
• Database administration
• View, table & column access controls
Database vendors add security features
• Multiple user authentication systems
• User connection privileges
• Role & user-group privileges
OpenEdge Database Security
One database – two security systems: SQL Server and ABL Core
[Diagram: the SQL Server enforces SQL privileges and the ABL Core enforces ABL permissions; each performs application ISUD (SQL) or CRUD (ABL), user authentication against shared user accounts, and user authorization over the public tables and SQL tables of the OpenEdge RDBMS]
• Database storage engine performs no security operations
• SQL & ABL clients provide all database security
Comparing ABL & SQL Security Systems
                                 ABL      SQL
Security model                   GRANT    GRANT
Default DBA                      n/a      <db-owner>, SYSPROGRESS
Default security administrator   “*”      n/a
Default table access             “*”      <none>
Default field access             “*”      <none>
OpenEdge Database Auditing
How do you know the security systems have not been compromised?
[Diagram: the SQL Server and ABL Core each perform application ISUD/CRUD, user authentication and user authorization against the schema & data tables of the OpenEdge RDBMS; an audit subsystem driven by audit rules (policies.xml) records every record operation into the audit data]
• No SQL or ABL database record operations can bypass auditing
User Authentication
Shared ABL & SQL User Accounts
_User table accounts:
Two required fields
• user-id (_Userid)
  – Maximum length: 12
  – Illegal characters: < 32 or “#*,!@”
• password (_Password)
  – ABL: Changed only by the account’s owner
  – SQL: Changed by DBA or the account’s owner
Password field: fixed-length CRC-16 hash
Beware of default SQL DBA account definitions
• <db-owner> (DBA privileges)
• SYSPROGRESS (DBA privileges)
• PUB (table owner privileges)
ABL & SQL _User Account Behavior
ABL
• Without _User accounts
  – User-id: OS process id
  – Cannot use -U -P to connect
• With _User accounts
  – Default user-id: “”
  – -U/-P must match _User account
  – Can always CONNECT as default user-id
SQL
• Without _User accounts
  – Default user-id: none
  – Connect with any user-id except “PUB” and “SYSPROGRESS” (passwords ignored)
• With _User accounts
  – Default user-id: none
  – MUST authenticate to _User account
  – PUB & SYSPROGRESS accepted as user-ids
ABL Prompting for User-id
It all happens inside ABL procedures:
ABL Core: run _edit.p.
_edit.p: run _prostar.p.
_prostar.p: run _login.p.
* Sources found in DLC/src & PSDN development tools download
ABL & SQL User Account Administration
Similar user account operations:
Operation         ABL                              SQL
Create account    CREATE _user record statement    CREATE USER
Delete account    DELETE _user record statement    DROP USER
Change password   ASSIGN field statement           ALTER USER
Create password   ENCODE()                         N/A
OpenEdge Database Security
Alternative user authentication for ABL only applications:
[Diagram: instead of the SQL Server or ABL Core authenticating the user login credentials against the _User accounts, the ABL application authenticates the user against its own authentication configuration and creates a CLIENT-PRINCIPAL as proof of ABL user authentication; the ABL Core validates the CLIENT-PRINCIPAL (“is valid?”) and uses it as the connection user-id]
User Authorization
All Tables Have an Owner
Both ABL & SQL clients respect table “ownership”:
“PUB” (SQL server & ABL user-id)
• Data tables
  – ABL clients: Create, Read, Update, & Delete
  – SQL clients: Insert, Select, Update, & Delete
• Meta schema tables
  – ABL clients: Create, Read, Update, & Delete
  – SQL clients: Select
“SYSPROGRESS” (private user-id for SQL server)
• ABL clients: none
• SQL clients: Select
“<sql-client>” (supported only by SQL server)
• SQL clients: Insert, Select, Update, & Delete
• ABL clients: none
ABL Core Database Security
Administered via _schema record CRUD operations:
[Diagram: _File record permissions (_Can-create, _Can-write, _Can-read, _Can-delete) guard each table and _Field record permissions (_Can-read, _Can-write) guard each column F1–F7 of the table data; FIND/FOR, CREATE, DELETE and ASSIGN statements are checked against them]
* Sometimes meta-schema table & field permissions lie
SQL Server Database Security
Administered via GRANT/REVOKE SQL statements:
[Diagram: _systabauth privileges (insert, update, select, delete, alter) guard each table and _syscolauth privileges guard each column F1–F7 of the table data; at column level only selective update is available]
SQL Server Database Security
Wrapper for a mixture of selected rows & columns:
[Diagram: view privileges (select, insert, update, delete, alter) sit on top of the _systabauth and _syscolauth privileges of the underlying table (ABL equivalents: create, update, read, delete on the table; update on the field); rows and columns left out of the view cannot be read: no read access by exclusion]
Database Administration
SQL Standard Database Administration
DBA has all database privileges*
Table’s “owner” has all table & column privileges
A user must have a privilege before they can GRANT that privilege to others
The grantor of a privilege can REVOKE that privilege
A privilege may be GRANTED without the ability to grant it to any other user
* Except OpenEdge Auditing SoD (Separation of Duty)
ABL Security Administrator Revealed
ABL Security Administrator is NOT A DBA
ABL Security Administrator controls
• Table & field access via _Can-* permissions
• User account creation & deletion
• ABL client & database security options
Security Administrator’s user-account list is replicated in many places
• See PSDN open-source development tools
  – src/prodict/user/_usradmn.p
Compile-time Versus Run-time Security
                                                        Run-time         Compile-time
Connection’s user-id                                    Dynamic          Fixed
Table & column access                                   Dynamic          Fixed
Run-time impact                                         > compile time   < run-time
Application security context                            No               Yes
Security risk from user impersonation & rogue r-code    Lower            Higher
OpenEdge Database Security
ABL .r-code contains only the permitted CRUD operations:
[Diagram: the user’s login credentials are authenticated against the _User accounts; the ABL Core compiler checks the connection’s user-id against the table permissions, so the .p source (CRUD) is compiled into .r-code that holds only the permitted record operations for static buffers (shown as RU), while dynamic buffers keep all record operations (CRUD)]
OpenEdge Database Security
Default ABL Core run-time permission checking:
[Diagram: at run-time the ABL Core checks dynamic-buffer operations (CRUD) against the connection’s user-id and the table permissions, while the static-buffer operations compiled into the .r-code (RU) are not checked at run-time]
OpenEdge Database Security
ABL Core with optional run-time permission checking:
[Diagram: with optional run-time permission checking enabled, both static-buffer (.r-code, RU) and dynamic-buffer (CRUD) operations are checked against the connection’s user-id and the table permissions at run-time]
Configuring Database Security
The best database security comes from multiple layers:
• ABL & SQL application security (adds contextual application security to the database’s built-in security features)
• OpenEdge database run-time security (protects the database from rogue application code and users)
• OS file system permissions (protects the database’s utilities, configuration, and data files from other OS processes)
OpenEdge Database Security Options
Many security options available to fit your application:
1. Database administration
2. Database user connection
3. Table & column/field access
4. Database auditing
Security Starts with User Accounts
When are database user accounts required?
A place to start: “Does the database contain private or confidential data?”
• YES: I should configure database user accounts
  – 1 or more _user administrator accounts
  – 1 or more _user accounts for data access
  – Eliminate built-in default-user accounts
“Are _user accounts required for individual users?”
• If SQL server is used: YES
• If SQL is not used: can use application’s user accounts via the CLIENT-PRINCIPAL object
Database Administration Security Steps
If SQL Server is installed, configure its DBA security first:
1. Connect SQL Explorer as any user-id and find the database’s “db-owner”
   SELECT * FROM SYSPROGRESS.SYSDBAUTH;
2. It is the user-id that is not “SYSPROGRESS”
3. Reconnect SQL Explorer with the “db-owner” user-id
4. Create a common ABL/SQL DBA account
   CREATE USER 'MYDBA', 'dba-pwd';
   GRANT RESOURCE, DBA TO MYDBA;
Database Administration Security Steps
Lock out built-in SQL DBAs & table owners:
1. Connect SQL Explorer as MYDBA
2. Create user accounts with known passwords
   CREATE USER 'SYSPROGRESS', 'pwd';
   CREATE USER '<db-owner>', 'pwd';
   CREATE USER 'PUB', 'pwd';
Database Administration Security Steps
Define ABL Security Administrator:
Use the Data Administration tool to deny PUBLIC Security Administrator access
1. Define common ABL [& SQL] administration user account [“MYDBA”]: Admin->Security->Edit User List…
2. Set the security administrator list to “MYDBA” *: Admin->Security->Security Administrators…
* Best practices indicate two user accounts defined
Database Schema Administration
ABL client cannot change SQL user privileges
SQL client cannot change ABL user permissions
Define your own ABL-DBA by granting
• Grant PUBLIC (“*”) to _File._Can-read
• Grant _Can-create, _Can-write, _Can-delete to the ABL Security Administrator account list for schema security on:
  – “_File._File”
  – “_File._Field”
  – “_File._Index”
  – “_File._Index-field”
  – “_File._sec-role”
  – “_File._sec-granted-role”
  – “_File._sec-authentication-domain”
  – “_File._sec-authentication-system”
Enable Advanced ABL Security Features
1. Update to release 10.1A+
2. If not creating a new 10.1B+ database, update security schema definitions
   $ proutil db -C updateschema
   OR enable OpenEdge auditing
   $ prostrct add db audit-areas.st
   $ proutil db -C enableauditing area data-area-name indexarea index-area-name [disableindexes]
ABL Connection Security
Optionally block blank user-id connections: Database Administration utility’s menu Admin->Database Options…
• Disallow Blank UserID* (*Requires 1 _user account & -U/-P connection)
Pick your ABL access-control design
• All database connections use the user’s login id
• Application connects to the database using
  – A single database user-id (1 user with all permissions for all data tables)
  – A role or group account (each application user-id has exactly 1 role)
Binding R-code to the OpenEdge Database
DBAUTHKEY, in case run-time security is not achievable:
Low-level security option, but viable for some use cases
Simple secret-key hash value
• Embedded in database
• Compiled into r-code
• Checked by ABL core at run-time
Not recommended where:
• ABL is customized at the production site
• The database is used in multiple applications
• The application is updated with a subset of .r-code modules
Two ABL Permissions Security Strategies
Choose which suits your application the best:
Use the application development defaults
• On [schema] tables where data is PUBLIC
• Deny user access to tables with restricted data *
• Deny default blank user-id access to all tables & fields: Admin->Security->Disallow Blank Userid Access…
Use the industry recommended GRANT model
• If your application uses SQL server security
• Tables that contain restricted-access tables or fields
• Default table/field access is System Administrators
• Add (grant) & remove (revoke) selective user accounts
* Not a recommended security practice
ABL Run-time Database Security
Enabling ABL run-time permission checking:
Turn on run-time checking via the Data Administration tool’s dialog Admin->Database Options…
• Use Runtime Permissions Checking
Update application’s code error checking (if required)
Tip: use ABL CAN-DO() to test the permission list
  FIND _File WHERE _File._File-Name = "Customer".
  IF CAN-DO(_File._Can-Delete, user_id) THEN DELETE Customer.
Controlling Run-time Permission Checking
If permission is denied, a STOP event is raised: enclose the statement in a block with ON STOP
  DO ON STOP UNDO, LEAVE:
    FIND customer WHERE CustNum = m_iCustNum NO-ERROR.
  END.
  IF (ERROR-STATUS:ERROR AND INDEX(ERROR-STATUS:GET-MESSAGE(1), "permission denied") <> 0) THEN
    RETURN ERROR "Customer table read access denied".
  …
ABL Permission Secrets
Three Security Administrator rules you never forget:
A Security Administrator is NOT treated special
• Table access
• Field access
• Granting/revoking other Security Administrators
Each _Can-* permission field must have one of
• One Security Administrator account
• PUBLIC (“*”)
Never, never, never leave a _Can-* permission list blank
ABL Permission Secrets
ABL _Can-* permission list rules:
• Order dependent, comma separated list of account names (no white-space!)
• Add an account name to grant access, remove account names to revoke access
• Use “!” to explicitly deny access to an account
• Use “*” for wild-card multiple user account match
  – PUBLIC access (all accounts)
  – Can use “xxx_*” or “*_xxxx” for account names with the same prefix or suffix
ABL Permission List Examples
Permission list          Effect                                                   Note
“!”                      Deny blank user, grant access to no accounts             Illegal, nobody has access!!!
“!,!fred,*”              Deny blank user & fred, grant access to all other accounts   List denied user accounts first
“*”                      Grant access to blank user-id and all accounts           SQL equivalent PUBLIC access
“fred,wilma,MYDBA”       Pure GRANT model (denies blank user-id)                  SQL equivalent GRANT model
“barney,dba_*,MYDBA”     Grant any account starting with “dba_”                   Interesting use of account name groups
* More examples in Bonus slides
ABL Permission Combinations
ABL permissions enforced at lower level:
FIND, GET, FOR-EACH type statements
• _File._Can-Read
EQ, GT, LT, … field access
• _File._Can-Read, _Field._Can-Read
CREATE record statement
• _File._Can-Read, _File._Can-Create, _File._Can-Write, _Field._Can-Write (required fields)
ASSIGN record field values
• _File._Can-Read, _File._Can-Write, _Field._Can-Write
DELETE record statement
• _File._Can-Read, _File._Can-Delete
Keeping SQL and ABL in Sync
Similar user access controls to PUB tables & columns:
                ABL                                             SQL
Table           _Can-create, _Can-read, _Can-write, _Can-delete   INSERT, SELECT, UPDATE, DELETE
Column/field    _Can-read, _Can-write                           UPDATE (select via view)
View            N/A                                             INSERT, SELECT, UPDATE, DELETE
Privilege & Permission WARNING!
Beware of orphan privileges and permissions:
• Grant/revoke operations do not check account name presence
• An account’s SQL privileges & ABL permissions are NOT removed when the account is deleted (including DBA & Security Administrator)
• If a new account is created with the same name, it inherits all the old account’s privileges & permissions (also can be used as a recovery tool)
In Summary
More pressures to include database run-time security as intrusions become more sophisticated
OpenEdge 10.1+ has added additional security features
OpenEdge 10.1+ RDBMS can meet your database’s run-time security needs
For More Information, go to…
PSDN
• OpenEdge SQL Authorization
Referenced documentation:
• OpenEdge Database Management: Database Administration
• OpenEdge Database Management: SQL Reference
• OpenEdge Development Collection: Progress 4GL
Relevant Exchange Sessions
• DEV-4: OpenEdge in an LDAP World
• COMP-7: Securing your Swiss Cheese Environment
• DEV-8: A statefull application in a stateless world
• DB-8: Jump-starting Your OpenEdge Auditing Solution
• DB-19: OpenEdge Authentication without the _User table
Questions?
Thank you for your time
Bonus ABL Permission List Examples
Permission list           Effect
“”                        Table “lock-out”, dump & load to recover
“!fred,fred,*”            Deny fred, grant access to all other accounts
“fred,!fred,*”            Grant access to fred and all accounts
“fred,wilma,MYDBA”        Pure GRANT model (denies blank user-id)
“fred,wilma,MYDBA,!*”     Grant model, deny PUBLIC access
“fred,,wilma,MYDBA”       Grant model, grant blank user-id as middle account
“,fred,wilma,MYDBA”       Grant model, grant blank user-id as first account
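As an added example that is not part of the deck or of Progress’s own code, the Python below models the _Can-* list rules from the “ABL Permission Secrets” slides (first matching entry wins, “!” denies, “*” wildcards, an empty entry matches the blank user-id) and reproduces the permission list examples above; it then audits constructed lists for the pitfalls the deck warns about: an empty list, a list that grants no Security Administrator, and orphan entries left behind by deleted accounts (the “Privilege & Permission WARNING!” slide). The account names, the administrator list and the exact-case comparison are assumptions.

```python
"""Model of OpenEdge ABL CAN-DO() evaluation of _Can-* permission lists plus
an audit for the pitfalls the deck warns about. Constructed example, not
Progress code: first matching entry wins, "!" denies, "*" is a wildcard,
an empty entry matches the blank user-id, exact-case comparison (assumption).
"""
import re
from typing import Dict, Iterable, List


def entry_matches(pattern: str, user_id: str) -> bool:
    """True if one list entry matches user_id; '*' matches any run of
    characters, so '*' alone is PUBLIC and 'dba_*' is every 'dba_' account."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, user_id) is not None


def can_do(id_list: str, user_id: str) -> bool:
    """Scan entries left to right; the first match decides (a leading '!'
    denies). No match, or a completely empty list, means access denied."""
    entries = id_list.split(",") if id_list != "" else []
    for entry in entries:
        deny = entry.startswith("!")
        if entry_matches(entry[1:] if deny else entry, user_id):
            return not deny
    return False


def audit_list(field: str, id_list: str, admins: Iterable[str],
               accounts: Iterable[str]) -> List[str]:
    """Report problems in one _Can-* list: the table lock-out, loss of
    Security Administrator access, and orphan names (deleted _User rows)."""
    problems: List[str] = []
    if id_list == "":
        problems.append(f"{field}: empty list locks everyone out")
    elif not any(can_do(id_list, admin) for admin in admins):
        problems.append(f"{field}: no Security Administrator keeps access")
    known = set(accounts)
    for entry in (id_list.split(",") if id_list else []):
        name = entry.lstrip("!")
        if name and "*" not in name and name not in known:
            problems.append(f"{field}: orphan entry '{name}' names no _User account")
    return problems


def audit_table(perms: Dict[str, str], admins: Iterable[str],
                accounts: Iterable[str]) -> List[str]:
    """Audit every _Can-* field of one table (perms maps field -> list)."""
    admins, accounts = list(admins), list(accounts)
    return [problem for field, id_list in perms.items()
            for problem in audit_list(field, id_list, admins, accounts)]


if __name__ == "__main__":
    # Constructed _User accounts and a Customer table whose _Can-delete still
    # names 'ghost', an account that was deleted (orphan permission).
    ACCOUNTS = ["fred", "wilma", "barney", "dba_bob", "MYDBA"]
    CUSTOMER = {"_Can-read": "!,!fred,*", "_Can-write": "barney,dba_*,MYDBA",
                "_Can-create": "fred,wilma", "_Can-delete": "MYDBA,ghost"}
    for problem in audit_table(CUSTOMER, ["MYDBA"], ACCOUNTS):
        print(problem)
    print(can_do("!,!fred,*", "wilma"), can_do(",fred,wilma", ""))
```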