An investigation into the security features of Oracle 10g R2 Enterprise Edition - PowerPoint PPT Presentation

Slides: 16
Provided by: g07n
Transcript and Presenter's Notes

1
An investigation into the security features of
Oracle 10g R2 Enterprise Edition
  • Supervisor: Mr J Ebden

2
Database security
  • Aaron Newman views database security as composed
    of multiple layers of protection that reduce the
    risk of intrusion, just as in a medieval castle.
  • This poses a great challenge for the intruder,
    giving the DBA time to take appropriate action
    against these malicious users.
  • Each layer is specially designed to give the
    highest defence against intrusion.

3
Background of project
  • The trigger for my project was the white paper
    released by Litchfield D, in which he describes
    in detail cursor snarfing, a new security flaw he
    had recently discovered in Oracle databases.
  • He published another white paper called "Which
    database is more secure? Oracle vs. Microsoft SQL
    Server", in which he reveals the alarming
    security flaws in Oracle.
  • Meanwhile, Oracle claims that this flaw is trivial
    and rare, since it requires some impractical
    special cases in order to happen.

4
Background cont
  • Firewalls can no longer protect databases from
    all intrusion, because modern database threats
    operate at higher layers of the OSI model than
    firewalls do.
  • Attackers have found a way of bypassing the
    firewalls by using specific search strings in
    search engines that lead them straight to the
    database.

5
The OSI model

6
The approach by Oracle
  • Oracle uses four major methods for its
    database security. These are authentication,
    roles and privileges, auditing and finally data
    integrity.
  • These form the desired layered security
    structure: first a user is authenticated, then he
    is authorised to perform some actions, which are
    then monitored by auditing.
  • Finally, data integrity protects the data and
    makes it accessible only to the authorised.

7
Authentication
  • Verifying that users are who they claim to be;
    these may be a person using a computer, a
    computer itself or a program on a computer.
  • Oracle allows 4 login trials before the database
    is blocked, and also allows a password to be used
    only for three months, to combat authentication
    breaches.
  • The database is locked for 30 days, or is
    unlocked by the DBA after a day, once more than 4
    attempts have been made.
  • Oracle claims to have safe password management
    and also enables users to make very strong
    passwords. In addition, Oracle does not allow a
    user to use the same password consecutively.
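
As an added example, not part of the presentation: an Oracle password profile that encodes the limits listed on this slide, plus the data-dictionary view a DBA uses to see which accounts the lockout has caught. The profile and user names are constructed, and the verify function assumes the stock utlpwdmg.sql script has been run.

```sql
-- Constructed example profile (not from the presentation) encoding the slide's
-- numbers: 4 failed attempts, 30-day lock, three-month password life and no
-- consecutive reuse of the same password.
CREATE PROFILE app_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    4       -- lock the account after the 4th consecutive failure
  PASSWORD_LOCK_TIME       30      -- days the lock lasts unless a DBA unlocks it sooner
  PASSWORD_LIFE_TIME       90      -- password expires after roughly three months
  PASSWORD_GRACE_TIME      7       -- warning period before the expired password is refused
  PASSWORD_REUSE_MAX       5       -- a password may return only after 5 other passwords
  PASSWORD_REUSE_TIME      365     -- ...and only after 365 days (both limits apply together)
  PASSWORD_VERIFY_FUNCTION verify_function;  -- complexity checks installed by utlpwdmg.sql

-- Attach the profile to an application account (hypothetical user name)
ALTER USER app_reader PROFILE app_user_profile;

-- The lock is released automatically after PASSWORD_LOCK_TIME, or earlier by a DBA
ALTER USER app_reader ACCOUNT UNLOCK;

-- Which accounts are currently locked, and since when: a cluster of lock dates
-- across many accounts is the lockout-as-denial-of-service pattern of the next slide
SELECT username, account_status, lock_date, profile
FROM   dba_users
WHERE  account_status LIKE '%LOCKED%'
ORDER BY lock_date DESC;
```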

8
Critics of Oracle
  • Paul Wright published a white paper that describes
    how a hacker can manage to perform a brute-force
    attack on the login of the Oracle database
    despite Oracle's claim of a login block.
  • Mark Burnett discusses the side effects of login
    blocking when it is used as a way of combating
    brute-force attacks.
  • An intruder can cause DoS, harvest usernames from
    the site, cause a diversion by flooding the help
    desk with support calls, and disable an account by
    continually locking it.
  • Account lockout is ineffective against slow
    attacks, attacks that try one password against a
    large list, first-time correct guesses and DBA
    accounts.

9
Roles and Privileges
  • Oracle offers different privileges to different
    users.
  • These are rights to execute particular SQL
    statements, e.g. creating tables or executing
    stored procedures.
  • To provide easy privilege management and control,
    privileges can be bundled together into a role (a
    group of privileges assigned to a group of
    users or a single user).
  • Roles make it easy to monitor and make
    alterations to privileges granted to a group of
    users for security reasons.
  • Roles also allow some privileges to be password
    protected, which narrows down the search criteria
    in case of a breach.
  • Roles can be assigned to other roles and then
    finally to users.
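
The role mechanics described on this slide, as an added example that is not from the presentation: bundling privileges into roles, password-protecting a sensitive role, nesting roles and granting the result to a user. The hr schema, its objects, the role names, the user alice and the role password are all constructed.

```sql
-- Constructed example (not from the presentation); hypothetical schema "hr".
-- 1. Bundle object privileges into a role instead of granting them per user.
CREATE ROLE hr_reader;
GRANT SELECT ON hr.employees   TO hr_reader;
GRANT SELECT ON hr.departments TO hr_reader;

-- 2. A more sensitive role, protected by a password: it is granted to the user
--    but stays inactive until the session enables it with the password.
CREATE ROLE hr_payroll IDENTIFIED BY "Str0ng#Role#Pwd";
GRANT INSERT, UPDATE ON hr.salaries TO hr_payroll;
GRANT EXECUTE ON hr.pay_run         TO hr_payroll;

-- 3. Roles can be granted to other roles, then the top-level role to users.
CREATE ROLE hr_clerk;
GRANT hr_reader TO hr_clerk;           -- a clerk inherits read access
GRANT hr_clerk, hr_payroll TO alice;   -- hypothetical user

-- Keep the protected role out of the set enabled automatically at login
ALTER USER alice DEFAULT ROLE ALL EXCEPT hr_payroll;

-- In alice's session: enable the protected role only when it is needed
SET ROLE hr_clerk, hr_payroll IDENTIFIED BY "Str0ng#Role#Pwd";

-- Review what a role actually carries (object privileges and nested roles)
SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee IN ('HR_READER', 'HR_PAYROLL');
SELECT grantee, granted_role FROM dba_role_privs WHERE grantee = 'HR_CLERK';

-- Revoking one privilege from the role removes it for every holder at once
REVOKE UPDATE ON hr.salaries FROM hr_payroll;
```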

10
Auditing
  • This is the monitoring and recording of database
    user actions.
  • Audits can be triggered when specified elements
    in an Oracle database are accessed or altered.
  • Auditing keeps a record of both failed and
    successful attempts on the server.
  • One disadvantage of auditing is that there is no
    mechanism to prevent the DBA from tampering with
    the audit output in the case of an attacker
    gaining SYS privileges.
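
As an added example, not from the presentation: the standard auditing statements that record both failed and successful attempts, two review queries over the audit trail, and the two initialisation parameters that address the tampering weakness named on this slide by moving the trail out of the database and auditing SYS itself. The hr.salaries table is constructed; the returncode values are the ordinary ORA error numbers.

```sql
-- Constructed example (not from the presentation). Standard auditing needs
-- AUDIT_TRAIL set, e.g. DB_EXTENDED (rows in SYS.AUD$, with the SQL text):
--   ALTER SYSTEM SET audit_trail = DB_EXTENDED SCOPE = SPFILE;   -- then restart

-- Record logins, successful and failed alike
-- (AUDIT SESSION WHENEVER NOT SUCCESSFUL would keep only the failures)
AUDIT SESSION;

-- Record each access to, or alteration of, a sensitive table (hypothetical hr.salaries)
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.salaries BY ACCESS;

-- Record changes to the security configuration itself
AUDIT USER, PROFILE, ROLE, SYSTEM GRANT BY ACCESS;

-- Review logins: returncode 0 = success, 1017 = wrong password, 28000 = account locked
SELECT username, os_username, userhost, returncode, timestamp
FROM   dba_audit_trail
WHERE  action_name = 'LOGON'
AND    timestamp > SYSDATE - 1
ORDER BY timestamp DESC;

-- Failed logins per account in the last hour: a burst across many accounts
-- points to a brute-force attempt or to someone locking accounts on purpose
SELECT username, COUNT(*) AS failures
FROM   dba_audit_trail
WHERE  action_name = 'LOGON'
AND    returncode <> 0
AND    timestamp > SYSDATE - 1/24
GROUP BY username
HAVING COUNT(*) >= 3;

-- Against the tampering problem on the slide: write the trail to operating-system
-- files (under AUDIT_FILE_DEST, guarded by OS permissions the DBA need not hold)
-- and audit the statements SYS runs as well; both take effect after a restart
ALTER SYSTEM SET audit_trail = OS SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
```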

11
Data Integrity
  • This is the act of ensuring that data is complete
    and identically maintained during an operation
    such as transfer, storage or retrieval.
  • Oracle encrypts data by a process called
    Transparent Data Encryption, which restricts data
    retrieval by unauthorised users.
  • The encryption and decryption of data is handled
    by the database instead of by users and
    applications; even the DBA has no access to the data.
  • This is the peak of Oracle's layered security,
    after firewalls, authentication and
    authorisation.
  • It can be implemented using simple and easy SQL
    commands.
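
The "simple SQL commands" of this slide, as an added example that is not from the presentation: setting up the TDE master key and wallet, encrypting a column in an existing table and in a new one, and checking what is encrypted. The wallet path, password, hr tables and column names are constructed; TDE protects the column contents at rest, in datafiles and backups, and a session that holds SELECT on the table reads plaintext while the wallet is open.

```sql
-- Constructed example (not from the presentation); hypothetical tables in "hr".
-- 1. The wallet location is configured in sqlnet.ora (assumed path):
--    ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=
--      (DIRECTORY=/u01/app/oracle/admin/orcl/wallet)))
-- 2. Create the master key and open the wallet (once, by a privileged user)
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Wallet#Passw0rd";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Wallet#Passw0rd";

-- 3. Encrypt a sensitive column; existing rows are rewritten encrypted
ALTER TABLE hr.cards MODIFY (card_number ENCRYPT USING 'AES256');

-- New tables can declare it directly; NO SALT lets the column be indexed
CREATE TABLE hr.bank_details (
  emp_id   NUMBER PRIMARY KEY,
  iban     VARCHAR2(34) ENCRYPT USING 'AES256' NO SALT,
  bic      VARCHAR2(11) ENCRYPT USING 'AES256'
);
CREATE INDEX hr.bank_details_iban_ix ON hr.bank_details (iban);

-- Applications keep using plain SQL; decryption is transparent in the session
SELECT emp_id, card_number FROM hr.cards WHERE emp_id = 100;

-- Which columns are protected, and with which algorithm
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns;

-- With the wallet closed, encrypted columns cannot be read by any session
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
```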

12
Oracle's Software Security Assurance
  • Strong safeguards against security flaws must be
    in place, since a flaw has the ability to let
    intruders bypass even the toughest security
    measure.
  • A secure system does not only offer security
    features but also prevents security flaws.
  • Oracle claims to have security assurance that
    prevents security flaws.
  • Contrary to Oracle's claims, David Litchfield in
    his white paper claims that Oracle does not keep
    a record of problems encountered and does not
    understand them.
  • The claim made by Litchfield is strengthened by
    the number of patches that Oracle has advised DBAs
    to install, which has the effect of adding
    complexity to the system.

13
Cont
  [Chart: number of flaws per year]

14
Summary
  • Database security is crucial to the safety of
    users' personal data, which includes card numbers,
    bank details and medical details.
  • Firewalls on their own cannot combat all the
    database security concerns.
  • Databases are safe if they remain isolated
    from any network.
  • Oracle offers a layered security structure like
    that of a medieval castle. There is the outermost
    layer, which uses the network firewalls, followed
    by authentication and authorisation (roles and
    privileges), auditing and finally data
    encryption.

15
Questions and Answers