Computer System Security andManagement

D0004E Database security

Jörgen S Öfjäll

Database Security

• Databases store data and provide information to their users.• Database Security: protection of sensitive data and mechanisms that

allow users to retrieve information in a controlled manner.• Difference to Operating System Security: Database Security control

access to information more than access to data.• Focus on principals requesting access to database.

Database Attack Goals

• Exact data: the values stored in the database• Bounds: lower or upper bounds on a numerical value like a salary can

already be useful information• Negative results: e.g. if a database contains numbers of criminal

convictions, then the information that a particular person does not have zero convictions is sensitive.• Existence: the existence of data may already be sensitive information;• Probable value: being able to guess some information from the results

of other queries.

Design Requirements

• Precision: protect sensitive information while revealing as much non-sensitive information as possible.• Internal consistency: the entries in the database obey some

prescribed rules.• E.g., stock levels cannot fall below zero.• or personal number must have correct control sum

• External consistency: the entries in the database are correct.• E.g., stock levels given in the database match stock levels in the warehouse;

however, the database management system (DBMS) alone cannot keep the database in a consistent state.• This property is also called accuracy.

Popular Database types

• Relation database• Multidimensional databases (OLAP = Online analytical processing)

• MOLAP (Multidimensional)• ROLAP (Relational)• HOLAP (Hybrid)

• NoSQL • Column store• Document• Key-Value Store• Graph

• In Memory database• Relational• NoSQL

Relational Databases

• A relational database is a database that is perceived by its users as a collection of tables (and tables only).• A relation R is a subset of D1 x..x Dn where D1, … , Dn are the

domains on n attributes.• The elements in the relation are n-tuples (v1, … , vn) with vi # Di; the

value of the i-th attribute has to be an element from Di.• Elements in a tuple are often called fields.• A special null value indicates that a field does not contain any value.

Relations

Relations

• Relations are sets – no duplicates.• Every tuple must be uniquely identifiable.• Primary Keys!

Types of Relations

• Base relations (real relations): named, autonomous relations; exist in their own right, are not derived from other relations, and have ‘their own’ stored data.• Views: named, derived relations, defined in terms of other named

relations; no stored data of their own.• Snapshots: named, derived relations, defined in terms of other

named relations; have stored data of their own.• Query results: may or may not have a name; no persistent existence

in the database per se.

Relations

• Foreign keys

Integrity Rules

• Entity Integrity Rule: no component of the primary key of a base relation is allowed to accept nulls.• Referential Integrity Rule: the database must not contain

unmatched foreign key values.• Application specific integrity rules:• Field checks: to prevent errors on data entry.• Scope checks.• Consistency checks.

SQL

• Structured Query Language (SQL): standard language for describing how information in a relational database can be retrieved and updated.• SQL operations:• SELECT: retrieves data from a relation.• UPDATE: update fields in a relation.• DELETE: deletes tuples from a relation.• INSERT: adds tuples to a relation.

SQL StandardYear Name Alias Comments

1986SQL-86 SQL-87 First formalized by ANSI.

1989SQL-89 FIPS 127-1 Minor revision, in which the major addition were integrity constraints. Adopted as FIPS 127-1.

1992SQL-92 SQL2, FIPS 127-2 Major revision (ISO 9075), Entry Level SQL-92 adopted as FIPS 127-2.

1999SQL:1999 SQL3Added regular expression matching, recursive queries (e.g. transitive closure), triggers, support for procedural and control-of-flow statements, non-scalar types, and some object-oriented features (e.g. structured types). Support for embedding SQL in Java (SQL/OLB) and vice-versa (SQL/JRT).

2003SQL:2003 SQL 2003Introduced XML-related features (SQL/XML), window functions, standardized sequences, and columns with auto-generated values (including identity-columns).

2006SQL:2006 SQL 2006

ISO/IEC 9075-14:2006 defines ways in which SQL can be used in conjunction with XML. It defines ways of importing and storing XML data in an SQL database, manipulating it within the database and publishing both XML and conventional SQL-data in XML form. In addition, it enables applications to integrate into their SQL code the use of XQuery, the XML Query Language published by the World Wide Web Consortium (W3C), to concurrently access ordinary SQL-data and XML documents.[37]

2008SQL:2008 SQL 2008 Legalizes ORDER BY outside cursor definitions. Adds INSTEAD OF triggers. Adds the TRUNCATE statement.[38]

2011SQL:2011

SQL Query

SELECT Which attributes?

FROM Which table(s)?

WHERE What is condition that theresulting tuples satisfy?

SQL Query Example

SQL Security Model

• Discretionary access control using privileges and views, based on:• users: authenticated during logon;• actions: include SELECT, UPDATE, DELETE, and INSERT;• objects: tables, views, columns (attributes) of tables and views;

• Users invoke actions on objects; the DBMS decides whether to permit the requested action.• When an object is created, it is assigned an owner; initially only the

owner has access to the object; other users have to be issued with a privilege:

(granter, grantee, object, action).

Granting & Revoking Privileges• Privileges managed with GRANT and REVOKE.

GRANT SELECT, UPDATE (Day,Flight)ON TABLE DiaryTO Art, Zoe

• Selective revocation of privileges:REVOKE UPDATEON TABLE DiaryFROM Art

• Right to delegate privileges given through GRANT option:GRANT SELECTON TABLE DiaryTO ArtWITH GRANT OPTION

Roles

• All Privileges that can be grated to users to can also be grated to roles. • A user can be given access to a role and then inherit all of its rights.• It is a way to group user to different functions.• A tool to handle grants to a lot of database objects.

Access Control through Views

• Views: derived relations, created byCREATE VIEW view_name [ ( column [, column ] ... ) ]AS subquery[ WITH CHECK OPTION ]

• Many security policies better expressed by privileges on views than by privileges on base relations.• Access conditions described through subquery in the view definition:

CREATE VIEW business_trips ASSELECT * FROM DiaryWHERE Status = `business'WITH CHECK OPTION;

Views Advantages

• Views are flexible and allow access control policies to be defined at a level of description that is close to the application requirements.• Views can enforce context-dependent and datadependent

security policies.• Views can implement controlled invocation.

More ExamplesCREATE VIEW Top_of_the_Class ASSELECT * FROM Students WHERE Grade <

(SELECT Grade FROM StudentsWHERE Name = current_user());

CREATE VIEW My_Journeys ASSELECT * FROM DiaryWHERE Customer = current_user());

display journeys bookedby the customer usingthe view.

displays students whose gradeaverage is less than that of theperson using the view

CHECK Option

• INSERT and UPDATE can interfere with view-based access control.• Views may not be updatable because they do not contain the

information that is needed to maintain the integrity of the corresponding base relation.• E.g., a view that does not contain the primary key of an underlying base

relation cannot be used for updates.

• Blind writes: updates that overwrite an existing entry. • For views defined WITH CHECK OPTION, UPDATE and INSERT can only

write entries to the database that meet the definition of the view.• Blind writes possible if CHECK option is omitted.

Views Disadvantages

• Access checking may become complicated and slow. Lead to bad query plans • Views need to be checked for ‘correctness’; do they really capture the

security policy?• Completeness and consistency are not achieved automatically, views

may overlap or may fail to capture the entire database.• Are views more suitable for user- or data-focused policies?

Statistical Database Security

• Statistical database: information retrieved by means of statistical (aggregate) queries on attributes (columns) of a table.• Aggregate functions in SQL:

• COUNT: the number of values in a column,• SUM: the sum of the values in a column,• AVG: the average of the values in a column,• MAX: the largest value in a column,• MIN: the smallest value in a column.

• Query predicate of a statistical query: specifies the tuples used for computing the aggregate,• Query set: tuples matching the query predicate.

Security Challenge

• The database contains data that are individually sensitive; direct access -> not permitted.• Statistical queries to the database are permitted, but these queries

will read individual data items.• It thus becomes possible to infer information;• In a statistical database, there must be some information flow from

the data to their aggregate

Attacks

• Aggregation: sensitivity level of an aggregate computed over a group of values may differ from the sensitivity levels of the individual elements; e.g., an aggregate may be sensitive information derived from a collection of less sensitive business data.• Inference problem: derivation of sensitive information from non-sensitive

data:• Direct Attack: aggregate computed over a small sample so that information about

individual data items is leaked.• Indirect Attack: combine information relating to several aggregates;• Tracker Attack: a particularly effective type of indirect attack;• Linear System Vulnerability: use algebraic relations between query sets to

construct equations which yield the desired information.

Example Relation

Direct Attack

Q1 : SELECT COUNT(*)FROM StudentsWHERE Sex = 'F' AND Program = 'CS‘

Q2 : SELECT AVG(Grade Ave.)FROM StudentsWHERE Sex = 'F' AND Program = 'CS'

Returns count 1

Returns 70: averagefor a single student

Tracker Attack

Q3 : SELECT COUNT(*)FROM StudentsWHERE Programme = 'CS‘

Q4 : SELECT COUNT(*)FROM StudentsWHERE Programme = 'CS' AND Sex = 'M‘

Q5 : SELECT AVG(Grade Ave.)FROM StudentsWHERE Program = 'CS‘

Q6 : SELECT AVG(Grade Ave.)FROM StudentsWHERE Program = 'CS' AND Sex = 'M'

Returns count 4

Returns count 3

Returns average 61

Returns average 58Carol’s grade average:4 x 61 – 3 x 58 = 70

Countermeasures

• Suppress obviously sensitive information.• Disguise the data:

• Randomly swap entries in the database so that an individual query will give a wrong result although the statistical queries still would be correct;

• Add small random perturbations to query result so that the value returned is close to the real value but not quite correct.

• Drawback: reduced precision and usability.

• Better design of the database schema.• Check logs for suspicious patterns of queries.• Audit • (OLAP database engine)

SQL Injection

• SQL injection attack involves the alteration of SQL statements that are used within a application through the use of attacker-supplied data. • Insufficient input validation and improper construction of SQL

statements in applications can expose them to SQL injection attacks.

XKCD– Exploits of a Mom (http://xkcd.com/327/ )

Ramifications of Successful SQL Injection Attacks• Authentication Bypass:

This attack allows an attacker to log on to an application, potentially with administrative privileges, without supplying a valid username and password.

• Information Disclosure: This attack allows an attacker to obtain, either directly or indirectly, sensitive information in a database.

• Compromised Data Integrity: This attack involves the alteration of the contents of a database.

• Compromised Availability of Data: This attack allows an attacker to delete information with the intent to cause harm or delete log or audit information in a database.

• Remote Command Execution: Performing command execution through a database can allow an attacker to compromise the host operating system.

SQL Injection Example

<form action="/cgi-bin/login" method=post>

Username: <input type=text name=username>

Password: <input type=password name=password>

<input type=submit value=Login>

SQL Injection Example

HTTP POST request is sent:

username=submittedUser&password=submittedPassword

Submitted information is used as part of the following SQL statement:

SELECT * FROM Users WHERE (username = 'submittedUser‘ AND password = 'submittedPassword');

SQL Injection Example

What happens if following HTTP POST request is sent?

username=admin%27%29+--+&password=+

SQL Injection Example

SELECT * FROM Users WHERE (username = 'admin') -- and password = ' ');

The string of two dash characters (--) that appears in the crafted input is very important; it indicates to the database server that the remaining characters in the SQL statement are a comment and should be ignored.

End result:Attacker is able to login to application with admin right and bypassing password check.

Defending Against SQL Injection Attacks• Comprehensive data sanitization – filter ALL user input

• Blacklisting• Whitelisting

• Fortifying SQL Statements• Use Stored procedures • Parameterized queries

• Hide SQL generated errors for the end user / Attacker• Use a web application firewall.

• Example: ModSecurity opensource module for Apache, Microsoft IIS, and nginx web servers

SQL Injection Parameterized query example

String sql = "select * from Users where (username = ? and password = ?)";

PreparedStatement preparedStmt = connection.prepareStatement(sql);

preparedStmt.setString(1, submittedUsername);

preparedStmt.setString(2, submittedPassword);

results = preparedStmt.executeQuery();

SQL Injection Hide SQL Errors for userscom.mysql.jdbc.exceptions.MySQLSyntaxErrorException: Table 'sqlInjectionTest.test' doesn't exist

at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:936) at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:2985) at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1631) at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:1723) at com.mysql.jdbc.Connection.execSQL(Connection.java:3277) at com.mysql.jdbc.Connection.execSQL(Connection.java:3206) at com.mysql.jdbc.Statement.executeQuery(Statement.java:1232) at sqlInjectionBefore.main(before.java:28)

SQL Injectionmore reading• Bobby Tables: A guide to preventing SQL injection

http://bobby-tables.com/• OWASP: SQL Injection

http://www.owasp.org/index.php/SQL_injection • How To: Protect From SQL Injection in ASP.NET

http://msdn.microsoft.com/en-us/library/ms998271.aspx • Using Prepared Statements in Java

http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html • Cisco TAC Security Podcast Episode #16 - Mitigating a SQL attack with ASA,

IPS and IOS Firewallhttps://supportforums.cisco.com/docs/DOC-14890

Securing the house Database System Security Checklist1. Install only what is required2. Lock and Expire Default User Accounts3. Change Default User Passwords

a. Change default passwords of administrative usersb. Change default passwords of all usersc. Enforce password management

4. Enable Data Dictionary Protection a. Restrict access (as much as possible) to regular users to system views

Securing the house Database System Security Checklist5. Practicing the principle of least privilege

a. Grant necessary privileges onlyb. Revoke unnecessary privileges from the public user groupc. Grant a role to users only if they need all privileges of the roled. Restrict permissions on run-time facilities

Do not assign all permissions to any database server run-time facility such as the Java Virtual Machine or .NET runtime

6. Enforce access controls effectively and authenticate clients stringentlya. Authenticate client properly b. Don’t trust the clients

Example: Do not allow REMOTE_OS_AUTHENT =TRUE

Securing the house Database System Security Checklist7. Restrict Operating System Access

a. Limit the number of operating system users.b. Limit the privileges of the operating system accounts to the least privileges

needed for the user’s tasks.(administrative, root-privileged or DBA)

8. Restrict Network Accessa. Use a firewallb. Never poke a hole through a firewallc. Monitor who accesses your systemsd. Check network IP addresses (use blacklisting or whitelisting) e. Encrypt network traffic

Securing the house Database System Security Checklist9. Harden the operating system

a. Disabling all unnecessary operating system servicesb. Close all default UDP and TCP ports for the disabled services

10. Apply all security patches11. And install new security patches as soon as possible

Default Oracle Password StatisticsDatabase account

Default Password

Exists in Database %

DefaultPassword %

SYS CHANGE_ON_INSTALL 100% 3%

SYSTEM MANAGER 100% 4%

DBSNMP DBSNMP 99% 52%

OUTLN OUTLN 98% 43%

MDSYS MDSYS 77% 18%

ORDPLUGINS ORDPLUGINS 77% 16%

ORDSYS ORDSYS 77% 16%

XDB CHANGE_ON_INSTALL 75% 15%

DIP DIP 63% 19%

WMSYS WMSYS 63% 12%

CTXSYS CTXSYS 54% 32%