Tip: If anyone wants to speed up the lecture videos a little,
inspect the page, go to the browser console, and paste this in:
document.querySelector('video').playbackRate = 1.2
1.4 Database Security
Computers are mostly used for storing stuff, and most of that stuff
is in databases…
1.4.1 DBMS
DataBase
Management System
What is a Database?
Structured collection of data, stored for use by one or more
applications
Contains relationships between data items and groups of data
items
Often contains sensitive data that needs to be secured
Query language provides a uniform interface to the database
Database management system (DBMS)
Suite of programs for constructing and maintaining the database
Offers ad-hoc query facilities to multiple users and
applications
16-Databases/f1-crop.png
1.4.2 Relational Databases
Table of data consisting of rows and columns
Each column holds a particular type of data
Each row contains a specific value for each column
Ideally, database has one column where all values are unique,
forming an identifier/key for each row.
This enables the creation of multiple tables linked together by a
unique identifier that is present in all tables
Use a relational query language to access the database
Allows the user to request data that fit a given set of
criteria
Multi-table database with unifying primary key:
Relational Database Elements
Primary key
Uniquely identifies a row
Consists of one or more column names
Foreign key
Links attributes in one table to attributes in another
View/virtual table
Result of a query that returns selected rows and columns from one or
more tables
One of the most prevalent network-based security threats
Designed to exploit the nature of Web application pages and back-end
databases
Sends malicious SQL commands to the database server
Most common attack goal is bulk extraction of data
Depending on the environment, SQL injection can also be exploited
to:
Modify or delete data
Execute arbitrary operating system commands
Launch denial-of-service (DoS) attacks
SQLi overview
1.5.1 Injection technique
The SQLi attack typically works by prematurely terminating a
text string and appending a new command.
Because the inserted command may have additional strings appended to
it before it is executed, the attacker terminates the injected string
with a SQL comment mark, the double-dash: “--”
Subsequent text is ignored at execution time
; terminates/separates commands
1.5.1.1 Example
As a simple example, consider a script that build an SQL query by
combining predefined strings with text entered by a user:
var Shipcity;
ShipCity = Request.form ("ShipCity");
var sql = "select * from OrdersTable
where ShipCity = ' " +
ShipCity + " ' ";
The intention of the above script’s designer is that a user will
enter the name of a city.
Example usage
When the script is executed, the user is prompted to enter a city, and
if the user enters Boston, then the following SQL query is
generated: 'SELECT * FROM OrdersTable WHERE ShipCity = 'Boston’
Example attack
Suppose, however, the user enters the following: 'Boston'; DROP table OrdersTable--’
This results in the following SQL query: 'SELECT * FROM OrdersTable WHERE ShipCity = 'Boston'; DROP table OrdersTable--’
The semicolon is an indicator that separates two
commands
The double dash is an indicator that the remaining text of
the current line is a comment and not to be executed
SQLi Attack Avenues
User input:
Attackers inject SQL commands by providing suitable crafted user
input
Server variables:
Attackers can forge the values that are placed in HTTP and network
headers and exploit this vulnerability by placing data directly into the
headers
Second-order injection:
A malicious user could rely on data already present in the system or
database to trigger an SQL injection attack, so when the attack occurs,
the input that modifies the query to cause an attack does not come from
the user, but from within the system itself
Cookies:
An attacker could alter cookies such that when the application
server builds an SQL query based on the cookie’s content, the structure
and function of the query is modified
Physical user input:
Applying user input that constructs an attack outside the realm of
web requests
1.5.2 Attack Types
In-band
Inferential
Out-of-band
1.5.2.1 In-band Attacks
Uses the same communication channel for injecting SQL code and
retrieving results
The retrieved data are presented directly in application Web page
Include:
Tautology:
This form of attack injects code in one or more conditional
statements so that they always evaluate to true
End-of-line comment:
After injecting code into a particular field, legitimate code that
follows are nullified through usage of end of line comments
Piggybacked queries:
The attacker adds additional queries beyond the intended query,
piggy-backing the attack on top of a legitimate request
1.5.2.2 Tautology Example
Consider the following script, whose intent is to require the
user to enter a valid name and password: '$query = "SELECT info FROM user WHERE name = '$ GET ["name"] 'AND pwd = '$ GET ["pwd"]'";
Suppose the attacker submits ” 'OR \ 1=1--” for the
name field. The resulting query would look like this: SELECT info FROM users WHERE name = ' ' OR 1 = 1 --AND pwd =’
’
The injected code disables the password check (due to the comment
indicator “--”) and turns the entire WHERE clause into a
tautology
The database uses the conditional as the basis for evaluating
each row and deciding which ones to return
The conditional is a tautology, the query evaluates to true for
each row in the table and returns all
1.5.2.3 Inferential Attack
There is no actual transfer of data, but the attacker is able to
reconstruct the information by sending particular requests and observing
the resulting behavior of the Website/database server
Illegal/logically incorrect queries
This attack lets an attacker gather important information about the
type and structure of the back-end database of a Web application
The attack is considered a preliminary, information-gathering step
for other attacks
Blind SQL injection
Allows attackers to infer the data present in a database system even
when the system is sufficiently secure to not display any erroneous
information back to the attacker
1.5.2.4 Out-of-Band Attack
Data are retrieved using a different channel
This can be used when there are limitations on information
retrieval, but outbound connectivity from the database server is
lax
1.5.3 SQLi Countermeasures
Defensive coding (sanitize inputs!)
Detection
Run-time prevention
1.5.3.1 Defensive Coding
Manual defensive coding practices:
a common vulnerability exploited by SQLi attacks is
insufficient input validation
One solution is to apply defensive coding practices
Input type checking: e.g., to check that inputs
that match the expected types and formats
Performs pattern matching to try to distinguish normal input from
abnormal input
Parameterized query insertion:
Allowing developers to more accurately specify the structure of an
SQL query
Passing the parameters separately such that any unsanitary user
input is not allowed to modify the query structure
SQL DOM:
A set of classes that enables automated data type validation and
escaping
This approach uses encapsulation of database queries to provide a
safe and reliable way to access databases
1.5.3.2 Detection
Signature based
This technique attempts to match specific attack patterns
Must be constantly updated and may not work against self- modifying
attacks
Anomaly based
Define normal behavior and then detect behavior patterns outside the
normal range
There is a training phase, in which the system learns the range of
normal behavior, followed by the actual detection
Code analysis
Using a test suite to detect SQLi vulnerabilities
The test suite is designed to generate a wide range of SQLi attacks
and assess the response of the system
1.5.3.3 Run-time Prevention
Check queries at run-time to see if they conform to a model of
expected queries
Various automated tools are available for this purpose
1.6 Database Access Control
Database access control system determines:
If the user has access to the entire database or just portions of
it
What access rights the user has (create, insert, delete, update,
read, write)
Can support a range of administrative policies
Centralized administration:
Small number of privileged users may grant and revoke access
rights
Ownership-based administration:
The creator of a table may grant and revoke access rights to the
table
Decentralized administration:
The owner of the table may grant and revoke authorization rights to
other users, allowing them to grant and revoke access rights to the
table
1.6.1 SQL Access Controls
Two commands for managing access rights:
Grant: Used to grant one or more access rights or
can be used to assign a user to a role
Revoke: Revokes the access rights
Typical access rights are:
Select
Insert
Update
Delete
References
The grant command
GRANT
{privileges | role}
[ON
table]
TO
{user | role | PUBLIC}
[IDENTIFIED BY
password]
[WITH
GRANT OPTION]
Example:
GRANT SELECT ON ANY TABLE TO rifclair
REVOKE
{privileges | role}
[ON
table]
FROM
{user | role | PUBLIC}
REVOKE SELECT ON ANY TABLE FROM ricflair
Cascading Authorizations
The grant option enables an access right to cascade through a number
of users
The revocation of privileges also cascaded
Privilege Revocation
1.7 Role-Based Access Control
(RBAC)
Role-based access control eases administrative burden and improves
security
A database RBAC needs to provide the following capabilities:
Create and delete roles
Define permissions for a role
Assign and cancel assignment of users to roles
1.7.1 Categories of Database
Users
Application owner:
An end user who owns database objects as part of an application
End user:
An end user who operates on database objects via a particular
application but does not own any of the database objects
Administrator:
User who has administrative responsibility for part or all of the
database
Microsoft SQL Server Roles
1.8 Inference Attacks
1.8.1 Attack Method
What is an Inference Attack?
The process of performing authorized queries and deducing
unauthorized information from the legitimate responses received
The inference problem arises when the combination of a number of
data items is more sensitive than the individual items, or when a
combination of data items can be used to infer data of a higher
sensitivity
Inference Attacks
Example of an Inference Attack on (Salary-Name)
1.8.2 Inference Detection
Inference detection during database design
Approach removes an inference channel by altering the database
structure or by changing the access control regime to prevent
inference
Techniques in this category often result in unnecessarily stricter
access controls that reduce availability
Inference detection at query time
Approach seeks to eliminate an inference channel violation during a
query or series of queries
If an inference channel is detected, the query is denied or
altered
Some inference detection algorithm is needed for either of these
approaches
Progress has been made in devising specific inference detection
techniques for multilevel secure databases and statistical
databases
+++++++++++++++++++
Cahoot-16.1
1.9 Database Encryption
1.9.1 Remote Encryption
Database Encryption
The database is typically the most valuable information resource
for any organization
Protected by multiple layers of security
Firewalls, authentication, general access control systems, DB
access control systems, database encryption
Encryption becomes the last line of defense in database
security
Can be applied to the entire database, at the record level, the
attribute level, or level of the individual field
Disadvantages to encryption:
Key management:
Authorized users must have access to the decryption key for the data
for which they have access
Inflexibility:
When part or all of the database is encrypted it becomes more
difficult to perform record searching
How to Process Encrypted Query
The user issues an SQL query for fields from one or more records
with a specific value of the primary key
The query processor at the client encrypts the primary key, modifies
the SQL query accordingly, and transmits the query to the server
The server processes the query using the encrypted value of the
primary key and returns the appropriate record or records
The query processor decrypts the data and returns the results
Database Encryption: Decrypt only Locally
Encrypted Query, where database is stored in encrypted form, and thus
queries are made for ciphertext itself, as far as the database is
concerned.
SELECT Ename, Eid, Ephone
FROM Employee
WHERE Did = 15
SELECT Ename, Eid, Ephone
FROM Employee
WHERE Did = 1000110111001110
1.9.2 Indexing on Encrypted
Data
Indexing can improve usability for encryption
However, it can provide information for inference attacks
