
Anatomy of a Database Attack

Amichai Shulman, CTO, Imperva Inc.

Database Security

Agenda
Drivers

Methods
  Basic Tools
  Obtaining Credentials
  Privilege Abuse
  Privilege Elevation
  Audit Evasion

Prevention
  Query Access Control Lists (ACL)
  Connection Control
  Database IPS
  Independent Audit

DSG: Database Security Gateway

Database Attacks
Motivation

The Perfect Criminal Setup


Databases are the core of an organization's operations
  Disclose the organization's confidential information
  Disclose clients' confidential information
  Disrupt operations

Means
  VERY simple and accessible tools
  Some more sophisticated tools are gaining traction

Opportunity
  Thick clients
  Loose internal network security
  Ill-written applications

Database Attacks

The 5 Step Program


1. Getting the tools
2. Making initial contact
3. Privilege abuse
4. Privilege elevation
5. Covering the tracks

Database Attacks

Basic Tools

The Problem:
  Most internal users are not hackers
  Some organizations have strict controls over local software installation

The Solution:
  Common software packages provide a DB front end
    E.g. Microsoft Excel, part of any Office deployment

  DB client software
    E.g. SQL Query Analyzer, default with MS-SQL
    E.g. Oracle SQL*Plus, default with Oracle
    Similar clients for other database vendors

Database Attacks

Making Initial Contact


Network access
  Lax internal network access controls
  Thick-client applications

Obtain valid credentials


  Brute Force Attacks / Exhaustive Search
  Thick Clients
    Code contains user name and password
    Registry contains user name and password
  Default Accounts and Passwords
  Social Engineering

Obtaining Credentials

Brute Force / Exhaustive Search


Basic assumptions:
  User names are 6 characters long.
  Passwords are 6 characters long.
  Character space size is approx. 128 = 2^7 options (all ASCII)
  Total username / password combinations: (2^7)^12 = 2^84
  Given a scan speed of 1000 hits/sec.
  Server is practically dedicated to being attacked

Time required:
  ~2^74 seconds, ~2^62 hours, ~2^58 days
  100,000,000,000,000,000,000 years.

Obtaining Credentials

Brute Force / Exhaustive Search Cont'd


Basic assumptions:
  User names are 6 characters long.
  Passwords are 6 characters long.
  Character space size is approx. 128 = 2^7 options (all ASCII)
  Total username / password combinations: (2^7)^12 = 2^84
  Given a scan speed of 1000 hits/sec.
  Server is practically dedicated to being attacked

Time required:
  ~2^74 seconds, ~2^62 hours, ~2^58 days
  100,000,000,000,000,000,000 years.

This is False Comfort!
Methods exist to dramatically cut the time to success.

Obtaining Credentials

Brute Force / Exhaustive Search


Splitting the attack into stages:
  Stage 1: Get the username.
  Stage 2: Get the password accordingly.
Cuts the number of combinations down to 2^43
How? Look under the hood

Obtaining Credentials

Brute Force / Exhaustive Search


Login exchange between the Program, the Client driver and the Server:
  Program: Invoke login API call
  Client driver: Generate authentication message with user name
  Server: Respond with password challenge
  Client driver: Generate response message with password
  Server: Respond with rejection
  Client driver: Generate "ORA-01017: invalid username/password; logon denied" message
  Program: Handle authentication failure

Bad Password

Obtaining Credentials

Brute Force / Exhaustive Search


Login exchange between the Program, the Client driver and the Server:
  Program: Invoke login API call
  Client driver: Generate authentication message with user name
  Server: Respond with rejection (no password challenge is issued)
  Client driver: Generate "ORA-01017: invalid username/password; logon denied" message
  Program: Handle authentication failure

Bad Username

Obtaining Credentials

Brute Force / Exhaustive Search


Password rules
User: John
Password:
  johnjohn
  nhoj
  john1234
  Smith (who happens to be John's last name)
  Doe (same)

Users need passwords they can remember
Otherwise they write them on Post-it notes under their keyboard
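The password rules above, turned into a control: an Oracle password verify function, added here as an example (not from the presentation) that rejects passwords built from the user name (johnjohn, nhoj, john1234) or the user's last name (Smith). The lookup table hr_user_names(user_name, last_name), the profile name and the user john are assumptions; Oracle requires the function itself to be created in the SYS schema.

```sql
-- Added example, not from the presentation. Oracle PL/SQL password verify
-- function in the shape Oracle's PASSWORD_VERIFY_FUNCTION expects.
-- hr_user_names(user_name, last_name) is an assumed table.
CREATE OR REPLACE FUNCTION verify_not_name_derived (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2)
RETURN BOOLEAN
AS
  v_user VARCHAR2(128) := LOWER(username);
  v_core VARCHAR2(128) := REGEXP_REPLACE(LOWER(password), '[0-9]', '');  -- john1234 -> john
  v_rev  VARCHAR2(128);                                                 -- john -> nhoj
  v_last VARCHAR2(128);
BEGIN
  FOR i IN REVERSE 1 .. LENGTH(v_user) LOOP
    v_rev := v_rev || SUBSTR(v_user, i, 1);
  END LOOP;

  -- john, johnjohn, john1234, nhoj: anything built from the user name itself
  IF v_core IN (v_user, v_user || v_user, v_rev) THEN
    raise_application_error(-20001, 'Password is derived from the user name');
  END IF;

  -- Smith / Doe: the user's own last name, if the lookup table knows it
  BEGIN
    SELECT LOWER(last_name) INTO v_last
      FROM hr_user_names
     WHERE LOWER(user_name) = v_user;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN v_last := NULL;   -- comparison below is then false
  END;
  IF v_core = v_last THEN
    raise_application_error(-20002, 'Password is the user''s last name');
  END IF;

  RETURN TRUE;
END verify_not_name_derived;
/

-- Attach the check to a profile so every password change is screened,
-- and cap failed logins for the same accounts while at it.
CREATE PROFILE name_aware_profile LIMIT
  PASSWORD_VERIFY_FUNCTION verify_not_name_derived
  FAILED_LOGIN_ATTEMPTS    5;
ALTER USER john PROFILE name_aware_profile;
```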

Obtaining Credentials

Default Accounts & Passwords


Dozens of default accounts for each database vendor
  Some are privileged
  Most have default passwords
  Lists on the Internet
E.g. ctxsys
  Installed by default
  DBA privileges
  Has full admin capabilities

Database Attacks
Definition

Privilege Abuse
  User has privileges to access the database for a specific purpose
  Abuses access privileges to retrieve data in an uncontrolled manner

Example - Thick Client Problems


  Order processing application must access credit card information
  Application with access control must access authentication / authorization information

Hard to Protect
  Granular and accurate column-level and row-level access control
  Tight integration between DBA, programmer and Security Officer during the life cycle of an application

Database Attacks

Privilege Elevation - Buffer Overflow


Built-in Functions
  E.g. pwdencrypt(): encrypts input text
  Access cannot be restricted, available to any user
  Implementation is susceptible to buffer overflow
  pwdencrypt crashes the system when its buffer overflows
  Only requires connect privileges
  Approx. 10 vulnerabilities in recent years

SQL Statements
  Some cannot be restricted
  Implementation is susceptible to buffer overflow
  Alter session set time_zone = <long string>
  Create database link
  Approx. 10 vulnerabilities in recent years

Database Attacks

Privilege Elevation - Buffer Overflow


Built-in Stored Procedures and Functions
  Can be restricted, but some are publicly accessible by default
  Implemented using external libraries (rather than SQL)
  Susceptible to buffer overflow
  E.g. xp_sprintf, ctx_output.start_log
  Tens of vulnerabilities in recent years

Database Attacks

Privilege Elevation - SQL Injection


Database Stored Procedures
  Executed in the security context of their owner (by default)
  If created by the DBA, then the user running it has DBA permissions
  Useful for restricted access to privileged functions

Some Susceptible to SQL Injection
  Pass an SQL statement as a parameter to the stored procedure
    E.g. grant dba to scott
  Executes the SQL statement in the context of the owner
    e.g. SYS
  Susceptible system stored procedures are publicly available
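The stored-procedure problem above in Oracle PL/SQL, as an added example that is not from the presentation: a definer's-rights procedure that splices a caller-supplied parameter into dynamic SQL, next to a hardened version, followed by a dictionary query that lists the remaining procedures of this kind. report_owner, run_report, p_table and report_reader_role are assumed names.

```sql
-- Added example, not from the presentation. Oracle PL/SQL; names are assumed.

-- Vulnerable form: definer's rights (the default) means the procedure runs
-- with its owner's privileges, and the parameter is pasted straight into the
-- statement, so any SQL the caller smuggles in runs as the owner.
CREATE OR REPLACE PROCEDURE report_owner.run_report (p_table IN VARCHAR2) AS
  v_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || p_table INTO v_count;
  DBMS_OUTPUT.PUT_LINE(p_table || ': ' || v_count);
END;
/
GRANT EXECUTE ON report_owner.run_report TO PUBLIC;   -- the other half of the problem

-- Hardened form: invoker's rights, so the caller keeps only its own
-- privileges; DBMS_ASSERT.SQL_OBJECT_NAME raises ORA-44002 unless p_table is
-- the name of an existing object, before any dynamic SQL is built; EXECUTE
-- goes to one role instead of PUBLIC.
CREATE OR REPLACE PROCEDURE report_owner.run_report (p_table IN VARCHAR2)
  AUTHID CURRENT_USER
AS
  v_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
    INTO v_count;
  DBMS_OUTPUT.PUT_LINE(p_table || ': ' || v_count);
END;
/
REVOKE EXECUTE ON report_owner.run_report FROM PUBLIC;
GRANT EXECUTE ON report_owner.run_report TO report_reader_role;

-- Inventory: definer's-rights subprograms that anyone on the database can call.
-- Each one is a candidate for the same review (parameter handling, grantee).
SELECT DISTINCT p.owner, p.object_name, p.object_type
  FROM dba_procedures p
  JOIN dba_tab_privs  t
    ON t.owner = p.owner AND t.table_name = p.object_name
 WHERE t.grantee   = 'PUBLIC'
   AND t.privilege = 'EXECUTE'
   AND p.authid    = 'DEFINER'
   AND p.object_type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE')
 ORDER BY p.owner, p.object_name;
```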

Database Attacks

Privilege Elevation - Network Protocol Attacks


Proprietary network protocols to communicate between clients and server
  Complex
  Obscure, (almost) no public documentation
  Backwards compatibility

Allow for different types of attacks
  Circumventing authentication
  DoS
  Buffer overflow

Attacker only needs network access to the server
Little research on the subject (mainly login messages)

Database Attacks

Audit Evasion

Many databases are not audited, so audit evasion is not an issue
Often only security failures are audited
  Most of the previously mentioned attacks will not be audited

Attacker can tamper with the audit if they have elevated privileges
  Attacker that gains elevated privileges
  DBA or other legitimate user with elevated privileges

Some vulnerabilities in the auditing mechanism

Database Security

Assessment, Audit, and Protection


Database Security Assessment
  Profile usage
  Identify vulnerabilities

[Diagram: Internal Users -> Data Center (Proprietary Data)]

Audit
  Log database activities (incl. DBA)

Protection
  Alert on attacks and policy violations
  Block on attacks and policy violations
  Stops platform attacks

Database Attacks

Database Protection
  Query Access Control Lists (ACL)
  Connection Control
    Time of Day
    Client application restrictions
    Failed logins
  Database IPS
  Independent Audit

Database Protection

Query Access Control Lists (ACLs)


Models Database Usage Structure
  Profile queries and business activities
  Profile privileged operations usage
  Profile access to system objects

Monitor and Protect Based on Usage Dynamics
  Verifies real-time usage vs. policy
  Alert on deviations from policy

Learns as Usage Expands or Changes
  Notifies Administrators as changes occur

Database Protection

Query Access Control Lists (ACLs)


Profile Usage per User
  Automated User Security Policy
    Business Activities
    Queries
    Stored Procedures
    Privileged Operations
    System Objects

Database Protection

Query Access Control Lists (ACLs)

Real-Time Verification of Usage
  Alert on Policy Violation
    Business Activities
    Queries
    Stored Procedures
    Privileged Operations
    System Objects

Database Protection

Connection Control - Time of Day


Suspicious usage pattern
  Misuse of credentials
  Credentials theft

Database Protection

Connection Control - Time of Day - Cont'd

Alert on Policy Violation

Database Protection - Connection Control

Client Application Restrictions

Misuse of thick-client login and passwords
Alert on use of other applications (e.g. free query tool)

Database Protection - Connection Control

Client Application Restrictions - Cont'd

Alert on Policy Violation (Option to block in real time)
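The three connection-control checks above (failed logins, time of day, client application), written as queries over a session audit log, as an added example that is not part of the presentation or of SecureSphere. The session_audit table, its rows, the hosts, the account ORDERS and the thick client orderapp.exe are all constructed for this example. The first query is the audit-side trace of the cheap "bad username" exchange shown earlier: many distinct user names rejected from one client in a short window.

```sql
-- Added example, not from the presentation. Oracle SQL; everything here is
-- constructed: the table stands in for a gateway's audit log.
CREATE TABLE session_audit (
  ts             TIMESTAMP,
  client_host    VARCHAR2(64),
  client_program VARCHAR2(64),
  username       VARCHAR2(30),
  outcome        VARCHAR2(16)   -- 'OK' or the error returned, e.g. 'ORA-01017'
);
INSERT INTO session_audit VALUES (TIMESTAMP '2006-01-24 09:05:00', 'ws-041', 'orderapp.exe', 'ORDERS', 'OK');
INSERT INTO session_audit VALUES (TIMESTAMP '2006-01-24 09:06:10', 'ws-041', 'orderapp.exe', 'ORDERS', 'OK');
INSERT INTO session_audit VALUES (TIMESTAMP '2006-01-24 23:40:00', 'ws-017', 'sqlplus.exe',  'ORDERS', 'OK');
INSERT INTO session_audit VALUES (TIMESTAMP '2006-01-24 23:41:05', 'ws-017', 'sqlplus.exe',  'JSMITH', 'ORA-01017');
INSERT INTO session_audit VALUES (TIMESTAMP '2006-01-24 23:41:06', 'ws-017', 'sqlplus.exe',  'JDOE',   'ORA-01017');
INSERT INTO session_audit VALUES (TIMESTAMP '2006-01-24 23:41:07', 'ws-017', 'sqlplus.exe',  'MBROWN', 'ORA-01017');
INSERT INTO session_audit VALUES (TIMESTAMP '2006-01-24 23:41:08', 'ws-017', 'sqlplus.exe',  'ALEE',   'ORA-01017');
INSERT INTO session_audit VALUES (TIMESTAMP '2006-01-24 23:41:09', 'ws-017', 'sqlplus.exe',  'CTXSYS', 'ORA-01017');

-- 1. Failed logins: one client cycling through many user names in a short
--    window. The threshold (3 names in 5 minutes) is policy, not a constant.
SELECT client_host, COUNT(*) AS failures, COUNT(DISTINCT username) AS names_tried
  FROM session_audit
 WHERE outcome <> 'OK'
   AND ts >= (SELECT MAX(ts) FROM session_audit) - INTERVAL '5' MINUTE
 GROUP BY client_host
HAVING COUNT(DISTINCT username) >= 3;                  -- ws-017: 5 failures, 5 names

-- 2. Time of day: ORDERS is profiled as an 08:00-18:00 account, so a
--    successful login at 23:40 is the "credentials theft" pattern.
SELECT ts, client_host, client_program
  FROM session_audit
 WHERE outcome = 'OK' AND username = 'ORDERS'
   AND TO_CHAR(ts, 'HH24') NOT BETWEEN '08' AND '17';  -- ws-017 at 23:40

-- 3. Client application: ORDERS is only ever used by the thick client, so
--    the same credentials arriving from a free query tool are a violation.
SELECT ts, client_host, client_program
  FROM session_audit
 WHERE outcome = 'OK' AND username = 'ORDERS'
   AND LOWER(client_program) <> 'orderapp.exe';        -- sqlplus.exe from ws-017
```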

Database Protection

Database IPS

Known Vulnerabilities
  Detect attempts to exploit known vulnerabilities
  Use a frequently updated signature database
  Must target platform vulnerabilities

Protocol Validation
  No RFC
  Rules are set based on protocol semantics and behavior of common clients

Database Protection

Independent Audit
Database Security Gateway
  Audit outside the database server
  No effect on the database
    No effect on performance
    No effect on stability

[Diagram: Internal Users -> SecureSphere Database Security Gateways -> Data Center (Proprietary Data and Critical Servers); SecureSphere Management Server]

Segregation of duties
  Audit trail cannot be tampered with by a privileged database user

Resilience
  Not affected by database vulnerabilities

Database Protection

Database Security Gateway


Following the January 2006 publication of Oracle's CPU, Gartner analyst Rich Mogull said administrators should:
  Immediately shield these systems as well as possible, using firewalls, intrusion prevention systems and other technologies.
  Apply available patches as rapidly as possible.
  Use alternative security tools, such as activity-monitoring technologies, to detect unusual activity.
  Pressure Oracle to change its security management practices.

Source: Gartner quoted in CNet News.com, January 24, 2006

Database Protection
Assessment

Database Security Gateway


Models Database Usage
  Dynamic Profiling learns from traffic
  Automatically generates security policy
  Supports manual adjustments to policy
  Identifies Usage Vulnerabilities

[Diagram: Internal Users -> SecureSphere Database Security Gateways -> Data Center (Proprietary Data and Critical Servers); SecureSphere Management Server]

Audit
  Logs all activity (incl. DBA)
  Identifies activities that matter in real time

Protection
  Alerts on (blocks) attacks and policy violations
  Stops platform attacks
    Database server software
    Operating system

Thank You
Imperva, Inc.
3400 Bridge Parkway, Suite 101, Redwood Shores CA 94065
Sales: +1-866-926-4678
www.imperva.com
