cs 61 database systems
play

CS 61: Database Systems Security With great power comes great - PowerPoint PPT Presentation

Dec 10, 2022 •243 likes •542 views

CS 61: Database Systems Security With great power comes great responsibility OR William Lamb, 2nd Spider Mans Viscount Melbourne uncle Ben 2 Source: Wikipedia Agenda 1. MySQL permissions 2. Demo: SQL injection attacks 3.

  1. CS 61: Database Systems Security

  2. With great power comes great responsibility… OR William Lamb, 2nd Spider Man’s Viscount Melbourne uncle Ben 2 Source: Wikipedia

  3. Agenda 1. MySQL permissions 2. Demo: SQL injection attacks 3. Password storage/salt and pepper 4. Password cracking 3

  4. Show user permissions on sunapee 1. Connect to Sunapee 2. Click on Administration (upper left) 3. Click on Users and Privileges 4. Find cs61sp20 • Show permissions grants • Show how to grant permission on a schema 4

  5. Can assign rights to users individually or by role Security authorization Can assign Can create rights to roles, assign individual rights to roles, users then assign users to roles Benefits: Improved operational efficiency – new hires automatically get the rights they need • Increased security – people do not get more rights that would typically need • Increased visibility – easy to see what rights roles have • RBAC: Good idea in principle but has never worked for me! There is no generic person, each person has different responsibilities within dept • People get temporary assignments with other departments, need different rights • (creates a hybrid role) Assignment ends, but rights never changed (even if you set a calendar reminder • and ask them if they still need the rights, they never say no!) 5 Adapted from: https://www.mysqltutorial.org/mysql-roles/

  6. Agenda 1. MySQL permissions 2. Demo: SQL injection attacks 3. Password storage/salt and pepper 4. Password cracking 6

  7. Do not trust user input 7

  8. Consider the following Python code making a SQL call for restaurant details What is wrong with this Python code? Hint: CONCAT is ok, it combines attributes together restaurant = “nobu” #user input from textbox, Nobu is a restaurant cursor = cnx.cursor() query = (" SELECT RestaurantName AS `Restaurant Name`," +" CONCAT ( TRIM (Building),' ', TRIM (Street)) AS Address, " + "Boro " +" FROM Restaurants " +" WHERE RestaurantName LIKE '%" + restaurant +"%’) " +" LIMIT 20" Using Python as example cursor.execute(query) rather than web API so I don’t leave vulnerable API running return cursor Nothing is wrong with this query, provided 8 we can trust the value in restaurant

  9. Adding user input directly into command is a recipe for trouble! What is wrong with this Python code? Hint: CONCAT is ok, it combines attributes together What if the user restaurant = “nobu% ' UNION SELECT 1,2,3 -- ” enters this instead? cursor = cnx.cursor() query = (" SELECT RestaurantName AS `Restaurant Name`," +" CONCAT ( TRIM (Building),' ', TRIM (Street)) AS Address, " + "Boro " +" FROM Restaurants " +" WHERE RestaurantName LIKE '%" + restaurant +"%’) +" LIMIT 20" UNION adds rows from the following SELECT cursor.execute(query) (number of attributes must match in each query) return cursor LIMIT is commented out as a result of user input Query is now: … WHERE RestaurantName LIKE '%nobu%' UNION SELECT 1,2,3 -- LIMIT 20 9

  10. sql_injection.py demonstrates injection vulnerabilities # test if user entry is vulnerable to injection, should see extra row with 1,2,3 if so nobu%' UNION SELECT 1,2,3 -- #find out what schemas are on this database installation nobu%' UNION SELECT schema_name, null, null from information_schema.schemata -- #find tables in a schema nobu%' UNION SELECT table_name, table_schema, null from information_schema.tables where table_schema = 'nyc_inspections' -- #find all non-system tables on database nobu%' UNION (SELECT table_name, table_schema, null from information_schema.tables where table_schema not like '%schema%' and table_schema not like '%mysql%' and table_schema <> 'sys') -- #find attributes for restaurants table in nyc_inspections schema nobu%' UNION (SELECT `column_name`, data_type, character_maximum_length from information_schema.`columns` where table_schema = 'nyc_inspections' and table_name = 'Restaurants') -- 10

  11. Most sites have a Users table, let’s steal all the username and passwords #I’ve created a User’s table in nyc_data # let’s steal the username and passwords of all users! nobu%' UNION SELECT UserName, UserPassword, null from nyc_data.Users -- You’ve been pwned! 11

  12. Do not store passwords in plain text! 12

  13. Use prepared statement to avoid user input as part of SQL command Vulnerable Prepared statement restaurant = “nobu” restaurant = “nobu” cursor = cnx.cursor() cursor = cnx.cursor() query = ("SELECT RestaurantName, " query = ("SELECT RestaurantName, " +"Building, " +"Building, ", + "Boro " +"Boro, " +"FROM Restaurants " +"FROM Restaurants " +"WHERE RestaurantName LIKE" +"WHERE RestaurantName LIKE” +"'%" + restaurant +"%’) " +" %s ” +"LIMIT 20”) +"LIMIT 20") cursor.execute(query) cursor.execute(query, ('%'+restaurant+'%’,)) return cursor return cursor User input is included in Prepared statement adds user the SQL query string input as a parameter after Can be abused! command is compiled • 13

  14. Prepared statements add data after compiling, optimizing, and caching High-level overview of SQL execution process UPDATE Users SET UserName = ? AND Password = ? Parse/Compile/ Replace Cache Execute Optimize placeholders Parse Cache Replace placeholders Execute Check syntax Store optimized Prepared statement Query is executed • • • • Check table and query plan in are not complete Data is returned • • columns exist cache statements Malicious data is • If command Have placeholders stored in table, not • • Compile submitted for some values executed Convert query • again, skip prior But, format of • to machine steps (already command is set now code done) Placeholders filled • Optimize with literal values Choose optimal • Place holder data • execution plan doesn’t change command format 14 Adapted from: http://javabypatel.blogspot.com/2015/09/how-prepared-statement-in-java-prevents-sql-injection.html

  15. Even if you use prepared statements, be wary of data in your database! Second-order attack: User enters data with SQL embedded Prepared statement does not run this code, data is stored in table Can’t trust data in database either! Later someone runs a command where user = ‘badguy’ Command executes; here resets admin password 15 Source: https://portswigger.net/web-security/sql-injection

  16. Now we know why the comic on the course web site is funny! 16 Source: https://xkcd.com/327/

  17. Practice Assume a log in form issues the following SQL behind the scenes where user input is used directly in the SQL: SELECT * FROM Users WHERE UserName = ‘username’ AND Password = ‘password’ The site then logs you in if one row is returned by the query What could you enter in the username or password fields to log in as Enter: administrator’ -- ‘administrator’ even if you do not know Command now: the password? SELECT * FROM Users WHERE UserName = ‘administrator’-- 17 AND Password = ‘password’

  18. Agenda 1. MySQL permissions 2. Demo: SQL injection attacks 3. Password storage/salt and pepper 4. Password cracking 18

  19. Review: hashing takes plain text and outputs a fixed-length digest Fixed length Plain text Hash digest of password function password Input: Output: “my secret password” a7303f3eee5f3ff1942bfbb1797ea0af Hash function is a mathematical one-way trap door Cannot find plain text in “reasonable” amount • of time given only the hash digest Or can we? • 19

  20. DO NOT store user passwords in plain text! Do not store passwords in plain text Note: same If adversary steals Hash password passwords, cannot Password read plain-text results in password same hash Instead store hash of password 20

  21. On log in: hash plain text password and compare with database Username: “testuser” Password: “password” Hash user’s plain text password and look for match in database Hash Password Because hash function is deterministic, same password will always result in same digest Hashed password: 5f4dcc3b5aa765d61d8327deb882cf99 Hashes match for testuser User submitted valid password 21

  22. Dictionary attack: try all words in a dictionary looking for a match Username: “testuser” Password: “aardvark” Password: “password” Password: “alice” Password: “anteater” … Assume Hash Password: “password” Change your adversary Password password if in steals Dictionary attack: dictionary! hashed Hash all words in a dictionary, if passwords word hash matches database hash, Hashed password: password is “cracked” 5f4dcc3b5aa765d61d8327deb882cf99 Will not crack if user’s password not in dictionary Crack one, crack all with 22 same password

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Overview of Database Systems CS3860 - Jay Urbain, PhD Introduction to Database Systems 1 2 UFR

Overview of Database Systems CS3860 - Jay Urbain, PhD Introduction to Database Systems 1 2 UFR

Overview of Database Systems CS3860 - Jay Urbain, PhD Introduction to Database Systems 1 2 UFR Uniform Financial Report (I think) What is a database? 3 What is a database? Collection of data Files, notes, to do list, patient records,

1.13k views • 26 slides
DATABASE SYSTEMS Database programming in a web environment Database System Course AGENDA FOR

DATABASE SYSTEMS Database programming in a web environment Database System Course AGENDA FOR

DATABASE SYSTEMS Database programming in a web environment Database System Course AGENDA FOR TODAY The final project Advanced Mysql Database programming Recap: DB servers in the web Web programming architecture HTTP on a need-to-know basis.

688 views • 54 slides
Database Systems Database Systems 1 Creating a Database System Design Construction

Database Systems Database Systems 1 Creating a Database System Design Construction

Database Systems Database Systems 1 Creating a Database System Design Construction Application Usage 2 Step 0 Analyze Analyze the domain Learn what things the system is intended to handle. Learn what the constraints of

906 views • 63 slides
Lect ure # 11 ADVANCED DATABASE SYSTEMS System Catalogs and Database Compression @

Lect ure # 11 ADVANCED DATABASE SYSTEMS System Catalogs and Database Compression @

Lect ure # 11 ADVANCED DATABASE SYSTEMS System Catalogs and Database Compression @ Andy_Pavlo // 15- 721 // Spring 2018 DATABASE TALK Oracle In-Memory Database Engine Monday February 26 th @ 4:30pm GHC 4401

709 views • 60 slides
DATABASE SYSTEMS Database programming in a web environment Database System Course, 2016-2017

DATABASE SYSTEMS Database programming in a web environment Database System Course, 2016-2017

DATABASE SYSTEMS Database programming in a web environment Database System Course, 2016-2017 AGENDA FOR TODAY The final project Advanced Mysql Database programming Recap: DB servers in the web Web programming architecture HTTP on a

845 views • 53 slides
Lect ure # 01 ADVANCED DATABASE SYSTEMS Course Introduction &amp; History of Database Systems

Lect ure # 01 ADVANCED DATABASE SYSTEMS Course Introduction &amp; History of Database Systems

Lect ure # 01 ADVANCED DATABASE SYSTEMS Course Introduction &amp; History of Database Systems @ Andy_Pavlo // 15- 721 // Spring 2018 2 WH Y YO U SH O ULD TAKE TH I S CO URSE DBMS developers are in demand and there are many challenging

912 views • 66 slides
Introduction to Database Systems Database Systems Lecture 1 Natasha Alechina www.cs.nott.ac.uk/

Introduction to Database Systems Database Systems Lecture 1 Natasha Alechina www.cs.nott.ac.uk/

Introduction to Database Systems Database Systems Lecture 1 Natasha Alechina www.cs.nott.ac.uk/ ~ nza/ G51DBS In this Lecture Course Information Databases and Database Systems Some History The Relational Model

696 views • 24 slides
Database Management Limitations of Relational Database Designs Systems Provides a set of

Database Management Limitations of Relational Database Designs Systems Provides a set of

Lecture 2 Database Management Limitations of Relational Database Designs Systems Provides a set of guidelines, does not result in a unique database schema Winter 2004 Does not provide a way of evaluating alternative schemas CMPUT

387 views • 17 slides
DATABASE SYSTEMS The very basics of Web programming Database Systems Course BEFORE WE START

DATABASE SYSTEMS The very basics of Web programming Database Systems Course BEFORE WE START

DATABASE SYSTEMS The very basics of Web programming Database Systems Course BEFORE WE START This lecture is an overview of the very complicated world of web programming. If you are a (very) experienced web developer - take a 2.5hr break

1.43k views • 74 slides
Chapter 16: Database System Architectures Centralized Systems ClientServer Systems

Chapter 16: Database System Architectures Centralized Systems ClientServer Systems

' $ Chapter 16: Database System Architectures Centralized Systems ClientServer Systems Parallel Systems Distributed Systems Network Types &amp; % Database Systems Concepts 16.1 Silberschatz, Korth and Sudarshan c

419 views • 14 slides
15-721 ADVANCED DATABASE SYSTEMS Lecture #01 Course Introduction &amp; History of Database

15-721 ADVANCED DATABASE SYSTEMS Lecture #01 Course Introduction &amp; History of Database

15-721 ADVANCED DATABASE SYSTEMS Lecture #01 Course Introduction &amp; History of Database Systems @Andy_Pavlo // Carnegie Mellon University // Spring 2017 Who are the richest people in the world? 3 WHY YOU SHOULD TAKE THIS COURSE

1.21k views • 67 slides
Transaction Processing in Distributed Database Systems Dr Janusz R. Getta School of Computing

Transaction Processing in Distributed Database Systems Dr Janusz R. Getta School of Computing

Transaction Processing in Distributed Database Systems file:///Users/jrg/235-2020-SPRING/SLIDES/WEEK07/16transactiondistributed/16transactiondistributed... CSCI235 Database Systems Transaction Processing in Distributed Database Systems Dr

998 views • 24 slides
Advanced Database Management Systems Database Management Systems Alvaro A A Fernandes School of

Advanced Database Management Systems Database Management Systems Alvaro A A Fernandes School of

Advanced Database Management Systems Database Management Systems Alvaro A A Fernandes School of Computer Science, University of Manchester AAAF (School of CS, Manchester) Advanced DBMSs 2011-2012 1 / 144 Outline Database Management Systems:

2.09k views • 144 slides
from Raw Files into Database Systems Presenter: Hefu Chai Motivation Problems with database

from Raw Files into Database Systems Presenter: Hefu Chai Motivation Problems with database

Invisible loading: Access-Driven Data Transfer from Raw Files into Database Systems Presenter: Hefu Chai Motivation Problems with database systems High time -to-first-analysis Large scientific datasets and social networks

490 views • 30 slides
Distributed Relational Database Systems Dr Janusz R. Getta School of Computing and Information

Distributed Relational Database Systems Dr Janusz R. Getta School of Computing and Information

Distributed Relational Database Systems file:///Users/jrg/235-2020-SPRING/SLIDES/WEEK07/15distributeddatbase/15distributeddatabase.html#1 CSCI235 Database Systems Distributed Relational Database Systems Dr Janusz R. Getta School of Computing

618 views • 31 slides
21 Database Recovery Intro to Database Systems Andy Pavlo AP AP 15-445/15-645 Computer

21 Database Recovery Intro to Database Systems Andy Pavlo AP AP 15-445/15-645 Computer

21 Database Recovery Intro to Database Systems Andy Pavlo AP AP 15-445/15-645 Computer Science Carnegie Mellon University Fall 2019 2 CRASH RECOVERY Recovery algorithms are techniques to ensure database consistency, transaction

4.72k views • 44 slides
Human-Pepper Interaction Mayte Lzaro, Luca Iocchi Who is Pepper? Pepper is a robot

Human-Pepper Interaction Mayte Lzaro, Luca Iocchi Who is Pepper? Pepper is a robot

Human-Pepper Interaction Mayte Lzaro, Luca Iocchi Who is Pepper? Pepper is a robot developed by Softbank robotics Human-like 1.2m tall Arms/head/body movement Gestures Emotions Holonomic mobile base

430 views • 13 slides
Pepper: An Elastic Web Server Farm for Cloud based on Hadoop Subramaniam Krishnan, Jean

Pepper: An Elastic Web Server Farm for Cloud based on Hadoop Subramaniam Krishnan, Jean

Pepper: An Elastic Web Server Farm for Cloud based on Hadoop Subramaniam Krishnan, Jean Christophe Counio Yahoo! Inc. MAPRED 1 st December 2010 Agenda Motivation Design Features Applications Evaluation Conclusion

523 views • 24 slides
Atomtronics: Probing Mesoscopic Transport with Ultracold Atoms Kunal K. Das Kutztown University

Atomtronics: Probing Mesoscopic Transport with Ultracold Atoms Kunal K. Das Kutztown University

Atomtronics: Probing Mesoscopic Transport with Ultracold Atoms Kunal K. Das Kutztown University of Pennsylvania Supported by NSF Outline I: Atomtronics and Mesoscopic Transport - A brief Review II: Atomtronics Transport - The Wavepacket

708 views • 57 slides
CSPSAT Projects and My Research Topics . Takehide Soh March 18, 2014 at NII Takehide Soh

CSPSAT Projects and My Research Topics . Takehide Soh March 18, 2014 at NII Takehide Soh

Outline . CSPSAT Projects and My Research Topics . Takehide Soh March 18, 2014 at NII Takehide Soh CSPSAT Projects and My Research Topics Outline . Self Introduction . . . 2008.04-2011.11 1 SOKENDAI, Ph.D., in Inoue Lab. Studied

689 views • 22 slides
Get your port on! porting to Native Client as of Pepper 18 Colt &quot;MainRoach&quot; McAnlis

Get your port on! porting to Native Client as of Pepper 18 Colt &quot;MainRoach&quot; McAnlis

Get your port on! porting to Native Client as of Pepper 18 Colt &quot;MainRoach&quot; McAnlis 3.05.2012 Getting Started gonacl.com It works! Native Client runs C++ code in a web page No plug-in required The Gist C++ code GCC / G++ NEXE

588 views • 34 slides
IMAGE FILTERING INEL 6088 Computer Vision References: Chapter 4 Jain et al, Chapter 3 Davies 2.3

IMAGE FILTERING INEL 6088 Computer Vision References: Chapter 4 Jain et al, Chapter 3 Davies 2.3

IMAGE FILTERING INEL 6088 Computer Vision References: Chapter 4 Jain et al, Chapter 3 Davies 2.3 Convolutions and Point Spread Functions 39 at perfectly good algorithm strategies that mysteriously turn out not to work well in practice! 2.3

556 views • 28 slides
707.009 Foundations of Knowledge Management g g Overview and Motivation Markus

707.009 Foundations of Knowledge Management g g Overview and Motivation Markus

Knowledge Management Institute 707.009 Foundations of Knowledge Management g g Overview and Motivation Markus Strohmaier Univ. Ass. / Assistant Professor Knowledge Management Institute Graz University of Technology, Austria e-mail:

661 views • 42 slides
Chapter 3 Tight-frame Applications 1 Outline 1. Inpainting 1. Inpainting 2. Impulse Noise

Chapter 3 Tight-frame Applications 1 Outline 1. Inpainting 1. Inpainting 2. Impulse Noise

Chapter 3 Tight-frame Applications 1 Outline 1. Inpainting 1. Inpainting 2. Impulse Noise Removal 2. Impulse Noise Removal 3. Inpainting in the Transformed Domain 3. Inpainting in the Transformed Domain 2 1 Inpainting 3 Notations

376 views • 36 slides

More recommend