database
play

DATABASE SECURITY CS4750 Database Systems Prof. Nada Basit Email: - PowerPoint PPT Presentation

Jan 18, 2024 •199 likes •380 views

DATABASE SECURITY CS4750 Database Systems Prof. Nada Basit Email: basit@virginia.edu Fall 2020 University of Virginia 1 Levels of DB Security There are 6 levels that impact database security Database Level database users and

  1. DATABASE SECURITY CS4750 – Database Systems Prof. Nada Basit Email: basit@virginia.edu Fall 2020 University of Virginia 1

  2. Levels of DB Security  There are 6 levels that impact database security  Database Level – database users and authorization  Application Level – information management and processing  Operating System Level – data storage and protection  Network Level – data transmission  Physical Level – computer equipment protection  Human Level – social engineering protection Security is important not only at the database level, but the entire database application. Breaches can happen at any of these levels. 2

  3. Application Level 3

  4. Application Level  Write programs with security in mind from the beginning!  Guard against SQL injection attacks !  Use prepared statements  Strong typing of applications to prevent type errors!  Expect back a particular type (nothing else)  Catch and handle all errors!  Encrypt data when possible! Don’t use open channels through the application!  Programmer/developer accessing code securely: SSH 4

  5. SQL INJECTION ATTACK VIDEOS 5 This Photo by Unknown Author is licensed under CC BY

  6. SQL Injection Attack  Given a SQL query where some portion is blank and left for us to fill in, we attempt to fill in the query with a string that:  Matches the correct format  Also contains some extra commands to get data that we should not be allowed to see 6

  7. Classic SQL Injection  Consider the following SQL query: SELECT * FROM Users WHERE Username='$username' AND Password='$password'  Such a query is typically used from a web application in order to authenticate a user  If the query returns a value it means that inside the database a user with that set of credentials exists, then the user is allowed to login to the system, otherwise access is denied  The values of the input fields are generally obtained from the user through a web form / login screen 7 https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)

  8. Classic SQL Injection  Let’s use the same SQL query: SELECT * FROM Users WHERE Username='$username' AND Password='$password'  What happens if we insert the following Username and Password values: $username = 1’ or ‘1’ = ‘1 $password = 1’ or ‘1’ = ‘1  The query will be: SELECT * FROM Users WHERE Username=‘ 1' OR '1'='1' AND Password='1' OR '1'='1'  The query returns a value (or a set of values) because the condition is always true (OR 1=1). In this way the system has authenticated the user without knowing the username and password! 8

  9. SQL Injection Attacks  Using this attack strategy, if not using a prepared statement (for instance) it means …  You can type in what ever you want including SQL – this is how SQL injection attacks happen  E.g. for UN type in something, for password type in ‘ or 1=1  The ‘ closes quote (blank string) How often is 1=1? Always true!  Can then be creative afterwards using nested SQL query 9

  10. Simple attack: guessing the password (brute force… but if you got the time…!) SELECT username FROM UsersTbl WHERE username='' AND password=''  The idea is to execute an SQL injection attack that will tell you something about the actual password  If you construct a statement that is TRUE, the system will log you in  So ask questions that have a TRUE or FALSE response  Slowly build up to the information that you need! (Hint: use LIKE )  Use LIKE to compare a guess for the password with the actual password. Using regex/pattern matching symbol ‘ % ’ we build a query that tacks on a password comparison in the username field ...WHERE username='admin' AND password LIKE 'a%' #' AND password='...'  Type this in both the username and password fields. (# = a comment) 10

  11. Simple attack: guessing the password (brute force… but if you got the time…!) SELECT username FROM UsersTbl WHERE username='' AND password=''  Use LIKE to compare a guess for the password with the actual password. Using regex/pattern matching symbol ‘ % ’ we build a query that tacks on a password comparison in the username field ...WHERE username='admin' AND password LIKE 'a%' #' AND password='...'  Type this in both the username and password fields. (# = a comment)  Let’s assume we know the username is admin , when we submit this, the query checks if the username is admin and if the additional password comparison is true  The query ends and the original password check NEVER executes since it is commented out! (# = a comment)  After injecting this, we see this results in “ Incorrect username or password ”. So we keep trying different characters until we have successfully logged in. If we’re logged in, we know the question is true!  (Remember, % matches 0 or more characters, if you wanted to match one character use _ ) For example: ‘_c%’ checks if the 2 nd character is a “c” 11

  12. SQL Injection Attack Tool: Get Password Activity http://databases.cs.virginia.edu /sqlinject/activity/activity.php Tool developed by Dr. Nada Basit, Joseph Chen, Alexander Sun, Rohan Koduri, and Vamshi Garikapati 12

  13. SQL Injection Attack Examples  SQL injection is not new and has been used quite frequently to attack websites and companies  For a list of examples, see: https://en.wikipedia.org/wiki/SQL_injection#Examples 13

  14. https://en.wikipedia.org/wiki/SQL_injection#In_popular_culture In Popular Culture  Unauthorized login to web sites by means of SQL injection forms the basis of one of the subplots in J.K. Rowling 's novel The Casual Vacancy , published in 2012.  An xkcd cartoon involved a character Robert'); DROP TABLE students;- - named to carry out a SQL injection. As a result of this cartoon, SQL injection is sometimes informally referred to as 'Bobby Tables'.  In 2014, an individual in Poland legally renamed his business to Dariusz Jakubowski x'; DROP TABLE users; SELECT '1 in an attempt to disrupt operation of spammers’ harvesting bots .  Companies House , the UK's official register of companies, has a company named ; DROP TABLE "COMPANIES";-- LTD  The 2015 game Hacknet has a hacking program called SQL_MemCorrupt. It is described as injecting a table entry that causes a corruption error in a SQL database, then queries said table, causing a SQL database crash and core dump. 14

  15. http://www.xkcd.com/327/ ; https://beta.companieshouse.gov.uk/company/10542519 15

  16. SQL INJECTION USEFUL SITE REVIEW (FYI) 16 This Photo by Unknown Author is licensed under CC BY

  17. Question:  Which DB level is the cause of the most DB break-ins ?  Database Level  Application Level  Operating System Level  Network Level  Physical Level  Human Level  Did you have the chance to think about it? 17

  18. Human Level  What % of all DB break-ins do you think occur at level 6?  More than 90% happen at the Human level!  An estimated 70% of unauthorized access to information is committed by internal employees — who are also responsible for more than 95% of intrusions that result in significant financial losses!! 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Database Utilities 10/17/2007 DC/Win Database Utilities Opening Database Utilities From File on

Database Utilities 10/17/2007 DC/Win Database Utilities Opening Database Utilities From File on

Database Utilities 10/17/2007 DC/Win Database Utilities Opening Database Utilities From File on the Menu Bar DC/Win Database Utilities Options Vary Depending on Database Two Types of Databases Sequel (SQL) Database Access Database

460 views • 6 slides
Advanced Database CS 525: Organization? Advanced Database =Database Implementation

Advanced Database CS 525: Organization? Advanced Database =Database Implementation

Advanced Database CS 525: Organization? Advanced Database =Database Implementation Organization =How to implement a database system and have fun doing it ;-) 01: Introduction Boris Glavic Slides: adapted from a course taught by

198 views • 7 slides
DATABASE SYSTEMS Database programming in a web environment Database System Course AGENDA FOR

DATABASE SYSTEMS Database programming in a web environment Database System Course AGENDA FOR

DATABASE SYSTEMS Database programming in a web environment Database System Course AGENDA FOR TODAY The final project Advanced Mysql Database programming Recap: DB servers in the web Web programming architecture HTTP on a need-to-know basis.

688 views • 54 slides
NEBC Database Course 2008 Database Servers Database Interfaces Tim Booth : tbooth@ceh.ac.uk

NEBC Database Course 2008 Database Servers Database Interfaces Tim Booth : tbooth@ceh.ac.uk

NEBC Database Course 2008 Database Servers Database Interfaces Tim Booth : tbooth@ceh.ac.uk What is an RDBMS? A PostgreSQL database is not just kept in a big file, like a spreadsheet. A program called the database server, or RDBMS,

323 views • 14 slides
DATABASE SYSTEMS Database programming in a web environment Database System Course, 2016-2017

DATABASE SYSTEMS Database programming in a web environment Database System Course, 2016-2017

DATABASE SYSTEMS Database programming in a web environment Database System Course, 2016-2017 AGENDA FOR TODAY The final project Advanced Mysql Database programming Recap: DB servers in the web Web programming architecture HTTP on a

845 views • 53 slides
Goals Database Administration All large and small databases need database Database

Goals Database Administration All large and small databases need database Database

PHP Miscellaneous $db->insert_id IT420: Database Management and Retrieves the ID generated for an Organization AUTO_INCREMENT column by the previous INSERT query Return value: Managing Multi-user The ID generated for an

140 views • 11 slides
Lect ure # 11 ADVANCED DATABASE SYSTEMS System Catalogs and Database Compression @

Lect ure # 11 ADVANCED DATABASE SYSTEMS System Catalogs and Database Compression @

Lect ure # 11 ADVANCED DATABASE SYSTEMS System Catalogs and Database Compression @ Andy_Pavlo // 15- 721 // Spring 2018 DATABASE TALK Oracle In-Memory Database Engine Monday February 26 th @ 4:30pm GHC 4401

709 views • 60 slides
This Lecture General Database Security Privileges Database Security Granting

This Lecture General Database Security Privileges Database Security Granting

This Lecture General Database Security Privileges Database Security Granting Revoking Views Database Systems SQL Insertion Attacks Michael Pound Further Reading The Manga Guide to Databases, Chapter 5 Database

285 views • 7 slides
Your Database Experts PRESENTATION MAP 3. About our company 4. Nearshoring Database

Your Database Experts PRESENTATION MAP 3. About our company 4. Nearshoring Database

Your Database Experts PRESENTATION MAP 3. About our company 4. Nearshoring Database Consulting was founded in 2009 as an outsourcing and Oracle Database 5. Forms to APEX migration specialised education centre with in-house

850 views • 19 slides
National Address Database National Address Database What is a National Address Database?

National Address Database National Address Database What is a National Address Database?

White House Initiative Open Government Partnership National Action Plan National Address Database National Address Database What is a National Address Database? How does it work? Why do we need a National Address Database? What

374 views • 18 slides
Overview of Database Systems CS3860 - Jay Urbain, PhD Introduction to Database Systems 1 2 UFR

Overview of Database Systems CS3860 - Jay Urbain, PhD Introduction to Database Systems 1 2 UFR

Overview of Database Systems CS3860 - Jay Urbain, PhD Introduction to Database Systems 1 2 UFR Uniform Financial Report (I think) What is a database? 3 What is a database? Collection of data Files, notes, to do list, patient records,

1.13k views • 26 slides
Database Management Limitations of Relational Database Designs Systems Provides a set of

Database Management Limitations of Relational Database Designs Systems Provides a set of

Lecture 2 Database Management Limitations of Relational Database Designs Systems Provides a set of guidelines, does not result in a unique database schema Winter 2004 Does not provide a way of evaluating alternative schemas CMPUT

387 views • 17 slides
Database Design October 24, 2008 Database Design Outline Database Design E-R diagrams

Database Design October 24, 2008 Database Design Outline Database Design E-R diagrams

Database Design October 24, 2008 Database Design Outline Database Design E-R diagrams Represent logical structure simply, clearly Rectangles : entity sets Ellipses : attributes Diamonds : relationship sets Lines : linking elements Double

794 views • 54 slides
Introduction to Physical Database Design Elmasri/Navathe ch 16 and 17 Padron-McCarthy/Risch ch 21

Introduction to Physical Database Design Elmasri/Navathe ch 16 and 17 Padron-McCarthy/Risch ch 21

DATABASE DESIGN I - 1DL300 Fall 2010 An introductory course on database systems http://www.it.uu.se/edu/course/homepage/dbastekn/ht10/ Manivasakan Sabesan Uppsala Database Laboratory Department of Information Technology, Uppsala University,

372 views • 34 slides
A T T E S T A T T E S T A T T E S T Application (Java) Database 1 2 3 Database B C A E

A T T E S T A T T E S T A T T E S T Application (Java) Database 1 2 3 Database B C A E

A T T E S T A T T E S T A T T E S T Application (Java) Database 1 2 3 Database B C A E D F I G H J L M K O R N P S Q D2 D1 D3 D4 A T T E S T A T T E S T Testing Exposing externally visible internal stats /

485 views • 34 slides
Database APIs Elmasri/Navathe ch 12 Padron-McCarthy/Risch ch 20 Silvia Stefanova Department of

Database APIs Elmasri/Navathe ch 12 Padron-McCarthy/Risch ch 20 Silvia Stefanova Department of

DATABASE DESIGN I - 1DL300 Spring 2012 An Introductory Course on Database Systems http://www.it.uu.se/edu/course/homepage/dbastekn/vt12/ Erik Zeitler Uppsala Database Laboratory Department of Information Technology, Uppsala University,

515 views • 13 slides
TomcatCon Securing Tomcat For Your Environment Mark Thomas TM Introduction TM Agenda

TomcatCon Securing Tomcat For Your Environment Mark Thomas TM Introduction TM Agenda

TM TomcatCon Securing Tomcat For Your Environment Mark Thomas TM Introduction TM Agenda Background Passwords and configuration files Threats Web applications Keeping up to date Policy and process Operating system

842 views • 28 slides
k k text text The same key is used to encrypt the document before sending and decrypt it at

k k text text The same key is used to encrypt the document before sending and decrypt it at

Cryptographic methods: Why use cryptography? Can offer genuinely secure solutions to Brian Candler important security problems Updated by Hervey Allen Some governments forbid it Confidentiality Can I be sure no-one else can see my

845 views • 11 slides
SECURITY MONITORING OF HTTP TRAFFIC USING EXTENDED FLOWS Thursday 27 th August, 2015 Martin

SECURITY MONITORING OF HTTP TRAFFIC USING EXTENDED FLOWS Thursday 27 th August, 2015 Martin

SECURITY MONITORING OF HTTP TRAFFIC USING EXTENDED FLOWS Thursday 27 th August, 2015 Martin Husk Petr Velan Jan Vykopal Introduction HTTP is the new IP and we want keep an eye on it. Large-scale monitoring of HTTP traffic was problematic:

500 views • 17 slides
What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks AbdelRahman Abdou, David Barrera ,

What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks AbdelRahman Abdou, David Barrera ,

What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks AbdelRahman Abdou, David Barrera , Paul van Oorschot 1 Secure Shell (SSH) Protocol to enable remote logins and network services over an unsecured network. Typically used for

537 views • 27 slides
Deterrence in the 21 st Century? Dan Altman Assistant Professor Georgia State University

Deterrence in the 21 st Century? Dan Altman Assistant Professor Georgia State University

Is the Fait Accompli the Primary Challenge for Deterrence in the 21 st Century? Dan Altman Assistant Professor Georgia State University December 12 th , 2018 Why the Fait Accompli Matters Nuclear powers have fought each other twice: China vs.

467 views • 23 slides
CSE 115 Introduction to Computer Science I FINAL EXAM Tuesday, December 11, 2018 7:15 PM -

CSE 115 Introduction to Computer Science I FINAL EXAM Tuesday, December 11, 2018 7:15 PM -

CSE 115 Introduction to Computer Science I FINAL EXAM Tuesday, December 11, 2018 7:15 PM - 10:15 PM SOUTH CAMPUS (Factor in travel time!!) CONFLICT? E-mail documentation to: alphonce@buffalo.edu Subject: CSE115 FINAL EXAM CONFLICT no

898 views • 43 slides
Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in Advanced Topics in Network Security (600/650.624) Outline Traditional threat model in cryptography Side-channel attacks Kochers

1.19k views • 77 slides
Systems Moving FLASK to BSD Systems SELinux ELinux Symposium 2006 Symposium 2006 S Chris

Systems Moving FLASK to BSD Systems SELinux ELinux Symposium 2006 Symposium 2006 S Chris

Moving FLASK to BSD Systems Moving FLASK to BSD Systems SELinux ELinux Symposium 2006 Symposium 2006 S Chris Vance Information Systems Security Operation, SPARTA, Inc. Vance_20060301_01 Overview Overview Security Frameworks A

610 views • 22 slides

More recommend