DATABASE SECURITY CS4750 Database Systems Prof. Nada Basit Email: - - PowerPoint PPT Presentation



SLIDE 1

DATABASE SECURITY

CS4750 – Database Systems

Prof. Nada Basit
Email: basit@virginia.edu
Fall 2020, University of Virginia

SLIDE 2

Levels of DB Security

• There are 6 levels that impact database security:

• Database Level
– database users and authorization

• Application Level
– information management and processing

• Operating System Level
– data storage and protection

• Network Level
– data transmission

• Physical Level
– computer equipment protection

• Human Level
– social engineering protection

Security is important not only at the database level but across the entire database application. Breaches can happen at any of these levels.

SLIDE 3

Application Level

SLIDE 4

Application Level

• Write programs with security in mind from the beginning!
• Guard against SQL injection attacks!
• Use prepared statements
• Strong typing of applications to prevent type errors!
• Expect back a particular type (nothing else)
• Catch and handle all errors!
• Encrypt data when possible! Don’t use open channels through the application!
• Programmer/developer accessing code securely: SSH

SLIDE 5

SQL INJECTION ATTACK VIDEOS

(Photo by Unknown Author, licensed under CC BY)

SLIDE 6

SQL Injection Attack

• Given a SQL query where some portion is blank and left for us to fill in, we attempt to fill in the query with a string that:
– Matches the correct format
– Also contains some extra commands to get data that we should not be allowed to see

SLIDE 7

Classic SQL Injection

• Consider the following SQL query:

SELECT * FROM Users WHERE Username='$username' AND Password='$password'

• Such a query is typically used from a web application in order to authenticate a user
• If the query returns a value, it means that a user with that set of credentials exists inside the database; the user is then allowed to log in to the system, otherwise access is denied
• The values of the input fields are generally obtained from the user through a web form / login screen

Source: https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)

SLIDE 8

Classic SQL Injection

• Let’s use the same SQL query:

SELECT * FROM Users WHERE Username='$username' AND Password='$password'

• What happens if we insert the following Username and Password values:

$username = 1' or '1' = '1
$password = 1' or '1' = '1

• The query will be:

SELECT * FROM Users WHERE Username='1' OR '1'='1' AND Password='1' OR '1'='1'

• The query returns a value (or a set of values) because the condition is always true (OR 1=1). In this way the system has authenticated the user without knowing the username and password!

SLIDE 9

SQL Injection Attacks

• Using this attack strategy, if not using a prepared statement (for instance), it means …
• You can type in whatever you want, including SQL – this is how SQL injection attacks happen
• E.g. for UN type in something, for password type in

' or 1=1

• The ' closes the quote (blank string). How often is 1=1? Always true!
• Can then be creative afterwards using a nested SQL query

SLIDE 10

Simple attack: guessing the password (brute force… but if you got the time…!)

• The idea is to execute an SQL injection attack that will tell you something about the actual password
• If you construct a statement that is TRUE, the system will log you in
• So ask questions that have a TRUE or FALSE response
• Slowly build up to the information that you need! (Hint: use LIKE)
• Use LIKE to compare a guess for the password with the actual password. Using the regex/pattern-matching symbol ‘%’ we build a query that tacks on a password comparison in the username field
• Type this in both the username and password fields. (# = a comment)

SELECT username FROM UsersTbl WHERE username='' AND password=''
...WHERE username='admin' AND password LIKE 'a%' #' AND password='...'

SLIDE 11

Simple attack: guessing the password (brute force… but if you got the time…!)

• Use LIKE to compare a guess for the password with the actual password. Using the regex/pattern-matching symbol ‘%’ we build a query that tacks on a password comparison in the username field
• Type this in both the username and password fields. (# = a comment)
• Let’s assume we know the username is admin. When we submit this, the query checks if the username is admin and if the additional password comparison is true
• The query ends and the original password check NEVER executes since it is commented out! (# = a comment)
• After injecting this, we see this results in “Incorrect username or password”. So we keep trying different characters until we have successfully logged in. If we’re logged in, we know the question is true!
• (Remember, % matches 0 or more characters; if you wanted to match one character use _ )

For example: ‘_c%’ checks if the 2nd character is a “c”

SELECT username FROM UsersTbl WHERE username='' AND password=''
...WHERE username='admin' AND password LIKE 'a%' #' AND password='...'
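As an added example (not from the slides and not the course's own activity tool), the Python script below uses the standard sqlite3 module and a constructed in-memory Users table to place the slides' string-pasted login query beside the prepared-statement form that slide 4 recommends, and runs the slide 8 input (1' or '1' = '1) through both and the slides 10–11 LIKE probe through the prepared form. It also applies slide 4's other advice: inputs are type-checked before they reach the database, and the login check returns exactly one kind of value (a bool). The table contents, the abc123 password and all function names are assumptions made for this example.

```python
import sqlite3

# Constructed sample data (an assumption for this example, not from the slides):
# a single Users row with a plaintext password, matching the slides' schema.
SAMPLE_USER = ("admin", "abc123")


def make_db():
    """Create an in-memory Users table and load the constructed sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES (?, ?)", SAMPLE_USER)
    conn.commit()
    return conn


def _require_text(*values):
    """Strong typing (slide 4): refuse anything that is not a str before it
    reaches the database layer."""
    for v in values:
        if not isinstance(v, str):
            raise TypeError(f"expected str, got {type(v).__name__}")


def login_vulnerable(conn, username, password):
    """Builds the slide-7 query by pasting user input into the SQL text.
    Quote characters in the input become part of the statement's syntax,
    which is exactly what the slide-8 input exploits."""
    _require_text(username, password)
    sql = (f"SELECT * FROM Users WHERE Username='{username}' "
           f"AND Password='{password}'")
    # Expect exactly one kind of answer back: a row or nothing (slide 4).
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn, username, password):
    """Same check with a prepared (parameterised) statement: the SQL text is
    fixed, and the driver binds the inputs as data values, so a quote, an
    OR '1'='1' or a comment marker inside them is compared literally against
    the stored columns, never executed as SQL."""
    _require_text(username, password)
    sql = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def compare(conn):
    """Run the slides' inputs through both versions; returns a dict of outcomes."""
    bypass = "1' or '1' = '1"                      # slide 8 input
    probe = "admin' AND password LIKE 'a%' #"      # slides 10-11 input
    return {
        "valid_credentials_vulnerable": login_vulnerable(conn, *SAMPLE_USER),
        "valid_credentials_prepared": login_prepared(conn, *SAMPLE_USER),
        "bypass_vulnerable": login_vulnerable(conn, bypass, bypass),
        "bypass_prepared": login_prepared(conn, bypass, bypass),
        "probe_prepared": login_prepared(conn, probe, probe),
    }


if __name__ == "__main__":
    for name, logged_in in compare(make_db()).items():
        print(f"{name:32s} -> {'logged in' if logged_in else 'access denied'}")
```

Running the script shows the vulnerable function accepting the slide 8 input as a valid login, while the prepared form denies both that input and the LIKE probe: with bound parameters the whole string is looked up as a username, so neither the extra OR clause nor the comment marker changes the query's structure. The only fix needed in the application code is the change from interpolation to placeholders; the SQL itself stays the same.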

SLIDE 12

SQL Injection Attack Tool: Get Password Activity
http://databases.cs.virginia.edu/sqlinject/activity/activity.php

Tool developed by Dr. Nada Basit, Joseph Chen, Alexander Sun, Rohan Koduri, and Vamshi Garikapati

SLIDE 13

SQL Injection Attack Examples

• SQL injection is not new and has been used quite frequently to attack websites and companies
• For a list of examples, see: https://en.wikipedia.org/wiki/SQL_injection#Examples

SLIDE 14

In Popular Culture

• Unauthorized login to web sites by means of SQL injection forms the basis of one of the subplots in J.K. Rowling's novel The Casual Vacancy, published in 2012.
• An xkcd cartoon involved a character named Robert'); DROP TABLE students;-- to carry out a SQL injection. As a result of this cartoon, SQL injection is sometimes informally referred to as 'Bobby Tables'.
• In 2014, an individual in Poland legally renamed his business to Dariusz Jakubowski x'; DROP TABLE users; SELECT '1 in an attempt to disrupt operation of spammers’ harvesting bots.
• Companies House, the UK's official register of companies, has a company named ; DROP TABLE "COMPANIES";-- LTD
• The 2015 game Hacknet has a hacking program called SQL_MemCorrupt. It is described as injecting a table entry that causes a corruption error in a SQL database, then querying said table, causing a SQL database crash and core dump.

Source: https://en.wikipedia.org/wiki/SQL_injection#In_popular_culture

SLIDE 15

http://www.xkcd.com/327/ ; https://beta.companieshouse.gov.uk/company/10542519

SLIDE 16

SQL INJECTION USEFUL SITE REVIEW (FYI)

(Photo by Unknown Author, licensed under CC BY)

SLIDE 17

Question:

• Which DB level is the cause of the most DB break-ins?
– Database Level
– Application Level
– Operating System Level
– Network Level
– Physical Level
– Human Level

• Did you have the chance to think about it?

SLIDE 18

Human Level

• What % of all DB break-ins do you think occur at level 6?
• More than 90% happen at the Human level!
• An estimated 70% of unauthorized access to information is committed by internal employees — who are also responsible for more than 95% of intrusions that result in significant financial losses!!