SlideShare una empresa de Scribd logo

Oracle Database Security For Developers

Descargar como PPTX, PDF
S
Szymon Skorupinski

Presentation prepared for Oracle Tutorials series held at CERN, focusing on Oracle Database security from users and developers point of view. Apart from basics, there is a discussion about SQL injection attacks with illustrative examples.

Tecnología
1 de 58
Szymon Skorupinski Oracle Tutorials, CERN, Geneva, 30th April 2013
Outline • Users • Privileges • Roles • Encryption • SQL injection
Outline • Users • Privileges • Roles • Encryption • SQL injection
5 Database user • Username along with additional set of attributes • Password and its status • Expired or not • Account status • Locked or unlocked • Authentication method • Default tablespaces for permanent and temporary data storage • Tablespace quotas • Profile
6 User creation (1/2) • Implicit creation of schema • Logical container for database objects • One-to-one relationship with username SYS@DB> CREATE USER orauser1 IDENTIFIED BY "password" DEFAULT TABLESPACE users QUOTA 10M ON users TEMPORARY TABLESPACE temp PROFILE cern_dev_profile PASSWORD EXPIRE ACCOUNT UNLOCK; SYS@DB> GRANT create session TO orauser1;
7 User creation (2/2) $ sqlplus orauser1@db Enter password: ERROR: ORA-28001: the password has expired Changing password for orauser1 New password: Retype new password: Password changed ORAUSER1@DB>
8 Useful user-related views View name Describes USER_USERS Current user USER_TS_QUOTAS Tablespace quotas ALL_OBJECTS All objects accessible to the current user USER_OBJECTS All objects owned by the current user
9 Passwords • Since 11g (finally!) passwords are case-sensitive • For backward compatibility passwords set in previous version become case-sensitive only after change is done • Good password policies • Minimum 8 characters • Cannot be the same as username and too simple • Should differ from previous one by at least 3 characters • Contains at least 3 of these categories • Lowercase letters, uppercase letters, numbers, symbols • Enforced using password verify function which leads us to...
10 Profiles • Named sets of limits on database resources and password access to the database, e.g. • SESSIONS_PER_USER • IDLE_TIME • FAILED_LOGIN_ATTEMPTS • PASSWORD_LIFE_TIME • PASSWORD_REUSE_TIME • PASSWORD_REUSE_MAX • PASSWORD_VERIFY_FUNCTION • PASSWORD_LOCK_TIME • PASSWORD_GRACE_TIME
11 Useful profile-related views View name Describes USER_PASSWORD_LIMITS Password profile parameters that are assigned to the user USER_RESOURCE_LIMITS Resource limits for the current user
Outline • Users • Privileges • Roles • Encryption • SQL injection
13 Privileges • Privilege – right to perform particular type of actions or to access database objects • System privileges – ability to perform particular action on database or on any object of specific type, e.g. • CREATE SESSION, DROP ANY TABLE, ALTER ANY PROCEDURE • And over 100 others more • Be careful when using WITH ADMIN OPTION • Object privileges – ability to perform particular action on a specific schema object, e.g. • SELECT, INSERT, UPDATE, DELETE, EXECUTE • Be careful when using WITH GRANT OPTION
14 System privileges ORAUSER1@DB> SELECT username, privilege FROM user_sys_privs; USERNAME PRIVILEGE ---------------------- ---------------------------------------- ORAUSER1 CREATE TABLE ORAUSER1 CREATE SESSION ORAUSER1@DB> CREATE TABLE todel(id INT); Table created. ORAUSER1@DB> CREATE INDEX todel_idx ON todel(id); Index created. • Not all objects have dedicated system privileges
15 Object privileges (1/2) • User automatically has all object privileges for schema objects contained in his/her schema • Different object privileges are available for different types of schema objects, e.g. • EXECUTE privilege not relevant for tables • Some objects do not have any associated object privileges, e.g. • Indexes, triggers, database links
16 Object privileges (2/2) • Shortcut to grant or revoke all privileges possible for specific object • Still individual privileges can be revoked ORAUSER2@DB> SELECT owner, table_name, privilege FROM user_tab_privs WHERE table_name = 'TODEL'; OWNER TABLE_NAME PRIVILEGE ----------- ------------------ --------------------------------- ORAUSER1 TODEL ALTER ORAUSER1 TODEL DELETE (...) ORAUSER1@DB> GRANT ALL ON orauser1.todel TO orauser2; Grant succeeded.
17 Useful privilege-related views View name Describes [ALL|USER]_COL_PRIVS Column object grants for which the current [user or PUBLIC|user] is owner, grantor or grantee [ALL|USER]_COL_PRIVS_MADE Column object grants for which the current user is object [owner or grantor|owner] [ALL|USER]_COL_PRIVS_RECD Column object grants for which the current [user or PUBLIC|user] is grantee [ALL|USER]_TAB_PRIVS_MADE Object grants [made by the current user or made on the objects owned by current user|made on the objects owned by current user] [ALL|USER]_TAB_PRIVS_RECD Object grants for which the [user or PUBLIC|user] is the grantee [ALL|USER]_TAB_PRIVS Grants on objects where the current [user or PUBLIC|user] is grantee USER_SYS_PRIVS System privileges granted to the current user SESSION_PRIVS Privileges currently enabled for the current user
Outline • Users • Privileges • Roles • Encryption • SQL injection
19 Roles • Role – named group of related privileges • Could be granted to users or to other roles • Predefined or user-created • Since 11g CONNECT role has only CREATE SESSION privilege • Enabled or disabled • Default roles are automatically enabled • Provide selective availability of privileges • Could be password-protected • PUBLIC role • Be careful - all grants to this role are available to every user
20 Roles in PL/SQL (1/4) • Disabled in any named definer’s rights PL/SQL block • Enabled in any anonymous or named invoker’s rights PL/SQL block • Anonymous blocks always behave like invoker’s right ones • Definer’s rights routine – executed with privileges of its owner • Default mode when AUTHID clause not specified • Only EXECUTE privilege needed for other users • Invoker’s rights routine – executed with privileges of the invoking user
21 Roles in PL/SQL (2/4) ORAUSER1@DB> SELECT * FROM session_roles; ROLE ------------------------------ CONNECT ORAUSER1@DB> SET SERVEROUTPUT ON ORAUSER1@DB> DECLARE l_role_name VARCHAR2(100); BEGIN SELECT role INTO l_role_name FROM session_roles WHERE rownum = 1; dbms_output.put_line(CHR(10) || l_role_name); END; / CONNECT PL/SQL procedure successfully completed.
22 Roles in PL/SQL (3/4) ORAUSER1@DB> CREATE OR REPLACE PROCEDURE show_session_roles_definer AS l_role_name VARCHAR2(100); BEGIN SELECT role INTO l_role_name FROM session_roles WHERE rownum = 1; dbms_output.put_line(CHR(10) || l_role_name); END; / Procedure created. ORAUSER1@DB> EXEC show_session_roles_definer BEGIN show_session_roles_definer; END; * ERROR at line 1: ORA-01403: no data found (...)
23 Roles in PL/SQL (4/4) ORAUSER1@DB> CREATE OR REPLACE PROCEDURE show_session_roles_invoker AUTHID CURRENT_USER AS l_role_name VARCHAR2(100); BEGIN SELECT role INTO l_role_name FROM session_roles WHERE rownum = 1; dbms_output.put_line(CHR(10) || l_role_name); END; / Procedure created. ORAUSER1@DB> EXEC show_session_roles_invoker CONNECT PL/SQL procedure successfully completed.
24 Roles and DDLs • Depending on the DDL statement, one or more privileges are needed to succeed, e.g. • To create a view on a table belonging to another user • CREATE VIEW or CREATE ANY VIEW • SELECT on this table or SELECT ANY TABLE • But these SELECT privileges cannot be granted through a role! • Views are definer's rights objects • In general, when received through a role • All system and object privileges that permit a user to perform a DDL operation are usable, e.g. • System: CREATE TABLE, CREATE VIEW • Object: ALTER, INDEX • All system and object privileges that allow a user to perform a DML operation that is required to issue a DDL statement are not usable
25 Useful role-related views View name Describes USER_ROLE_PRIVS Roles directly granted to the current user ROLE_ROLE_PRIVS Roles granted to other roles (only roles to which the current user has access are listed) ROLE_SYS_PRIVS System privileges granted to roles (only roles to which the current user has access are listed) ROLE_TAB_PRIVS Object privileges granted to roles (only roles to which the current user has access are listed) SESSION_ROLES All enabled roles for the current user (except PUBLIC)
26 Thinking about security • Never share your passwords • If access is required, separate account with the least privileges needed should be created • Responsibility easy to track with account management • Separation of duties using database accounts • Reader • Writer • Owner
27 Increasing application security • Using views • Privileges needed only for view, not its underlying objects • Security domain used when view is queried is of its definer (owner) • Can provide access to selected columns of base tables • Can provide access to selected rows (value-based security) • Using stored procedures to encapsulate business logic • Privilege to update specific object only through procedure • Possibility to add more constraints, e.g. • Updates allowed only during business hours
Outline • Users • Privileges • Roles • Encryption • SQL injection
29 Encryption (1/2) • Way to increase protection for sensitive data • Encryption using PL/SQL • DBMS_CRYPTO (replacing DBMS_OBFUSCATION_TOOLKIT) • Transparent Data Encryption (TDE) • Oracle Enterprise Edition with Advanced Security option required • No application changes needed • Encryption of data before it’s written to storage • Decryption of data when it’s read from storage • Two modes supported • Tablespace encryption (11g) – hardware acceleration possible • Column encryption (10gR2)
30 Encryption (2/2) • Additional protection for data in transit • Network encryption to protect communication to and from the database • Rejecting connections from clients without encryption • Additional protection for backups • TDE encrypted data remains encrypted • Entire backup and export dump files encryption possibility
Outline • Users • Privileges • Roles • Encryption • SQL injection
32 SQL injection defined • Kind of attack with adding and executing unintended code from untrusted source • Manipulate select statements • Run DML or even DDL • Run stored procedures • Virtually anything could be done in context of connected user privileges • Even more with definer’s right procedures • Caused by • Wrong input handling – not only strings! • Implicit types conversions – dangerous
33 SQL injection prevention (1/2) • Design security into your application from day 1 • Detection very hard and time consuming in post-development phase • Could procedure without any input parameters be injected? Yes... • Use bind variables! • You’ll be secure... • ...and will get better performance and scalability • If not... • „then you must submit your code for review to at least five people who do not like you - they must be motivated to rip your code apart, critically review it, make fun of it - so they find the bugs” - Tom Kyte
34 SQL injection prevention (2/2) • If you really have very good technical reasons not to use binds • Are you sure? • Use DBMS_ASSERT package to sanitize user inputs • Are you 100% sure? • Don’t use implicit types conversions... • ...and don’t rely on defaults • Application logic unintended change besides SQL injections
35 SQL injection – be prepared! • Source: niebezpiecznik.pl
36 SQL injection with inputs (1/4) SQL> CREATE TABLE users ( login VARCHAR2(20), pass VARCHAR2(20) ); Table created. SQL> INSERT INTO users VALUES ('admin','pass'); 1 row created. SQL> COMMIT; Commit complete.
37 SQL injection with inputs (2/4) SQL> SELECT 1 allow FROM users WHERE login = 'admin' AND pass = 'fake'; no rows selected SQL> SELECT 1 allow FROM users WHERE login = 'admin' AND pass = 'pass'; ALLOW -------------- 1
38 SQL injection with inputs (3/4) SQL> SELECT 1 allow FROM users WHERE login = '&usr' AND pass = '&pwd'; Enter value for usr: admin Enter value for pwd: fake' or 'a'='a old 1: SELECT 1 allow FROM users WHERE login = '&usr' AND pass = '&pwd' new 1: SELECT 1 allow FROM users WHERE login = 'admin' AND pass = 'fake' or 'a'='a' ALLOW -------------- 1
39 SQL injection with inputs (4/4) SQL> VARIABLE usr VARCHAR2(20); SQL> VARIABLE pwd VARCHAR2(20); SQL> EXEC :usr := 'admin'; PL/SQL procedure successfully completed. SQL> EXEC :pwd := 'fake'' or ''a'' = ''a'; PL/SQL procedure successfully completed. SQL> PRINT pwd PWD -------------------------------- fake' or 'a' = 'a SQL> SELECT 1 allow FROM users WHERE login = :usr AND pass = :pwd; no rows selected
40 SQL injection with inputs (1/7) SQL> CREATE OR REPLACE PROCEDURE add_user (p_login VARCHAR2, p_pass VARCHAR2) AS l_cmd VARCHAR2(1000); BEGIN l_cmd := 'BEGIN INSERT INTO users VALUES (''' || p_login || ''',''' || p_pass || '''); COMMIT; END;'; dbms_output.put_line(l_cmd); EXECUTE IMMEDIATE l_cmd; END; / Procedure created.
41 SQL injection with inputs (2/7) SQL> SET SERVEROUTPUT ON SQL> SELECT * FROM users; LOGIN PASS -------------------- -------------------- admin pass SQL> EXEC add_user('NewLogin','NewPass'); BEGIN INSERT INTO users VALUES ('NewLogin','NewPass'); COMMIT; END; PL/SQL procedure successfully completed.
42 SQL injection with inputs (3/7) SQL> SELECT * FROM users; LOGIN PASS -------------------- -------------------- admin pass NewLogin NewPass
43 SQL injection with inputs (4/7) SQL> EXEC add_user('NewerLogin','NewerPass''); INSERT INTO users VALUES (''FakeUser'', ''FakePass'');--'); BEGIN INSERT INTO users VALUES ('NewerLogin', 'NewerPass'); INSERT INTO users VALUES ('FakeUser', 'FakePass');--'); COMMIT; END; PL/SQL procedure successfully completed.
44 SQL injection with inputs (5/7) SQL> SELECT * FROM users; LOGIN PASS -------------------- -------------------- NewerLogin NewerPass admin pass NewLogin NewPass FakeUser FakePass
45 SQL injection with inputs (6/7) SQL> EXEC add_user('NewestLogin','NewestPass''); EXECUTE IMMEDIATE ''DROP TABLE users'';--'); BEGIN INSERT INTO users VALUES ('NewestLogin','NewestPass'); EXECUTE IMMEDIATE 'DROP TABLE users';--'); COMMIT; END; PL/SQL procedure successfully completed.
46 SQL injection with inputs (7/7) SQL> SELECT * FROM users; SELECT * FROM users * ERROR at line 1: ORA-00942: table or view does not exist
47 SQL injection without inputs (1/10) SQL> CREATE TABLE users ( login VARCHAR2(30), pass VARCHAR2(30), expire TIMESTAMP ); Table created. SQL> ALTER SESSION SET nls_timestamp_format = 'DD-MM-YYYY HH24:MI:SS'; Session altered.
48 SQL injection without inputs (2/10) SQL> INSERT INTO users VALUES ('UserExpired', 'pass1234', localtimestamp - 1); 1 row created. SQL> INSERT INTO users VALUES ('UserNotExpired', '4567pass', localtimestamp + 1); 1 row created. SQL> COMMIT; Commit complete.
49 SQL injection without inputs (3/10) SQL> SELECT * FROM users; LOGIN PASS EXPIRE -------------- -------------- ------------------- UserExpired pass1234 28-04-2013 11:47:28 UserNotExpired 4567pass 30-04-2013 11:47:32
50 SQL injection without inputs (4/10) SQL> CREATE OR REPLACE PROCEDURE list_expired_users AS l_query VARCHAR2(300); l_query_bind VARCHAR2(300); l_time TIMESTAMP; l_cur SYS_REFCURSOR; l_login VARCHAR2(30); BEGIN l_time := localtimestamp; l_query := 'SELECT login FROM users WHERE expire <= ''' || l_time || ''''; l_query_bind := 'SELECT login FROM users WHERE expire <= :b_var';
51 SQL injection without inputs (5/10) dbms_output.put_line('Concatenated query: ' || l_query); OPEN l_cur FOR l_query; LOOP FETCH l_cur INTO l_login; EXIT WHEN l_cur%NOTFOUND; dbms_output.put_line(l_login); END LOOP; CLOSE l_cur;
52 SQL injection without inputs (6/10) dbms_output.put_line('Bind variable query: ' || l_query_bind); OPEN l_cur FOR l_query_bind USING l_time; LOOP FETCH l_cur INTO l_login; EXIT WHEN l_cur%NOTFOUND; dbms_output.put_line(l_login); END LOOP; CLOSE l_cur; END; /
53 SQL injection without inputs (7/10) SQL> SELECT value FROM v$nls_parameters WHERE parameter = 'NLS_TIMESTAMP_FORMAT'; VALUE ----------------------------------------- DD-MM-YYYY HH24:MI:SS SQL> SET SERVEROUTPUT ON
54 SQL injection without inputs (8/10) SQL> EXEC list_expired_users; Concatenated query: SELECT login FROM users WHERE expire <= '29-04-2013 11:53:21' UserExpired Bind variable query: SELECT login FROM users WHERE expire <= :b_var UserExpired PL/SQL procedure successfully completed.
55 SQL injection without inputs (9/10) SQL> ALTER SESSION SET nls_timestamp_format = '"'' UNION SELECT login || '' '' || pass FROM users--"'; Session altered. SQL> SELECT value FROM v$nls_parameters WHERE parameter = 'NLS_TIMESTAMP_FORMAT'; VALUE ------------------------------------------------------ "' UNION SELECT login || ' ' || pass FROM users--" SQL> SELECT localtimestamp FROM dual; LOCALTIMESTAMP ------------------------------------------------------ ' UNION SELECT login || ' ' || pass FROM users--
56 SQL injection without inputs (10/10) SQL> EXEC list_expired_users; Concatenated query: SELECT login FROM users WHERE expire <= '' UNION SELECT login || ' ' || pass FROM users--' UserExpired pass1234 UserNotExpired 4567pass Bind variable query: SELECT login FROM users WHERE expire <= :b_var UserExpired PL/SQL procedure successfully completed.
Questions?
Oracle Database Security For Developers

Recomendados

User, roles and privileges
User, roles and privilegesUser, roles and privileges
User, roles and privileges
Yogiji Creations
 
Sql grant, revoke, privileges and roles
Sql grant, revoke, privileges and rolesSql grant, revoke, privileges and roles
Sql grant, revoke, privileges and roles
Vivek Singh
 
2008 Collaborate IOUG Presentation
2008 Collaborate IOUG Presentation2008 Collaborate IOUG Presentation
2008 Collaborate IOUG Presentation
Biju Thomas
 
Database administration commands
Database administration commands Database administration commands
Database administration commands
Varsha Ajith
 
Oracle Database 12c - Data Redaction
Oracle Database 12c - Data RedactionOracle Database 12c - Data Redaction
Oracle Database 12c - Data Redaction
Alex Zaballa
 
GLOC 2014 NEOOUG - Oracle Database 12c New Features
GLOC 2014 NEOOUG - Oracle Database 12c New FeaturesGLOC 2014 NEOOUG - Oracle Database 12c New Features
GLOC 2014 NEOOUG - Oracle Database 12c New Features
Biju Thomas
 
DBA Brasil 1.0 - DBA Commands and Concepts That Every Developer Should Know
DBA Brasil 1.0 - DBA Commands and Concepts That Every Developer Should KnowDBA Brasil 1.0 - DBA Commands and Concepts That Every Developer Should Know
DBA Brasil 1.0 - DBA Commands and Concepts That Every Developer Should Know
Alex Zaballa
 
Improve oracle 12c security
Improve oracle 12c securityImprove oracle 12c security
Improve oracle 12c security
Laurent Leturgez
 

Recomendados

User, roles and privileges
User, roles and privilegesUser, roles and privileges
User, roles and privileges
Yogiji Creations
 
Sql grant, revoke, privileges and roles
Sql grant, revoke, privileges and rolesSql grant, revoke, privileges and roles
Sql grant, revoke, privileges and roles
Vivek Singh
 
2008 Collaborate IOUG Presentation
2008 Collaborate IOUG Presentation2008 Collaborate IOUG Presentation
2008 Collaborate IOUG Presentation
Biju Thomas
 
Database administration commands
Database administration commands Database administration commands
Database administration commands
Varsha Ajith
 
Oracle Database 12c - Data Redaction
Oracle Database 12c - Data RedactionOracle Database 12c - Data Redaction
Oracle Database 12c - Data Redaction
Alex Zaballa
 
GLOC 2014 NEOOUG - Oracle Database 12c New Features
GLOC 2014 NEOOUG - Oracle Database 12c New FeaturesGLOC 2014 NEOOUG - Oracle Database 12c New Features
GLOC 2014 NEOOUG - Oracle Database 12c New Features
Biju Thomas
 
DBA Brasil 1.0 - DBA Commands and Concepts That Every Developer Should Know
DBA Brasil 1.0 - DBA Commands and Concepts That Every Developer Should KnowDBA Brasil 1.0 - DBA Commands and Concepts That Every Developer Should Know
DBA Brasil 1.0 - DBA Commands and Concepts That Every Developer Should Know
Alex Zaballa
 
Improve oracle 12c security
Improve oracle 12c securityImprove oracle 12c security
Improve oracle 12c security
Laurent Leturgez
 
2011 Collaborate IOUG Presentation
2011 Collaborate IOUG Presentation2011 Collaborate IOUG Presentation
2011 Collaborate IOUG Presentation
Biju Thomas
 
Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data Redaction
Alex Zaballa
 
Sql ch 15 - sql security
Sql ch 15 - sql securitySql ch 15 - sql security
Sql ch 15 - sql security
Mukesh Tekwani
 
View, Store Procedure & Function and Trigger in MySQL - Thaipt
View, Store Procedure & Function and Trigger in MySQL - ThaiptView, Store Procedure & Function and Trigger in MySQL - Thaipt
View, Store Procedure & Function and Trigger in MySQL - Thaipt
Framgia Vietnam
 
DOAG - Oracle Database Locking Mechanism Demystified
DOAG - Oracle Database Locking Mechanism Demystified DOAG - Oracle Database Locking Mechanism Demystified
DOAG - Oracle Database Locking Mechanism Demystified
Pini Dibask
 
2009 Collaborate IOUG Presentation
2009 Collaborate IOUG Presentation2009 Collaborate IOUG Presentation
2009 Collaborate IOUG Presentation
Biju Thomas
 
2013 Collaborate - OAUG - Presentation
2013 Collaborate - OAUG - Presentation2013 Collaborate - OAUG - Presentation
2013 Collaborate - OAUG - Presentation
Biju Thomas
 
ORACLE 9i
ORACLE 9iORACLE 9i
ORACLE 9i
suniljoshi151
 
My sql tutorial-oscon-2012
My sql tutorial-oscon-2012My sql tutorial-oscon-2012
My sql tutorial-oscon-2012
John David Duncan
 
Oracle database locking mechanism demystified (AOUG)
Oracle database locking mechanism demystified (AOUG)Oracle database locking mechanism demystified (AOUG)
Oracle database locking mechanism demystified (AOUG)
Pini Dibask
 
common_schema, DBA's framework for MySQL
common_schema, DBA's framework for MySQLcommon_schema, DBA's framework for MySQL
common_schema, DBA's framework for MySQL
Shlomi Noach
 
Java Web Programming Using Cloud Platform: Module 3
Java Web Programming Using Cloud Platform: Module 3Java Web Programming Using Cloud Platform: Module 3
Java Web Programming Using Cloud Platform: Module 3
IMC Institute
 
Less06 users
Less06 usersLess06 users
Less06 users
Imran Ali
 
Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data Redaction
Alex Zaballa
 
OOW16 - Oracle Database 12c - The Best Oracle Database 12c New Features for D...
OOW16 - Oracle Database 12c - The Best Oracle Database 12c New Features for D...OOW16 - Oracle Database 12c - The Best Oracle Database 12c New Features for D...
OOW16 - Oracle Database 12c - The Best Oracle Database 12c New Features for D...
Alex Zaballa
 
Sql views
Sql viewsSql views
Sql views
arshid045
 
Les14[1]Controlling User Access
Les14[1]Controlling User AccessLes14[1]Controlling User Access
Les14[1]Controlling User Access
siavosh kaviani
 
Vendor session myFMbutler DoSQL 2
Vendor session myFMbutler DoSQL 2Vendor session myFMbutler DoSQL 2
Vendor session myFMbutler DoSQL 2
Koen Van Hulle
 
Introduction4 SQLite
Introduction4 SQLiteIntroduction4 SQLite
Introduction4 SQLite
Stanley Huang
 
Oracle Database 12c - New Features for Developers and DBAs
Oracle Database 12c - New Features for Developers and DBAsOracle Database 12c - New Features for Developers and DBAs
Oracle Database 12c - New Features for Developers and DBAs
Alex Zaballa
 
98_364_Slides_Lesson05.ppt
98_364_Slides_Lesson05.ppt98_364_Slides_Lesson05.ppt
98_364_Slides_Lesson05.ppt
RahafKhalid14
 
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot
 

Más contenido relacionado

La actualidad más candente

View, Store Procedure & Function and Trigger in MySQL - Thaipt
View, Store Procedure & Function and Trigger in MySQL - ThaiptView, Store Procedure & Function and Trigger in MySQL - Thaipt
View, Store Procedure & Function and Trigger in MySQL - Thaipt
Framgia Vietnam
 
Less06 users
Less06 usersLess06 users
Less06 users
Imran Ali
 
Introduction4 SQLite
Introduction4 SQLiteIntroduction4 SQLite
Introduction4 SQLite
Stanley Huang
 

La actualidad más candente (20)

2011 Collaborate IOUG Presentation
2011 Collaborate IOUG Presentation2011 Collaborate IOUG Presentation
2011 Collaborate IOUG Presentation
 
Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data Redaction
 
Sql ch 15 - sql security
Sql ch 15 - sql securitySql ch 15 - sql security
Sql ch 15 - sql security
 
View, Store Procedure & Function and Trigger in MySQL - Thaipt
View, Store Procedure & Function and Trigger in MySQL - ThaiptView, Store Procedure & Function and Trigger in MySQL - Thaipt
View, Store Procedure & Function and Trigger in MySQL - Thaipt
 
DOAG - Oracle Database Locking Mechanism Demystified
DOAG - Oracle Database Locking Mechanism Demystified DOAG - Oracle Database Locking Mechanism Demystified
DOAG - Oracle Database Locking Mechanism Demystified
 
2009 Collaborate IOUG Presentation
2009 Collaborate IOUG Presentation2009 Collaborate IOUG Presentation
2009 Collaborate IOUG Presentation
 
2013 Collaborate - OAUG - Presentation
2013 Collaborate - OAUG - Presentation2013 Collaborate - OAUG - Presentation
2013 Collaborate - OAUG - Presentation
 
ORACLE 9i
ORACLE 9iORACLE 9i
ORACLE 9i
 
My sql tutorial-oscon-2012
My sql tutorial-oscon-2012My sql tutorial-oscon-2012
My sql tutorial-oscon-2012
 
Oracle database locking mechanism demystified (AOUG)
Oracle database locking mechanism demystified (AOUG)Oracle database locking mechanism demystified (AOUG)
Oracle database locking mechanism demystified (AOUG)
 
common_schema, DBA's framework for MySQL
common_schema, DBA's framework for MySQLcommon_schema, DBA's framework for MySQL
common_schema, DBA's framework for MySQL
 
Java Web Programming Using Cloud Platform: Module 3
Java Web Programming Using Cloud Platform: Module 3Java Web Programming Using Cloud Platform: Module 3
Java Web Programming Using Cloud Platform: Module 3
 
Less06 users
Less06 usersLess06 users
Less06 users
 
Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data Redaction
 
OOW16 - Oracle Database 12c - The Best Oracle Database 12c New Features for D...
OOW16 - Oracle Database 12c - The Best Oracle Database 12c New Features for D...OOW16 - Oracle Database 12c - The Best Oracle Database 12c New Features for D...
OOW16 - Oracle Database 12c - The Best Oracle Database 12c New Features for D...
 
Sql views
Sql viewsSql views
Sql views
 
Les14[1]Controlling User Access
Les14[1]Controlling User AccessLes14[1]Controlling User Access
Les14[1]Controlling User Access
 
Vendor session myFMbutler DoSQL 2
Vendor session myFMbutler DoSQL 2Vendor session myFMbutler DoSQL 2
Vendor session myFMbutler DoSQL 2
 
Introduction4 SQLite
Introduction4 SQLiteIntroduction4 SQLite
Introduction4 SQLite
 
Oracle Database 12c - New Features for Developers and DBAs
Oracle Database 12c - New Features for Developers and DBAsOracle Database 12c - New Features for Developers and DBAs
Oracle Database 12c - New Features for Developers and DBAs
 

Similar a Oracle Database Security For Developers

Administration and Management of Users in Oracle / Oracle Database Storage st...
Administration and Management of Users in Oracle / Oracle Database Storage st...Administration and Management of Users in Oracle / Oracle Database Storage st...
Administration and Management of Users in Oracle / Oracle Database Storage st...
rajeshkumarcse2001
 
Improving oracle12c security
Improving oracle12c securityImproving oracle12c security
Improving oracle12c security
Laurent Leturgez
 
Clase 18 privilegios modificada
Clase 18 privilegios modificadaClase 18 privilegios modificada
Clase 18 privilegios modificada
Titiushko Jazz
 

Similar a Oracle Database Security For Developers (20)

98_364_Slides_Lesson05.ppt
98_364_Slides_Lesson05.ppt98_364_Slides_Lesson05.ppt
98_364_Slides_Lesson05.ppt
 
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
 
Solving the DB2 LUW Administration Dilemma
Solving the DB2 LUW Administration DilemmaSolving the DB2 LUW Administration Dilemma
Solving the DB2 LUW Administration Dilemma
 
Solving the DB2 LUW Administration Dilemma
Solving the DB2 LUW Administration DilemmaSolving the DB2 LUW Administration Dilemma
Solving the DB2 LUW Administration Dilemma
 
Overview of RedDatabase 2.5
Overview of RedDatabase 2.5Overview of RedDatabase 2.5
Overview of RedDatabase 2.5
 
Db pre
Db preDb pre
Db pre
 
Presentation database security enhancements with oracle
Presentation database security enhancements with oraclePresentation database security enhancements with oracle
Presentation database security enhancements with oracle
 
Controlling User Access -Data base
Controlling User Access -Data baseControlling User Access -Data base
Controlling User Access -Data base
 
03_DP_300T00A_Secure_Environment.pptx
03_DP_300T00A_Secure_Environment.pptx03_DP_300T00A_Secure_Environment.pptx
03_DP_300T00A_Secure_Environment.pptx
 
Odv oracle customer_demo
Odv oracle customer_demoOdv oracle customer_demo
Odv oracle customer_demo
 
Privilege Analysis with the Oracle Database
Privilege Analysis with the Oracle DatabasePrivilege Analysis with the Oracle Database
Privilege Analysis with the Oracle Database
 
Administration and Management of Users in Oracle / Oracle Database Storage st...
Administration and Management of Users in Oracle / Oracle Database Storage st...Administration and Management of Users in Oracle / Oracle Database Storage st...
Administration and Management of Users in Oracle / Oracle Database Storage st...
 
Oracle Database
Oracle DatabaseOracle Database
Oracle Database
 
Improving oracle12c security
Improving oracle12c securityImproving oracle12c security
Improving oracle12c security
 
Sql Server Security
Sql Server SecuritySql Server Security
Sql Server Security
 
Oracle DBA
Oracle DBAOracle DBA
Oracle DBA
 
Role-Based Access Control (RBAC) in Neo4j
Role-Based Access Control (RBAC) in Neo4jRole-Based Access Control (RBAC) in Neo4j
Role-Based Access Control (RBAC) in Neo4j
 
Oracle Database Performance Tuning Advanced Features and Best Practices for DBAs
Oracle Database Performance Tuning Advanced Features and Best Practices for DBAsOracle Database Performance Tuning Advanced Features and Best Practices for DBAs
Oracle Database Performance Tuning Advanced Features and Best Practices for DBAs
 
Aioug vizag oracle12c_new_features
Aioug vizag oracle12c_new_featuresAioug vizag oracle12c_new_features
Aioug vizag oracle12c_new_features
 
Clase 18 privilegios modificada
Clase 18 privilegios modificadaClase 18 privilegios modificada
Clase 18 privilegios modificada
 

Último

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Último (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 

Oracle Database Security For Developers

  • 1.
  • 2. Szymon Skorupinski Oracle Tutorials, CERN, Geneva, 30th April 2013
  • 3. Outline • Users • Privileges • Roles • Encryption • SQL injection
  • 4. Outline • Users • Privileges • Roles • Encryption • SQL injection
  • 5. 5 Database user • Username along with additional set of attributes • Password and its status • Expired or not • Account status • Locked or unlocked • Authentication method • Default tablespaces for permanent and temporary data storage • Tablespace quotas • Profile
  • 6. 6 User creation (1/2) • Implicit creation of schema • Logical container for database objects • One-to-one relationship with username SYS@DB> CREATE USER orauser1 IDENTIFIED BY "password" DEFAULT TABLESPACE users QUOTA 10M ON users TEMPORARY TABLESPACE temp PROFILE cern_dev_profile PASSWORD EXPIRE ACCOUNT UNLOCK; SYS@DB> GRANT create session TO orauser1;
  • 7. 7 User creation (2/2) $ sqlplus orauser1@db Enter password: ERROR: ORA-28001: the password has expired Changing password for orauser1 New password: Retype new password: Password changed ORAUSER1@DB>
  • 8. 8 Useful user-related views View name Describes USER_USERS Current user USER_TS_QUOTAS Tablespace quotas ALL_OBJECTS All objects accessible to the current user USER_OBJECTS All objects owned by the current user
  • 9. 9 Passwords • Since 11g (finally!) passwords are case-sensitive • For backward compatibility passwords set in previous version become case-sensitive only after change is done • Good password policies • Minimum 8 characters • Cannot be the same as username and too simple • Should differ from previous one by at least 3 characters • Contains at least 3 of these categories • Lowercase letters, uppercase letters, numbers, symbols • Enforced using password verify function which leads us to...
  • 10. 10 Profiles • Named sets of limits on database resources and password access to the database, e.g. • SESSIONS_PER_USER • IDLE_TIME • FAILED_LOGIN_ATTEMPTS • PASSWORD_LIFE_TIME • PASSWORD_REUSE_TIME • PASSWORD_REUSE_MAX • PASSWORD_VERIFY_FUNCTION • PASSWORD_LOCK_TIME • PASSWORD_GRACE_TIME
  • 11. 11 Useful profile-related views View name Describes USER_PASSWORD_LIMITS Password profile parameters that are assigned to the user USER_RESOURCE_LIMITS Resource limits for the current user
  • 12. Outline • Users • Privileges • Roles • Encryption • SQL injection
  • 13. 13 Privileges • Privilege – right to perform particular type of actions or to access database objects • System privileges – ability to perform particular action on database or on any object of specific type, e.g. • CREATE SESSION, DROP ANY TABLE, ALTER ANY PROCEDURE • And over 100 others more • Be careful when using WITH ADMIN OPTION • Object privileges – ability to perform particular action on a specific schema object, e.g. • SELECT, INSERT, UPDATE, DELETE, EXECUTE • Be careful when using WITH GRANT OPTION
  • 14. 14 System privileges ORAUSER1@DB> SELECT username, privilege FROM user_sys_privs; USERNAME PRIVILEGE ---------------------- ---------------------------------------- ORAUSER1 CREATE TABLE ORAUSER1 CREATE SESSION ORAUSER1@DB> CREATE TABLE todel(id INT); Table created. ORAUSER1@DB> CREATE INDEX todel_idx ON todel(id); Index created. • Not all objects have dedicated system privileges
  • 15. 15 Object privileges (1/2) • User automatically has all object privileges for schema objects contained in his/her schema • Different object privileges are available for different types of schema objects, e.g. • EXECUTE privilege not relevant for tables • Some objects do not have any associated object privileges, e.g. • Indexes, triggers, database links
  • 16. 16 Object privileges (2/2) • Shortcut to grant or revoke all privileges possible for specific object • Still individual privileges can be revoked ORAUSER2@DB> SELECT owner, table_name, privilege FROM user_tab_privs WHERE table_name = 'TODEL'; OWNER TABLE_NAME PRIVILEGE ----------- ------------------ --------------------------------- ORAUSER1 TODEL ALTER ORAUSER1 TODEL DELETE (...) ORAUSER1@DB> GRANT ALL ON orauser1.todel TO orauser2; Grant succeeded.
  • 17. 17 Useful privilege-related views View name Describes [ALL|USER]_COL_PRIVS Column object grants for which the current [user or PUBLIC|user] is owner, grantor or grantee [ALL|USER]_COL_PRIVS_MADE Column object grants for which the current user is object [owner or grantor|owner] [ALL|USER]_COL_PRIVS_RECD Column object grants for which the current [user or PUBLIC|user] is grantee [ALL|USER]_TAB_PRIVS_MADE Object grants [made by the current user or made on the objects owned by current user|made on the objects owned by current user] [ALL|USER]_TAB_PRIVS_RECD Object grants for which the [user or PUBLIC|user] is the grantee [ALL|USER]_TAB_PRIVS Grants on objects where the current [user or PUBLIC|user] is grantee USER_SYS_PRIVS System privileges granted to the current user SESSION_PRIVS Privileges currently enabled for the current user
  • 18. Outline • Users • Privileges • Roles • Encryption • SQL injection
  • 19. 19 Roles • Role – named group of related privileges • Could be granted to users or to other roles • Predefined or user-created • Since 11g CONNECT role has only CREATE SESSION privilege • Enabled or disabled • Default roles are automatically enabled • Provide selective availability of privileges • Could be password-protected • PUBLIC role • Be careful - all grants to this role are available to every user
  • 20. 20 Roles in PL/SQL (1/4) • Disabled in any named definer’s rights PL/SQL block • Enabled in any anonymous or named invoker’s rights PL/SQL block • Anonymous blocks always behave like invoker’s right ones • Definer’s rights routine – executed with privileges of its owner • Default mode when AUTHID clause not specified • Only EXECUTE privilege needed for other users • Invoker’s rights routine – executed with privileges of the invoking user
  • 21. 21 Roles in PL/SQL (2/4) ORAUSER1@DB> SELECT * FROM session_roles; ROLE ------------------------------ CONNECT ORAUSER1@DB> SET SERVEROUTPUT ON ORAUSER1@DB> DECLARE l_role_name VARCHAR2(100); BEGIN SELECT role INTO l_role_name FROM session_roles WHERE rownum = 1; dbms_output.put_line(CHR(10) || l_role_name); END; / CONNECT PL/SQL procedure successfully completed.
  • 22. 22 Roles in PL/SQL (3/4) ORAUSER1@DB> CREATE OR REPLACE PROCEDURE show_session_roles_definer AS l_role_name VARCHAR2(100); BEGIN SELECT role INTO l_role_name FROM session_roles WHERE rownum = 1; dbms_output.put_line(CHR(10) || l_role_name); END; / Procedure created. ORAUSER1@DB> EXEC show_session_roles_definer BEGIN show_session_roles_definer; END; * ERROR at line 1: ORA-01403: no data found (...)
  • 23. 23 Roles in PL/SQL (4/4) ORAUSER1@DB> CREATE OR REPLACE PROCEDURE show_session_roles_invoker AUTHID CURRENT_USER AS l_role_name VARCHAR2(100); BEGIN SELECT role INTO l_role_name FROM session_roles WHERE rownum = 1; dbms_output.put_line(CHR(10) || l_role_name); END; / Procedure created. ORAUSER1@DB> EXEC show_session_roles_invoker CONNECT PL/SQL procedure successfully completed.
  • 24. 24 Roles and DDLs • Depending on the DDL statement, one or more privileges are needed to succeed, e.g. • To create a view on a table belonging to another user • CREATE VIEW or CREATE ANY VIEW • SELECT on this table or SELECT ANY TABLE • But these SELECT privileges cannot be granted through a role! • Views are definer's rights objects • In general, when received through a role • All system and object privileges that permit a user to perform a DDL operation are usable, e.g. • System: CREATE TABLE, CREATE VIEW • Object: ALTER, INDEX • All system and object privileges that allow a user to perform a DML operation that is required to issue a DDL statement are not usable
  • 25. 25 Useful role-related views View name Describes USER_ROLE_PRIVS Roles directly granted to the current user ROLE_ROLE_PRIVS Roles granted to other roles (only roles to which the current user has access are listed) ROLE_SYS_PRIVS System privileges granted to roles (only roles to which the current user has access are listed) ROLE_TAB_PRIVS Object privileges granted to roles (only roles to which the current user has access are listed) SESSION_ROLES All enabled roles for the current user (except PUBLIC)
  • 26. 26 Thinking about security • Never share your passwords • If access is required, separate account with the least privileges needed should be created • Responsibility easy to track with account management • Separation of duties using database accounts • Reader • Writer • Owner
  • 27. 27 Increasing application security • Using views • Privileges needed only for view, not its underlying objects • Security domain used when view is queried is of its definer (owner) • Can provide access to selected columns of base tables • Can provide access to selected rows (value-based security) • Using stored procedures to encapsulate business logic • Privilege to update specific object only through procedure • Possibility to add more constraints, e.g. • Updates allowed only during business hours
  • 28. Outline • Users • Privileges • Roles • Encryption • SQL injection
  • 29. 29 Encryption (1/2) • Way to increase protection for sensitive data • Encryption using PL/SQL • DBMS_CRYPTO (replacing DBMS_OBFUSCATION_TOOLKIT) • Transparent Data Encryption (TDE) • Oracle Enterprise Edition with Advanced Security option required • No application changes needed • Encryption of data before it’s written to storage • Decryption of data when it’s read from storage • Two modes supported • Tablespace encryption (11g) – hardware acceleration possible • Column encryption (10gR2)
  • 30. 30 Encryption (2/2) • Additional protection for data in transit • Network encryption to protect communication to and from the database • Rejecting connections from clients without encryption • Additional protection for backups • TDE encrypted data remains encrypted • Entire backup and export dump files encryption possibility
  • 31. Outline • Users • Privileges • Roles • Encryption • SQL injection
  • 32. 32 SQL injection defined • Kind of attack with adding and executing unintended code from untrusted source • Manipulate select statements • Run DML or even DDL • Run stored procedures • Virtually anything could be done in context of connected user privileges • Even more with definer’s right procedures • Caused by • Wrong input handling – not only strings! • Implicit types conversions – dangerous
  • 33. 33 SQL injection prevention (1/2) • Design security into your application from day 1 • Detection very hard and time consuming in post-development phase • Could procedure without any input parameters be injected? Yes... • Use bind variables! • You’ll be secure... • ...and will get better performance and scalability • If not... • „then you must submit your code for review to at least five people who do not like you - they must be motivated to rip your code apart, critically review it, make fun of it - so they find the bugs” - Tom Kyte
  • 34. 34 SQL injection prevention (2/2) • If you really have very good technical reasons not to use binds • Are you sure? • Use DBMS_ASSERT package to sanitize user inputs • Are you 100% sure? • Don’t use implicit types conversions... • ...and don’t rely on defaults • Application logic unintended change besides SQL injections
  • 35. 35 SQL injection – be prepared! • Source: niebezpiecznik.pl
  • 36. 36 SQL injection with inputs (1/4) SQL> CREATE TABLE users ( login VARCHAR2(20), pass VARCHAR2(20) ); Table created. SQL> INSERT INTO users VALUES ('admin','pass'); 1 row created. SQL> COMMIT; Commit complete.
  • 37. 37 SQL injection with inputs (2/4) SQL> SELECT 1 allow FROM users WHERE login = 'admin' AND pass = 'fake'; no rows selected SQL> SELECT 1 allow FROM users WHERE login = 'admin' AND pass = 'pass'; ALLOW -------------- 1
  • 38. 38 SQL injection with inputs (3/4) SQL> SELECT 1 allow FROM users WHERE login = '&usr' AND pass = '&pwd'; Enter value for usr: admin Enter value for pwd: fake' or 'a'='a old 1: SELECT 1 allow FROM users WHERE login = '&usr' AND pass = '&pwd' new 1: SELECT 1 allow FROM users WHERE login = 'admin' AND pass = 'fake' or 'a'='a' ALLOW -------------- 1
  • 39. 39 SQL injection with inputs (4/4) SQL> VARIABLE usr VARCHAR2(20); SQL> VARIABLE pwd VARCHAR2(20); SQL> EXEC :usr := 'admin'; PL/SQL procedure successfully completed. SQL> EXEC :pwd := 'fake'' or ''a'' = ''a'; PL/SQL procedure successfully completed. SQL> PRINT pwd PWD -------------------------------- fake' or 'a' = 'a SQL> SELECT 1 allow FROM users WHERE login = :usr AND pass = :pwd; no rows selected
  • 40. 40 SQL injection with inputs (1/7) SQL> CREATE OR REPLACE PROCEDURE add_user (p_login VARCHAR2, p_pass VARCHAR2) AS l_cmd VARCHAR2(1000); BEGIN l_cmd := 'BEGIN INSERT INTO users VALUES (''' || p_login || ''',''' || p_pass || '''); COMMIT; END;'; dbms_output.put_line(l_cmd); EXECUTE IMMEDIATE l_cmd; END; / Procedure created.
  • 41. 41 SQL injection with inputs (2/7) SQL> SET SERVEROUTPUT ON SQL> SELECT * FROM users; LOGIN PASS -------------------- -------------------- admin pass SQL> EXEC add_user('NewLogin','NewPass'); BEGIN INSERT INTO users VALUES ('NewLogin','NewPass'); COMMIT; END; PL/SQL procedure successfully completed.
  • 42. 42 SQL injection with inputs (3/7) SQL> SELECT * FROM users; LOGIN PASS -------------------- -------------------- admin pass NewLogin NewPass
  • 43. 43 SQL injection with inputs (4/7) SQL> EXEC add_user('NewerLogin','NewerPass''); INSERT INTO users VALUES (''FakeUser'', ''FakePass'');--'); BEGIN INSERT INTO users VALUES ('NewerLogin', 'NewerPass'); INSERT INTO users VALUES ('FakeUser', 'FakePass');--'); COMMIT; END; PL/SQL procedure successfully completed.
  • 44. 44 SQL injection with inputs (5/7) SQL> SELECT * FROM users; LOGIN PASS -------------------- -------------------- NewerLogin NewerPass admin pass NewLogin NewPass FakeUser FakePass
  • 45. 45 SQL injection with inputs (6/7) SQL> EXEC add_user('NewestLogin','NewestPass''); EXECUTE IMMEDIATE ''DROP TABLE users'';--'); BEGIN INSERT INTO users VALUES ('NewestLogin','NewestPass'); EXECUTE IMMEDIATE 'DROP TABLE users';--'); COMMIT; END; PL/SQL procedure successfully completed.
  • 46. 46 SQL injection with inputs (7/7) SQL> SELECT * FROM users; SELECT * FROM users * ERROR at line 1: ORA-00942: table or view does not exist
  • 47. 47 SQL injection without inputs (1/10) SQL> CREATE TABLE users ( login VARCHAR2(30), pass VARCHAR2(30), expire TIMESTAMP ); Table created. SQL> ALTER SESSION SET nls_timestamp_format = 'DD-MM-YYYY HH24:MI:SS'; Session altered.
  • 48. 48 SQL injection without inputs (2/10) SQL> INSERT INTO users VALUES ('UserExpired', 'pass1234', localtimestamp - 1); 1 row created. SQL> INSERT INTO users VALUES ('UserNotExpired', '4567pass', localtimestamp + 1); 1 row created. SQL> COMMIT; Commit complete.
  • 49. 49 SQL injection without inputs (3/10) SQL> SELECT * FROM users; LOGIN PASS EXPIRE -------------- -------------- ------------------- UserExpired pass1234 28-04-2013 11:47:28 UserNotExpired 4567pass 30-04-2013 11:47:32
  • 50. 50 SQL injection without inputs (4/10) SQL> CREATE OR REPLACE PROCEDURE list_expired_users AS l_query VARCHAR2(300); l_query_bind VARCHAR2(300); l_time TIMESTAMP; l_cur SYS_REFCURSOR; l_login VARCHAR2(30); BEGIN l_time := localtimestamp; l_query := 'SELECT login FROM users WHERE expire <= ''' || l_time || ''''; l_query_bind := 'SELECT login FROM users WHERE expire <= :b_var';
  • 51. 51 SQL injection without inputs (5/10) dbms_output.put_line('Concatenated query: ' || l_query); OPEN l_cur FOR l_query; LOOP FETCH l_cur INTO l_login; EXIT WHEN l_cur%NOTFOUND; dbms_output.put_line(l_login); END LOOP; CLOSE l_cur;
  • 52. 52 SQL injection without inputs (6/10) dbms_output.put_line('Bind variable query: ' || l_query_bind); OPEN l_cur FOR l_query_bind USING l_time; LOOP FETCH l_cur INTO l_login; EXIT WHEN l_cur%NOTFOUND; dbms_output.put_line(l_login); END LOOP; CLOSE l_cur; END; /
  • 53. 53 SQL injection without inputs (7/10) SQL> SELECT value FROM v$nls_parameters WHERE parameter = 'NLS_TIMESTAMP_FORMAT'; VALUE ----------------------------------------- DD-MM-YYYY HH24:MI:SS SQL> SET SERVEROUTPUT ON
  • 54. 54 SQL injection without inputs (8/10) SQL> EXEC list_expired_users; Concatenated query: SELECT login FROM users WHERE expire <= '29-04-2013 11:53:21' UserExpired Bind variable query: SELECT login FROM users WHERE expire <= :b_var UserExpired PL/SQL procedure successfully completed.
  • 55. 55 SQL injection without inputs (9/10) SQL> ALTER SESSION SET nls_timestamp_format = '"'' UNION SELECT login || '' '' || pass FROM users--"'; Session altered. SQL> SELECT value FROM v$nls_parameters WHERE parameter = 'NLS_TIMESTAMP_FORMAT'; VALUE ------------------------------------------------------ "' UNION SELECT login || ' ' || pass FROM users--" SQL> SELECT localtimestamp FROM dual; LOCALTIMESTAMP ------------------------------------------------------ ' UNION SELECT login || ' ' || pass FROM users--
  • 56. 56 SQL injection without inputs (10/10) SQL> EXEC list_expired_users; Concatenated query: SELECT login FROM users WHERE expire <= '' UNION SELECT login || ' ' || pass FROM users--' UserExpired pass1234 UserNotExpired 4567pass Bind variable query: SELECT login FROM users WHERE expire <= :b_var UserExpired PL/SQL procedure successfully completed.