1 / 38

Protecting Your Database: Preventing SQL Injection Attacks

Learn about database security, relational databases, SQL injection attacks, attack avenues, countermeasures, and access control systems. Safeguard your valuable data today!

lphilips
Download Presentation

Protecting Your Database: Preventing SQL Injection Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Lecture 9Database Security modified from slides of Lawrie Brown

  2. Databases • structured collection of data stored for use by one or more applications • contains the relationships between data items and groups of data items • can sometimes contain sensitive data • database management system (DBMS) • suite of programs for constructing and maintaining the database • ad hoc query facilities to multiple users and applications • Query language • provides a uniform interface to the database

  3. DBMS Architecture

  4. Relational Databases • table of data consisting of rows and columns • each column holds a particular type of data • each row contains a specific value for each column • ideally has one column where all values are unique, forming an identifier/key for that row • enables the creation of multiple tables linked together by a unique identifier that is present in all tables • use a relational query language to access the database • request data that fit a given set of criteria

  5. Relational Database Elements • relation / table / file • tuple / row / record • attribute / column / field

  6. Relational Database Example

  7. Relational Database Example

  8. Structured Query Language (SQL) • originally developed by IBM in the mid-1970s • standardized language to define, manipulate, and query data in a relational database • several similar versions of ANSI/ISO standard

  9. SQL Injection Attacks (SQLi) • One of the most prevalent and dangerous network-based security threats • Designed to exploit the nature of Web application pages • Sends malicious SQL commands to the database server Most common attack goal is bulk extraction of data Depending on the environment SQL injection can also be exploited to: • Modify or delete data • Execute arbitrary operating system commands • Launch denial-of-service (DoS) attacks

  10. Injection Technique

  11. SQLi Attack Avenues • User input • Attackers inject SQL commands by providing suitable crafted user input • Server variables • Attackers can forge the values that are placed in HTTP and network headers and exploit this vulnerability by placing data directly into the headers • Second-order injection • A malicious user could rely on data already present in the system or database to trigger an SQL injection attack, so when the attack occurs, the input that modifies the query to cause an attack does not come from the user, but from within the system itself • Cookies • An attacker could alter cookies such that when the application server builds an SQL query based on the cookie’s content, the structure and function of the query is modified • Physical user input • Applying user input that constructs an attack outside the realm of web requests

  12. Inband Attacks • Uses the same communication channel for injecting SQL code and retrieving results • The retrieved data are presented directly in application Web page • Include: • Tautology • End-of-line comment • Piggybacked queries • This form of attack injects code in one or more conditional statements so that they always evaluate to true • After injecting code into a particular field, legitimate code that follows are nullified through usage of end of line comments • The attacker adds additional queries beyond the intended query, piggy-backing the attack on top of a legitimate request

  13. Inferential Attack • There is no actual transfer of data, but the attacker is able to reconstruct the information • by sending particular requests and observing the resulting behavior of the Website/database server • Include: • Illegal/logically incorrect queries • This attack lets an attacker gather important information about the type and structure of the backend database of a Web application • The attack is considered a preliminary, information-gathering step for other attacks • Blind SQL injection • Allows attackers to infer the data present in a database system even when the system is sufficiently secure to not display any erroneous information back to the attacker

  14. Out-of-Band Attack • Data are retrieved using a different channel • This can be used when there are limitations on information retrieval, but outbound connectivity from the database server is lax

  15. SQLi Countermeasures • Three types: • Detection • Manual defensive coding practices • Parameterized query insertion • SQL DOM • Signature based • Anomaly based • Code analysis • Check queries at runtime to see if they conform to a model of expected queries • Defensive coding • Run-time prevention

  16. Database Access Control • database access control system determines: • can support a range of administrative policies • if the user has access to the entire database or just portions of it • centralized administration • small number of privileged users may grant and revoke access rights • what access rights the user has • (create, insert, delete, update, read, write) • ownership-based administration • the creator of a table may grant and revoke access rights to the table • decentralized administration • the owner of the table may grant and revoke authorization rights to other users, allowing them to grant and revoke access rights to the table

  17. SQL Access Controls • two commands for managing access rights: • grant • used to grant one or more access rights or can be used to assign a user to a role • revoke • revokes the access rights • typical access rights are: • select, insert, update, delete, references

  18. Cascading Authorizations Revoke t = 100

  19. Role-Based Access Control (RBAC) • Role-based access control eases administrative burden and improves security • A database RBAC needs to provide the following capabilities: • Create and delete roles • Define permissions for a role • Assign and cancel assignment of users to roles • Categories of database users:

  20. Fixed Roles in Microsoft SQL Server

  21. Inference • Performing queries to deduce unauthorized information from the legitimate responses received • inference channel • information transfer path by which unauthorized data is obtained

  22. Inference Example

  23. Inference Detection • Some inference detection algorithm is needed for either of these approaches • Progress has been made in devising specific inference detection techniques for multilevel secure databases and statistical databases • Approach removes an inference channel by altering the database structure or by changing the access control regime to prevent inference • Inference detection during database design • Techniques in this category often result in unnecessarily stricter access controls that reduce availability • Two approaches • Approach seeks to eliminate an inference channel violation during a query or series of queries • Inference detection at query time • If an inference channel is detected, the query is denied or altered

  24. Statistical Databases (SDB) • provides data of a statistical nature such as counts and averages • pure statistical database • ordinary database with statistical access • access control objective • provide users with the needed information • without compromising the confidentiality • security problem is one of inference

  25. Statistical Database Example

  26. Statistical Database Security • use a characteristic formula C • a logical formula over the values of attributes • e.g. (Sex=Male) AND ((Major=CS) OR (Major=EE)) • query set X(C) of characteristic formula C, is the set of records matching C • a statistical query is a query that produces a value calculated over a query set

  27. Some Queries of a Statistical Database

  28. Protecting Against Inference

  29. Perturbation • data perturbation technique • data swapping • generate statistics from probability distribution • output perturbation technique • statistic adjustment • random-sample query • goal is to minimize the differences between original results and perturbed results • challenge is to determine the average size of the error to be used

  30. Other Query Restrictions • query set overlap control • limit overlap between new and previous queries • partitioning • cluster records into a number of mutually exclusive groups • query the statistical properties of each group as a whole • query denial and information leakage • denials can leak information • to counter, must track queries from user

  31. Tracker Attacks • divide queries into parts • C = C1.C2 • count(C  D) = count(C1) - count (C1 ~C2) • combination is called a tracker • each part acceptable query size • overlap is desired result • Count(C) = Count(C1) - Count(T) • Count(C  D) = Count(T + C1D) - Count(T)

  32. Database Encryption • database is typically the most valuable information resource for any organization • protected by multiple layers of security • firewalls, authentication, O/S access control systems, DB access control systems, database encryption • encryption is often implemented with particularly sensitive data • at record, attribute, or individual field levels • disadvantages to encryption: • key management • inflexibility

  33. Database Encryption

  34. Encryption Scheme

  35. Summary • database • structured collection of data • database management system (DBMS) • programs for constructing and maintaining the database • structured query language (SQL) • language used to define schema/manipulate/query data in a relational database • SQL injection attacks • A typical SQLi attack • The injection technique • SQLi attack avenues and types • SQLi countermeasures • relational database • table of data consisting of rows (tuples) and columns (attributes) • multiple tables tied together by a unique identifier that is present in all tables • database access control • centralized/ownership-based/decentralized administration • role-based access control (RBAC) • application owner/end user otherthan application owner/administrator • inference channel • information transfer path by which unauthorized data is obtained • statistical database (SDB) • query restriction/perturbation/data swapping/random-sample query • database encryption • cloud computing/security/ data protection • multi-instance/ multi-tenant model • Cloud security as a service

More Related