Oracle数据库安全讲义-by Paul Wright

NGSConsultingNextGenerationSecuritySoftwareLtd.NextGenerationSecuritySoftwareLtd.SecuringOracleForensicallySecuringOracleForensicallyPaulWrightSecuritySoftwareDeveloperandConsultantypNGSConsultingNextGenerationSecuritySoftwareLtd.OracleForensicsatISACAOracleForensicsatISACAAboutmyself~PaulM.WrightAboutmyself~PaulM.Wright•UniversityofManchesterComputerScientistspecialisedinOracleandsecurity.•6yearsOracleexperienceand7yearssecurityexperience.•11SANSconferencesandmostGIACqualifiedpersonintheUK.•PentestLtd.PublishedthefirstpaperonOracleForensicsinJanuary20052005.•NGSSoftwareforthelastyearwritingsecuritychecksforOracleSftkiithDidLithfildSoftwareworkingwithDavidLitchfield.•FirstGSOCwiththehighestmarkssofar~PeterFinniganscourse.•ThislatestworkisanextensionoftheOracleForensicsPaperfortheGSOCqualificationandIthinkitmaybeofinteresttoISACA.Copyright©2006.NGSSoftwareLtd.NGSConsultingNextGenerationSecuritySoftwareLtd.OracleForensicsatISACAOracleForensicsatISACAPlanofpresentationPlanofpresentation•Generaldatabasesecurity•Oracledatabasesecurity•PLSQLpackagesandSQLInjection•Identifyingeasyvulnerabilities•Patchingproblems•TryingtoIdentifyvulnerableproceduresygyp•Identifyvulnerablepackagesforensically•Assessingrisktozerodaysretrospectivelygypy•QuestionsCopyright©2006.NGSSoftwareLtd.NGSConsultingNextGenerationSecuritySoftwareLtd.OracleForensicsatISACAOracleForensicsatISACASomepriorresearchSomepriorresearchaboutyourselvesaboutyourselvesFinancialsectorFinancialsectorauditingandauditingandggconsultancyconsultancyCopyright©2006.NGSSoftwareLtd.NGSConsultingNextGenerationSecuritySoftwareLtd.OracleForensicsatISACAOracleForensicsatISACAWhyDatabaseSecurity?•Databasesholdthemostsensitiveinformationinacompany.WhetherthisisFinancial,MedicalorHRinformation,thedatabaseistheultimatetargetofahacker.CrownJewels.Creditcardnumbersforinstance.•PrivilegemodelsinDatabasesarelessevolvedinDBssodifficulttomanagePrivilegemodelsinDatabasesarelessevolvedinDBssodifficulttomanagee.g.PrivilegeinheritancewithnestedrolesandNoexplicitdenyinOracleonlyrevoke.Dtbdfiilltkbili•Databasesareusedforincreasinglycomplextasks,asbusinesslogicmovesfromthemiddletiertothedatabase,andsupportforfullprogramminglanguagessuchasJavaandCisadded.Thereforemorevulnerabilities.•Thinclientdesktopmovestothedatabase.MoreaccesstoDB.Copyright©2006.NGSSoftwareLtd.NGSConsultingNextGenerationSecuritySoftwareLtd.OracleForensicsatISACAOracleForensicsatISACAIntroductionIntroduction--NGSNGSNGSandDatabaseSecurity•NGSstartedin2001andmuchoftheresearchwasfocusedondatabase•NGSstartedin2001,andmuchoftheresearchwasfocusedondatabasevulnerabilities,asthiswasexpectedtobetheagrowthareawithinITSecurity.•In2001,Oracle9iwasreleased,containingover400newfeaturesandthecampaignslogan“Unbreakable”IwasworkingasanOracledeveloperatLinnProductsatthesloganUnbreakable.IwasworkingasanOracledeveloperatLinnProductsatthetimeandhadthewordunbreakableontopofmymonitor.DavidLitchfieldbrokeitandnowIworkforhim.•In2002NGSdevelopedvulnerabilityscanningtoolsforOracleandMSSQLdatabases•In2002,NGSdevelopedvulnerabilityscanningtoolsforOracleandMSSQLdatabases.•Followingfurthersuccessesindatabaseresearchandadvisoriesreleased,NGSnowhascomprehensivescanningtoolsforDB2,InformixandSybaseCopyright©2006.NGSSoftwareLtd.NGSConsultingNextGenerationSecuritySoftwareLtd.OracleForensicsatISACAOracleForensicsatISACAWhyOracleSecuritynow?WhyOracleSecuritynow?•Coredatabasehasbeensecure~Oracle’spride•TheAltersessionvariablebugaffectedthewholeDBandsodentedthispride.•AlsoOraclecriticisedDavidLitchfieldforpresentingafixintheabsenceofanyotherfix(mod_plsqlgateway).Difficulttojustify?GtOlilthbtifit•Gartner.Oracleisnolongerthebastionofsecurity.•Iaminterestedinthetechnicalratherthanpoliticalmediasidemediaside.Copyright©2006.NGSSoftwareLtd.NGSConsultingNextGenerationSecuritySoftwareLtd.OracleForensicsatISACAOracleForensicsatISACALocating,AnalysingandmitigatingThreats~Locating,AnalysingandmitigatingThreats~AgenericprocessAgenericprocess•Locatethedatabaseinstancesonanetwork~PortscanningnmapAgenericprocessAgenericprocessLocatethedatabaseinstancesonanetworkPortscanningnmap•Runvulnerabilityauditssimilartostandardvulnerabilityassessmenttools~VulnerabilityscannerlikeNessusRnSQLscriptsonthedatabasetodetermineinternalthreats•RunSQLscriptsonthedatabasetodetermineinternalthreats•Placevulnerabilitiesinabusinesscontextduringreportandanalysis•Securevulnerabilitiesthroughpatching,revokingaccess,orremovingtheaffectedresourceCopyright©2006.NGSSoftwareLtd.NGSConsultingNextGenerationSecuritySoftwareLtd.OracleForensicsatISACAOracleForensicsatISACATop8threatsthatoccurinadatabase?Top8threatsthatoccurinadatabase?1.DefaultorWeakPasswords2PrivilegeAbuse–noexplicitdenyprivonlyrevokea2.PrivilegeAbusenoexplicitdenyprivonlyrevokeagrant.3.BufferOverflowandFormatString3ueOeoadoaSg4.NetworkCommunicationvulns5.Reading&WritingArbitrarySystemFiles5.Reading&WritingArbitrarySystemFiles6.SQLInjection7BreakingoutoftheDatabase7.BreakingoutoftheDatabaseCopyright©2006.NGSSoftwareLtd.NGSConsultingNextGenerati