CS 426 Lecture 29: Review of Database Security and Web Application Security Issues, Study notes of Computer Science

A set of lecture notes from CS 426, a university course on computer security. The notes review database management system (DBMS) security and web application security issues. Topics include SQL injection, cross-site scripting, cross-site request forgery, DBMS security issues, data modeling, access control mechanisms, privileges, views, stored procedures, roles, and virtual private databases (VPD). The document also mentions the final exam date for the course.

Typology: Study notes

Pre 2010

Uploaded on 07/30/2009

koofers-user-rgz

Computer Security CS 426, Lecture 29: Review and DBMS Security
CS426 Fall 2007/Lecture 29

Slide 2: Review of Web Application Security Issues
• SQL Injection
  – caused by using user inputs to form SQL queries
  – should use prepared statements (e.g., PreparedStatement in Java)
    • using input validation and/or quoting helps, but is less bulletproof
  – for legacy code, can use, e.g., query structure checking
• Cross Site Scripting
  – caused by using user inputs to generate HTML pages
    • inputs may contain malicious scripts
  – should process user input before using it
    • input checking helps, but is less bulletproof

Slide 5: DBMS Security Issues
• Users and authentication
• Secure communication between client and server
• Vulnerabilities of the DBMS implementation
  – e.g., the SQL Slammer worm
  – limit who can connect to the DBMS server

Slide 6: Basics
• Data are modeled as tables (relations)
• Each database may contain many tables and their definitions
• Multiple users may use the same DBMS, and have different privileges

Slide 7: Access Control Mechanisms
• Key features for access control in a DBMS
  1. Privileges
  2. Views
  3. Stored Procedures
  4. Roles
  5. Row-level access control

Slide 10: Cascading Effect
• There is no timestamp for privileges.
  – Revocation (i.e., the cascading effect) is coarse.
• [Figure: a chain of grants between users A, B, C and D, labelled "Grant p at t1", "Grant p at t2", "Grant p at t3" and "Grant p at t4 ?"; a second copy of the chain A, B, C, D shows only the grants at t1, t2 and t3.]

Slide 11: Views
• Access control based on column and content
• Employee(Emp_ID, name, dept_ID, salary)
  – Want to allow employees to see only (dept_ID, salary)
  – CREATE VIEW view_name AS SELECT dept_ID, salary FROM Employee;
  – Grant SELECT privileges on the view to employees

Slide 12: Views
• To create a view
  – The creator must have been explicitly (i.e., not through roles) granted one of the SELECT, INSERT, UPDATE or DELETE object privileges on all base objects underlying the view, or the corresponding system privileges.
• To grant access to the view
  – The creator must have been granted the privileges on the base tables WITH GRANT OPTION.
• To access the view
  – The creator must have the proper privilege on the underlying base tables.

Slide 15: Invoker's Right Procedure
• Invoker's right procedures
  – A user of an invoker's right procedure needs privileges on the objects that the procedure accesses.
  – Invoker's right procedures can prevent illegal privilege sharing.
  – More like function calls in operating systems.

Slide 16: Invoker's Right Procedure
• An invoker's right procedure can be embedded with a Trojan Horse.
  – Users of invoker's right procedures can blindly run malicious procedures.
  – E.g.,
      CREATE PROCEDURE niceProcedure AUTHID CURRENT_USER AS
      BEGIN
        Do something useful;
        GRANT some-privileges TO me;
        Do something useful;
      END;

Slide 17: Why use Roles?
• Two main purposes
  1. To manage the privileges for a user group (user roles)
     – The DBA creates a role for a group of users with common privilege requirements, grants all the required privileges to the role, and then grants the role to the appropriate users.
  2. To manage the privileges for an application (application roles)
     – The DBA creates a role (or a set of roles) for an application and grants it all the privileges necessary to run the application. Then the DBA grants the application role to the appropriate users.

Slide 20: Permission Assignments
• To grant a privilege to a role, one just needs to be able to grant the privilege.
  – GRANT insert ON table1 TO clerk;
• To revoke a privilege from a role, one just needs to be able to revoke the privilege.
  – REVOKE insert ON table1 FROM clerk;
• No special admin privilege is required.
  – This can be a problem, since one can make a role unusable by granting many roles to it so that it exceeds MAX_ENABLED_ROLES.
• "Grant Option" is not valid when granting an object privilege to a role.
  – This prevents the propagation of object privileges through roles.

Slide 21: VPD
• How does it work? When a user accesses a table (or view or synonym) which is protected by a VPD policy (function),
  1. The Oracle server invokes the policy function.
  2. The policy function returns a predicate, based on session attributes or database contents.
  3. The server dynamically rewrites the submitted query by appending the returned predicate to the WHERE clause.
  4. The modified SQL query is executed.

Slide 22: Example
• Suppose Alice has the following table.
      Employees(e_id number(2), name varchar2(10), salary number(3));
• Users can access e_id's and names without any restriction, but users can access only their own salary information.

      e_id  Name   Salary
      1     Alice  80
      2     Bob    60
      3     Carl   99

Slide 25: 3. Bob accesses table Employees
• select e_id, name from Employees;

      e_id  Name
      1     Alice
      2     Bob
      3     Carl

• select e_id, name, salary from Employees;
  → (rewritten by the VPD policy) select e_id, name, salary from Employees where name = 'Bob';

      e_id  Name  Salary
      2     Bob   60

Coming Attractions ...
• December 12: Final Exam
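The three SQL-injection points on slide 2 (string-built queries, the prepared-statement fix, and query structure checking for legacy code) side by side. This is an added example written for these notes, not code from the lecture; it uses an in-memory SQLite database with constructed rows, and the `users` table, the `build`/`structure_ok` helpers and the token-kind skeleton are all assumptions made here to illustrate the idea.

```python
"""Added example (not from the CS 426 slides): a string-built query, the
prepared-statement fix, and a simple query-structure check for legacy code.
Runs against an in-memory SQLite database with constructed sample rows."""
import re
import sqlite3


def make_db():
    # Constructed sample data: a small users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "clerk"), ("carl", "clerk")])
    return conn


def build(name):
    # The legacy pattern the slide warns about: user input pasted into SQL text.
    return "SELECT name FROM users WHERE name = '" + name + "'"


def lookup_unsafe(conn, name):
    # Vulnerable: whatever the input contains becomes part of the query.
    return [r[0] for r in conn.execute(build(name))]


def lookup_safe(conn, name):
    # Recommended fix: a prepared (parameterized) statement. The input is
    # bound as data and cannot alter the query's structure.
    return [r[0] for r in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


# Query-structure checking (a simplified, assumed implementation): tokenize
# the SQL and keep only token *kinds*. String and numeric literals collapse
# to LIT, words become upper-cased keywords/identifiers, comments become
# COMMENT, everything else is kept as punctuation.
_TOKEN = re.compile(
    r"\s*(?:('(?:[^']|'')*')|(\d+)|([A-Za-z_]\w*)|(--.*)|(\S))")


def structure(sql):
    out = []
    for m in _TOKEN.finditer(sql):
        string, number, word, comment, punct = m.groups()
        if string or number:
            out.append("LIT")
        elif word:
            out.append(word.upper())
        elif comment:
            out.append("COMMENT")
        else:
            out.append(punct)
    return out


def structure_ok(name):
    # The query built from the real input must have the same skeleton as the
    # query built from a benign dummy value; if not, the input changed the
    # query's structure (extra operators, keywords, comments) and is rejected.
    return structure(build(name)) == structure(build("dummy"))


def lookup_checked(conn, name):
    # Guard for legacy code that still builds SQL by concatenation.
    if not structure_ok(name):
        raise ValueError("input changed the query structure; rejected")
    return [r[0] for r in conn.execute(build(name))]


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "bob"))            # ['bob']
    print(structure_ok("bob"), structure_ok("x' OR 1=1 --"))   # True False
```

The structure check accepts inputs that stay inside one literal (including a doubled-quote name such as `o''brien`) and rejects any input that adds tokens outside the literal, which is the property prepared statements give for free; that is why the slide ranks the check as a legacy-code fallback rather than the primary fix.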
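The four VPD steps on slide 21, applied to the Employees table from slide 22 and Bob's two queries from slide 25, simulated in Python over SQLite. This is an added example, not Oracle's VPD implementation or code from the lecture; the column-sensitive `salary_policy` function, the `rewrite` helper, the `run_as` entry point and the session user argument are assumptions made here, and the data rows are a constructed copy of the slide's table.

```python
"""Added example (not from the CS 426 slides): a toy simulation of the VPD
query-rewriting steps on slide 21 over the slide's Employees table."""
import re
import sqlite3


def make_db():
    # Constructed copy of the slide's Employees table (Alice's table).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Employees (e_id INTEGER, name TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO Employees VALUES (?, ?, ?)",
                     [(1, "Alice", 80), (2, "Bob", 60), (3, "Carl", 99)])
    return conn


def salary_policy(session_user, query):
    # Step 2: the policy function returns a predicate built from a session
    # attribute (the session user). It is column-sensitive: the restriction
    # applies only when the query touches the salary column. The predicate
    # carries a bind marker so the user name is never spliced into SQL text.
    m = re.match(r"\s*select\s+(.*?)\s+from\b", query, re.I | re.S)
    if m is None:
        raise ValueError("unsupported query shape for this toy policy")
    columns = {c.strip().lower() for c in m.group(1).split(",")}
    if "salary" in columns or "*" in columns:
        return "name = ?", (session_user,)
    return "", ()


def rewrite(query, predicate):
    # Step 3: the server appends the predicate to the WHERE clause, adding
    # one if the query has none. The existing condition is parenthesised so
    # an OR in it cannot swallow the policy predicate. Assumes the simple
    # query shapes on the slide (no ORDER BY / GROUP BY after WHERE).
    if not predicate:
        return query
    q = query.rstrip().rstrip(";")
    m = re.search(r"\bwhere\b(.*)$", q, re.I | re.S)
    if m:
        return q[:m.start()] + "WHERE (" + m.group(1).strip() + \
            ") AND (" + predicate + ")"
    return q + " WHERE " + predicate


def run_as(conn, session_user, query):
    # Step 1 (invoke the policy) and step 4 (execute the modified query).
    predicate, params = salary_policy(session_user, query)
    return conn.execute(rewrite(query, predicate), params).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Bob's two queries from slide 25.
    print(run_as(db, "Bob", "select e_id, name from Employees;"))
    print(run_as(db, "Bob", "select e_id, name, salary from Employees;"))
```

Running it reproduces the slide: the first query returns all three (e_id, name) rows unchanged, and the second is rewritten with `WHERE name = ?` bound to `Bob`, returning only (2, 'Bob', 60). Because the predicate is added by the server rather than by the application, a client that omits its own filter still gets only its own salary row.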