Slide 1. Databases: A class break by design! Is there a class defense?
Dr Steve Moyle, Founder/CTO, Secerno
E:  T: +44 7801749587
Edinburgh Chapter, February 2008

Slide 2.
“Sensitive customer information is like asbestos. We've been building housing with it for years and only recently discovered it's toxic when airborne.”
Source: Andrew Jaquith, Yankee, September 2007

Slide 3.
“In my opinion, database security is riddled with holes and it's the biggest problem we face in IT today. Database attacks offer the biggest potential for fraudulent activity and damage to companies' reputations and customer confidence.”
Source: David Litchfield, Managing Director, NGSS; keynote, Black Hat Conference, Las Vegas, August 2006

Slide 4. Databases: The class break by design! Is there a class defense?
Outline:
- Class breaks
- Database principles
- The infinite language space
- Class defenses
- Informed security
- Automatic unique language subspace

Slide 5. Databases: the good news
- Ubiquitous persistent storage, fielded in millions of systems
- Skills availability
- Standards-based common language
- Long history
- Multi-featured
- Aggregated storage of valuable data

Slide 6. Ubiquitous persistent storage
- How many fielded systems? $14 billion database market in 2005 (Source: Gartner 2005); 135,166,473 “up” web sites (Source: Netcraft, September 2007)
- How many “unknown” systems? Products built on a database that the owner knows nothing about
- Persistent storage: Microsoft was rumoured to have considered it as an alternative component of their operating system for its file-store

Slide 7. Mature market
- Marketplace of alternatives: “simple” for customers to switch
- Database skill sets: DBAs, application development (but what about database security?)
- Very stable technology: 80% of budget spent “keeping the lights on”; difficult to start again with a “clean sheet”
- Competition is good for customers as it drives standardisation, but standardisation leads to a single point of failure

Slide 8. Databases are one of many components in complicated systems
- Abstracting complexity into large components obfuscates security issues
- Evolution of data usage: data processing systems, client-server, SOA
- How many legacy database systems, secure in yesteryear, are wrapped to deliver SOA?
- Aggregated data: aggregating risk

Slide 9. Databases: the not so good news
- Ubiquitous persistent storage, fielded in millions of systems: everyone has got one
- Skills availability: everyone knows how they work
- Standards-based common language
- Long history: old-fashioned
- Multi-featured: vast vulnerability surface
- Aggregated storage of valuable data: all eggs in a single basket

Section: Class Breaks

Slide 11. Class breaks
What is a “class break”?
“In network security jargon, that's what happens when one breach leads to a whole new ‘class’ of attacks on various systems, using similar methods.”
Source: http://www.doubletongued.org/index.php/citations/class_break_1/
“Technological advances bring with them standardization, which also adds to security vulnerabilities, because they make it possible for attackers to carry out class breaks: attacks that can break every instance of some feature in a security system. Class breaks mean that you can be vulnerable simply because your systems are the same as everyone else's. And once attackers discover a class break, they'll exploit it again and again until the manufacturer fixes the problem (or until technology advances in favor of the defender again).”
Source: Bruce Schneier, “Beyond Fear”, 2003, pp. 93-4

Slide 12. Classic class break
Combining control and data channels.
“For decades, phone companies have been fighting against class breaks. In the 1970s, for example, some people discovered that they could emulate a telephone operator's console with a 2600-Hz tone, enabling them to make telephone calls for free, from any telephone.”
Source: Bruce Schneier, “Beyond Fear”, 2003, pp. 93-4

Slide 13. Lessons from history
What can go wrong when combining static data and dynamic control in the one channel?
- Microsoft Word: words/paragraphs + WordBasic macros: macro viruses
- Web browsers: static web pages + JavaScript: cross-site scripting (XSS)
- Databases: valuable data + Data Control Language / Data Manipulation Language: SQL injection, remote database control

Slide 14. Principles of databases
- History: original research due to Ted Codd in the 1960s; Codd's 12 rules for defining a fully relational database (Source: E.F. Codd, “Is Your DBMS Really Relational?”, ComputerWorld, 1985)
- The “breakthrough”: everything is a relation (i.e. a table of records); everything is accessed by the same language
- Structured Query Language is the most popular computer language used to create, modify, retrieve and manipulate data from relational database management systems

Slide 15. Codd's Principles: Rule #4
Codd's 12 rules for defining a fully relational database. Rule 4: Dynamic On-line Catalog Based on the Relational Model.
“The database description is represented at the logical level in the same way as ordinary data, so authorized users can apply the same relational language to its interrogation as they apply to regular data.”

Slide 16. Database Class break Component #1
Database nitric acid (nitro): combining control and data channels. To be a relational database it must combine data and control in the same
- physical channel (the network)
- logical channel (the language)

Slide 17. The Language space
- How many sentences are allowed in a language?
- How many SQL statements can we write?
- Can we index an infinite space?

Slide 18. Database Class break Component #2
Database glycerine: consider the database as a scripting engine. SQL is a powerful, common, standard scripting (a.k.a. macro) language. What functionality can be achieved with a modern database?
- Data access (e.g. read): yes
- Data manipulation (e.g. write): yes
- Operating system interaction: sure
- Anything that is computable (?)

Slide 19. The database vulnerability surface
The infinite language space + application programming errors + inappropriate setup (e.g. over-provisioning, ACLs) = the database vulnerability surface

Slide 20. How does an application talk to the database?
Assembling a normal SQL statement. The parameters in the statement come from user input (e.g. a web browser). The application layer accepts the values for catalog-no and location ('PHE8131', 1) and pastes them into the pre-canned query template:
SELECT * from dvd_stock where catalog-no = ___ and location = ___
which becomes:
SELECT * from dvd_stock where catalog-no = 'PHE8131' and location = 1

Slide 21. Database answers
Results from a normal query.
Statement: SELECT * from dvd_stock where catalog-no = 'PHE8131' and location = 1
Output:
Star Trek - The Next Generation Season 2  39.35  15
Star Trek - The Next Generation Season 3  39.35  12
Star Trek - The Next Generation Season 4  39.35  13
Star Trek - The Next Generation Season 5  39.35  17

Slide 22. Assembling an abnormal SQL statement: SQL Injection
Instead of inputting a sensible value for catalog-no in the web browser, the user enters
' union select name, id, 0 from sysobjects where xtype='U';--
which the application layer pastes into the pre-canned query template (the second parameter, location, is still 1):
SELECT * from dvd_stock where catalog-no = '' union select name, id, 0 from sysobjects where xtype='U';-- and location = 1

Slide 23. Codd's Achilles heel
Using “union” in the select returns meta-data about the tables within the database.
Statement: SELECT * from dvd_stock where catalog-no = '' union select name, id, 0 from sysobjects where xtype='U';-- and location = 1
Output:
adult_display  1269579561  0
anonemail  1285579618  0
card_prefix  1301579675  0
catalog  1317579732  0
catalog_redirects  1349579846  0
certs  1365579903  0
country  1381579960  0
director  1397580017  0
directorlink  1413580074  0
dvd_customers  1429580131  0
dvd_orderitems  1461580245  0
dvd_orders  1445580188  0
dvd_stock  1477580302  0
dvd_users  1493580359  0
(list continues)
(Slide B-03)

Slide 24. “Airborne” Sensitive Customer Information
Credit card detail records.
Statement: SELECT * from dvd_stock where catalog-no = '' union select cardNo, customerId, 0 from DVD_Orders -- and location = 1
Output:
4511222233334444  11853  0
4612345678901234  11853  0
4675883388338833  11588  0
4514861356415750  11204  0

Slide 25. What does the attacker actually see?
' union select cardNo, customerId, 0 from DVD_Orders --

Slide 26. How did this situation occur?
Developers love adding features, but do they ever delete features? We can define developers (from the perspective of application security) as: Vulnerability Surface Expansion Engineers.

Slide 27. External Attack: It's Personal
SQL injection remains a serious type of attack affecting databases, with 250% year-on-year growth (MITRE).

Slide 28. Codd's principles and the infinite language space
Database nitro-glycerine:
- The same language is used to interact with meta-data as with data
- The SQL language allows infinite statements to be accepted
- How does one defend in an infinite space?

Section: Class Defenses

Slide 30. Defending Class Breaks
Schneier's view: “manufacturer fixes the problem (or until technology advances in favor of the defender again).”
But manufacturers have (or nearly have) fixed their end! What “technology advances favor the defender”?

Slide 31. Can patching really help?
[Chart: Year against Number of Published Vulnerabilities; series labelled “Microsoft SQL Server users”]
Source: David Litchfield, “Which database is more secure? Oracle vs. Microsoft”, 21st November 2006

Slide 32. Class defenses
What is a “class defense”? An approach that leads to a whole new “class” of defenses on various systems, using similar methods.
Source: Steve Moyle, RSA Europe, October 2007

Slide 33. Defending in an infinite language space
How does one defend in an infinite space? By defining the sub-set of the space that is normal for the system in its (unique) context; that sub-set is still potentially infinite. How does one define the appropriate language subspace?

Slide 34. “Legal” SQL vs. Normal behaviour
How hard is it to stop hacking? It is hard to define normal SQL behaviour because it is application specific.
[Diagram: the space of legal SQL is infinite. Inside it: “Previous” (where we have observed the system) and “New behaviour”. Marked regions: novel queries, not previously observed; sinister queries, previously observed.]
Do you want your databases answering these queries?

Slide 35. Separation of control
SQL divides into:
- Data Definition Language: meta data
- Data Manipulation Language: queries
- Data Control Language: access permissions
Diagram labels for who may use each: “Application: previous”; “Developers/DBAs only”; “Never applications”.

Slide 36. How does one define the appropriate language subspace?
- Pre-defined black lists: unique database deployment contexts cannot be foreseen; error rates unacceptable
- User-defined white lists: impractical to expect application owners to program all situations in advance
- Regular expressions: too crude to adequately define the intent of a programming language (Chomsky, 1956, 1959)

Slide 37. Syntax versus Semantics
One can search for the string “union” in the hope it will be a keyword, unless there are references to “union bank” etc., which will trigger a false positive, or the developer has actually programmed:
SELECT lastname from boys union SELECT lastname from girls
But what about uni/* */on, which is semantically equivalent? Or u/* */nion, or char(117,110,105,111,110)?
We don't like union in this context:
SELECT * from dvd_stock where catalog-no = '' union select cardNo, customerId, 0 from DVD_Orders -- and location = 1

Slide 38. Grammatical Clustering: A class defence for databases
Controlling computer behaviour requires the understanding of the conversations between components; a language approach combined with machine learning is the only effective way to do it.
Motivation:
- Language transmits intent
- Malicious intent is transmitted by language too
- Attackers are thwarted by context-dependent unique tripwires
- Only by understanding unique systems at the language level is this achievable efficiently

Slide 39. Ingredients for Grammatical Clustering
Language: SQL
Observed statements:
SELECT Blob2 FROM catalog WHERE catalog-no = '0141318090';
SELECT Blob2 FROM catalog WHERE catalog-no = '0141317388';
SELECT Blob2 FROM catalog WHERE catalog-no = '0747573603';
SELECT Blob2 FROM catalog WHERE catalog-no = '0747573611';
SELECT Blob2 FROM catalog WHERE catalog-no = '074757362X';
SELECT Blob2 FROM catalog WHERE catalog-no = '0747573638';
SELECT Blob2 FROM catalog WHERE catalog-no = '0747569401';
SELECT * from dvd_stock where catalog-no = 'HEADHPS2' and location = 1
SELECT * from dvd_stock where catalog-no = 'HEADHPS2' and location = 2
SELECT Blob2 FROM catalog WHERE catalog-no = '074754624X';
SELECT Blob2 FROM catalog WHERE catalog-no = '0747551006';
SELECT Blob2 FROM catalog WHERE catalog-no = '0747561079';
SELECT Blob2 FROM catalog WHERE catalog-no = '0747568979';
SELECT * from dvd_stock where catalog-no = 'PHE8131' and location = 1
SELECT Blob2 FROM catalog WHERE catalog-no = '0747545723';
SELECT * from dvd_stock where catalog-no = 'PHE8131' and location = 2
SELECT Blob2 FROM catalog WHERE catalog-no = '0747554560';
SELECT COUNT(*) AS fullCount FROM catalog WHERE (title LIKE '%gotcha%') AND Status = 1 AND NOT art-type = 7 AND NOT art-class = 'XXX'
SELECT * from dvd_stock where catalog-no = 'PHE8214' and location = 1
SELECT N'Testing Connection.'
SELECT * from dvd_stock where catalog-no = 'PHE8214' and location = 2
EXECUTE msdb.dbo.sp_sqlagent_get_perf_counters
SELECT * FROM prodtype WHERE art-class = 'XXX'
SELECT * FROM certs WHERE cert-type = 18

Slide 40. Outputs from Grammatical Clustering
Cluster tree (reconstructed from the slide's diagram; “...” marks elided nodes):
SELECT {*, blob2, cert-type, euroexchangerate, catalog-no, Hometext, ..., location}
FROM {certs, catalog, dvd_users, ..., dvd_stock, prodtype}
WHERE {*, blob2, cert-type, euroexchangerate, catalog-no, Hometext, ..., location}
leaf values: = 18; = 1; = 'PHE1831' and; 1; 2
Statements covered by the cluster, for example:
SELECT * FROM certs WHERE cert-type = 18
SELECT * from dvd_stock where catalog-no = 'PHE8131' and location = 1

Slide 41. Extract the database language space used and build security control policy
- Automatic extraction of the actual language space used, providing rich context-dependent knowledge
- Build precise control policies based on live measurements
- Policies precise enough to determine that
SELECT * from dvd_stock where catalog-no = '' union select cardNo, customerId, 0 from DVD_Orders -- and location = 1
is anomalous without needing to trigger an explicit block list

Slide 42. Results
- Attack detection and prevention: yes, BLOCKING!
- Database misuse, internal/external
- Understanding of application behaviour: the vulnerabilities are all lurking in the application layer
- Knowledge feedback loop to all: audit/compliance, operations, development

Slide 43. Conclusions
- Databases are massively vulnerable to class attacks by design, caused by their underlying principles and technology and multiplied by their ubiquity and the appalling quality of application development
- Defending databases requires a strong understanding of what they should normally be doing (and restricting it)
- Techniques from machine learning and computational linguistics provide an approach that can be used as a “class defense”

Questions?
Dr Steve Moyle, Founder/CTO, Secerno
E:  T: +44 7801749587
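Added worked example (not part of Dr Moyle's deck), illustrating slides 20 to 24: the pre-canned template is filled once by pasting the browser-supplied text into the statement and once by binding it as a parameter, against a constructed in-memory SQLite table. Pasting lets a value change the grammar of the statement, which is the class break the deck describes; binding keeps the value in the data channel, so the same input simply matches no row. SQLite has no sysobjects, so the metadata target here is sqlite_master and five columns are selected to match the constructed table; the rows, the helper names (make_db, query_by_pasting, query_by_binding) and the UNION_PAYLOAD constant are all assumptions of this example.

```python
import sqlite3

# Constructed sample rows for the deck's dvd_stock table (not the real data).
# Column order: catalog-no, location, title, price, qty.
SAMPLE_STOCK = [
    ("PHE8131", 1, "Star Trek - The Next Generation Season 2", 39.35, 15),
    ("PHE8131", 1, "Star Trek - The Next Generation Season 3", 39.35, 12),
    ("PHE8214", 2, "Some other title", 9.99, 3),   # constructed
]

# Slide 22's input, adapted to SQLite: sqlite_master instead of sysobjects,
# five selected columns to match dvd_stock, and no ';' before the comment.
UNION_PAYLOAD = ("' UNION SELECT name, type, 0, 0, 0 FROM sqlite_master "
                 "WHERE type = 'table' --")


def make_db():
    """In-memory database holding the constructed dvd_stock table."""
    conn = sqlite3.connect(":memory:")
    # Hyphenated identifiers such as catalog-no must be double-quoted in SQLite.
    conn.execute('CREATE TABLE dvd_stock ("catalog-no" TEXT, location INTEGER, '
                 'title TEXT, price REAL, qty INTEGER)')
    conn.executemany("INSERT INTO dvd_stock VALUES (?, ?, ?, ?, ?)", SAMPLE_STOCK)
    return conn


def query_by_pasting(conn, catalog_no, location):
    """Slide 20: paste the browser-supplied values into the pre-canned template.

    The values become part of the statement text, so a value can rewrite the
    statement's grammar (slide 22): control and data share one channel.
    """
    sql = ('SELECT * FROM dvd_stock WHERE "catalog-no" = \'%s\' AND location = %s'
           % (catalog_no, location))
    return conn.execute(sql).fetchall()


def query_by_binding(conn, catalog_no, location):
    """The same template with bound parameters.

    The statement text is fixed before the values arrive; the engine receives
    the values as data and never parses them as SQL.
    """
    sql = 'SELECT * FROM dvd_stock WHERE "catalog-no" = ? AND location = ?'
    return conn.execute(sql, (catalog_no, location)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("normal, pasted :", query_by_pasting(conn, "PHE8131", 1))
    print("payload, pasted:", query_by_pasting(conn, UNION_PAYLOAD, 1))
    print("payload, bound :", query_by_binding(conn, UNION_PAYLOAD, 1))
```

With pasting, the second call returns the catalogue row for dvd_stock from sqlite_master, the SQLite counterpart of slide 23; with binding, the identical input returns an empty list because no catalog-no equals that string. Binding is the manufacturer-side fix slide 30 alludes to; it does nothing for the many legacy applications that still paste, which is why the deck looks for a defence at the database side.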
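Added worked example (not part of the deck and not Secerno's implementation; it makes no claim about how the product works), illustrating slides 36 to 41: instead of searching for a keyword, reduce each statement to its grammatical skeleton (comments stripped, string and numeric literals replaced by placeholders, case and whitespace normalised), learn the set of skeletons from the observed statements of slide 39, and treat any statement with an unseen skeleton as anomalous. The observed list is reproduced with quotes restored and shortened, with one constructed 'Union Bank' query added so the false positive of slide 37 can be shown; naive_keyword_check is the slide-37 string search. The function names and the placeholder convention are assumptions of this example.

```python
import re

# Observed statements from slide 39 (quotes restored, list shortened), the
# developer's legitimate union from slide 37, and one constructed query whose
# only "union" is inside a string literal.
OBSERVED = [
    "SELECT Blob2 FROM catalog WHERE catalog-no = '0141318090';",
    "SELECT Blob2 FROM catalog WHERE catalog-no = '074757362X';",
    "SELECT * from dvd_stock where catalog-no = 'HEADHPS2' and location = 1",
    "SELECT * from dvd_stock where catalog-no = 'PHE8131' and location = 2",
    "SELECT COUNT(*) AS fullCount FROM catalog WHERE (title LIKE '%gotcha%') "
    "AND Status = 1 AND NOT art-type = 7 AND NOT art-class = 'XXX'",
    "SELECT * FROM certs WHERE cert-type = 18",
    "SELECT lastname from boys union SELECT lastname from girls",   # slide 37
    "SELECT balance FROM accounts WHERE bank = 'Union Bank'",        # constructed
]

# The injected statement from slides 24 and 37.
INJECTED = ("SELECT * from dvd_stock where catalog-no = '' union select cardNo, "
            "customerId, 0 from DVD_Orders -- and location = 1")

COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)
STRING_RE = re.compile(r"'(?:[^']|'')*'")
NUMBER_RE = re.compile(r"\b\d+(?:\.\d+)?\b")


def skeleton(sql):
    """Reduce a statement to its grammatical shape.

    A comment becomes a single space (a comment separates tokens, so uni/* */on
    is never folded back into a keyword here), string and numeric literals
    become '?', whitespace and case are normalised, a trailing ';' is dropped.
    """
    s = COMMENT_RE.sub(" ", sql)
    s = STRING_RE.sub("?", s)
    s = NUMBER_RE.sub("?", s)
    s = re.sub(r"\s+", " ", s).strip().rstrip(";").strip()
    return s.lower()


def learn(statements):
    """The language subspace actually used: the set of observed skeletons."""
    return {skeleton(s) for s in statements}


def is_anomalous(sql, model):
    """A statement whose skeleton was never observed lies outside the subspace."""
    return skeleton(sql) not in model


def naive_keyword_check(sql):
    """The slide-37 straw man: flag any statement containing the string 'union'."""
    return "union" in sql.lower()


if __name__ == "__main__":
    model = learn(OBSERVED)
    probes = {
        "new catalog-no, known shape":
            "SELECT * from dvd_stock where catalog-no = 'PHE8214' and location = 1",
        "developer's legitimate union": OBSERVED[6],
        "'union' inside a literal": OBSERVED[7],
        "injected union": INJECTED,
        "injected, keyword split by comment": INJECTED.replace("union", "u/* */nion"),
    }
    for label, sql in probes.items():
        print(f"{label:36s} keyword={str(naive_keyword_check(sql)):5s} "
              f"anomalous={is_anomalous(sql, model)}")
```

The keyword search flags the developer's own union and the 'Union Bank' literal (false positives) and misses the comment-split spelling, whereas the skeleton model accepts both legitimate statements, accepts a catalog-no it has never seen because the shape is known, and flags both spellings of the injected statement because no observed skeleton contains a union into DVD_Orders. A real deployment needs a proper SQL parser rather than regular expressions for the skeleton step, and a policy for what happens when the application legitimately gains a new statement shape; the point of the sketch is only the shift from keyword matching to comparing against the observed language subspace.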