Database Security
9/21/10
http://oreilly.com/catalog/orasec/chapter/ch07.html
cio.uiowa.edu/ITsecurity/education/documents/DatabaseSecurity.ppt
Strong Passwords
• CWE 521: Weak Password Requirements
• Length
– Each character added to a password multiplies the work of a brute-force search
– 8 or more characters is the minimum for a strong password; 14 characters or longer is ideal
• Complexity
– An ideal password combines length with several character types (alpha, numeric, mixed case, punctuation)
• Does not contain the user name
• Expiration
– CWE 262: Not Using Password Aging
• No password reuse
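The rules above, enforced in one place, as an added example (not code from the slides). It checks length, character classes and the user-name rule, keeps a salted PBKDF2 history so old passwords cannot be reused, and tracks the age of the current password. The numbers 8 and 14 come from the slide; the three-class minimum, the 90-day expiry and the five-entry history are assumptions, since the slide gives no values for them.

```python
import hashlib
import os
from datetime import date, timedelta

MIN_LENGTH = 8       # slide: "8 or more characters are the minimum"
IDEAL_LENGTH = 14    # slide: "14 characters or longer are ideal"
MIN_CLASSES = 3      # assumed: at least three of lower / upper / digit / other
MAX_AGE_DAYS = 90    # assumed expiry period; the slide gives no number
HISTORY_SIZE = 5     # assumed depth of the no-reuse history


def check_strength(password, username):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < MIN_CLASSES:
        problems.append(f"needs at least {MIN_CLASSES} character classes")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    return problems


def strength_label(password, username):
    if check_strength(password, username):
        return "weak"
    return "ideal" if len(password) >= IDEAL_LENGTH else "acceptable"


def _digest(password, salt):
    # Slow, salted hash: a leaked history must not be cheaper to crack than the live password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordRecord:
    """Per-user state for the expiration (CWE 262) and no-reuse rules. Dates are ISO strings."""

    def __init__(self, username):
        self.username = username
        self.history = []      # (salt, digest) pairs, oldest first; plaintext is never kept
        self.changed_on = None

    def set_password(self, new_password, today):
        problems = check_strength(new_password, self.username)
        if problems:
            return problems
        if any(_digest(new_password, salt) == digest for salt, digest in self.history):
            return ["reuses a previous password"]
        salt = os.urandom(16)
        self.history.append((salt, _digest(new_password, salt)))
        self.history = self.history[-HISTORY_SIZE:]
        self.changed_on = date.fromisoformat(today)
        return []

    def is_expired(self, today):
        if self.changed_on is None:
            return True   # never set: force a change at first login
        return date.fromisoformat(today) - self.changed_on > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    rec = PasswordRecord("alice")
    print(rec.set_password("Tr0ub4dor&3-long", "2010-09-21"))   # []
    print(rec.set_password("Tr0ub4dor&3-long", "2010-10-01"))   # ['reuses a previous password']
    print(rec.is_expired("2011-01-01"))                          # True
```

The history stores only salted digests, so the reuse check costs one PBKDF2 run per remembered entry and a stolen history gives an attacker nothing cheaper to crack than the live password.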
Hardcoded Password
• CWE 259: Use of Hard-coded Password
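The slide's code screenshots are not reproduced here; the following is an added example (not the slides' code) of the two halves a practitioner needs: a small scanner that flags credential literals in source text, and the replacement pattern that takes the database password from the environment and refuses to start without it. The sample source lines are constructed for the example, and the credential-name list in the regex is an assumption that should be extended for a real code base.

```python
import os
import re

# Constructed sample source lines (not from the slides) of the kind a reviewer would grep.
SAMPLE_SOURCE = """\
conn = connect("prod-db", user="app", password="s3cret!")
DB_PASSWORD = "hunter2"
password = os.environ["DB_PASSWORD"]
String pwd = "letmein";
api_key = load_secret("db/api_key")
"""

# A credential-looking name assigned or passed a quoted string literal (assumed name list).
CREDENTIAL_LITERAL = re.compile(
    r"""\w*(?:password|passwd|pwd|secret|api_key|token)\s*=\s*(["'])[^"']+\1""",
    re.IGNORECASE,
)


def find_hardcoded_credentials(source):
    """Return (line number, stripped line) for every line that embeds a credential literal."""
    return [(number, line.strip())
            for number, line in enumerate(source.splitlines(), 1)
            if CREDENTIAL_LITERAL.search(line)]


def db_password(env=None, var="DB_PASSWORD"):
    """Take the password from the environment (or a secret store); never from the source."""
    env = os.environ if env is None else env
    value = env.get(var)
    if not value:
        # Fail closed: a silent fallback to a built-in password recreates CWE 259.
        raise RuntimeError(f"{var} is not set; refusing to fall back to a built-in password")
    return value


if __name__ == "__main__":
    for number, line in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {number}: {line}")
```

Lines 3 and 5 of the sample are not flagged because the value comes from the environment or a secret store rather than a literal; that is the shape the hardened code should have. A regex scanner of this kind is a cheap first pass, not a substitute for reviewing how the connection is actually built.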
Privileges on EMPLOYEE: SELECT, INSERT, DELETE, UPDATE, REFERENCES
www.cs.wright.edu/itri/EVENTS/SUMMER.../SIAC03-Chung.ppt
Multi-level Access
• Users may be granted "top secret", "secret", "confidential" or "unclassified" clearance (in decreasing order of access)
• Database records can be labelled accordingly; a user sees a row only if its label is at or below the user's clearance
– User with TS access sees all three rows
– User with S access sees Minney and Donald
– User with U access sees Donald
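The row-labelling scheme above, as an added example (not the slides' code) using Python with an in-memory SQLite table. Each row carries its classification as a numeric level, every read is filtered by "label at or below clearance", and the same filter is applied to aggregates, since an unfiltered SUM over the table would leak the top-secret salary. Minney and Donald and their labels follow the slide; the top-secret row's name and all salaries are assumptions.

```python
import sqlite3

# Clearance / classification levels from the slide, lowest to highest.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

# Constructed rows. Minney (secret) and Donald (unclassified) follow the slide; the
# top-secret row's name and all salaries are assumed, since the slide does not show them.
EMPLOYEES = [
    ("Goofy", 90000, "top secret"),
    ("Minney", 70000, "secret"),
    ("Donald", 50000, "unclassified"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    # Store the label on every row as a number so the access check is a plain comparison.
    conn.execute("CREATE TABLE employee (name TEXT, salary INTEGER, level INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)",
                     [(name, salary, LEVELS[label]) for name, salary, label in EMPLOYEES])
    return conn


DB = build_db()


def visible_rows(conn, clearance):
    """Rows a subject with this clearance may read: label <= clearance, i.e. no 'read up'."""
    return conn.execute(
        "SELECT name, salary FROM employee WHERE level <= ? ORDER BY level DESC",
        (LEVELS[clearance],)).fetchall()


def visible_names(conn, clearance):
    return [name for name, _salary in visible_rows(conn, clearance)]


def payroll_total(conn, clearance):
    """Aggregates get the same filter; an unfiltered SUM would leak the top-secret salary."""
    (total,) = conn.execute(
        "SELECT COALESCE(SUM(salary), 0) FROM employee WHERE level <= ?",
        (LEVELS[clearance],)).fetchone()
    return total


if __name__ == "__main__":
    for clearance in ("top secret", "secret", "confidential", "unclassified"):
        print(f"{clearance:>12}: {visible_names(DB, clearance)}  "
              f"payroll={payroll_total(DB, clearance)}")
```

In a real deployment the filter belongs in the database (a view or row-level policy keyed to the session's clearance), not in application code that every caller must remember to use; the point of the example is that the label is stored with the row and compared on every access path, including aggregates.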
Inference Problem - 1
• The inference problem: sensitive data is inferred or derived from data that is not itself sensitive, typically from aggregate reports
• Sum: an attack by sum tries to infer an individual value from a reported total; it often yields a negative result
– This report reveals that no female living in Grey is receiving financial aid
Inference Problem - 2
• Count: count + sum → average; average + count → sum. When a group contains a single person, the group's total is that person's value
– This report reveals that two males, in Holmes and West, are receiving financial aid in the amount of $5000 and $4000, respectively
• Holmes: Adams
• West: Groff
Inference Problem - 3
science.kennesaw.edu/~mguimara/8080/dbsecurity.ppt
Hibernate Framework
• Object/relational mapping
– Cleanly connects Java objects and database tables
– Requires adding a few Java classes
– Uses Hibernate Query Language (HQL), similar to SQL
– Uses prepared statements "under the covers"
• So the same rules as for prepared statements apply: HQL assembled by concatenating user input is injectable; HQL with bound parameters is not
Good: HQL query with named or positional parameters
Bad: HQL query assembled by string concatenation of user input
http://blog.harpoontech.com/2008/10/how-to-avoid-sql-injection-in-hibernate.html
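The good/bad contrast above, as an added example that is not the slides' or the linked post's code. Hibernate itself is not runnable here, so the example uses Python with SQLite to show the same rule the slide makes: the ORM or driver only protects a query when the user's value travels as a bound parameter, not as part of the query text. The table and salaries are constructed; the names reuse the slide's examples. A third function covers the case bound parameters cannot handle, a user-chosen identifier such as a sort column, which has to be allow-listed.

```python
import sqlite3


# Constructed table; the names reuse the slide's examples, the salaries are assumed.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (name TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?, ?)",
                     [("Minney", 70000), ("Donald", 50000), ("Adams", 65000)])
    return conn


DB = build_db()

# Classic tautology payload: closes the string literal and appends an always-true condition.
PAYLOAD = "x' OR '1'='1"


def lookup_bad(conn, name):
    """Query text assembled from user input: the input is parsed as part of the statement."""
    query = "SELECT name FROM employee WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_good(conn, name):
    """Bound parameter: the value travels separately from the statement and is never parsed as SQL."""
    return sorted(row[0] for row in conn.execute(
        "SELECT name FROM employee WHERE name = ?", (name,)))


ALLOWED_SORT_COLUMNS = {"name", "salary"}


def list_sorted(conn, column):
    """Identifiers cannot be bound as parameters, so allow-list them instead of concatenating."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unknown sort column: {column!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM employee ORDER BY {column}")]


if __name__ == "__main__":
    print("bad, payload :", lookup_bad(DB, PAYLOAD))    # every row
    print("good, payload:", lookup_good(DB, PAYLOAD))   # nothing: no employee has that name
    print("sorted       :", list_sorted(DB, "salary"))
```

The Hibernate equivalent of lookup_good is an HQL string with a named parameter (`:name`) filled in with `setParameter`; the equivalent of lookup_bad is `"from Employee where name = '" + name + "'"`, which Hibernate passes to a prepared statement with the injected text already inside it, exactly as the slide warns. Note that the concatenated version is also simply broken for legitimate input containing a quote (a name such as O'Brien raises a syntax error), which is often the first symptom reviewers see.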
http://cwe.mitre.org/data/definitions/778.html