COMPUTER NETWORK SECURITY

Transcription

1 COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (5 th Week)

2 5. Database and Cloud Security

3 5.Outline The Need for Database Security Database Management Systems Relational Databases SQL Injection Attacks Database Access Control Inference threat Database Encryption Cloud Computing Cloud Security Risks and Countermeasures Data Protection in the Cloud Cloud Security as a Service

4 Structured collection of data stored for use by one or more applications Contains the relationships between data items and groups of data items Can sometimes contain sensitive data that needs to be secured Database management system (DBMS) Suite of programs for constructing and maintaining the database Offers ad hoc query facilities to multiple users and applications Query language Provides a uniform interface to the database

5 Database utilities User applications User queries DDL processor DML and query language processor Database description tables Authorization tables Transaction manager DBMS File manager Concurrent access tables DDL = data definition language DML = data manipulation language Physical database Figure 5.1 DBMS Architecture

6 Table of data consisting of rows and columns Each column holds a particular type of data Each row contains a specific value for each column Ideally has one column where all values are unique, forming an identifier/key for that row Enables the creation of multiple tables linked together by a unique identifier that is present in all tables Use a relational query language to access the database Allows the user to request data that fit a given set of criteria

7

8 Primary key Uniquely identifies a row Consists of one or more column names Foreign key Relation/table/file Tuple/row/record Attribute/column/field Links one table to attributes in another View/virtual table Result of a query that returns selected rows and columns from one or more tables

9 Basic Terminology for Relational Databases

10 Attributes A 1 A j A M 1 x 11 x 1j x 1M Records i x i1 x ij x im N x N1 x Nj x NM Figure 5.3 Abstract Model of a Relational Database

11 Did Dname Dacctno Ename Did Salarycode Eid 4 human resources Robin education 9 accounts public relations primary key services Department Table Neil Jasmine Cody Holly Robin Smith Employee Table Ephone foreign key primary key (a) Two tables in a relational database Dname Ename Eid Ephone human resources Jasmine education Holly education Robin accounts Smith public relations Neil services Robin services Cody (b) A view derived from the database Figure 5.4 Relational Database Example

12 Standardized language to define schema, manipulate, and query data in a relational database Several similar versions of ANSI/ISO standard All follow the same basic syntax and semantics SQL statements can be used to: Create tables Insert and delete data in tables Create views Retrieve data with query statements

13 SQL Injection Attacks (SQLi) One of the most prevalent and dangerous networkbased security threats Designed to exploit the nature of Web application pages Sends malicious SQL commands to the database server Most common attack goal is bulk extraction of data Depending on the environment SQL injection can also be exploited to: o o o Modify or delete data Execute arbitrary operating system commands Launch denial-of-service (DoS) attacks

14 Switch Internet Router Firewall Wireless access point Web servers Legend:. Data exchanged between hacker and servers Two-way traffic between hacker and Web server Credit card data is retrieved from database Database servers Database Web application server Figure 5.5 Typical SQL I njection Attack

15 Injection Technique The SQLi attack typically works by prematurely terminating a text string and appending a new command Because the inserted command may have additional strings appended to it before it is executed the attacker terminates the injected string with a comment mark - - Subsequent text is ignored at execution time

16 User input Attackers inject SQL commands by providing suitable crafted user input Server variables Attackers can forge the values that are placed in HTTP and network headers and exploit this vulnerability by placing data directly into the headers Second-order injection A malicious user could rely on data already present in the system or database to trigger an SQL injection attack, so when the attack occurs, the input that modifies the query to cause an attack does not come from the user, but from within the system itself Cookies An attacker could alter cookies such that when the application server builds an SQL query based on the cookie s content, the structure and function of the query is modified Physical user input Applying user input that constructs an attack outside the realm of web requests

17 Uses the same communication channel for injecting SQL code and retrieving results The retrieved data are presented directly in application Web page Include: Tautology End-of-line comment Piggybacked queries This form of attack injects code in one or more conditional statements so that they always evaluate to true After injecting code into a particular field, legitimate code that follows are nullified through usage of end of line comments The attacker adds additional queries beyond the intended query, piggybacking the attack on top of a legitimate request

18 There is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the Website/database server Include: o Illegal/logically incorrect queries This attack lets an attacker gather important information about the type and structure of the backend database of a Web application The attack is considered a preliminary, information-gathering step for other attacks o Blind SQL injection Allows attackers to infer the data present in a database system even when the system is sufficiently secure to not display any erroneous information back to the attacker

19 Data are retrieved using a different channel This can be used when there are limitations on information retrieval, but outbound connectivity from the database server is lax

20 SQLi Countermeasures Three types: Manual defensive coding practices Parameterized query insertion SQL DOM: Defensive coding Detection Signature based Anomaly based Code analysis Check queries at runtime to see if they conform to a model of expected queries Run-time prevention

21 Database access control system determines: Can support a range of administrative policies If the user has access to the entire database or just portions of it Centralized administration Small number of privileged users may grant and revoke access rights What access rights the user has (create, insert, delete, update, read, write) Ownership-based administration The creator of a table may grant and revoke access rights to the table Decentralized administration The owner of the table may grant and revoke authorization rights to other users, allowing them to grant and revoke access rights to the table

22 Two commands for managing access rights: Grant o Used to grant one or more access rights or can be used to assign a user to a role Revoke o Revokes the access rights Typical access rights are: Select Insert Update Delete References

23 Role-based access control eases administrative burden and improves security A database RBAC needs to provide the following capabilities: Create and delete roles Define permissions for a role Assign and cancel assignment of users to roles Categories of database users: Application owner End user Administrator An end user who owns database objects as part of an application An end user who operates on database objects via a particular application but does not own any of the database objects User who has administrative responsibility for part or all of the database

24 Fixed Roles in Microsoft SQL Server Role sysadmin serveradmin setupadmin securityadmin processadmin dbcreator diskadmin bulkadmin db_owner db_accessadmin db_datareader db_datawriter db_ddladmin db_securityadmin db_backupoperator db_denydatareader db_denydatawriter Permissions Fixed Server Roles Can perform any activity in SQL Server and have complete control over all database functions Can set server-wide configuration options, shut down the server Can manage linked servers and startup procedures Can manage logins and CREATE DATABASE permissions, also read error logs and change passwords Can manage processes running in SQL Server Can create, alter, and drop databases Can manage disk files Can execute BULK INSERT statements Fixed Database Roles Has all permissions in the database Can add or remove user IDs Can select all data from any user table in the database Can modify any data in any user table in the database Can issue all Data Definition Language (DDL) statements Can manage all permissions, object ownerships, roles and role memberships Can issue DBCC, CHECKPOINT, and BACKUP statements Can deny permission to select data in the database Can deny permission to change data in the database

25 Nonsensitive data Inference Sensitive data Access Control Authorized access Unauthorized access Metadata Figure 5.7 Indirect Information Access Via Inference Channel

26 Name Position Salary ($) Department Dept. Manager Andy senior 43,000 strip Cathy Calvin junior 35,000 strip Cathy Cathy senior 48,000 strip Cathy Dennis junior 38,000 panel Herman Herman senior 55,000 panel Herman Ziggy senior 67,000 panel Herman (a) Employee table Position Salary ($) Name Department senior 43, 000 Andy strip junior 35,000 Calvin strip senior 48,000 Cathy strip (b) Two views Name Position Salary ($) Department Andy senior 43,000 strip Calvin junior 35,000 strip Cathy senior 48,000 strip (c) Table derived from combining query answers Figure 5.8 Inference Example

27 Inference Detection Inference detection during database design Approach removes an inference channel by altering the database structure or by changing the access control regime to prevent inference Techniques in this category often result in unnecessarily stricter access controls that reduce availability Two approaches Approach seeks to eliminate an inference channel violation during a query or series of queries Inference detection at query time If an inference channel is detected, the query is denied or altered Some inference detection algorithm is needed for either of these approaches Progress has been made in devising specific inference detection techniques for multilevel secure databases and statistical databases

28 The database is typically the most valuable information resource for any organization Protected by multiple layers of security Firewalls, authentication, general access control systems, DB access control systems, database encryption Encryption becomes the last line of defense in database security Can be applied to the entire database, at the record level, the attribute level, or level of the individual field Disadvantages to encryption: Key management Authorized users must have access to the decryption key for the data for which they have access Inflexibility When part or all of the database is encrypted it becomes more difficult to perform record searching

29 organization that produces data to be made available for controlled release human entity that presents queries to the system frontend that transforms user queries into queries on the encrypted data stored on the server User Client Meta Data 4. Plaintext result 1. Original query Query Processor Encrypt/ Decrypt metadata 2. Transformed query 3. Encrypted result Data owner Query Executor Server Meta Data Database Encrypted database an organization that receives the encrypted data from a data owner and makes them available for distribution to clients Figure 5.9 A Database Encryption Scheme

30 Cloud Security NIST SP defines cloud computing as: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

31 Essent ial Characteristics Broad Netw ork Access Rapid Elasticit y Resource Po oling Measured Service On- Dem and Self- Service Softw are as a Service ( SaaS) Service Models Plat form as a Service ( PaaS) I nfrastructure as a Service ( I aas) Deploym ent Models Public Private Hybrid Com m unit y Figure Cloud Com puting Elem ents

32 Cloud Application Softwar e (provided by cloud, visible to subscriber) Cloud Platform (visible only to pr ovider) Cloud I nfrastructure (visible only to provider) Cloud Application Softwar e (developed by subscriber) Cloud Platform (visible to subscriber) Cloud I nfrastructure (visible only to provider) (a) SaaS (b) PaaS Cloud Application Softwar e (developed by subscriber) Cloud Platform (visible to subscriber) Cloud I nfrastructure (visible to subscriber) (c) IaaS Figure Cloud Service Models

33 Public cloud The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services The cloud provider is responsible both for the cloud infrastructure and for the control of data and operations within the cloud Community cloud The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns It may be managed by the organizations or a third party and may exist on premise or off premise Private cloud The cloud infrastructure is operated solely for an organization It may be managed by the organization or a third party and may exist on premise or off premise The cloud provider is responsible only for the infrastructure and not for the control Hybrid cloud The cloud infrastructure is a composition of two or more clouds that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability

34 LAN sw itch Enterprise - Cloud User Rout er Netw ork or I nternet Rout er LAN sw itch Cloud service provider Servers Figure Cloud Com puting Context

35 NIST SP establishes a reference architecture described as follows: The NIST cloud computing reference architecture focuses on the requirements of what cloud services provide, not a how to design solution and implementation. The reference architecture is intended to facilitate the understanding of the operational intricacies in cloud computing. It does not represent the system architecture of a specific cloud computing system; instead it is a tool for describing, discussing, and developing a system-specific architecture using a common framework of reference.

36 NIST developed the reference architecture with the following objectives in mind: o To illustrate and understand the various cloud services in the context of an overall cloud computing conceptual model o To provide a technical reference for consumers to understand, discuss, categorize, and compare cloud services o To facilitate the analysis of candidate standards for security, interoperability, and portability and reference implementations

37 Cloud Provider Cloud Consumer Cloud Auditor Security Audit Privacy Impact Audit Performance Audit Service Orchestration Service Layer PaaS IaaS SaaS Resource Abstraction and Control Layer Physical Resource Layer Hardware Facility Cloud Service Management Business Support Provisioning/ Configuration Portability/ Interoperability Security Privacy Cloud Broker Service Intermediation Service Aggregation Service Arbitrage Cloud Carrier Figure NI ST Cloud Com puting Reference Architecture

38 Cloud Security Risks The Cloud Security Alliance lists the following as the top cloud specific security threats: Abuse and nefarious use of cloud computing Insecure interfaces and APIs Malicious insiders Shared technology issues Data loss or leakage Account or service hijacking Unknown risk profile

39 Data Protection in the Cloud The threat of data compromise increases in the cloud Risks and challenges that are unique to the cloud Architectural or operational characteristics of the cloud environment Multi-instance model Provides a unique DBMS running on a virtual machine instance for each cloud subscriber Gives the subscriber complete control over administrative tasks related to security Multi-tenant model Provides a predefined environment for the cloud subscriber that is shared with other tenants typically through tagging data with a subscriber identifier Gives the appearance of exclusive use of the instance but relies on the cloud provider to establish and maintain a secure database environment

40 SecaaS Is a segment of the SaaS offering of a CP Defined by The Cloud Security Alliance as the provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers onpremise systems

41 Encryption security Data loss prevention Security assessments Security information and event management Business continuity and disaster recovery Web security Intrusion management Identity and access management Network security Cloud service clients and adversaries Figur e Ele m e nt s of Cloud Se cur it y a s a Se r vice