Oracle Database Security
...from the application perspective
Martin Nystrom, September 2003
Purpose
• In scope: application security of Oracle databases
• Out of scope: system security of Oracle databases
Agenda
• Oracle architecture
  • System architecture
  • Network architecture
• Common Oracle objects
• Schema/object security
• Java security
• Application integration techniques
• Current challenges at Cisco
Oracle architecture

Grossly oversimplified Oracle network architecture
[Diagram: Oracle client software on the client host issues an ONS query (port 1526) to the Oracle Names service on the ONS server, then connects over SQL*Net (Net8) to the TNSListener (port 1521) on the database server, which fronts the database. Connect descriptor shown: (ADDRESS=(PROTOCOL=TCP)(HOST=db.company.com)(PORT=1521))]
Oracle networking example
[Diagram: Oracle client software on host fields-sj-1 looks up the alias cmrs with an ONS query (port 1526) to the Oracle Names service on ons-sj, which returns (ADDRESS=(PROTOCOL=TCP)(HOST=cmrsdb.cisco.com)(PORT=1521)); the client then connects to the TNSListener (port 1521) on database server cmrsdb.]
Simplified Oracle Network Architecture w/OCM
[Diagram: Host #1, Host #2 and Host #3, each running Oracle client software, reach the database through an OCM Server placed in front of the TNSListener (port 1521) on the database server; the OCM Server allows some hosts' connections and rejects the others before they reach the listener.]
SQL*Net
• Introduced in Oracle V5
• Renamed “Net8” in Oracle8
• Supports multiple protocols (TCP/IP, DECnet, SPX/IPX, etc.)
Authentication & credentials
• Can be...
  • OS authentication
  • Userid/password
  • X.509 certificates
  • Smart card
  • Etc.
• Stored in Oracle
  • As MD5 hash
  • ...not so for dblinks or FND_USERS
Authentication & credentials (cont.)
• Transport encryption
  • DES encryption of db-selected random number w/user’s password hash
  • OS-integrated authentication available too
  • Password changes travel unencrypted
• Password management features available
  • Aging & expiration
  • History (e.g., can prohibit reuse of last 3 passwords)
  • Composition & complexity (e.g., require letters + numbers)
  • Account lockout
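The four password-management features listed above are switched on through an Oracle profile. The following is an added example, not part of the original slides; the function name app_pw_ok, the profile name APP_USERS, the user ASOK and the specific limits are assumptions.

```sql
-- Added example: a password profile enforcing aging, history, complexity and lockout.
-- Run as SYS: the PASSWORD_VERIFY_FUNCTION must be owned by SYS and must have
-- exactly this signature. It is called on every password change.
CREATE OR REPLACE FUNCTION app_pw_ok (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2   -- unused here; available for "too similar" checks
) RETURN BOOLEAN IS
BEGIN
    IF LENGTH(password) < 8 THEN
        raise_application_error(-20001, 'password must be at least 8 characters');
    END IF;
    -- TRANSLATE drops every digit; if nothing changed, there were no digits.
    IF TRANSLATE(password, 'x0123456789', 'x') = password THEN
        raise_application_error(-20002, 'password must contain at least one number');
    END IF;
    -- Same trick for letters (works on any Oracle version, no regex needed).
    IF TRANSLATE(UPPER(password), 'xABCDEFGHIJKLMNOPQRSTUVWXYZ', 'x') = UPPER(password) THEN
        raise_application_error(-20003, 'password must contain at least one letter');
    END IF;
    IF UPPER(password) = UPPER(username) THEN
        raise_application_error(-20004, 'password must not equal the username');
    END IF;
    RETURN TRUE;
END;
/

-- Aging/expiration: change every 90 days, 7-day grace period, then the account locks.
-- History: the last 3 passwords cannot be reused (REUSE_TIME must be UNLIMITED for
-- REUSE_MAX to take effect on older releases).
-- Lockout: 5 failed logins lock the account for one hour (1/24 of a day).
CREATE PROFILE app_users LIMIT
    PASSWORD_LIFE_TIME       90
    PASSWORD_GRACE_TIME      7
    PASSWORD_REUSE_MAX       3
    PASSWORD_REUSE_TIME      UNLIMITED
    FAILED_LOGIN_ATTEMPTS    5
    PASSWORD_LOCK_TIME       1/24
    PASSWORD_VERIFY_FUNCTION app_pw_ok;

-- Attach the profile to an application account.
ALTER USER asok PROFILE app_users;
```

Password limits in a profile are enforced regardless of the RESOURCE_LIMIT initialization parameter, which only governs the resource (CPU, session) limits.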
Common Oracle objects
[Diagram: a database instance containing a public area and several schemas; the objects inside a schema include table, view, trigger, index, stored procedure, function and synonym.]
Oracle object security
[Diagram: alice’s schema holds the tables employees and candidates; asok’s schema holds orders and customers; the public objects include all_users. The grant shown gives asok read access to one of alice’s tables:]
grant select on EMPLOYEES to ASOK;
Oracle role-based security
[Diagram: the hrdata schema holds employees and candidates; the DBA grants privileges on them to the role hr_steward and then grants the role to users:]
grant all privileges on EMPLOYEES to HR_STEWARD;   -- HR_STEWARD is a role
grant HR_STEWARD to CATBERT;
Database links
[Diagram: dogbert’s schema in ECOMMERCE_DB holds orders; dogbert’s schema in HR_DB holds employees; the database link EMPLINK joins the two:]
create database link EMPLINK connect to DOGBERT identified by CISCO123 using 'HR_DB';
Java security in Oracle
[Diagram: a dilbert session and a wally session share the Java server classes (common, read-only): java.*, oracle.aurora.*, oracle.jdbc.*; the user classes com.cisco.ipc.* and com.cisco.myapp.calc are loaded into the individual sessions/schemas.]
• System classes loaded by default, accessible & shared by all sessions
Java security in Oracle
• System classes loaded in shared area
• Users can load classes
  • Into their own schema/session
  • Can grant execution rights to other users
• Permissions
  • Stored in Oracle objects, not files
  • Stored in PolicyTable table
  • Granted by DBA or JAVA_ADMIN roles
    • call dbms_java.grant_permission('mnystrom', 'java.net.SocketPermission', 'localhost:1024-', 'connect')
• 2 privilege models
  • Invoker’s rights
  • Definer’s rights (setuid)
Invoker’s rights
[Diagram: alice’s schema (com.cisco.ipc.*) and dogbert’s schema (com.cisco.myapp.calc) each hold a salary table; under invoker’s rights the code touches the salary table visible to the calling user’s privileges.]

Definer’s rights
[Diagram: the same two schemas and salary tables; under definer’s rights (setuid) the code runs with the privileges of the schema that owns it, so it reaches the owner’s salary table regardless of who calls.]
Access beyond the database
[Diagram: the database on the database server reaching out to the host filesystem, e.g. /oracle/apps/]
• Languages: PL/SQL or Java
• Techniques: Stored procs or functions
• Examples
  • Execute, read, write local files
  • Make and receive network calls (HTTP, MMX, etc.)
  • Access data in remote databases
  • Send mail
Auditing
• Obviously impacts database performance
• Writes high-level info to a common table
  • Database user
  • Object (table, role, etc.)
  • Action (select, insert, etc.)
  • Date/time
• Currently enabled on-request to DBA team
• Difficult to trace actions to a live human
  • Can correlate with IP address
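What "high-level info" looks like in practice, as an added example that is not part of the slides: object auditing on the hrdata.employees table from the role-based security slide, and a query over the audit trail for the four fields listed above. It assumes the instance runs with AUDIT_TRAIL=DB so that records land in the database rather than the OS.

```sql
-- Added example: enable object auditing and read back who did what, when.
-- Assumes the init parameter AUDIT_TRAIL=DB is set (requires a restart).

-- Record each successful and failed statement against the table, one row per
-- statement (BY ACCESS) rather than one summary row per session (BY SESSION).
AUDIT SELECT, INSERT, UPDATE, DELETE ON hrdata.employees BY ACCESS;

-- Everything that touched EMPLOYEES in the last 24 hours. The trail records the
-- database account, not the human; USERHOST and OS_USERNAME are the hooks for
-- correlating a row with client-side records (the IP address mentioned above).
-- A non-zero RETURNCODE is the ORA- error number of a failed attempt.
SELECT username,
       owner || '.' || obj_name                       AS object_name,
       action_name,
       TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS')    AS when_done,
       userhost,
       os_username,
       returncode
  FROM dba_audit_trail
 WHERE owner    = 'HRDATA'
   AND obj_name = 'EMPLOYEES'
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp;
```

Because every audited statement becomes a row in SYS.AUD$, this is exactly the performance cost the slide warns about; scope the AUDIT statement to sensitive tables rather than whole schemas.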
Common integration techniques
• Shared database schemas
• Separate schemas/dbs
  • Grant direct access to each other’s schemas
  • Grant only stored proc access
Typical modern application
[Diagram: one application using its own application schema, which holds the orders and customers tables.]
Shared schemas
[Diagram: Application #1 and Application #2 both work directly in application #2’s schema, which holds orders and customers. Privileges shown on the connections: select, insert, update for the guest application; insert, update, delete, select, grant for the owning application; select.]
Shared objects
[Diagram: Application #1’s schema holds orders and Application #2’s schema holds customers. Each application keeps full rights (insert, update, delete, select, grant) on its own table and grants the other application direct privileges on it (select, insert, update on one side; select on the other).]
Shared, protected objects
[Diagram: as in the shared-objects case, but instead of direct select/insert/update on the other application’s table, the guest application receives only execute on a stored procedure that fronts the table.]
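The "shared, protected objects" pattern in SQL, as an added example that is not part of the slides: it also uses the role-based grant from the earlier slide and the definer’s-rights (setuid) model from the Java security slide. The schema names APP1 and APP2, the role APP2_ORDER_WRITER, the procedure place_order and the column list are assumptions.

```sql
-- Added example: APP1 owns ORDERS; APP2 gets no privileges on the table at all,
-- only EXECUTE on a procedure that performs one controlled operation.

-- Run as APP1 (the owning schema).
CREATE TABLE orders (
    order_id    NUMBER        PRIMARY KEY,
    customer_id NUMBER        NOT NULL,
    amount      NUMBER(12,2)  NOT NULL CHECK (amount >= 0),
    status      VARCHAR2(10)  DEFAULT 'NEW' NOT NULL
);

-- Definer's rights is the default; AUTHID DEFINER is spelled out for clarity.
-- The body executes with APP1's privileges, so the caller needs none on ORDERS.
-- The procedure fixes which columns can be written and validates the input,
-- which a plain "grant insert on orders" could not do.
CREATE OR REPLACE PROCEDURE place_order (
    p_order_id    IN NUMBER,
    p_customer_id IN NUMBER,
    p_amount      IN NUMBER
) AUTHID DEFINER IS
BEGIN
    IF p_amount IS NULL OR p_amount < 0 THEN
        raise_application_error(-20010, 'amount must be a non-negative number');
    END IF;
    INSERT INTO orders (order_id, customer_id, amount, status)
    VALUES (p_order_id, p_customer_id, p_amount, 'NEW');
END;
/

-- Run as a DBA (CREATE ROLE is a system privilege). Exposing the procedure
-- through a role lets access be revoked or moved to another schema in one place.
CREATE ROLE app2_order_writer;
GRANT EXECUTE ON app1.place_order TO app2_order_writer;
GRANT app2_order_writer TO app2;

-- APP2 can now do this, but cannot SELECT, UPDATE or DELETE ORDERS:
--   EXECUTE app1.place_order(1001, 42, 199.99);
```

Caveat: roles are disabled inside definer’s-rights PL/SQL, so if APP2 calls place_order from its own stored code rather than from a session, it needs a direct GRANT EXECUTE ON app1.place_order TO app2 instead of the role.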
Application-level integration
[Diagram: Application #1 keeps exclusive access to its own schema (orders) and Application #2 to its own (customers); nothing is shared at the database level and the two applications talk to each other at the application tier, via:]
• Shared libraries
• MMX
• Web services
• IIOP
Current problems in industry
• Account management
  • Passwords never changed
  • Accounts/passwords widely known
    • All developers
    • cgi-bin trees
    • CVS source repositories
• Privileges too broad
• No data stewardship
• No segregation/special protection for sensitive data