Securing your Databases and Protecting User Data: A risk-based
approach MSSD-3 , .
Slide 2
About me Principal Program Manager, Business Platform Security
Services Formerly worked on security training and policy for
Microsoft Security Engineering Center Former vulnerability team
leader, CERT/CC Former database administrator and developer
Slide 3
About this deck Database systems are complex I use the word
systems intentionally You have to secure the servers and the
applications that access the server Priority and degree of scrutiny
depend on risk Well look at some problems through the eyes of some
great historical figures to illustrate some security development
principles
Slide 4
Great figures in history as security engineers William
Shakespeare Jawaharlal Nehru Eleanor Roosevelt
Slide 5
William Shakespeare as security engineer We will demonstrate
Shakespeare's credibility as a security engineer by looking at the
history of SQL injection and a 1996-era vulnerability in a popular
CGI webform
Slide 6
SQL injection C# string Status = "No"; string sqlstring ="";
try { SqlConnection sql= new SqlConnection( @"data
source=localhost;" + "user id=sa;password=password;"); sql.Open();
sqlstring="SELECT HasShipped" + " FROM Shipment WHERE ID='" + Id +
"'"; SqlCommand cmd = new SqlCommand(sqlstring,sql); if
((int)cmd.ExecuteScalar() != 0) Status = "Yes"; } catch
(SqlException se) { Status = sqlstring + " failed\n\r"; foreach
(SqlError e in se.Errors) { Status += e.Message + "\n\r"; } } catch
(Exception e) { Status = e.ToString(); } Embedded, hard to guess
password! Connecting as sysadmin String concat for dynamic SQL
Telling the bad guy too much on failure
Slide 7
Why its wrong (1) Good guy SELECT HasShipped FROM Shipment
WHERE ID='1001' Not so good guy SELECT HasShipped FROM Shipment
WHERE ID= '1001' or 2>1 -- ' sqlstring="SELECT HasShipped" + "
FROM Shipment WHERE ID='" + Id + "'"; " FROM Shipment WHERE ID='" +
Id + "'";
Slide 8
Why its wrong (2) Really bad guy SELECT HasShipped FROM
Shipment WHERE ID= '1001' drop table orders -- ' Downright evil guy
SELECT HasShipped FROM Shipment WHERE ID= '1001' exec
xp_cmdshell('...') -- ' sqlstring="SELECT HasShipped" + " FROM
Shipment WHERE ID='" + Id + "'";
Slide 9
SQL injection hits the big time For many years, common wisdom
held that SQL injection required detailed knowledge of the victims
application By 2008, however, attackers had figured out how to
automatically identify the structure of a web application to
perform mass SQL injection without a priori detailed knowledge of
the victim There are (in hindsight) clear trends that could have
predicted this
Slide 10
SQL injection heat map Source: Microsoft Security Intelligence
Report, Volume 9 http://www.microsoft.com/security/sir/default.aspx
Not including TLDs
Slide 11
Was there a warning for SQL injection? Yes SQL Injection is
just a sub class of a class of vulnerabilities known as command
injectionsub classcommand injection Command injection has its own
long history, of which SQL injection is just one prominent part The
name "SQL injection" may cause database security activities to be
limited to SQL injection
Slide 12
An early command injection vul: PhF CVE-1999-0067 (disclosed
1996) CVE-1999-0067 PhF takes an argument from a web page, usually
a name, and constructs a UNIX shell command to look up the name in
the phone book, something like $ ph hernan This returns directory
information about ' hernan ' Shipped with NCSA httpd and Apache
httpd
Slide 13
Command injection in PhF Command injection was well known at
the time PhF was written, and the authors guarded against some
attacks such as $ ph hernan ; rm * Here the attacker entered
'hernan ; rm *' as the argument, but PhF filtered semicolons and
other metacharacters except one: newline
Slide 14
Exploiting PhF So, to exploit PhF, all you needed was to enter
a newline in the argument, which was easy with URL encoding $ ph
hernan $ rm * Here the attacker entered ' hernan rm * '
Slide 15
Similarities Command injection in PhF and SQL injection in PhF
are extremely similar A web interface takes a string and gives it
to a command subsystem That subsystem uses that string to build a
command Nothing sanitizes characters that have special meaning to
the command subsystem SQL is a much richer, more powerful
environment however, which has led to a longer lifetime of SQL
injection attacks as compared to PhF command injection
Slide 16
Whats this have to do with Shakespeare? Whats past is prologue
The Tempest, Act 2, Scene I
Slide 17
Eleanor Roosevelt as security engineer We will demonstrate Mrs.
Roosevelts credibility as a security engineer by looking at padding
oracles in database systems
Slide 18
Basic oracle model 42 Informally, an oracle answers a question
for you. A padding oracle gives you information about the padding
bits in an encrypted text. When a padding oracle exists, it is
quite powerful. What is the meaning of life?
Slide 19
A padding oracle Are you able to successfully decrypt this
text? Yes or No, because the padding is invalid. When an oracle
will answer a question in this fashion, it is a padding oracle, and
attackers can use it to decrypt a ciphertext or encrypt a plaintext
without access to the key. Ill give an intuitive understanding of
how it works.
Slide 20
Understanding padding oracles Cipher-block chaining (CBC)
decryption: Intermediate decrypted Text Intermediate decrypted Text
Intermediate decrypted Text Intermediate decrypted Text P1P2P3P4
C1C2C3C4 Plaintext Ciphertext IV For the attack to be meaningful,
the attacker has to be able to submit an arbitrary ciphertext for
decryption
Slide 21
Padding formats There are a variety of ways to pad the data One
format looks like this Length of dataData Padding (possibly empty)
All of this gets encrypted in CBC mode
Slide 22
Revisiting decryption Intermediate decrypted Text Intermediate
decrypted Text Intermediate decrypted Text Intermediate decrypted
Text P1P2P3P4 C1C2C3C4 Plaintext Ciphertext Encrypted padding block
Attacker flips a bit here The decryption engine flips the
corresponding bit here IV Remember that the attacker controls the
cipher text he submits for decryption.
Slide 23
Bit flips Now flip a bit in the next-to-last ciphertext block
This will flip a bit in the last plaintext block This last bit is
either Part of the data Part of the padding If it is part of the
data, the decryption will succeed If it is part of the padding, the
decryption will fail If the application lets the attacker tell the
difference between success and failure, you leak information about
one bit in the last block
Slide 24
What can you do with the length? Intermediate decrypted text
Intermediate decrypted text Intermediate decrypted text
Intermediate decrypted text LengthData Data|Pad Plaintext
Ciphertext Attacker can manipulate IV By choosing the IV, the
attacker can make the decrypted length be whatever he wants with a
little Boolean algebra IV Encrypted length block Encrypted padding
block
Slide 25
Getting the first (last) bit Submit to the oracle the following
ciphertext C = IV | C 1 | R | C k where C 1 is the length block R
is a random block C k is the block you want to decrypt IV is (2n
-1) (L) (IV) This results in a decrypted length of 2n-1, meaning
that there should be a 0 in the last bit If the last bit is 0, the
decryption succeeds, otherwise, the decryption fails
Slide 26
Graphically Decrypted text Decrypted text Decrypted text
LengthRandomTarget Plaintext Ciphertext Attacker can manipulate IV
Choose the IV such that the length is (2n-1), meaning that the last
bit here must be a ' 0 ' Chosen IV
Slide 27
Getting the next bit Choose IV such that the length is (2n-2)
This means that there must be two 0s at the end of the last block
to get a valid decryption You can ensure that the last bit is 0 by
flipping (or not) the last bit of the random ciphertext block Then,
if you get a valid decryption, you know the next- to-last bit is 0;
otherwise it must be a 1
Slide 28
In summary Are you able to successfully decrypt this text?
Okay, let me change it a bit. What about this one? And this one?
And this one? Yes or No, because the padding is invalid. By
repeatedly asking the padding oracle about the padding of the
attackers chosen ciphtertext, the attacker can recover the original
ciphertext text bit by bit.
Slide 29
Do padding oracles exist in Microsoft SQL Server? No, they do
not In order to encrypt and decrypt anything in SQL, you need
access to the key, which is itself a securable object Anyone who
has access to the key is by definition not an attacker But someone
could write an application that created a padding oracle
Slide 30
A SQL padding oracle Create symmetric key DemoKey with
algorithm = AES_256 encryption by password = 'Do not use this
password!'; CREATE TABLE CryptoTable( PlainText varchar(200),
CipherText varbinary (200)) open symmetric key DemoKey decryption
by password = 'Do not use this password!'; insert into CryptoTable
values (N'Some Data is Better than No Data',
encryptbykey(key_guid('DemoKey'), N'Some Data is Better than No
Data')) SELECT CONVERT( nvarchar(100),
decryptbykey(CryptoTable.CipherText)) FROM CryptoTable select *
from CryptoTable insert into CryptoTable values ('Some Data',
0x00643BF967FEA64684B38BBF5E874A7C010000006AE8686787135388420E2CD90AD450EE02D17AA8622B52
A517E9D493D3ED8801CCF36BA3B8AECD919023443C7EF6A2CD7B952527292D7BDDDE1DFA7A3E4BB49395
8408CCE66AEBF5CE54C237CFEEDE006C506BAD3829EA4BE8C7FD84AAF252C5);
Slide 31
What does this have to do with Eleanor Roosevelt? Learn from
the mistakes of others. You cant live long enough to make them all
yourself.
Slide 32
Nehru as security engineer Well explore the capabilities of
Jawaharlal Nehru as a security engineer by looking at some code and
data flows
Slide 33
Math is hard, especially for computers What will these two
snippets produce? By show of hands unsigned short c = 10; signed
int x; x = c = ~c; if (x ==c) printf("True") else printf("False");
else printf("False"); unsigned short c = 10; signed int x; x = ~c;
c = ~c; if (x ==c) printf("True") else printf("False"); True
False
Slide 34
See SQL injection? CREATE PROCEDURE sp_setPassword @username
varchar(25), @old varchar(25), @new varchar(25) AS DECLARE @command
varchar(100) SET @command= update Users set password= +
QUOTENAME(@new,) + where username= + QUOTENAME(@username,) + AND
password = + QUOTENAME(@old,) EXEC (@command) GO
Slide 35
Whats this have to do with Nehru? Let us be a little humble;
let us think that the truth may not perhaps be entirely with
us.
Slide 36
Database systems are complex A database system is not just the
server, but also all the applications Too often, people want to
secure the data by simply enabling features in the database
Necessary, but not sufficient Evaluate the risks in the system as a
whole, do not merely secure the database Do not build steel doors
in paper walls Evaluate the applications as thoroughly as the
database server, commensurate with the risk
Slide 37
Conclusions Learn from history: Encode and embed your collected
wisdom in your development process to never make the same mistake
twice Learn from the mistakes of others: Practice active threat
modeling to bring the benefits of others mistakes to your own
systems and services Be humble: Constantly improve your processes
and practices to respond to contemporary problems and dont mistake
compliance for securitysecurity is a journey, compliance is a state
A formalized Security Development Lifecycle process addresses all
of these and should be applied to all database systems