Chapter 9 - Database Security_up

15/10/2024

Lecturer: Nguyễn Thị Thanh Vân – FIT - HCMUTE

 Understand the importance of databases
 Understand the importance of securing data stored in databases
 Learn how the structured nature of data in databases impacts security mechanisms
 Understand attacks and defenses that specifically target databases


 Databases Run Your Life. Databases are everywhere.
o Their effect on our daily lives is extensive: databases are responsible for many of the services we use daily.
o They let people search through the equivalent of millions of filing cabinets to find a particular record.
o They are a standardized and performant way for programs to store, retrieve, and mutate data.
o Quite a few things would be very difficult, if not impossible, without databases: the Internet, GPS, electronic banking, and much more.
o They make everything easier, along with tons of other interesting and useful things.


 Databases store massive amounts of sensitive data
 Data has structure that influences how it is accessed
 Transactional nature of queries (updates or reads)
 Accessed via queries or programs written in languages like SQL
 Derived data or database views


 Database security is business-critical because breaches can lead to:
o Data theft
• Hackers use stolen information to steal identities and make unauthorized purchases.
o Damage to business and brand reputation
• Customers hesitate to do business with companies that don't protect their personal data. Compromised customer information can damage the organization's reputation, resulting in a decline in sales and customer churn.
o Revenue loss
• A data breach can halt or slow down business operations and revenue generation.
o Increased costs
• Data breaches can cost millions of dollars to fix, including legal fees, assisting victims, and extra expenses to recover data and restore systems (for example, paying a ransom to ransomware operators).
o Data breach violation penalties
• State and local agencies impose fines, and in some cases require that customers are compensated, when companies don't protect their customer data.


 Database security refers to a set of tools, processes, and methodologies which establish security inside a database environment to ensure:
o The confidentiality, availability and integrity of databases (CIA Triad)
 Database security programs are designed to protect
o the data within the database,
o the data management system,
o every application that accesses it
from misuse, damage, and intrusion.


 Database security is a broad area
o Legal, ethical, policy, and system-related issues
 Types of threats to databases
o Loss of integrity
• Improper modification of information
o Loss of availability
• Legitimate users cannot access data objects
o Loss of confidentiality
• Unauthorized disclosure of confidential information

 Databases are valuable repositories of sensitive information, which makes them the primary target of data thieves.


Cybercriminals have a variety of approaches they employ when attempting to steal data from databases


 Insider Threats
 Human Error
 Database Vulnerabilities
 SQL/NoSQL Injection Attacks
 Buffer Overflow Attacks
 Denial of Service (DoS/DDoS) Attacks
 Malware
 An Evolving IT Environment: trends can lead to new types of attacks on databases
o Growing data volumes: security must be highly scalable to address future requirements
o Distributed infrastructure (e.g., cloud): security solutions become more difficult
o Increasingly tight regulatory requirements: compliance becomes more challenging
o Cybersecurity skills shortage: critical databases are more difficult to defend


 A defense in depth (DiD) security strategy places multiple controls across the IT system.
o If one layer of protection fails, then another is in place to immediately prevent the attack
o Example controls at successive layers:
• Lock, Camera
• UTM, Firewall, VPN, Routers,…
• VLAN, IPS, IDS,…
• OS, Update Management, Endpoint Security,…
• Application Control, Antivirus,…
• AAA, Encryption, Digital Signature…

 Firewalls serve as the first line of defense in DiD database security.
o A separator or restrictor of network traffic, which can be configured to enforce your organization's data security policy.
o Increase security at the OS level by providing a chokepoint where your security measures can be focused.
o Make sure that your firewall is properly configured in such a way as to cover all security weaknesses.


 Authentication: DB, OS
 Authorization
 Access control
 Auditing


 Authentication: users must log in using an assigned username/password
o DB level, OS level
o Users and applications should use separate accounts to authenticate.
• Limits the permissions granted to users and applications
• Reduces the risks of malicious activity
• It's especially critical if application code is vulnerable to a SQL injection attack.
 Zero Trust is a framework for securing infrastructure and data for today's modern digital transformation.
o securing remote workers,
o hybrid cloud environments,
o and ransomware threats


 Authentication: users must log in using an assigned username/password
o DB level, OS level
o Users and applications should use separate accounts to authenticate. This limits the permissions granted to users and applications and reduces the risks of malicious activity. It's especially critical if application code is vulnerable to a SQL injection attack.
 Login session
o Sequence of database operations by a certain user
o Recorded in the system log
 Database audit
o Reviewing the log to examine all accesses and operations applied during a certain time period


 Discretionary security mechanisms
o Used to grant privileges to users
 Mandatory security mechanisms
o Classify data and users into various security classes
o Implement security policy
 Role-based security
o The permissions of user-defined database roles can be customized by using GRANT, DENY, and REVOKE.
 Row-Level Security (RLS)
o Enables you to use group membership or execution context to control access to rows in a database table
o Implement RLS by using the CREATE SECURITY POLICY Transact-SQL statement


 Database administrator (DBA)
o Central authority for administering the database system
o Superuser or system account
 The DBA is responsible for the overall security of the database system:
o granting privileges to users who need to use the system
o classifying users and data in accordance with the policy of the organization
 DBA-privileged commands
o Account creation - access control
o Privilege granting - control discretionary authorization
o Privilege revocation - control discretionary authorization
o Security level assignment - control mandatory authorization


 DAC: 2 levels for assigning privileges to use a DB system
o Account level
• Example: CREATE, DROP, ALTER, MODIFY, SELECT privileges
o Relation (or table) level: defined for SQL2
• Access matrix model
• Each relation R is assigned an owner account
• The owner of a relation is given all privileges on that relation
• The owner can grant privileges to other users on any owned relation
 Revoking of privileges
o Useful for granting a privilege temporarily
o The REVOKE command is used to cancel a privilege
 DAC policies have a high degree of flexibility, but do not impose control on how information is propagated

 Mandatory access control
o An additional security policy that classifies data and users based on security classes: Top secret, Secret, Confidential, Unclassified
o MAC policies ensure a high degree of protection.
o Rigid.
o Prevent illegal information flow
 Bell-LaPadula model: subject and object classifications
o Simple security property
• Subject S is not allowed read access to object O unless class(S) ≥ class(O)
o Star property (*-property)
• Subject S is not allowed to write object O unless class(S) ≤ class(O)
• Prevents information from flowing from higher to lower classifications


 Permissions are associated with organizational roles
o Users are assigned to appropriate roles
 Can be used with traditional DAC, MAC


 Sophisticated access control rules implemented by considering the data row by row
 Each row is given a label
o Prevents unauthorized users from viewing or altering certain data
 Provides finer granularity of data security
 Label security policy: defined by an administrator
 On top of DAC (access must satisfy both DAC and the label security requirements)
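As an added illustration (not code from the slides), the Python below models the three mechanisms of the last few slides together: a discretionary SELECT grant, the Bell-LaPadula read and write rules over the four classification levels, and label security that filters rows on top of the DAC check. The in-memory SQLite table, the accounts alice and bob, the grants and the per-row labels are all constructed for the example.

```python
import sqlite3

# Classification lattice from the MAC slide; the numeric ordering is constructed here.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top secret": 3}

def can_read(subject_level, object_level):
    """Bell-LaPadula simple security property: read only if class(S) >= class(O)."""
    return LEVELS[subject_level] >= LEVELS[object_level]

def can_write(subject_level, object_level):
    """Bell-LaPadula *-property: write only if class(S) <= class(O) (no write-down)."""
    return LEVELS[subject_level] <= LEVELS[object_level]

# Discretionary grants: relation -> accounts holding SELECT on it. Constructed; it stands
# in for the state produced by GRANT/REVOKE statements.
DAC_SELECT = {"employees": {"alice", "bob"}}

def build_db():
    """In-memory table where every row carries a security label (constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees(name TEXT, salary INTEGER, label TEXT)")
    con.executemany("INSERT INTO employees VALUES (?, ?, ?)", [
        ("Ann", 50000, "Unclassified"),
        ("Ben", 70000, "Confidential"),
        ("Cyd", 90000, "Secret"),
        ("Dee", 120000, "Top secret"),
    ])
    return con

def select_rows(con, account, clearance, relation="employees"):
    """Label security on top of DAC: the account must hold SELECT on the relation, and only
    rows whose label the subject is cleared to read (simple security property) come back."""
    if account not in DAC_SELECT.get(relation, set()):
        raise PermissionError(f"{account} has no SELECT privilege on {relation}")
    readable = [lvl for lvl in LEVELS if can_read(clearance, lvl)]
    # The relation name is an identifier and cannot be a bound parameter; interpolating it
    # is safe here only because it was just checked against the DAC_SELECT whitelist.
    # The labels are data and are bound through placeholders.
    placeholders = ",".join("?" * len(readable))
    sql = f"SELECT name, salary FROM {relation} WHERE label IN ({placeholders}) ORDER BY name"
    return con.execute(sql, readable).fetchall()

if __name__ == "__main__":
    con = build_db()
    print(select_rows(con, "alice", "Confidential"))   # Ann and Ben only
    print(can_write("Secret", "Confidential"))         # False: write-down is blocked
```

A subject cleared to Confidential sees the Unclassified and Confidential rows and nothing above, an account without the discretionary grant is refused before any label is consulted, and the *-property stops a Secret subject from writing into a Confidential object even though it may read it.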


 E-commerce environments require elaborate access control policies
o Go beyond traditional DBMSs
 Legal and financial consequences for unauthorized data breach
 Content-based access control
o Takes the content of the protected object into account
 Credentials
o Digital certificates are used in HTTPS to prevent MITM attacks
o A certification agency creates a digital certificate by encrypting, e.g., the site's public key using its own private key

 Auditing
o Tracks database activities and helps maintain compliance with security standards by recording database events to an audit log.
o Allows monitoring of ongoing database activities
o Allows analysis and investigation of historical activity to identify potential threats or suspected abuse and security violations.
 Threat detection:
o Uncovers anomalous database activities that indicate a potential security threat to the database
o Can show information about suspicious events directly to the administrator.


 Data encryption
o Enhances security by limiting data loss when access controls are bypassed.
 Database backup and recovery
o Involves making backup copies of the database and log files on a regular basis and storing the copies in a secure location.
o They are available to restore the database in the event of a security breach or failure.
 Security for web server applications and websites:
o Any application or web server that connects to the database could be a target and should be subjected to periodic security testing and best-practice management.
 Physical security
o Limits access to the physical server and hardware components.

 Always Encrypted data offers built-in protection of data against theft in memory, on disk, in transit, and even during query processing.
o Encrypt the database at the storage level, transparent to the application
• Whole database/file/relation: the unit of encryption is the page
• Column encryption
• Supported by many database systems
o Encrypt data "in transit" between the client and server at the network level, using the TLS protocol, to prevent:
• Eavesdropping: unauthorized reading of messages
• Masquerading: pretending to be an authorized user


 Sensitivity of data: a measure of the importance assigned to the data
o Inherently sensitive (e.g., health info, grades)
o From a sensitive source (e.g., an informer)
o Declared sensitive
o A sensitive attribute or sensitive record (e.g., grade)
o Sensitivity in relation to previously disclosed data
 Factors in deciding whether it is safe to reveal the data
o Data availability: not available when being updated
o Access acceptability: authorized users?
o Authenticity assurance: external characteristics of the user
• Example: access allowed during working hours


 Typically a tradeoff between precision and security
 Precision
o Protect all sensitive data while making available as much nonsensitive data as possible
 Security
o Ensuring data is kept safe from corruption and that unauthorized access is suitably controlled


 Security: technology to ensure information protection
 The concept of privacy goes beyond security
o Ability of individuals to control the terms under which their personal information is acquired and used
o Preventing storage of personal information
o Ensuring appropriate use of personal information
 Security is a required building block for privacy


● SQL Injection
● Inference attacks


 Malicious SQL commands are sent to a database
 Can impact both
o confidentiality (extraction of data) and
o integrity (corruption of data)
 In a web application environment, typically a script takes user input and builds an SQL query
 A web application vulnerability can be used to craft an SQL injection
 SQL injection attack is one of the most prevalent and dangerous network-based security threats


The SQLi attack typically works by:
 early terminating a text string,
 appending a new command, and
 terminating the injected string with a comment mark "--".
Example (server-side script that builds the query from form input; deliberately vulnerable):
var ShipCity;
ShipCity = Request.form("ShipCity");
var sql = "select * from OrdersTable where ShipCity = '" + ShipCity + "'";

A user will normally enter the name of a city, e.g., Redmond.
● The script generates:
SELECT * FROM OrdersTable WHERE ShipCity = 'Redmond'
● What if the user enters:
Redmond'; DROP table OrdersTable--
● In this case, the script generates:
SELECT * FROM OrdersTable WHERE ShipCity = 'Redmond'; DROP table OrdersTable--'
 The server will:
- select all records in OrdersTable where ShipCity is Redmond,
- then execute the DROP request.
● The malicious user is able to inject code to delete the table
● Many other code injection examples exist


 User input: attackers inject SQL commands by providing suitably crafted user input.
 Server variables: if server variables are logged to a database without sanitization, this could create an SQL injection vulnerability.
 Second-order injection: a malicious user could rely on data already present in the system or database to trigger an SQL injection attack.
 Cookies: an attacker could alter cookies; when the application server builds an SQL query based on the cookie's content, the structure and function of the query is modified.
 Physical user input: could be scanned using optical character recognition and passed to a database management system.

 A successful SQL injection attack can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information.
 Many high-profile data breaches, leading to reputational damage and regulatory fines.
 In some cases, an attacker can obtain a persistent backdoor into an organization's systems,
o leading to a long-term compromise that can go unnoticed for an extended period.


 There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different situations. Some common SQL injection examples include:
o Retrieving hidden data, where you can modify an SQL query to return additional results.
o Subverting application logic, where you can change a query to interfere with the application's logic.
o UNION attacks, where you can retrieve data from different database tables.
o Examining the database, where you can extract information about the version and structure of the database.
o Blind SQL injection, where the results of a query you control are not returned in the application's responses.


 When the user clicks on the Gifts category, the URL is:
o https://insecure-website.com/products?category=Gifts
o The application runs an SQL query to retrieve the details:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
 An attacker can construct an attack like:
o Ex1: https://insecure-website.com/products?category=Gifts'--
o This results in the SQL query:
SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1
-- starts a comment: it removes the remainder of the query, so it no longer includes AND released = 1. This means that all products are displayed, including those not yet released.
o Ex2: https://insecure-website.com/products?category=Gifts'+OR+1=1--
o This results in the SQL query:
SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1
o The modified query will return all items where either the category is Gifts, or 1 is equal to 1. Since 1=1 is always true, the query will return all items.


 If a user submits the username wiener and the password bluecheese, the application checks the credentials by performing the following SQL query:
o SELECT * FROM users WHERE username = 'wiener' AND password = 'bluecheese'
o If the query returns the details of a user, then the login is successful. Otherwise, it is rejected.
 Here, an attacker can log in as any user without a password simply by using the SQL comment sequence -- to remove the password check from the WHERE clause of the query.
o SELECT * FROM users WHERE username = 'administrator'--' AND password = ''
o This query returns the user whose username is administrator and successfully logs the attacker in as that user.

 In cases where the results of an SQL query are returned within the application's responses, an attacker can leverage an SQL injection vulnerability to retrieve data from other tables within the database.
 This is done using the UNION keyword, which lets you execute an additional SELECT query and append the results to the original query.
 For example, if an application executes the following query containing the user input "Gifts":
o SELECT name, description FROM products WHERE category = 'Gifts'
then an attacker can submit the input:
o ' UNION SELECT username, password FROM users--
This will cause the application to return all usernames and passwords along with the names and descriptions of products.


 Following initial identification of an SQL injection vulnerability, it is generally useful to obtain some information about the database itself. This information can often pave the way for further exploitation.
 You can query the version details for the database. The way that this is done depends on the database type, so you can infer the database type from whichever technique works. For example, on Oracle you can execute:
o SELECT * FROM v$version
 You can also determine what database tables exist, and which columns they contain. For example, on most databases you can execute the following query to list the tables:
o SELECT * FROM information_schema.tables


 Blind SQL injection: many instances of SQL injection are blind vulnerabilities.
o The application does not return the results of the SQL query or the details of any database errors within its responses.
o Blind vulnerabilities can still be exploited to access unauthorized data, but the techniques involved are generally more complicated and difficult to perform.
 Techniques that can be used to exploit blind SQL injection vulnerabilities:
o Change the logic of the query to trigger a detectable difference in the application's response depending on the truth of a single condition. This might involve injecting a new condition into some Boolean logic, or conditionally triggering an error such as a divide-by-zero.
o Trigger a time delay in the processing of the query, allowing you to infer the truth of the condition based on the time that the application takes to respond.
o Trigger an out-of-band network interaction, using OAST techniques. This technique is extremely powerful and works in situations where the other techniques do not. Often, you can directly exfiltrate data via the out-of-band channel, for example by placing the data into a DNS lookup for a domain that you control.


 Tool: using Burp Suite's web vulnerability scanner.
 Manual: by using a systematic set of tests against every entry point in the application. This typically involves:
o Submitting the single quote character ' and looking for errors or other anomalies.
o Submitting some SQL-specific syntax that evaluates to the base (original) value of the entry point, and to a different value, and looking for systematic differences in the resulting application responses.
o Submitting Boolean conditions such as OR 1=1 and OR 1=2, and looking for differences in the application's responses.
o Submitting payloads designed to trigger time delays when executed within an SQL query, and looking for differences in the time taken to respond.
o Submitting OAST payloads designed to trigger an out-of-band network interaction when executed within an SQL query, and monitoring for any resulting interactions.


 Use parameterized queries (also known as prepared statements) instead of string concatenation within the query.
 The following code is vulnerable:
String query = "SELECT * FROM products WHERE category = '" + input + "'";
Statement statement = connection.createStatement();
ResultSet resultSet = statement.executeQuery(query);
 The code above, rewritten in a way that prevents the user input from interfering with the query structure:
PreparedStatement statement = connection.prepareStatement("SELECT * FROM products WHERE category = ?");
statement.setString(1, input);
ResultSet resultSet = statement.executeQuery();
 Parameterized queries can be used for any situation where untrusted input appears as data within the query, including
o the WHERE clause and values in an INSERT or UPDATE statement.
o They can't be used to handle untrusted input in other parts of the query, such as table or column names, or the ORDER BY clause.
o Application functionality that places untrusted data into those parts of the query will need to take a different approach, such as white-listing permitted input values, or using different logic to deliver the required behavior.
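The slides show the vulnerable and the parameterized query in Java. As an added example (not the slides' code), the Python below puts both forms side by side on an in-memory SQLite table and feeds them the two inputs from the earlier "retrieving hidden data" slide, `Gifts'--` and `Gifts' OR 1=1--`, so the effect of each can be observed directly; it also shows the whitelist approach the last bullet calls for when untrusted input names an ORDER BY column. The products table, the rows in it, the function names and the ALLOWED_SORT set are all constructed.

```python
import sqlite3

def build_db():
    """Constructed products table matching the shape of the slides' query (category, released)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products(name TEXT, category TEXT, released INTEGER)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("Mug", "Gifts", 1),
        ("Unreleased mug", "Gifts", 0),
        ("Secret prototype", "Gadgets", 0),
        ("Lamp", "Home", 1),
    ])
    return con

def lookup_concat(con, category):
    """Vulnerable form: the input is spliced into the query text, as in the slide's
    string-concatenation snippet, so quotes and comment markers in it change the query."""
    query = "SELECT name FROM products WHERE category = '" + category + "' AND released = 1"
    return [row[0] for row in con.execute(query).fetchall()]

def lookup_param(con, category):
    """Parameterized form: the placeholder keeps the whole input as one data value."""
    query = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in con.execute(query, (category,)).fetchall()]

# A placeholder cannot stand in for a column name, so the sort column is checked against
# a whitelist before it is interpolated (the slide's advice for ORDER BY and identifiers).
ALLOWED_SORT = {"name", "category"}

def lookup_sorted(con, category, sort_col):
    if sort_col not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort column: {sort_col!r}")
    query = f"SELECT name FROM products WHERE category = ? AND released = 1 ORDER BY {sort_col}"
    return [row[0] for row in con.execute(query, (category,)).fetchall()]

if __name__ == "__main__":
    con = build_db()
    for user_input in ("Gifts", "Gifts'--", "Gifts' OR 1=1--"):
        print(repr(user_input), "concat ->", lookup_concat(con, user_input),
              "| param ->", lookup_param(con, user_input))
```

With concatenation, `Gifts'--` comments out the released filter and returns the unreleased Gifts item, and `Gifts' OR 1=1--` returns every row in the table; with the placeholder, both strings are looked up as literal category names and match nothing, because the query structure was fixed before the input arrived.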


 An integrated set of techniques is necessary:
o Defensive coding
• Manual defensive coding practices
• Parameterized query insertion
• SQL DOM
o Detection
• Signature based
• Anomaly based
• Code analysis
o Run-time prevention
• Check queries at runtime to see if they conform to a model of expected queries
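The run-time prevention bullet says queries are checked against a model of expected queries. As an added example (not from the slides), the Python below builds such a model: every statement the application legitimately issues is reduced to its structural skeleton (string literals and numbers replaced by placeholders), and at run time a statement whose skeleton is not in the model is flagged. The tokenizer is a constructed simplification of what an SQL DOM or a real parser would do, and the "legitimate" statements used to train it are the queries from the earlier slides.

```python
import re

# Literal patterns (constructed tokenizer; a production SQL DOM would use the database's
# own parser). In SQL a doubled quote inside a string is an escaped quote.
_STRING = re.compile(r"'(?:[^']|'')*'")
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_SPACE = re.compile(r"\s+")

def skeleton(query):
    """Reduce a statement to its shape: string literals become ?, numbers become 0,
    whitespace and keyword case are normalized."""
    shape = _STRING.sub("?", query)
    shape = _NUMBER.sub("0", shape)
    return _SPACE.sub(" ", shape).strip().upper()

def learn_model(legitimate_queries):
    """Model of expected queries: the set of skeletons the application is known to issue."""
    return {skeleton(q) for q in legitimate_queries}

def is_anomalous(query, model):
    """Run-time check: a statement whose shape is not in the model is refused or flagged."""
    return skeleton(query) not in model

# Constructed inventory of statements the application legitimately issues (from the slides).
EXPECTED = learn_model([
    "SELECT * FROM products WHERE category = 'Gifts' AND released = 1",
    "SELECT * FROM users WHERE username = 'wiener' AND password = 'bluecheese'",
])

if __name__ == "__main__":
    for q in (
        "SELECT * FROM products WHERE category = 'Home' AND released = 1",
        "SELECT * FROM users WHERE username = 'O''Brien' AND password = 'x'",
        "SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1",
        "SELECT * FROM products WHERE category = 'Gifts' OR 1=1--' AND released = 1",
        "SELECT * FROM users WHERE username = 'administrator'--' AND password = ''",
    ):
        print("ANOMALY" if is_anomalous(q, EXPECTED) else "ok     ", skeleton(q))
```

A different category or a name containing an escaped quote produces the same skeleton as the trained statement and passes, while each injected input from the slides changes the skeleton (a comment marker, an extra OR branch, a dangling quote) and is flagged without any attack signature. The weakness of the approach is the inventory: a release that adds a new legitimate query shape must update the model, or that query will be refused.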

Mark all applicable answers.
A web application script uses the following code to generate a query:
Query = "SELECT accounts FROM users WHERE login = '" + login + "' AND pass = '" + password + "' AND pin = " + pin;
The various arguments are read from a form to generate Query.
This query is executed to get a user's account information when the following is provided correctly...
o Login name
o Password
o PIN


Choose the best answer.
Query = "SELECT accounts FROM users WHERE login = '" + login + "' AND pass = '" + password + "' AND pin = " + pin;
The various arguments are read from a form to generate Query.
If a user types "' or 1 = 1 --" for login in the above query...
o Query will fail because the provided login is not a correct user
o An injection attack will result in all users' account data being returned

● Inference attacks:
● relate to database security
● the process of performing authorized queries and deducing unauthorized information from the legitimate responses received.
● Problem:
● the combination of a number of data items is more sensitive than the individual items,
● the combination of data items can be used to infer data of a higher sensitivity


•Anonymous medical data:

SSN  Name  Race   DOB       Sex  Zip    Marital  Health
           Asian  09/07/64  F    22030  Married  Obesity
           Black  05/14/61  M    22030  Married  Obesity
           White  05/08/61  M    22030  Married  Chest pain
           White  09/15/61  F    22031  Widow    Aids

•Publicly available voter list:

Name         Address         City     Zip    DOB       Sex  Party
….           ….              ….       ….     ….        ….   ….
Sue Carlson  900 Market St.  Fairfax  22031  09/15/61  F    Democrat

•Sue Carlson has Aids!
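As an added illustration (not from the slides), the Python below links the two tables above on the attributes they share (DOB, Sex, Zip) to reproduce the re-identification, then checks whether any quasi-identifier combination is unique and applies the kind of generalization the quiz later in this chapter describes (state replaced by region) to make every combination shared by at least two rows. The medical rows and Sue Carlson's voter row are copied from the slide; the second voter row, the generalization rules (birth decade, 3-digit ZIP prefix) and all function names are constructed.

```python
# Medical rows and Sue Carlson's voter row are copied from the slide; "Pat Lee" and the
# generalization rules are constructed for the example.
MEDICAL = [  # de-identified: SSN and Name already removed
    {"race": "Asian", "dob": "09/07/64", "sex": "F", "zip": "22030", "marital": "Married", "health": "Obesity"},
    {"race": "Black", "dob": "05/14/61", "sex": "M", "zip": "22030", "marital": "Married", "health": "Obesity"},
    {"race": "White", "dob": "05/08/61", "sex": "M", "zip": "22030", "marital": "Married", "health": "Chest pain"},
    {"race": "White", "dob": "09/15/61", "sex": "F", "zip": "22031", "marital": "Widow", "health": "Aids"},
]
VOTERS = [
    {"name": "Sue Carlson", "address": "900 Market St.", "city": "Fairfax", "zip": "22031",
     "dob": "09/15/61", "sex": "F", "party": "Democrat"},
    {"name": "Pat Lee", "address": "12 Oak Ave.", "city": "Fairfax", "zip": "22030",   # constructed
     "dob": "01/02/70", "sex": "M", "party": "Republican"},
]
QUASI = ("dob", "sex", "zip")   # attributes both tables share: the quasi-identifiers

def group_sizes(rows, keys=QUASI):
    """How many rows share each combination of quasi-identifier values."""
    sizes = {}
    for row in rows:
        key = tuple(row[k] for k in keys)
        sizes[key] = sizes.get(key, 0) + 1
    return sizes

def link_records(medical, voters, keys=QUASI):
    """Join the two tables on the quasi-identifiers; a voter matching exactly one medical
    row re-identifies that patient and reveals the sensitive Health value."""
    by_key = {}
    for row in medical:
        by_key.setdefault(tuple(row[k] for k in keys), []).append(row)
    hits = []
    for voter in voters:
        matches = by_key.get(tuple(voter[k] for k in keys), [])
        if len(matches) == 1:
            hits.append((voter["name"], matches[0]["health"]))
    return hits

def is_k_anonymous(rows, k, keys=QUASI):
    """Release test: every quasi-identifier combination must be shared by at least k rows."""
    return min(group_sizes(rows, keys).values()) >= k

def generalize(row):
    """Coarsen the quasi-identifiers (like the quiz's state -> region): date of birth to a
    decade and ZIP to its 3-digit prefix. Sex is kept as-is."""
    coarse = dict(row)
    coarse["dob"] = "19" + row["dob"][-2] + "0s"   # "09/07/64" -> "1960s"
    coarse["zip"] = row["zip"][:3] + "**"           # "22030" -> "220**"
    return coarse

if __name__ == "__main__":
    print(link_records(MEDICAL, VOTERS))                                   # Sue Carlson -> Aids
    coarse_medical = [generalize(r) for r in MEDICAL]
    print(is_k_anonymous(MEDICAL, 2), is_k_anonymous(coarse_medical, 2))  # False, True
    print(link_records(coarse_medical, [generalize(v) for v in VOTERS]))  # no unique match
```

Removing SSN and Name did not de-identify the table, because (DOB, Sex, Zip) is unique for every patient and the voter list carries the same three attributes. After generalization each combination is shared by two rows, so even a voter record coarsened the same way matches two patients and no single diagnosis can be attributed to a name.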

 Types of attack
o Direct attack: an aggregate is computed over a small sample, so individual data items are leaked
o Indirect attack: combines several aggregates
o Tracker attack: a type of indirect attack (very effective)
o Linear system vulnerability: takes tracker attacks further, using algebraic relations between query sets to construct equations yielding the desired information


NAME     SEX  RACE  AID   FINES  DRUGS  DORM
Adams    M    C     5000  45     1      Holmes
Bailey   M    B     0     0      0      Grey
Chin     F    A     3000  20     0      West
Dewitt   M    B     1000  35     3      Grey
Earhart  F    C     2000  95     1      Holmes
Fein     F    C     1000  15     0      West
Groff    M    C     4000  0      3      West
Hill     F    B     5000  10     2      Holmes
Koch     F    C     0     0      1      West
Liu      F    A     0     10     2      Grey
Majors   M    C     2000  0      2      Grey

 Direct Attack
o Determine values of sensitive fields by seeking them directly with queries that yield few records
o Request LIST, which is a union of 3 sets:
LIST NAME where (SEX = M AND DRUGS = 1) OR (SEX ≠ M AND SEX ≠ F) OR (DORM = Ayres)
• There is no dorm named Ayres and Sex is either M or F, so the last two sets are empty and the list identifies a single student
o The "n items over k percent" rule helps prevent this attack


Indirect attack: combines several aggregates

Sums of Financial Aid by Dorm and Sex
        Holmes  Grey   West   Total
M       5000    3000   4000   12000
F       7000    0      4000   11000
Total   12000   3000   8000   23000

Students by Dorm and Sex
        Holmes  Grey   West   Total
M       1       3      1      5
F       2       1      3      6
Total   3       4      4      11

• 1 male in Holmes receives 5000
• 1 female in Grey received no aid
o Request a list of names by dorm (non-sensitive); the two amounts can then be tied to named students

2 inference techniques:
- analyzing functional dependencies between attributes within a table or across tables,
- merging views with the same constraints.


 Databases are often protected against delivering small response sets to queries
 Trackers can identify a unique value
o Request the (n) and (n-1) values
o Given n and n - 1, we can easily compute the desired single element
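As an added illustration (not from the slides), this Python runs the slide's direct-attack LIST query and the n and n-1 tracker against the student table above under two query controls: the "n items over k percent" rule, and a query-time inference check that remembers which query sets have already been answered. The table rows are copied from the slide; the rule implementations, their parameters (n = 1, k = 90, minimum set size 2), the predicate functions standing in for WHERE clauses and the QueryAuditor class are constructed.

```python
# Rows copied from the slide; the controls, their parameters and the predicates are constructed.
FIELDS = ("name", "sex", "race", "aid", "fines", "drugs", "dorm")
ROWS = [dict(zip(FIELDS, r)) for r in [
    ("Adams", "M", "C", 5000, 45, 1, "Holmes"),
    ("Bailey", "M", "B", 0, 0, 0, "Grey"),
    ("Chin", "F", "A", 3000, 20, 0, "West"),
    ("Dewitt", "M", "B", 1000, 35, 3, "Grey"),
    ("Earhart", "F", "C", 2000, 95, 1, "Holmes"),
    ("Fein", "F", "C", 1000, 15, 0, "West"),
    ("Groff", "M", "C", 4000, 0, 3, "West"),
    ("Hill", "F", "B", 5000, 10, 2, "Holmes"),
    ("Koch", "F", "C", 0, 0, 1, "West"),
    ("Liu", "F", "A", 0, 10, 2, "Grey"),
    ("Majors", "M", "C", 2000, 0, 2, "Grey"),
]]

def query_set(pred):
    """Records selected by a predicate (a Python function standing in for a WHERE clause)."""
    return [r for r in ROWS if pred(r)]

def withheld(values, n_items=1, k_percent=90):
    """'n items over k percent' rule: withhold the result when the n largest contributors
    account for more than k percent of it. In a count or list every record contributes
    equally, so a single-record result is always 100 percent and is withheld."""
    if not values:
        return True
    total = sum(values)
    if total <= 0:   # e.g. a sum of zero aid: fall back to the share of records
        share = min(n_items, len(values)) / len(values)
    else:
        share = sum(sorted(values, reverse=True)[:n_items]) / total
    return share * 100 > k_percent

def count_query(pred, **rule):
    rows = query_set(pred)
    return None if withheld([1] * len(rows), **rule) else len(rows)

def sum_query(field, pred, **rule):
    values = [r[field] for r in query_set(pred)]
    return None if withheld(values, **rule) else sum(values)

def direct_attack(r):
    """The slide's LIST query; its last two disjuncts are always empty, so it isolates one student."""
    return (r["sex"] == "M" and r["drugs"] == 1) or r["sex"] not in ("M", "F") or r["dorm"] == "Ayres"

def aid_by_dorm_and_sex(**rule):
    """The 'Sums of Financial Aid by Dorm and Sex' table; withheld cells come back as None."""
    return {(sex, dorm): sum_query("aid", lambda r, s=sex, d=dorm: r["sex"] == s and r["dorm"] == d, **rule)
            for sex in ("M", "F") for dorm in ("Holmes", "Grey", "West")}

class QueryAuditor:
    """Inference detection at query time: remembers the query sets already answered and
    refuses a query whose set differs from an earlier one in fewer than min_set records,
    because subtracting the two aggregates would isolate those records."""
    def __init__(self, min_set=2, **rule):
        self.min_set, self.rule, self.answered = min_set, rule, []

    def sum_query(self, field, pred):
        rows = query_set(pred)
        names = frozenset(r["name"] for r in rows)
        if withheld([r[field] for r in rows], **self.rule):
            return None
        if any(0 < len(names ^ earlier) < self.min_set for earlier in self.answered):
            return None   # inference channel detected: deny the query
        self.answered.append(names)
        return sum(r[field] for r in rows)

def tracker(sum_fn, dorm, sex):
    """n and n-1 queries: the dorm total minus the total for the other sex isolates the
    aid of a student who is the only one of that sex in the dorm."""
    whole = sum_fn("aid", lambda r: r["dorm"] == dorm)
    rest = sum_fn("aid", lambda r: r["dorm"] == dorm and r["sex"] != sex)
    return None if whole is None or rest is None else whole - rest

if __name__ == "__main__":
    print("direct attack count:", count_query(direct_attack))                             # None
    print("tracker vs n-over-k rule:", tracker(sum_query, "Holmes", "M"))                  # 5000
    print("tracker vs query auditor:", tracker(QueryAuditor().sum_query, "Holmes", "M"))  # None
```

The per-query rule stops the direct attack (one record is 100 percent of the result) and blanks the three single-student cells of the aid table, but the tracker's two queries each pass it on their own and their difference leaks Adams's 5000. Only the query-time check, which compares each new query set with the sets already answered, notices that the Holmes query and the Holmes-women query differ by exactly one student and denies the second one.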

Two approaches to inference control:
o Inference detection during database design
• Removes an inference channel by altering the database structure or by changing the access control regime to prevent inference
• Often results in unnecessarily stricter access controls that reduce availability
o Inference detection at query time
• Seeks to eliminate an inference channel violation during a query or series of queries
• If an inference channel is detected, the query is denied or altered


Choose the best answer.
(1) The database that stores student exam scores allows queries that return the average score for students coming from various states. Can this lead to an inference attack in this system?
o Yes, depending on how many students come from each state
o No, it is not possible

Choose the best answer.
(2) Assume in (1), the data in the database is de-identified by removing student id (and other information such as names). Furthermore, the field that has the state of the student is generalized by replacing it with the US region (e.g., Midwest). The generalization ensures that there are at least two students from each region. Are inference attacks still possible?
o Yes
o No


 The database is protected by multiple layers of security:
o Firewalls
o Authentication mechanisms
o General access control systems
o Database access control systems

 Database encryption is warranted and often implemented for particularly sensitive data
 There are two disadvantages to database encryption:
• Key management: authorized users must have access to the decryption key for the data. Providing secure keys to selected parts of the database to authorized users and applications is a complex task.
• Inflexibility: when part or all of the database is encrypted, it becomes more difficult to perform record searching.


 Entities in a database encryption scheme:
o Data owner: organization that produces data to be made available for controlled release
o User: human entity that presents queries to the system
o Client: frontend that transforms user queries into queries on the encrypted data stored on the server
o Server: an organization that receives the encrypted data from a data owner and makes them available for distribution to clients


● Used to store lots of sensitive data that can be accessed via programs (queries)
● Access control must be based on operations allowed by databases
● New attacks on databases arise due to their unique characteristics
● Defenses must address such attacks

1. DVWA
o Get important information in the DVWA database, such as tables and user/pass, at the different levels: Low, Medium, High
2. Sqlmap:
o Get important information in the DVWA database: tables, user/pass at the different levels: Low, Medium, High
o Database from another website, e.g.:
• http://testphp.vulnweb.com
3. Other Tools:
o Hackbar (built into the web browser) -> vulnerable website.
