
Database Security

7.4 Conclusion

7 Database Security 99

one to identify and combine necessary components so that they can together provide a comprehensive solution to integrity control and management.

7.3.3 Securing Web-Enabled Databases

With the recent advancement of Internet technologies and adoption of Web-based applications for e-commerce by organizations, more and more internal databases are now being accessed by users outside the organization. Though access is not direct and is usually mediated by application programs, the security risks associated with opening up internal databases to untrusted users in the public domain are still significant.

One of the most common ways to attack a database through a web application is SQL injection. SQL injection can be defined as an attack technique used to exploit Web applications that construct SQL statements from user-supplied input. Web applications traditionally use user-supplied input to create custom SQL statements for dynamic Web page requests. Problems occur, however, when an application fails to properly sanitize user-supplied input, which makes it possible for an attacker to alter the construction of back-end SQL statements. When an attacker is able to modify a SQL statement, the process runs with the same permissions as the component that executed the command (e.g. database server, Web application server, Web server, etc.).

The impact of this attack can allow attackers to gain control of the database or even execute commands on the system.
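The mechanism described above, shown as an added example written for this page (not code from the chapter): the same lookup built by concatenating user input into the SQL text and, beside it, with the value bound as a parameter, run against a constructed in-memory SQLite table. The concatenated form lets a quote character rewrite the WHERE clause, and it also fails on a legitimate name containing an apostrophe; the bound form compares the whole string as data in both cases.

```python
import sqlite3

# Constructed in-memory sample table; the rows are made up for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff"), ("O'Keeffe", "staff")])
    return conn

def lookup_vulnerable(conn, name):
    """Builds the statement by concatenating user input into the SQL text.
    A quote character in the input changes the structure of the statement."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    """Sends the statement and the value separately; the driver binds the value
    as data, so quote characters in it can never alter the statement."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def vulnerable_raises(conn, name):
    """True if the concatenated statement is no longer valid SQL for this input."""
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"   # constructed input containing a quote character
    print(lookup_vulnerable(db, "bob"))          # [('bob', 'staff')]
    print(lookup_vulnerable(db, crafted))        # every row: the WHERE clause was rewritten
    print(vulnerable_raises(db, "O'Keeffe"))     # True: a legitimate apostrophe breaks the statement
    print(lookup_parameterized(db, crafted))     # []: the whole string is compared as data
    print(lookup_parameterized(db, "O'Keeffe"))  # [("O'Keeffe", 'staff')]
```

The second half of the example also shows why blocking quote characters outright, as a sanitizing filter might, rejects legitimate input: parameter binding is the fix that needs no such filter.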

To date, no satisfactory solutions have been proposed to mitigate or detect such attacks on databases. One reported approach is an automated universal server-level solution (AUSELSQI) proposed by Abdulkader et al. [37]. Their solution operates at the Web-server level by intercepting browser requests containing SQL queries. It then inspects the SQL query string for the presence of some known special characters that are indicative of a SQL injection attack.

A SNORT-like signature-based scheme is described by Mookhey et al. [38].

However, as shown in the paper by Imperva [39], most of these signatures can be evaded by exploiting the richness of SQL that allows multiple ways to achieve the same result.

100 E. Bertino, J.W. Byun, A. Kamra

References

1. B. Iyer, S. Mehrotra, E. Mykletun, G. Tsudik, and Y. Wu. A framework for efficient storage security in RDBMS. In Proceedings of 9th International Conference on Extending Database Technology (EDBT), March 2004.

2. E. Bertino, D. Leggieri, and E. Terzi. Securing DBMS: Characterizing and detecting query flood. In Proceedings of 9th Information Security Conference (ISC), September 2004.

3. National Security Telecommunications and Information Systems Security Committee. The insider threat to U.S. government information systems, July 1999.

4. F. Schneider, editor. Trust in Cyberspace. National Academy Press, 1999.

5. Oracle Corporation. Oracle Database Security Guide 10g Release 2, June 2005. Available at www.oracle.com.

6. C. Kaufman, R. Perlman, and M. Speciner. Network Security: Private Communication in a Public World. Second Edition, Prentice Hall, 2002.

7. E.B. Fernandez, R.C. Summers, and T. Lang. Database Security and Integrity. Addison-Wesley, 1981.

8. P.G. Griffiths and B. Wade. An authorization mechanism for a relational database. ACM Transactions on Database Systems, 1(3):242–255, 1976.

9. R. Fagin. On an authorization mechanism. ACM Transactions on Database Systems, 3(3):310–319, 1978.

10. E. Bertino, S. Jajodia, and P. Samarati. An extended authorization model. IEEE Transactions on Knowledge and Data Engineering, 9(1):85–101, 1997.

11. R. Sandhu, E.J. Coyne, H.L. Feinstein, and C.E. Youman. Role-based access control models. Computer, 29(2):38–47, 1996.

12. R. Thomas and R. Sandhu. Task-based authorization controls (TBAC) models for active and enterprise-oriented authorization management. Database Security XI: Status and Prospects, pages 262–275, 1998.

13. D. Ferraiolo, R. Sandhu, S. Gavrila, R. Kuhn, and R. Chandramouli. Proposed NIST standard for role-based access control. ACM Transactions on Information and System Security, 4(3):224–274, 2001.

14. E. Bertino, C. Bettini, E. Ferrari, and P. Samarati. An access control model supporting periodicity constraints and temporal reasoning. ACM Transactions on Database Systems, 23(3):231–285, 1998.

15. Oracle Corporation. The Virtual Private Database in Oracle9iR2: An Oracle Technical White Paper, January 2002. Available at http://www.oracle.com.

16. R. Sandhu and F. Chen. The multilevel relational data model. ACM Transactions on Information and System Security, 1(1):93–132, 1998.

17. S. Jajodia, R. Sandhu, and B. Blaustein. Solutions to the polyinstantiation problem. Information Security: An Integrated Collection of Essays, 1994.

18. O. Sami Saydjari. Multilevel security: Reprise. IEEE Security and Privacy, 2004.

19. E. Bertino, S. Castano, and E. Ferrari. Securing XML documents with Author-X. IEEE Internet Computing, 5(3):21–30, 2001.

20. OASIS Consortium. eXtensible Access Control Markup Language (XACML) Committee Specification, Version 1.1, 2000. Available at: http://www.oasis-open.org/committees/xacml/.

21. S. Rizvi, A. Mendelzon, S. Sudarshan, and P. Roy. Extending query rewriting techniques for fine-grained access control. In Proceedings of ACM SIGMOD Conference, June 2004.

22. F. Rabitti, E. Bertino, W. Kim, and D. Woelk. A model of authorization for next-generation database systems. ACM Transactions on Database Systems, 16(1):88–131, 1991.

23. B. Thuraisingham. Mandatory security in object-oriented database systems. In Proceedings of International Conference on Object-Oriented Programming Systems, Languages, and Applications (OOPSLA), 1989.

24. IBM. DB2 Information Center. Available at http://publib.boulder.ibm.com/infocenter/db2luw/v8//index.jsp.

25. MySQL. MySQL 5.1 Reference Manual, 2006. Available at http://dev.mysql.com/doc/refman/5.1/en.

26. ANSI. American national standard for information technology – role based access control. ANSI INCITS 359-2004, February 2004.

27. R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu. Order-preserving encryption for numeric data. In Proceedings of ACM SIGMOD Conference, 2004.

28. S. Axelsson. Intrusion detection systems: A survey and taxonomy. Technical Report 99-15, Chalmers Univ., March 2000.

29. E. Bertino, A. Kamra, and E. Terzi. Intrusion detection in RBAC-administered databases. In Proceedings of Annual Computer Security Applications Conference (ACSAC), 2005.

30. R. Sandhu. On five definitions of data integrity. In the IFIP WG11.3 Workshop on Database Security, 1993.

31. E. Bertino and R. Sandhu. Database security – concepts, approaches, and challenges. IEEE Transactions on Dependable and Secure Computing, 2005.

32. R. Sandhu and S. Jajodia. Integrity mechanisms in database management systems. In NIST-NCSC National Computer Security Conference, 1990.

33. D.D. Clark and D.R. Wilson. A comparison of commercial and military computer security policies. In IEEE Symposium on Security and Privacy, 1987.

34. M. Bishop. Computer Security: Art and Science. Addison-Wesley, 2003.

35. K.J. Biba. Integrity considerations for secure computer systems. Technical Report TR-3153, Mitre, 1977.

36. R. Ramakrishnan and J. Gehrke. Database Management Systems. McGraw-Hill, 2000.

37. A.A. Alfantookh. An automated universal server level solution for SQL injection security flaw. In Proceedings of International Conference on Electrical, Electronic and Computer Engineering (ICEEC), 2004.

38. K.K. Mookhey and N. Burghate. Detection of SQL Injection and Cross-site Scripting Attacks, 2003. Available at http://www.securityfocus.com/infocus/1768.

39. Imperva. SQL injection signatures evasion. Technical report, 2004.

40. B.M. Thuraisingham, W. Ford, M. Collins, and J. O'Keeffe. Design and implementation of a database inference controller. Data Knowledge Engineering, 11(3):271–285, 1993.

41. D.E. Denning. Secure statistical databases with random sample queries. ACM Transactions on Database Systems, 5(3):291–315, 1980.

42. D.E. Denning and J. Schlörer. A fast procedure for finding a tracker in a statistical database. ACM Transactions on Database Systems, 5(1):88–102, 1980.


In the document Data-Centric Systems and Applications (pages 112-115)