Name: Okelitse Nyathi - Rhodes University · 2007. 6. 24. · due to identity theft escalating as...


Name: Okelitse Nyathi

Topic: Literature Review on “An investigation into the security features of Oracle 10g R2 Enterprise Edition”

Department: Computer Science, Rhodes University

Supervisor: Mr John Ebden


Table of contents

Abstract
1. Introduction
1.1 Database Security
2. Background
3. Products from Oracle
4. Cursors
5. Cursor Snarfing
6. Security Concerns
6.1 Authentication
6.2 Privileges and roles
6.3 Auditing
6.4 Data integrity
6.4 Oracle Software Assurance
7. Summary
8. References


Abstract

The aim of this Literature review is to explore the basic security features offered by the Oracle 10g

Enterprise Edition database as well as to discover the insecurities hidden within the same database.

The introduction section introduces the concept of database security including the reason we have

to protect databases. The background section of the paper summarises the current situation within

the database security which includes the threats posed towards database security.

Oracle 10g database is categorised into five versions and among these I have made a choice of one

on which I will conduct my research. The research product offers good features on authentication,

roles and privileges, auditing and data integrity. The last section describes how Oracle carries out

their software assurance and what the critics of Oracle think about it.


1. Introduction

1.1 Database Security

This is defined by the Wikipedia encyclopaedia as “the system, processes, and procedures that

protect a database from unintended activity.” These may be categorised as authorised misuse,

malicious attacks or inadvertent mistakes made by authorised individuals or processes [Wikipedia (1),

2007].

“At its core, security is all about risk reduction. One of the most effective database security

practices, defence-in-depth, employs multiple layers of protection to reduce the risk of intrusion. It

is analogous to the many defensive layers surrounding a medieval

castle: drawbridge, moat, the outer wall, the inner keep, archers manning the wall, soldiers

stationed outside the wall, etc. No single level of defence is infallible; and yet all of these layers

cannot ensure the castle will be 100% impenetrable. However, these layers of protection can make

the castle (and its crown jewels) less vulnerable to attackers.”…Aaron Newman [Newman A (1),

2007]

Ever since databases were made available on the World Wide Web, their security has been at risk. Their

inclusion on the web was meant to ease their use by users in the fast growing industry of

e-commerce, but little was it known that this would pose serious challenges to Database

Administrators from hackers. “Data hacking dates back to the 1960s” claims the St Petersburg

Times [St Petersburg Times, 2007].

This involves identity theft which is unlawfully using another person’s credentials as yours. Bellah

[Bellah, 2001] defines identity theft as “…the unlawful use of another’s personal identifying

information.” This may include an individual’s name, address, and date of birth, or perhaps biometric

information as well.

According to the Window Security website, there are 4 reasons for identity theft. It can be used by

a malicious user disguised as somebody else to commit crime. Malicious users can also gain profit

by selling people’s identities to others. Some people steal other people’s identities so as to hide from

past experience e.g. crime and debts. Another aspect to identity theft is illegal immigrants who steal

local citizens’ identities to seek employment as well as medication to mention a few

[WindowSecurity.com, 2007].

It is argued that identity theft is one of the biggest threats to the U.S. economy with actual losses

due to identity theft escalating as high as $442 million in 1995, $450 million in 1996 and $745

million in 1997. The growth is tremendous and is expected to reach a height of $2.3 billion in the

near future [Fichtman, 2001].


2. Background

A decade ago, databases used to be physically secure; they used to be housed in central data centres

and not distributed. If an external data access had to be carried out it was mediated and thus it was

very rare for a security flaw to occur [Newman A, 2007]. But databases are now accessible

externally. They are now directly connected to suppliers, customers as well as partners, sharing data

directly. Databases have been configured to be available across the World Wide Web using web

pages to present fast querying by users for example online selling of products. The growing use of

ecommerce and Web application solutions has led to an increased risk of indirect attack on DBMS

from the Internet. These attacks on databases cannot be prevented by barrier defence systems on

the Internet such as firewalls.

The diagram below shows how databases and firewalls may be linked on the Internet. The

problem experienced is that firewalls do not solve all security issues surrounding a database; they

can block some security threats to a database but fail to detect those higher than them in the OSI

model as explained on the diagram below. It is unreasonable to believe attackers cannot get behind

a firewall, thus a layered defence is needed which includes Vulnerability Assessment (involves

reviewing, analysing and even attacking your own database to find security holes) and Intrusion

Detection/Security Auditing [Newman A (1), 2007].

[Figure: “Barrier Defense Is No Longer Enough” (www.appsecinc.com): the Internet, firewalls, VPN and web proxy linking the main office network, remote office network, remote employees and a business partner’s network to the databases (Accounting, Financial, Secret Formula, CRM, HR)]

Fig 1: Firewalls and database [Newman A, 2007]


Recently, attackers have found a way of bypassing the role of the firewall in a database attack. It is

possible to search for Oracle database logins on the Internet and thus avoid dealing with the

firewall by typing in the search string “iSQLplus” in Google’s advanced search engine. This is also

possible in Yahoo as well [Newman A.C, 2007].

Firewalls operate at the network layer of the OSI model (layer 3) and cannot protect the database

against vulnerabilities introduced on higher levels of the OSI model such as SQL Injection which is

in layer 5; see the diagram below [Rowe D, 2006].

Fig 2: The OSI model showing levels in which vulnerabilities work [Rowe D]

It was reported that attackers are now turning their attention from Microsoft to other corporate

products such as Oracle. It was reported that “…the software products developed by Oracle Corp ...

have started to be more and more targeted by hackers” [Softpedia.com, 2007]. Recently, there has

been an allegation by David Litchfield, a researcher from the NGS Software Insight Security

Research (NISR) that Oracle has a big loophole in its security system [Litchfield D (1), 2006]. He

claims to have found a method to hack into the Oracle RDBMS called “Dangling Cursor Snarfing”

in which he manages to access the system password using Dynamic SQL code. This is the chaining

together of SQL commands with user-provided parameters; it is actually the embedding of SQL

commands inside the given parameters [Anley C, 2002]. The researcher argues that the Oracle

RDBMS’s failure to close cursors (a cursor is a control structure for the successive traversal of records in

databases [Wikipedia (2), 2007]) created and used by Oracle DBMS_SQL, or failure to clean up

open cursors in the event of an exception can lead to a security hole [Litchfield D (1), 2006]. An

Oracle member of staff, Natalka Roshak, in the Oracle frequently asked questions gives a good

tutorial about how to manage open and closed cursors [Roshak N, 2005]. If the cursor in question

has been created by higher privileged code and left hanging then it becomes possible for a low

privilege user to snarf (steal or grab a large document or file for the purpose of using it with or

without the author's permission) and use the cursor outside of the application logic that created it.


This leads to data being exposed [Litchfield D (1), 2006]. Furthermore, Litchfield, an associate in

the Microsoft Company, released yet another paper entitled “Which database is more secure? Oracle

vs. Microsoft SQL Server” in which he proves that Oracle RDBMS suffers the most flaws as

compared to Microsoft SQL Server [Litchfield D (2), 2006]. This really leaves a very big question

on the security measures offered by Oracle which is worthy of research.

On the other hand Oracle management acknowledge the discovery but claim that an exploitation of

this type of vulnerability is limited and requires all of the following conditions:

• Direct SQL*Net connection to the database with proper authentication, meaning that one

has to have administrative rights in order to take advantage of the flaw.

• Cursor executed in a package or procedure with Definer Rights

• Use of dynamic SQL via DBMS_SQL, a tutorial has been offered above.

• Cannot alter the parsed SQL statement and can only change bind variable values.

• The cursor is not properly closed in a logic branch or in the event of an exception

[Oracle (1), 2007]

Therefore they claim that based on these conditions for a vulnerability to exist and the type of SQL

statement that could be exploited, this attack is practically a non-issue. They say that there are more

serious issues to worry about in DBMS_SQL than the trivial and highly impractical dangling cursor

snarfing [Oracle (1), 2007].

3. The Products from Oracle and the choice made

The latest release from Oracle is Oracle 10g, and it is in four different versions. There is the

Standard Edition One which can be used by a single user in a small business to a distributed branch

environment. Its disadvantage in large scale industry is that it is limited to only two processors. The

second type is the Standard Edition which offers support for large machines and clustering of

services with real application clusters. Its characteristics might be good for my project but the

problem is that it is only licensed to a single server with a maximum of four processors. The third

version is the Personal Edition which supports single user developments and basically summarises

all the functionality of the Oracle 10g RDBMS into a personalised edition. It has a good advantage

of running on any number of processors but the only shortfall if I were to use it for my project is

that it is restricted to one user. The fourth version is the Express Edition which has an advantage for

its capability to be installed on any size of machine with any number of CPUs but the major

difference is that it is designed for database beginners [Cheveeers S, 2006].


I intend to make my project as close as possible to work environments, to enable me to face the

database security problems faced in the work place. I want it to relate closely to real life and not be

based on assumptions and furthermore I want to produce tangible results that can be used by a

corporation, not just a practical but a project.

This leaves me with one last version which suits my needs, the Enterprise Edition. Oracle claims

it’s the most reliable among the five already stated. It performs secure data management for mission

critical applications, which is most suitable for my project. These include OLTP (On-line transaction

processes) that are the fundamentals for e-commerce since databases are usually useful on the web.

It supports query-intensive data warehouse and demanding internet applications; it also provides

functionality to meet today’s mission-oriented applications for the enterprise. It contains all of

Oracle’s database features and has the ability of adding extra security packs to improve on security.

Enterprise Edition supports all sizes of computers and is not limited to maximum processor count.

And finally, it has the most secure features compared to the other four and is designed for big

corporations [Oracle (2), 2006]. Enterprise Edition R2 also offers a security measure called

Transparent Data Encryption which protects sensitive fields. It also protects data in lost or stolen

backup tapes and contains an Oracle Wallet to store username/passwords [Smith GC, 2005].

4. Terminology

4.1. Cursors

These help to retrieve data from the database by fetching one row at a time, making a

copy each time. A cursor has to be opened and then closed immediately after use; otherwise an exception

in the code may leave the cursor dangling (unclosed). This leaves the database

vulnerable to attack if a low privileged user gains access to this cursor as shown by the new class of

attack “dangling cursor snarfing” demonstrated by Litchfield [Litchfield D (1), 2007].

Technically, a cursor is a name for a structure in memory called a private SQL area which the

server allocates at runtime for each SQL statement. This memory area contains among other things,

a parsed version of the original SQL statement [Pribyl B, Feuerstein S, 2002]. If the host program

uses any variables in the SQL statement, then the cursor also contains the memory address of this

variable.

5. Cursor snarfing

The hacking code is Dynamic SQL on PL/SQL which is Oracle’s primary language for

programming stored procedures which are programs that live and run inside the database server. I

have implemented the code and proved it to be true as specified by [David Litchfield, 2006]; Oracle

indeed has a security hole in case of unattended dangling cursors created by high privileged code. In


a nutshell, a higher privilege database user creates a stored procedure and grants rights to public

(every user on the database); this enables a low privileged hacker to run the procedure and create

an exception which cannot be handled by the dynamic SQL code. This leaves a cursor dangling

(unclosed) if the exception occurred before closing the cursor, and using this cursor value, the

hacker can easily obtain the SYS password.
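
The pattern described in sections 4 and 5, seen from the defender's side, as an added example (not code from Litchfield's paper or from Oracle): a definer-rights procedure that leaves its DBMS_SQL cursor open when an exception fires, beside the same procedure with the cursor closed on every exit path, followed by two dictionary queries for finding code that needs the same treatment. The table app_accounts, the procedure names and the column sizes are hypothetical.

```sql
-- Hypothetical table used by both procedures (constructed for this example).
CREATE TABLE app_accounts (
  username VARCHAR2(30) PRIMARY KEY,
  status   VARCHAR2(10) NOT NULL
);

-- WEAK: definer-rights procedure (the default AUTHID).
-- Any exception raised between OPEN_CURSOR and CLOSE_CURSOR skips the close,
-- so the parsed cursor stays open in the caller's session: a dangling cursor.
CREATE OR REPLACE PROCEDURE account_status_weak (
  p_user   IN  VARCHAR2,
  p_status OUT VARCHAR2
) AS
  c        INTEGER;
  ignored  INTEGER;
  v_status VARCHAR2(10);
BEGIN
  c := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(c,
    'SELECT status FROM app_accounts WHERE username = :u',
    DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(c, ':u', p_user);
  DBMS_SQL.DEFINE_COLUMN(c, 1, v_status, 10);
  ignored := DBMS_SQL.EXECUTE(c);
  IF DBMS_SQL.FETCH_ROWS(c) > 0 THEN
    DBMS_SQL.COLUMN_VALUE(c, 1, v_status);
  END IF;
  DBMS_SQL.CLOSE_CURSOR(c);   -- never reached if anything above raises
  p_status := v_status;
END;
/

-- HARDENED: same logic, but the handler closes the cursor before re-raising,
-- so no exit path leaves it open.
CREATE OR REPLACE PROCEDURE account_status_safe (
  p_user   IN  VARCHAR2,
  p_status OUT VARCHAR2
) AS
  c        INTEGER;
  ignored  INTEGER;
  v_status VARCHAR2(10);
BEGIN
  c := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(c,
    'SELECT status FROM app_accounts WHERE username = :u',
    DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(c, ':u', p_user);
  DBMS_SQL.DEFINE_COLUMN(c, 1, v_status, 10);
  ignored := DBMS_SQL.EXECUTE(c);
  IF DBMS_SQL.FETCH_ROWS(c) > 0 THEN
    DBMS_SQL.COLUMN_VALUE(c, 1, v_status);
  END IF;
  DBMS_SQL.CLOSE_CURSOR(c);
  p_status := v_status;
EXCEPTION
  WHEN OTHERS THEN
    -- c is NULL if OPEN_CURSOR itself failed; only close a cursor we hold.
    IF c IS NOT NULL AND DBMS_SQL.IS_OPEN(c) THEN
      DBMS_SQL.CLOSE_CURSOR(c);
    END IF;
    RAISE;
END;
/

-- Review aid 1: definer-rights units whose source mentions DBMS_SQL, i.e. the
-- code that matches Oracle's stated conditions and needs the handler above.
SELECT DISTINCT s.owner, s.name, s.type
FROM   dba_source s
JOIN   dba_procedures p
       ON p.owner = s.owner AND p.object_name = s.name
WHERE  p.authid = 'DEFINER'
AND    UPPER(s.text) LIKE '%DBMS_SQL.%'
ORDER  BY s.owner, s.name;

-- Review aid 2: sessions that still hold a cursor on the sensitive table.
-- V$OPEN_CURSOR also lists cached cursors, so treat hits as leads to check.
SELECT sid, user_name, sql_text
FROM   v$open_cursor
WHERE  UPPER(sql_text) LIKE '%APP_ACCOUNTS%';
```
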

6. Security concerns

6.1 Authentication

The Wikipedia encyclopaedia defines authentication as the process of attempting to verify the

digital identity of the sender of a communication such as a request to log in. The authenticated body

may be a person using a computer, a computer itself or it may be a program on a computer. It

assures that users are who they claim to be and gives access to legitimate users [Wikipedia (3),

2007]. It is defined in the Information Systems Security’s glossary as “The act of identifying or

verifying the eligibility of a station, originator, or individual to access specific categories of

information….a measure designed to protect against fraudulent transmissions by establishing the

validity of a transmission, message, station, or originator.” [ISS, 2007]

Users of a database have to be authenticated before gaining access to any resources in a database to

prevent malicious users from gaining access to personal and valuable information of other users

which may lead to crimes like identity theft. There is a difference between authentication and

authorisation; authentication verifies a person’s identity whilst authorisation verifies that a person

has privileges of executing certain operations. A user has to be authenticated first and authorised to

execute a task. Users of databases must be discouraged from using default passwords and

encouraged to change their passwords as often as possible. They must also be discouraged from using

common and obvious words for passwords e.g. “oracle” or perhaps user names. Oracle claims that it

allows four failed attempts before an account is blocked, after which the account is locked for a day

or so or may wait to be unlocked by a DBA. On the contrary, another researcher from NGS consultancy

has a whitepaper that proves that Oracle passwords may be tried over and over by brute forcing

which may reach a try of two million passwords a day; now the question to ask is how this is

possible if only a maximum of four tries is adequate to lock up an account [Wright P, 2007].

Oracle also acknowledges that passwords have to have an expiry date and that users have to be

prompted to change their passwords three times before blocking it to avoid unauthorised security

breaches [Oracle (4), 2007]. Moreover, [Stephen S, 2004], who worked for Oracle for more than 13

years, gives a tutorial on passwords on his website which covers how to prompt a user to change

his password. Also on the Oracle website, under the topic “Password aging and expiration”, Oracle


gives a coded example of how they implement a prompt to the user to change password after 90

days as shown below, and also that the account is locked for 30 days if a trial number exceeding 4 is

reached giving no room for over 2 million tries during brute forcing. A database security expert,

Mark Burnett explains that the most obvious way to block brute forcing is to lock accounts but this

can work very well for an attacker. He can cause a denial of service (DoS) by initiating the lock of

a large number of accounts; locking on its own is an indication of an existing account so it can be

used to harvest usernames and also an attacker can disable an account by continuously initiating a

lock each time it is unlocked. Above all most databases cannot lock the DBA account so this can be

a major victim of brute forcing [Burnett M, 2007].

A coded example of Oracle’s password management:

    CREATE PROFILE prof LIMIT
      FAILED_LOGIN_ATTEMPTS 4
      PASSWORD_LOCK_TIME 30
      PASSWORD_LIFE_TIME 90
      PASSWORD_GRACE_TIME 3;

    ALTER USER johndoe PROFILE prof;

[Oracle (4), 2007]

But surprisingly [Stephen S, 2004] says “Even after several years, I've found that my old password

still works on previous projects...” His website shows how Oracle programs safe password

management citing that Oracle provides good facilities to enable users to make very strong

passwords. But according to Paul Wright [Wright P, 2007], Oracle offers a limited sample space of

characters to choose from when designing a password, for example it does not allow the use of ‘$’

and ‘#’ to avoid scripting errors; also passwords cannot start with either ‘_’, ‘$’, ‘#’ or a number

and Oracle’s passwords are not allowed to contain Oracle/SQL keywords like INSERT. As part of

my project, I intend to look further into the issue of passwords in the Oracle database. It is claimed that

the highest source of data insecurity is within the organisation [Kornbrust A, 2005]. Kornbrust comes up

with an important idea; passwords have to be encrypted so that even DBAs who have access to

all data are prevented from accessing it sensibly as shown in the example below. This also prevents

hackers in possession of DBA privileges from accessing valuable data. This is also part of my project to

research on. Initially we have two tables, customer and orders, now a query is made to select all the

elements of the table Customer by the statement “select * from customer”.


If the data is not encrypted we get a result presented below which is clear text which everyone can

read.

If the data has been encrypted we get something as shown below.

As shown above, if the hash table is kept safe, this can be a very good and effective method to

maintain security of passwords for authentication. In this method called safe key management, “The

Oracle customer is responsible for the entire key management” [Kornbrust A, 2005]. The user

decides where to keep the key safe; this may be handling it himself, storing it in the file system or

else keeping it in the database.


6.2 Privileges and roles

Oracle offers privileges to its users. These are rights to execute a particular type of SQL statement

or to access another user’s object. These include session creation i.e. connecting to the database,

creating a table as well as executing another user’s stored procedure. Privileges are granted to

individuals as a necessity to accomplish important tasks. A DBA has to be very careful when

assigning privileges as an excess of these to users unnecessarily can cause a security flaw.

Privileges may be granted to individual users for example John or they may also be bundled

together with others to produce a role and in turn this role is assigned to one or more users e.g.

managers. Because roles allow for easier and better management of privileges, you should normally

grant privileges to roles and not to specific users [Oracle (5), 2007].

At the creation of the database the accounts for SYS and SYSTEM are created and granted all

privileges pertaining to the database as well. SYS can then grant roles and privileges to other users

as well as the privilege to grant other users roles and privileges as well. Roles are meant to ease up

the administration of user systems as well as schema object privileges. Roles make it easy to

manage and assign privileges, rather than give out similar sets of privileges to users individually in

a group; we may assign a role to the group. This saves on time and makes the whole work of

monitoring these privileges a little bit easier. It also lightens the load when making changes to roles,

say we want to change some privileges given to a group of users for security reasons; it is now easier

since a change has to be done on the roles to affect every user than making changes manually and

individually on each and every one of the available users. Roles can also allow some privileges to be

password-protected. It makes it easier for an auditor to audit security breaches e.g. it narrows down

the search criteria if a privilege has been breached since it will be known who owns certain

privileges [Oracle (5), 2007].

Application roles can be assigned so that users are able to run certain applications; these roles can also

be assigned to other users or roles. Assigning roles to roles might pose a security breach since it

becomes difficult to monitor how the roles link up together into a net. The DBA will not be able to

trace out which specific roles were assigned to a user if the role to role network becomes large. If

not carefully monitored a user can have all the available privileges defined in the linked roles to be

able to control the database or even carry out malicious actions on it. These also can be enabled or

disabled, this too, I think can affect other users unnecessarily because if a role is disabled the roles

linked to it are blocked as well including those not intended to be blocked thus negatively impacting

the system. Roles and privileges in Oracle 10g can be granted using the enterprise manager as well


as the SQL statements, GRANT and REVOKE. These can be granted by anybody with the GRANT

ANY ROLE system privilege or anyone granted a role with Administration Options [Oracle (5), 2007].
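
One way to trace a role-to-role network of the kind described above, as an added example (not taken from the Oracle documentation cited here): build a small nested role chain with GRANT, then flatten it with hierarchical queries over the data dictionary. The role names, the user JOHNDOE and the table hr.employee are hypothetical.

```sql
-- Constructed setup: privileges go to roles, roles nest, a user gets the top role.
CREATE ROLE clerk_role;
CREATE ROLE manager_role;
GRANT CREATE SESSION        TO clerk_role;
GRANT SELECT ON hr.employee TO clerk_role;
GRANT clerk_role            TO manager_role;   -- a role granted to a role
GRANT SELECT ANY TABLE      TO manager_role;
GRANT manager_role          TO johndoe;

-- 1. Every role JOHNDOE holds, directly or through other roles, with the
--    chain of grants that leads to it.
SELECT LEVEL AS depth,
       granted_role,
       admin_option,
       'JOHNDOE' || SYS_CONNECT_BY_PATH(granted_role, ' -> ') AS grant_path
FROM   dba_role_privs
START  WITH grantee = 'JOHNDOE'
CONNECT BY PRIOR granted_role = grantee
ORDER  BY depth, granted_role;

-- 2. Effective system privileges: granted directly or inherited through any
--    role in the chain above. GRANTED_VIA shows where each one comes from.
SELECT sp.privilege, sp.grantee AS granted_via, sp.admin_option
FROM   dba_sys_privs sp
WHERE  sp.grantee = 'JOHNDOE'
   OR  sp.grantee IN (SELECT granted_role
                      FROM   dba_role_privs
                      START  WITH grantee = 'JOHNDOE'
                      CONNECT BY PRIOR granted_role = grantee)
ORDER  BY sp.privilege;

-- 3. Effective object privileges reached the same way.
SELECT tp.owner, tp.table_name, tp.privilege, tp.grantee AS granted_via
FROM   dba_tab_privs tp
WHERE  tp.grantee = 'JOHNDOE'
   OR  tp.grantee IN (SELECT granted_role
                      FROM   dba_role_privs
                      START  WITH grantee = 'JOHNDOE'
                      CONNECT BY PRIOR granted_role = grantee)
ORDER  BY tp.owner, tp.table_name, tp.privilege;

-- 4. Who is able to hand roles on to others: holders of GRANT ANY ROLE and
--    anyone holding a role with the admin option.
SELECT grantee, privilege AS can_grant
FROM   dba_sys_privs
WHERE  privilege = 'GRANT ANY ROLE'
UNION ALL
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  admin_option = 'YES';

-- Tightening: one REVOKE on the role changes what every holder can do.
REVOKE SELECT ANY TABLE FROM manager_role;
```
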

6.3. Auditing

Auditing is the monitoring and recording of selected user database actions. It can be based on

individual actions, such as the type of SQL statement executed, or on combinations of factors that

can include user name, application, and time. Security policies can trigger auditing when specified

elements in an Oracle database are accessed or altered, including the contents within a specified

object [Oracle (6), 2007]. Auditing can also be defined as “an independent review and examination

of systems records and activities that test for the adequacy of system controls, ensure compliance

with established policy and operational procedures, and recommend any indicated changes in

controls, policy, and procedures” [ISS, 2007]. Auditing can also be used in Oracle to record failed or

successful attempts on the server. This is useful in being able to know who is attempting to logon to

the database, when an attack is taking place as well as to know if an attack was successful

[Newman A(1), 2007].

Some more uses of auditing are listed below:

• Enable future accountability for current actions taken in a particular schema, table, or row, or

affecting specific content

• Deter users (or others) from inappropriate actions based on that accountability

• Investigate suspicious activity

• Notify an auditor that an unauthorized user is manipulating or deleting data and that the user has

more privileges than expected which can lead to reassessing user authorizations

• Monitor and gather data about specific database activities

• Detect problems with an authorization or access control implementation

[Oracle (6), 2007]

Without real time auditing, a database cannot maintain confidentiality, data integrity and

availability which are very crucial to database security [Newman A (1), 2007].


Basically there are four types of audits rendered by Oracle. There is the statement auditing (this

enables the DBA to monitor all the SQL statements implemented on the database). This could be set

to monitor the actions of a certain user or group. Also this can be divided into two categories, the

DDL and the DML statements. The DDL statements include statements like Audit Table which

audits all Create and Drop Table statements. An example of a DML statement is Audit Select Table

which audits all select…from table as well as view statements.

The second type is called privilege auditing. This audits statements that use a system privilege, such

as SELECT ANY TABLE. For example, when AUDIT SELECT ANY TABLE is in force, all statements

issued by users with the SELECT ANY TABLE privilege are audited. This is more focused as

compared to statement auditing and can as well be set to monitor a single user or a group. Privilege

auditing is triggered when a less privileged user tries to perform action statements that are not

defined in his privilege space. When the clause table is defined in the audit it takes care of Create

table, Alter table as well as drop table. But if Create table instead is defined then the audit can only

audit create table [Oracle (6), 2007].

The third is Schema Object Auditing which enables the DBA to audit specific statements on a

particular schema object e.g. Audit Select On Employee. It audits the select statement and all DML

statements permitted by the schema objects privileges which include the delete statement on a given

table. It also audits the Grant and the Revoke statements which control the select/delete statements.

As can be seen this is a more specific audit and it applies to every user. The fourth one is

Fine-Grained auditing which involves auditing at the most granular level, data access and actions based

on content, using any Boolean measure, such as value > 1,000,000. It enables auditing based on

access to or changes in a column.
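
The four audit types described above, written out as statements together with the dictionary views that show what is switched on and what was recorded, as an added example rather than text from the Oracle documentation. The user johndoe, the table hr.employee, its salary column and the policy name are hypothetical; standard auditing also assumes the AUDIT_TRAIL initialisation parameter is set to DB.

```sql
-- Record failed logon attempts (who is trying to get in, and when).
AUDIT SESSION WHENEVER NOT SUCCESSFUL;

-- 1. Statement auditing.
AUDIT TABLE;                      -- DDL: CREATE TABLE and DROP TABLE (also TRUNCATE TABLE)
AUDIT SELECT TABLE BY johndoe;    -- DML: SELECT ... FROM tables and views, one user only

-- 2. Privilege auditing: statements that rely on a system privilege.
AUDIT SELECT ANY TABLE BY ACCESS;

-- 3. Schema object auditing: named statements on one object, for every user.
AUDIT SELECT, DELETE ON hr.employee BY ACCESS;

-- 4. Fine-grained auditing: audit only when the Boolean condition holds and
--    the named column is touched.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEE',
    policy_name     => 'AUD_HIGH_SALARY',
    audit_condition => 'SALARY > 1000000',
    audit_column    => 'SALARY',
    statement_types => 'SELECT,UPDATE');
END;
/

-- What is currently enabled, one view per audit type.
SELECT user_name, audit_option, success, failure
FROM   dba_stmt_audit_opts;

SELECT user_name, privilege, success, failure
FROM   dba_priv_audit_opts;

SELECT owner, object_name, sel, del
FROM   dba_obj_audit_opts
WHERE  owner = 'HR';

SELECT object_schema, object_name, policy_name, policy_text, enabled
FROM   dba_audit_policies;

-- Reviewing the trail: failed logons, then fine-grained audit hits.
SELECT username, userhost, timestamp, returncode
FROM   dba_audit_session
WHERE  returncode <> 0
ORDER  BY timestamp;

SELECT db_user, timestamp, object_name, policy_name, sql_text
FROM   dba_fga_audit_trail
ORDER  BY timestamp;
```
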

However, auditing has some disadvantages if used excessively (Auditing every action on the

database is good but it has a negative effect on performance) because the constant writing of audits

can create a substantial bottleneck on the disk’s I/O on the server. Also since the auditing data can

be stored in SYS.AUD$, it ends up interacting with database data and sharing disk space which

might result in application downtimes. Above all there is no mechanism to prevent the DBA from

tampering with audit output in case an attacker gains SYS privileges [Newman A (1), 2007].


6.4. Data integrity

Data integrity as defined by Wikipedia encyclopaedia is an act of ensuring that data is whole and

complete, it is the condition in which data is identically maintained during an operation such as a

transfer, storage or retrieval. Another aspect to this field is that data can only be accessed by

authorised individuals. Data integrity in a relational database is concerned with accuracy,

correctness and validity of data [Wikipedia (4), 2007].

In Oracle, data is encrypted to keep it safe. It uses a method called Transparent Data Encryption.

TDE is very useful for simple and easy encryption of sensitive data in table columns that the user

does not want anyone to see. The encryption and decryption of data is handled by the database

instead of users and applications. An external file named ewallet.p12 is used to store the encryption

keys; this location, similar to auditing trail storage, can be in the Operating System or it can be

specified in the sqlnet.ora file [Dewri A, 2007]. Now imagine a case whereby a whole drive of

data gets stolen with all people’s valuable information, the disk can easily be mounted on a similar

server with the same operating system and wiped out of data. Consider the case of a rogue DBA

who penetrates perimeter protection in the daily course of business and then downloads sensitive

customer information. This only shows that authentication is debatable. If not carefully monitored, a

DBA can be the most dangerous attacker since he controls all the database activities such as audits

that are meant monitored security on the database [Newman A (1), 2007, p5] Oracle compares this

security scheme, TDE as layers that a hacker has to go through in order to get access to data. First

the hacker has to by pass the firewall protecting the database then he has to deal with the

authentication and authorisation process of the data base. Although this far, the hacker cannot see

the data because it is encrypted, it does not make sense to a user who does not know the hash

functions [Oracle (7), 2007]. TDE is a valuable feature for organizations that need high security; it

supports encryption while putting the complexity of key management in the hands of the database

engine. This also is a good measure because even the DBA who monitors data does not get to see

the actual data he is managing, cutting down the risk to data [Dewri A, 2007].

TDE allows the user to encrypt a certain portion of the data so as to use a simple hashing function, as compared to encrypting the whole of the data (which is possible) at the expense of a complex and unpleasant hashing function. This is done simply by declaring a column as encrypted. It works by TDE generating a key for a specific table and a master key that can be set at the database level. The key for the table is encrypted with the master key, which is required to obtain the table key. Consequently, the master key as well as the table key is required to decrypt encrypted data, as shown below [Oracle (6), 2007].


Fig 3: The master and the table key

Data that has been encrypted can only be viewed after decryption by an authorised user. To use TDE, a user must have the "alter system" privilege and a valid password for the Oracle wallet.
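The TDE steps described in this section, written out for Oracle 10g R2 as an added example that is not part of the original review. The wallet directory, wallet password, table and column names are placeholders.

```sql
-- sqlnet.ora entry that tells the database where ewallet.p12 lives
-- (not SQL, shown as a comment; the directory is a placeholder):
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)
--       (METHOD_DATA = (DIRECTORY = /path/to/wallet)))

-- 1. Create the master key. Needs the ALTER SYSTEM privilege; the
--    password given here becomes the wallet password.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password_placeholder";

-- 2. Declare a column as encrypted. The database generates one key for
--    the table and stores it encrypted under the master key.
CREATE TABLE customer_cards (
  customer_id  NUMBER PRIMARY KEY,
  holder_name  VARCHAR2(100),
  card_number  VARCHAR2(19) ENCRYPT
);

-- An existing column can be encrypted later; it uses the same table key.
ALTER TABLE customer_cards MODIFY (holder_name ENCRYPT);

-- 3. List which columns are actually encrypted and with which algorithm.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns;

-- 4. The master key is only usable while the wallet is open. Closing it
--    shows the dependency: the query fails with
--    ORA-28365: wallet is not open.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
SELECT card_number FROM customer_cards;

-- 5. Open the wallet again (also needed after every instance restart).
ALTER SYSTEM SET ENCRYPTION WALLET OPEN
  IDENTIFIED BY "wallet_password_placeholder";

-- 6. Generate a new table key; the data is re-encrypted and the new key
--    is again stored under the master key.
ALTER TABLE customer_cards REKEY;

-- While the wallet is open, decryption is transparent to any session
-- with SELECT on the table, so object privileges and auditing still
-- decide who reads the plaintext.
```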

7. Oracle’s Software Security Assurance.

Security features which include access control, user authentication, data encryption, and audit

support have become important software buying criteria. A survey carried out shows that security is

the number one priority where new IT investment is planned [Heimann J, 2006]. This only shows

how valuable security is in the IT industry.

This depends on secure system designs being implemented, and on development and support processes that prevent the introduction of security flaws into the system and limit the damage caused. Heimann [Heimann J, 2006] defines security flaws as “errors on the software that allow unauthorised access to data or system resources”. Intruders usually use these security flaws to their advantage, gaining access to valuable information through privileged means. These flaws allow invaders to bypass even the toughest security measures that have been put in place. Oracle defines a secure system as one which not only offers secure features but also prevents security flaws, which can be fatal to the system even if the best security measures have been enforced. In the white paper by Heimann [Heimann J, 2006], Oracle claims that their products contain some security assurance features that help prevent security flaws. In contrast to this, Litchfield [Litchfield D (2), 2006] compiled a paper in November last year entitled “Which database is more secure? Oracle vs. Microsoft” in which he shows in tabular form the heights reached by Oracle’s flaws as compared to those of Microsoft SQL Server 2005 [David Litchfield (2), 2006].

The graphs are shown below.


The graph simply shows that in the past two years Oracle has experienced more security flaws than MS SQL Server 2005; this is in direct contrast to the claim made by Heimann [Heimann J, 2006]. Oracle boasts of working with the CIA for a long time protecting their confidential data, and that ever since, customers have relied on Oracle to protect their sensitive and mission-critical data. But when one considers the security flaws Oracle has incurred, the claim of it being the most trusted database raises eyebrows. Oracle also claims to possess highly trained personnel who undergo intense coding training and who ensure that products are developed with consistently high security assurance to avoid common insecure coding practices. Now, a company responds to the discovery of a security flaw by offering a patch to rectify the issue. One may ask: if Oracle programs so well, why do we need a whole lot of patches to botch up the system? Furthermore, Oracle has made claims that its production team makes use of lessons learned from continual vulnerability testing and the assessment of previous flaws [Heimann J, 2007]. An independent researcher, Litchfield [Litchfield D (2), 2006], claims in his paper that the reason why Oracle suffers more security flaws than MS Server 2005 is that they do not practise the Security Development Lifecycle (SDL), which involves learning from previous flaws to solve the current ones. He argues further that the other reason is that Oracle does not understand the problem they are trying to solve, which is evident from his research results. There has also been news about customers complaining about the number of patches they have to install; recently Oracle patched 82 critical flaws [SearchSecurity.com, 2007]. Oracle further claims its team undergoes the basic training and that their products are thoroughly tested by multiple development teams to assure consistency in the product before dispatch. Heimann [Heimann J, 2006] states that they take their products for external inspection by independent bodies, e.g. the US government. Despite all this technical support Oracle has on its products, research has it that their products seem to experience the same problems over and over. With all this information stated above, I am going to look at and test the security features offered by Oracle and, above all, where possible try to come up with solutions to the problems.


8. Summary

The above sections covered a good portion of the security features that Oracle can offer. They also gave the views of customers and researchers on the security of Oracle. Database security is crucial to the safety of a user’s personal data, which includes credit card numbers, bank details and medical details. Identity thieves target these for personal gain. This may be to commit crime, to hide one’s identity because of past experience, or to sell to illegal immigrants who want to seek employment in a particular country. Firewalls on their own are not capable of protecting the database from all the malicious activities of attackers. The fact that they are in layer 3 of the OSI model means that they can protect against any intruder activity that is in layer 3 and below. For example, SQL injection occurs in the application layer, which is layer 5, so it can never be blocked by a firewall. Also, to show that firewall security is not enough, intruders are now using certain phrases in search engines to bypass firewalls and perform their hacking directly on the database, thus cutting the time and effort needed in their hacking practice.

Databases would be safe if they were to remain isolated and not be connected to the Internet. The need for e-commerce drove databases to be included on the Internet, but this good cause has brought about serious security breaches that database administrators have to fight against. Besides external hacking, the major threat to data has been discovered to be within an organisation, especially individuals who have full access to database resources as well as full control of all its activities. A proper database that is concerned about user data security has to offer protection against both malicious external and internal attackers of the database.

In its 2005 release of the Oracle 10g Database, Oracle released more than one version of the database. The five versions are Standard Edition, Standard Edition One, Express Edition, Personal Edition and Enterprise Edition. The database used for my project is the Enterprise Edition because of its security features, which are better than those of the rest; in fact it is said to contain all the features possessed by all the other versions, and it enables a user to add to the already available security features using security packs. It also contains a function called Transparent Data Encryption that protects the data in case a data disk is lost. This it does by use of a master key and a table key.

When a cursor is used in a procedure it has to be closed to protect the database. A new security flaw has been discovered in Oracle whereby a low-privileged user gains access to a closed cursor, which he uses to attack a database, gaining the SYS password, which in turn enables him to abuse the database as much as he likes.

Oracle offers different forms of security. These include authentication, which is making sure that users are who they claim to be. Another feature is called privileges and roles, which monitor “who does what.” Roles are a bundle of privileges that are given to an individual or a group so that it becomes easier to monitor, assign or suspend rights that have been issued. Auditing helps the security officer to monitor all the actions that are executed on the database; this includes failed and successful attempts to log on to a database. It helps to detect any activities performed by an attacker by keeping a record of desired actions performed. Data integrity is meant to enforce that data is maintained in the desired state; it guards against illegal access, alteration or extraction of data by intruders. It helps keep data constant. It also includes the process of Transparent Data Encryption, which is described above. Software assurance describes the stages and efforts that are taken by a software developer to make sure that the software is of the highest quality.

9. References

1. Anley C, Advanced SQL injection [Online]. Available: http://www.nextgenss.com/papers/advanced_sql_injection.pdf, 2005, accessed on 06/2007

2. Bella J, Training: Identity theft, Law and Order, 49(10), p 222, 2001

3. Burnett M, Blocking Brute Forcing Attacks, System Administration Database, http://www.cs.virginia.edu/~csadmin/gen_support/brute_force.php?PHPSESSID=cc5a284c182df495f0e00a76fd1115c0, 2007, accessed on 06/2007

4. Cheveers S, The Oracle Database Product Family, Oracle Corporation, 2006

5. Dewri A, Transparent data Encryption, http://hosteddocs.ittoolbox.com/AD082605.pdf, 2007

6. Fitchman P, Preventing credit card fraud and identity theft: A primer for online merchants, Information Systems Security, p 52-59, 2001

7. Heimann J, Introduction to Oracle Access Manager, Oracle Corporation, 2006

8. ISS, Glossary.pdf, http://www.infosectoday.com/Articles/Glossary.pdf, 2007, accessed on 06/2007

9. Kornbrust A, Circumvent Oracle’s Database Encryption and Reverse Engineering of Oracle Key Management Algorithms, http://www.red-database-security.com/wp/oracle_circumvent_encryption_us.pdf, 2005, accessed on 05/2007

10. Litchfield D (1), Dangling cursor snarfing: a new class of attack in Oracle, NGS Insight Security Research Publication, 2006

11. Litchfield D (2), Which database is more secure? Oracle vs. Microsoft, NGS Insight Security Research Publication, 2006

12. Newman A, Hack-proofing databases, http://www.appsecinc.com/presentations/oracle_security.pdf, 2007, accessed on 06/2007

13. Newman A (1), Database Activity Monitoring: Intrusion Detection & Security Auditing, http://www.itsec.gov.cn/webportal/download/2005_DAM_wp82305.pdf, 2007, accessed on 06/2007

14. Newman A.C, Search Engines Used To Attack Databases (whitepaper), CTO & Founder, Application Security, Inc, http://www.appsecinc.com/presentations/Search_Engine_Attack_Database.pdf, 2007, accessed on 06/07.

15. Oracle (1), Risk associated with cursor snarfing, www.integrity.com/oracle-security-blog/archive, 2007

16. Oracle (2), Oracle Database 10g Enterprise Edition, http://www.oracle.com/database/index.html, 2006, accessed on 05/2007

17. Oracle (4), Oracle Database Security Guide 10g R2 (7.3.1.1.1 Password security), http://download-uk.oracle.com/docs/cd/B19306_01/network.102/b14266/toc.htm, 2007

18. Oracle (5), Roles and privileges, http://download-uk.oracle.com/docs/cd/B19306_01/network.102/b14266/authoriz.htm#sthref429, 2007

19. Oracle (6), auditing (Oracle database security guide 10g R2), http://download-uk.oracle.com/docs/cd/B19306_01/network.102/b14266/index.htm, 2007

20. Oracle (7), Data Encryption, http://www.oracle.com/technology/amag/oracle/05-jan/o15security.html

21. Priorbyl B, Feuerstein S, 2002, Learning Oracle PL/SQL, O’Reilly & Associates, Inc, USA, 2002

22. Roshak N, Monitoring Open and Cached Cursors, http://orafaq.com/node/758, 2007, accessed on 05/2007

23. Rowe D, An analysis of SQL injection prevention using a filter proxy server, University of Rhodes, p 7, 2005

24. SearchSecurity.com, Oracle patches 82 critical flaws, http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1159895,00.html, 2007, accessed on 05/2007

25. Smith GC, Oracle Database 10g Release 2: A Revolution in Database Technology, Oracle Corporation, p 15, 2005

26. Softpedia.com, Toying with Microsoft’s breaches is no longer fun, http://news.softpedia.com/news/Toying-with-Microsoft-s-breaches-is-no-longer-fun-for-hackers-1603.shtml, 2007, accessed on 06/2007

27. Stephens S, Oracle Tip: Use profiles to create a password management policy, http://builder.com.com/5100-6388-5224412.html, 2004, accessed on 05/2007

28. St Petersburg Times, A history of hacking, http://www.sptimes.com/Hackers/history.hacking.html, 2000, accessed on 05/2007

29. Wikipedia (1), database security, www.wikipedia.org/databasesecurity/, 2007, accessed on 05/2007

30. Wikipedia (2), Cursor (databases), http://en.wikipedia.org/wiki/Cursor_%28databases%29, 2007, accessed on 05/2007

31. Wikipedia (3), Authentication, http://en.wikipedia.org/wiki/Authentication, 2007, accessed on 05/2007

32. Wikipedia (4), data integrity, www.en.wikipedia.org/dataintegrity/, 2007

33. WindowSecurity.com, Avoiding identity theft (whitepaper), http://www.windowsecurity.com/whitepaper/Avoiding-Identity-Theft.html, 2007, accessed on 06/2007

34. Wright P, Oracle Passwords and Orabrute, NGS Insight Security Research Publication, 2007