
Commercial Database Security Issues

James Hamilton
JamesRH@microsoft.com
Microsoft SQL Server
2002.10.16

Agenda

- Introduction
  - Growing Problem: S/W security
  - DB Security: the Battleground shifts
  - Evolving DB Threat Environment
- DB Attacker Toolkit: Well Armed
- Who Cracks Databases?
- Attack Vectors: How are DBs cracked?
  - 7 DB Attack Examples
- Defense Mechanisms:
  - DB Developers & Administrators
  - DB Implementers

Growing Problem: S/W Security

- Survivability: the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, and accidents (Lipson, Howard & Fisher, 1999)
- Survivability challenge:
  - Previous focus primarily on S/W failure, human error, & natural disaster
  - Primary security measure was physical: keep external bad guys away
  - Protection against insiders primarily via legal protection & data isolation
- Industry shifts:
  - Shift from mediated access to direct application access: vendors, customers, & partners
  - Shift from central admin to distributed
  - Shift from a survivability focus that largely ignored security to security being the prime concern

Cracking Not a New Phenomenon

- 1981: Kevin Mitnick (Condor) cracks LA School System & PacBell, steals passwords
- 1992: 414 Gang cracks Los Alamos & cancer center
- 1983: Mitnick (Condor) cracks Pentagon computers
- 1984: Kevin Poulsen (Dark Dante) cracks into ARPAnet
- 1986: Pakistani Brain virus: 1st malicious virus
- 1996: Chaos Computing Club hacks LBL
- 1987: Jerusalem virus: 1st virus infecting files
- 1988: Robert Morris releases 1st internet worm
  - Sendmail buffer overrun; over 6,000 systems infected
- 1988: Mitnick cracks MCI DECnet, steals VMS source code
- 1989: Fry Guy cracks McDonalds: credit cards and $6,000 in cash and product
- 1991: Michelangelo virus
- 1991: Justin Petersen (Agent Steal) cracks bank computer & transfers funds
- 1992: Morty Rosenfeld (Storm Shadow) cracks TRW: credit card reports and numbers
- 1994: Richard Pryce (DataStream Cowboy) cracks USAF Rome Lab, …
- 1994: Vladimir Levin cracks Citibank network

Source: Bill Wall, Harris Computer Corp

Incidents Reported

- CERT/CC incident statistics 1988 through 2002
- Incident: single security issue grouping together all impacts of that issue
  - e.g. LoveLetter worm defined to be a single "incident"
- Issue: disruption, DOS, loss of data, misuse, damage, loss of confidentiality

[Chart: CERT/CC incidents reported per year, 1988 through 2002; vertical axis 0 to 80,000]

Source: http://www.cert.org/stats/cert_stats.html

Particularly Damaging Attacks

- Love Bug worm: damages estimated at $8.75 billion
- Code Red virus: infected 1 million machines; damages estimated at $2.6 billion (newer estimates much higher)
- SirCam virus: infected 2.3 million machines; damages $1.2 billion
- Klez virus: infected 900,000 machines
- Nimda virus: damages estimated at $700 million

Source: Bill Wall, Harris Computer Corp

S/W Security Problem

- O/S security alerts since Jan 2002 (www.securitytracker.com):
  - Windows: 636
  - Linux: 759
- Paradoxically under-invested:
  - "Less than 0.0025% of corp revenue invested in security"
  - "If you spend more on coffee than on IT security, then you will be hacked"
  - Source: Richard Clarke, Special security advisor to the president, 2002
- Problem gaining recognition:
  - 90% detected computer security breaches over the last year
  - 80% acknowledged financial losses due to breaches
  - 34% reported the intrusions to law enforcement
  - Source: 2002 Computer Crime & Security Survey, Computer Security Institute
- Investment situation improving:
  - Intrusion detection & vulnerability assessment market: $1B by 2003 with CAGR of 34% (Source: IDC 2001)
  - Authentication, Authorization, & Administration: $2.8B in 2000, CAGR of 28% growing to $7.7B (Source: IDC 2001)

DB Security: Battleground Shifts

- Most apps of value have persistent data
  - Data valuable to a company, organization, or even individual typically also has value to others
- Information is becoming the most valuable asset in many industries
  - E.g. Charles Schwab & Wal-Mart both identify management of the information asset as a key competitive advantage
- Even ephemeral data has significant value, when trends are analyzed and understood:
  - Decreased storage & data management costs enable it
  - Competitive pressure demands it
- Where there is value, there are bad guys
  - And professional services guys, and press guys, & industry analysts, …
- Battleground evolving to include the database
  - "Port 1433 [SQL Server] regularly registered as one of the top scan ports in the Internet Storm Center" (Source: http://www.sans.org/top20)

Evolving DB Threat Environment

- A decade ago, databases were:
  - Physically secure
  - Housed in central data centers, not distributed
  - External access mediated through customer service reps, purchasing managers, etc.
  - Security issues rarely reported
- Now DBs are increasingly externally accessible:
  - Suppliers directly connected
  - Customers directly connected
  - Customers & partners directly sharing data
- Data is the most valuable resource in the application stack
  - Value increases with greater integration & aggregation
  - Opportunities for data theft, modification, or destruction
- DB security a growing problem:
  - 101 DB alerts since January 2001 (www.securitytracker.com)
  - Two database issues on the SANS/FBI top 20 list (http://www.sans.org/top20/)

DB Attack Toolkit: Well Armed

- Brute force & dictionary-based password crackers
- Network sniffers and port scanners
- Object code de-compilers
- Application source code often (illegally) available
- Quality debuggers
  - Symbols typically available for problem determination
- Leveraging cracked systems:
  - Credentials: leverage & escalate by steps
  - Compute power: host distributed denial of service
- DB security/cracking tools & consulting:
  - NGSSoftware (http://www.nextgenss.com/)
  - Internet Security Services (http://www.iss.net/)
  - Application Security Inc. (http://www.appsecinc.com)
  - And many others…
- Community shared resources:
  - Exploit, risk, & data sharing in the community
  - E.g. NTBugTraq (http://www.ntbugtraq.com/)

Who Cracks DBs?: A Tale of Two Crackers

- Who cracks DBs?
  - Black Hats in search of gain or damage
  - Security professional services
  - Individuals in search of fame
- I encounter many of these folks, although typically not black hats
  - They don't often report issues to a vendor
- Most commercial DB security issues are not found in operational systems
- Examples from people I've worked with:
  1. Consulting Firm, a company establishing their name as security experts
  2. Individual, a programmer making a mark in security circles

Who Cracks DBs?: Consulting Firm

- A security-focused professional services company
  - They sell security services to customers and, when not billing, crack software
  - Shows that there really is a security problem out there, to attract customers
  - Shows potential customers that they are security experts
- Most professional security services companies are responsible
  - Can't afford to be perceived as Black Hats by potential customers
  - Usually give time for problems to be fixed before disclosure
- Some learn that it's easier to attempt to bill DB vendors directly
  - Looks to me a lot like "selling protection"
- Extract from a recent note from Consulting Firm:
  "… FictitiousInc have now considered that building successful business relationships with companies such as yourself and Oracle, outstrips the private vulnerability research. We are very much more keen to go down this path, if this means not talking about a specific product fine. There are many many more products out there IBM for starters :) …"
- Some responsible, some less so, but generally helping customers by finding issues yielding product fixes
- Issues found often contrived but not without value

Who Cracks DBs?: An Individual

- Overview of this system cracker:
  - Living outside the US
  - Attending college studying Computer Science
  - Working as a database application developer
  - More productive than most full-time software testers
  - Communicates with me via Instant Messaging
  - Generally principled:
    - wants fame
    - wants security bugs fully disclosed
    - wants a security S/W related job
    - not trying to get "bought off" by industry
- Many people are less highly principled:
  - Not all are just looking for fame rather than financial gain
  - Skills appropriate for the full spectrum from information theft, vandalism, through terrorism
  - Many live in other jurisdictions
  - Visibility of Black Hat numbers difficult

DB Attack: Admin Error

- Impossible to cover all forms of attack
  - Numerous, and some not yet known
  - We'll sample the attack space
- Administrative error
  - No system administrator password and database unprotected on the public network
  - SQL Server worm (Spida) based upon this issue
  - Old versions of SQL allowed a null SA password on installation
  - SQL2000 fixed this, but many upgrades retain the blank PW
  - SQL2000 Service Pack 3 prompts for a non-null SA password
- Lessons:
  - Default install must be secure
  - Databases should never be directly on the public net
  - DBs should enforce a strong password policy

DB Attack: Buffer Overrun

- Any command that takes an argument or bounded buffer has overflow risk
- Overflow data can be crafted to include executable code, but how to force execution?
  - Stack smashing
  - Register hijacking
  - Local pointer subterfuge
  - V-Table hijacking
  - C++ EH clobbering
  - SEH clobbering
  - Parameter pointer subterfuge
- Let's look at some examples

DB Attack: Buffer Overrun Exploits

- x86 stacks grow downward
- Buffer overrun on the stack can rewrite:
  - Return address
  - Frame pointer
  - EH frame
- Exploit usually involves privilege escalation

[Diagram: stack frame layout with labelled regions: previous function's stack frame, function arguments, return address, frame pointer, EH frame, callee save registers, local variables and locally declared buffers, garbage]

DB Attack: SQL Injection

- Exploiting SQL comment:
    Select * from customers where name='$input'
  With $input = JamesRH' or 1=1 --
    Select * from customers where name='JamesRH' or 1=1 --'
- Exploiting multiple commands and SQL comment:
    Select * from customers where name='$input'
  With $input = ' or 1=1 exec xp_cmdshell NT_command --
    Select * from customers where name='' or 1=1 exec xp_cmdshell NT_command --'
- Making the comment illegal is not sufficient protection
- Only answer is to never execute user input
  - No sane programmer would accept programming language source code from a user; SQL should never be accepted either
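The two points of this slide, run end to end: the concatenated query accepts the slide's `or 1=1 --` input, a comment filter alone does not help because a tautology without a comment works just as well, and a parameterised query returns nothing for either. This is an added example, not code from the talk; it assumes an in-memory SQLite table standing in for the talk's customers table (SQLite has no xp_cmdshell, so only the comment and tautology cases are shown), constructed sample rows, and the function names below.

```python
"""Added example: concatenated SQL from the slide beside its parameterised
replacement. SQLite stands in for SQL Server; the data is constructed."""
import sqlite3

# Constructed sample data standing in for the talk's customers table.
CUSTOMERS = [("JamesRH", "Redmond"), ("alice", "Seattle"), ("bob", "Portland")]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, city TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_concatenated(conn, user_input):
    """The slide's pattern: user input pasted into the SQL text, so
    whatever the caller types is parsed and executed as SQL."""
    sql = f"SELECT name FROM customers WHERE name='{user_input}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, user_input):
    """The defence the slide calls for: the query text is fixed and the
    input travels as a bound value, so it is never parsed as SQL."""
    sql = "SELECT name FROM customers WHERE name=?"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def demo():
    conn = open_db()
    honest = "JamesRH"
    with_comment = "JamesRH' or 1=1 --"      # the $input on the slide
    no_comment = "JamesRH' or 'a'='a"         # same effect, no '--' to filter
    return {
        "concat_honest": lookup_concatenated(conn, honest),
        "concat_with_comment": lookup_concatenated(conn, with_comment),
        "concat_no_comment": lookup_concatenated(conn, no_comment),
        "param_honest": lookup_parameterised(conn, honest),
        "param_with_comment": lookup_parameterised(conn, with_comment),
        "param_no_comment": lookup_parameterised(conn, no_comment),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:20s} -> {rows}")
```

Both hostile inputs return every row through the concatenated query and no row through the parameterised one, which is the slide's argument in one run.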

DB Attack: Code Patching

- Innovative attack that can't be directly applied, but shows how multi-step attacks are constructed
- With (even temporary) ability to run code in the SQL Server address space:
  - Find FHasObjPermissions(), the internal SQL Server object security access check function
  - Call VirtualProtect to enable code segment modification
  - Change the FHasObjPermissions() implementation to return 1 (true)
- As long as the SQL Server is running, if they can log on, they will have admin rights
- Technically not interesting, since it can't be exploited without access to the SQL Server address space
  - At that point, anything is possible
  - I show the example more to show how deep crackers will dig rather than claiming that this is a real exploit
  - But, once made, even if the attacker no longer has direct access to the SQL address space, they can exploit SA privs

Source: http://www.nextgenss.com/papers/violating_database_security.pdf

DB Attack: DOS & DDOS

- Denial of service attacks involve consuming all or most system resources
  - For authenticated users, a resource governor is the only full defense
  - Defense for non-authenticated users:
    - Fail bad passwords slowly with minimal resources consumed
    - Can do IP tracking, but it is spoofable
- Distributed denial of service uses many machines to attack the target
  - Usually part of a multi-step crack, in that the attacking machines are usually also cracked
- An unusual DOS attack:
  - Sending \x02 to SQL Monitor (port 1434)
  - SQL Monitor responds with \x02
  - Attacker spoofs the source IP to port 1434 on another SQL server and they ping back and forth (source: David Litchfield)
  - Not particularly effective, in that few resources are consumed, but an interesting approach

DB Attack: Brute Force PW

- Brute force or dictionary-based password cracking remains an old favorite
- When run against a system directly it usually fails:
  - It takes too long for a password to fail (built-in delays are often employed)
  - Failed password attempts are typically audited
- When run against a password file, success is more likely:
  - Unix removed the hashed password from /etc/passwd for this reason, and the hashed version can only be read by administrators
- DBs have the same protections as modern O/Ss
  - No passwords stored, and cryptographically hashed passwords only accessible to admin
- Direct attack is only exploitable when:
  - Password file is given to a non-admin user
  - Passwords are weak
  - NT authentication isn't used
- Not an elevation of privilege attack:
  - Only admins can access hashed PWs & they have full rights
  - One of the reasons why passwords are changed frequently on well-managed systems

DB Attack: PWs in Files

- Very common attack vector: DB passwords stored on other systems
- Web server may store logins
  - Should run the web server as a low-priv account and use NT authentication at the DB
- Install programs can store logins
  - Remove all *.iss files or remove stored passwords
  - SQL Server Killpwd utility
- File system should be locked down
- SQL Server should run as a low-priv account
- Administrators sometimes store passwords in admin scripts

Defense Mechanisms

- "Brakes, they only slow you down" (Enzo Ferrari)
- Similarly, security only gets in the way
  - Increases administrative costs
  - Can make development more difficult
  - Can make programs more difficult to use
  - Can make Black Hat access more difficult
- Industry challenge: blocking Black Hats without unduly slowing intended users, developers & administrators

Defense: Dev & Admin Actions

- Weak service account
  - Cracked DB won't get access to the rest of the enterprise
- Weak access accounts
  - Mid-tier account only capable of the minimum needed to run the app
  - Two-tier users with minimum access
- Smallest possible admin groups
  - Don't put all enterprise admins in one group
- Never place a DB unprotected on the public net
  - Nor on the private net
  - Firewall protected
  - S/W mediating database access
- Use NT authentication rather than DB auth
  - Leading DBs all provide both
- Strong PWs with enforcement
  - Force all PWs to comply with enterprise policy
  - Default action if using NT auth
  - Never store a PW in a file for any reason
- Physical security
  - Protect all related systems, media, backups, etc.

Page 24: Commercial Database Security Issues James Hamilton JamesRH@microsoft.com Microsoft SQL Server 2002.10.16

2424

Defense: Dev & Admin ActionsDefense: Dev & Admin Actions Track usage pattern changesTrack usage pattern changes

E.g. TP systems should NEVER table scanE.g. TP systems should NEVER table scan Future direction for DB security will exploit tracking unusual Future direction for DB security will exploit tracking unusual

access patternsaccess patterns Media security including backupsMedia security including backups

Assume damage possible and have aggressive backup policyAssume damage possible and have aggressive backup policy Test disaster recovery systemTest disaster recovery system

Only install and configure needed features:Only install and configure needed features: Replication, management tools, stored procedures, …Replication, management tools, stored procedures, …

Full audit of all failed eventsFull audit of all failed events Configure system to audit failed logins, failed authentication, …Configure system to audit failed logins, failed authentication, … Drive alerts on audit events to page adminsDrive alerts on audit events to page admins

- Apply all latest QFEs
  - Alert to page admins on vendor security releases
- Never build SQL with unchecked user input
- Never trust user input
  - Don't show "developer quality" error messages to users
  - Bound user input size and test application at max size
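The last three points (SQL built from unchecked input, bounded input size, no developer-grade error messages) as an added example, not code from the talk: the concatenating lookup beside its parameterized, bounded replacement. It uses an in-memory SQLite table constructed here as a stand-in for the SQL Server database the talk is about; the defence is the same on either.

```python
"""Unchecked-input SQL beside the hardened version (added example)."""
import sqlite3

MAX_NAME_LEN = 32   # bound user input size; test the application at this maximum


def make_db():
    """Constructed sample table with three users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "reader"), ("carol", "reader")])
    return con


def find_role_unsafe(con, name):
    """The mistake: user input becomes part of the SQL text, so a quote in
    `name` changes the query instead of being matched as data."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def find_role_safe(con, name):
    """Hardened: reject oversized or non-string input, pass the value as a
    parameter so it can only ever be compared against `name`, and surface a
    generic error rather than driver internals."""
    if not isinstance(name, str) or len(name) > MAX_NAME_LEN:
        raise ValueError("invalid input")
    try:
        rows = con.execute("SELECT role FROM users WHERE name = ?", (name,))
        return [row[0] for row in rows]
    except sqlite3.Error:
        # Detail belongs in the server-side log (omitted here), not in the
        # message shown to the user.
        raise RuntimeError("lookup failed") from None
```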

Page 25

Defense: DB Implementation
- Secure default installation
  - Weak defaults result from ease of use focus and past reduced threat environment
  - Best practices scanner (Microsoft Baseline Security Analyzer)
  - Secure examples in books, documentation, and all customer communications
- Support sub-set feature installs
  - Minimize attack surface area
- Support auto-update for security fixes
  - E.g. Windows update delivery of server-side security fixes
- Simplify security sub-systems
  - Admin error common cause of failure
- Provide fine grained, policy based access controls
  - E.g. Row level security
- Support multi-tier security W/O fully provisioned DB tier
  - Most applications don't provision all users in DB tier
- Defense in depth: avoid single failure security exposures

Page 26

Defense: DB Implementation
- Understand crackers:
  - All SQL Server personnel attend security education
    - Everyone: Development, User Education, Program Management, Test, Quality Assurance, Performance engineering
  - Understand how systems are cracked, what tools are used, what tools can stop, common vulnerabilities, how competitors have been cracked
- Aggressive program of code hygiene
  - SQL Server engineering spent 3 months focused exclusively on security
  - Threat models produced for every S/W component
  - Reviewed the entire code base with respect to threat models & code review methodology
  - Test targeted each component using threat model
  - Security section required on all new designs
  - Across all Microsoft products $100 million spent on this security education & code review program

Page 27

Defense: DB Implementation
- Use great tools: compiler runtime, code generation and host operating system support
- Operating System Support Example:
  - .Net Server enforces that exception handlers be marked by the compiler as handlers
  - Prevents exception handling hijacking
- Compiler Support Example:
  - VS7 compiler puts invocation unique bit pattern on stack between local variable and return address
  - Prevents return address hijacking
  - Each execution uses a different cryptographically randomly generated set of bits to protect return address
  - Won't use the return address unless protection bits correct
- More compiler work soon to ship but no silver bullet
  - Good code still required – just one more level of protection

Page 28

Defense: DB Implementation
- Aggressive application of security tools research
  - Developers very effective in finding innovative exploits but not good at searching 5 mloc to find others of same general form
- Microsoft Research compiler tools framework used to produce security tools
  - Based upon basic block transform system
  - Tracks control and data flow
  - Operates on compiler intermediate form
  - Has interface to allow new search modules to be written
  - Example checks:
    - Uses of error prone functions
    - Assignments in asserts (likely intended equivalence)
    - Custom code annotation warnings

Page 29

Summary
- S/W vulnerability report frequency increasing
- Database is the most valuable asset
  - Black Hats know it
- Database vulnerability reports becoming common this year
  - DB vulnerabilities unusual in even recent past
- Need multi-tier protection:
  - Application developer & administrator best practices
  - Simplification of security features—fewer admin errors
  - Finer grained control of security
  - DB team education
  - DB team development practices
  - DB engineering team tracking cracker tools and practices
  - Great tools: source code compiler and hosting O/S
  - Advanced security tools

Page 30

Microsoft