
Oracle Database Security

from the application perspective
Martin Nystrom
September 2003

Purpose
  In scope: application security of Oracle databases
  Out of scope: system security of Oracle databases

Agenda
  Oracle architecture
    System architecture
    Network architecture
  Common Oracle objects
  Schema/object security
  Java security
  Application integration techniques
  Current challenges at Cisco

Grossly oversimplified Oracle network architecture

[Diagram: Oracle client software on the client host sends an ONS query to the Oracle Names service on the ONS server (port 1526) and connects over SQL*Net (Net8) to the TNS Listener on the database server (port 1521), which fronts the database.]
(ADDRESS=(PROTOCOL=TCP) (HOST=db.company.com) (PORT=1521))

Oracle architecture

Oracle networking example

[Diagram: Oracle client software on fields-sj-1 sends an ONS query to the Oracle Names service on ons-sj (port 1526) and connects to the TNS Listener on cmrsdb (port 1521), which fronts the cmrs database.]
(ADDRESS=(PROTOCOL=TCP) (HOST=cmrsdb.cisco.com) (PORT=1521))

Simplified Oracle Network Architecture w/OCM

[Diagram: Host #1, Host #2 and Host #3 each run Oracle client software. An OCM server with a TNS Listener on port 1521 sits in front of the database server, whose own TNS Listener on port 1521 fronts the database. The OCM "Allowed" list contains Host #1 and Host #2; two connections in the diagram are labelled "rejected".]

SQL*Net
  Introduced in Oracle V5
  Renamed Net8 in Oracle8
  Supports multiple protocols (TCP/IP, DECnet, SPX/IPX, etc.)

Authentication & credentials
  Can be
    OS authentication
    Userid/password
    X.509 certificates
    Smart card
    Etc.
  Stored in Oracle
    As MD5 hash
    Not so for dblinks or FND_USERS

Authentication & credentials (cont.)
  Transport encryption
    DES encryption of db-selected random number w/user's password hash
    OS-integrated authentication available too
    Password changes travel unencrypted
  Password management features available
    Aging & expiration
    History (e.g., can prohibit reuse of last 3 passwords)
    Composition & complexity (e.g., require letters + numbers)
    Account lockout
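
The password management features listed above map onto an Oracle profile plus a password verify function. The following is an added example, not part of the original slides; the function name, profile name, thresholds and the choice of account are assumptions.

```sql
-- Added example: function, profile and account names are assumptions.
-- Run as SYS; a password verify function must be owned by SYS.
CREATE OR REPLACE FUNCTION app_verify_password (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2
) RETURN BOOLEAN
IS
  has_letter BOOLEAN := FALSE;
  has_digit  BOOLEAN := FALSE;
  ch         VARCHAR2(1 CHAR);
BEGIN
  IF NVL(LENGTH(password), 0) < 8 THEN
    raise_application_error(-20001, 'Password must be at least 8 characters');
  END IF;
  IF UPPER(password) = UPPER(username) THEN
    raise_application_error(-20002, 'Password must differ from the user name');
  END IF;
  -- Composition & complexity: require letters + numbers.
  FOR i IN 1 .. LENGTH(password) LOOP
    ch := SUBSTR(password, i, 1);
    IF INSTR('0123456789', ch) > 0 THEN
      has_digit := TRUE;
    ELSIF INSTR('ABCDEFGHIJKLMNOPQRSTUVWXYZ', UPPER(ch)) > 0 THEN
      has_letter := TRUE;
    END IF;
  END LOOP;
  IF NOT (has_letter AND has_digit) THEN
    raise_application_error(-20003, 'Password must contain letters and numbers');
  END IF;
  RETURN TRUE;
END app_verify_password;
/

CREATE PROFILE app_accounts LIMIT
  PASSWORD_LIFE_TIME       90         -- aging: expire after 90 days
  PASSWORD_GRACE_TIME      7          -- warning period before expiry is enforced
  PASSWORD_REUSE_MAX       3          -- history: changes required before reuse
  -- How REUSE_MAX and REUSE_TIME combine differs between Oracle releases;
  -- check the CREATE PROFILE reference for the release in use.
  PASSWORD_REUSE_TIME      UNLIMITED
  FAILED_LOGIN_ATTEMPTS    5          -- account lockout after 5 bad logins
  PASSWORD_LOCK_TIME       1          -- stay locked for 1 day
  PASSWORD_VERIFY_FUNCTION app_verify_password;

-- Profiles only take effect for accounts assigned to them.
ALTER USER dogbert PROFILE app_accounts;
```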


Common Oracle objects

[Diagram: a database instance containing schemas. Objects shown inside the schemas: table, view, index, trigger, stored procedure, function. A public area holds a synonym.]

Oracle object security

grant select on EMPLOYEES to ASOK;

[Diagram: tables orders, customers, candidates and employees shown across asok's schema and alice's schema; all_users is shown among the public objects.]

Oracle role-based security

grant all privileges on EMPLOYEES to HR_STEWARD;
grant HR_STEWARD to CATBERT;

[Diagram: the hr_steward role and DBA, with tables candidates and employees in the hrdata schema.]

Database links

Create database link EMPLINK connect to DOGBERT identified by CISCO123 using 'HR_DB';

[Diagram: EMPLINK connects dogbert's schema in ECOMMERCE_DB (orders) to dogbert's schema in HR_DB (employees).]

Java security in Oracle
  System classes loaded by default, accessible & shared by all sessions

[Diagram: wally's session and dilbert's session, with classes com.cisco.ipc.* and com.cisco.myapp.calc, on top of the Java server classes (common, read-only): java.*, oracle.aurora.*, oracle.jdbc.*]

Java security in Oracle
  System classes loaded in shared area
  Users can load classes
    Into their own schema/session
    Can grant execution rights to other users
    Stored in Oracle objects, not files
  Permissions
    Stored in PolicyTable table
    Granted by DBA or JAVA_ADMIN roles
    call dbms_java.grant_permission('MNYSTROM', 'java.net.SocketPermission', 'localhost:1024-', 'connect');
  2 privilege models
    Invoker's rights
    Definer's rights (setuid)

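Invoker's rights

[Diagram: com.cisco.myapp.calc and com.cisco.ipc.*, with a salary table in dogbert's schema and a salary table in alice's schema.]

Definer's rights

[Diagram: com.cisco.myapp.calc and com.cisco.ipc.*, with a salary table in dogbert's schema and a salary table in alice's schema.]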

Access beyond the database
  Languages: PL/SQL or Java
  Techniques: Stored procs or functions
  Examples
    Execute, read, write local files
    Make and receive network calls (HTTP, MMX, etc.)
    Access data in remote databases
    Send mail

[Diagram: database server hosting the database and the /oracle/apps/ directory.]

Auditing
  Obviously impacts database performance
  Writes high-level info to a common table
    Database user
    Object (table, role, etc.)
    Action (select, insert, etc.)
    Date/time
  Currently enabled on-request to DBA team
  Difficult to trace actions to a live human
    Can correlate with IP address

Common integration techniques
  Shared database schemas
  Separate schemas/dbs
    Grant direct access to each other's schemas
    Grant only stored proc access

Typical modern application

[Diagram: one application using the orders and customers tables in the application schema.]

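Shared schemas

[Diagram: Application #1 and Application #2 both use application #2's schema, which holds orders and customers. Privilege labels: "select insert update" beside orders, "select", and "insert update delete select grant" beside customers.]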

Shared objects

[Diagram: Application #1 and Application #2 each have their own schema, with the tables orders and customers. Privilege labels: "select insert update" beside orders, "select", and "insert update delete select grant" beside customers.]

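Shared, protected objects

[Diagram: Application #1 and Application #2 each have their own schema, with the tables orders and customers and a stored procedure in front of customers. Privilege labels: "select insert update" beside orders, "execute" on the stored procedure, and "insert update delete select grant" beside customers.]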
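
The "grant only stored proc access" pattern from the slide above, written in PL/SQL as an added example that is not part of the original slides. The schema names APP1 and APP2, the CUSTOMERS columns and the function name are assumptions. It also shows where the definer's rights model matters: the function body runs with the owner's privileges, so the caller needs no grant on the table.

```sql
-- Added example: APP1/APP2, the column list and the function name are assumptions.
-- Connected as APP2, the schema that owns CUSTOMERS.
CREATE TABLE customers (
  customer_id  NUMBER        PRIMARY KEY,
  name         VARCHAR2(100) NOT NULL,
  credit_card  VARCHAR2(19)            -- sensitive column APP1 must never read
);

-- "Shared objects" would expose every row and column to APP1:
--   GRANT SELECT ON customers TO app1;
-- "Shared, protected objects" exposes one narrow operation instead.

-- AUTHID DEFINER (the default, stated explicitly): the query runs with APP2's
-- privileges. With AUTHID CURRENT_USER it would run with the caller's
-- privileges, and APP1, holding no table grant, could not read CUSTOMERS.
CREATE OR REPLACE FUNCTION get_customer_name (p_customer_id IN NUMBER)
  RETURN VARCHAR2
  AUTHID DEFINER
IS
  v_name customers.name%TYPE;
BEGIN
  -- Static SQL with a bind variable: caller input never becomes SQL text.
  SELECT name
    INTO v_name
    FROM customers
   WHERE customer_id = p_customer_id;
  RETURN v_name;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RETURN NULL;                       -- unknown id: return nothing, leak nothing
END get_customer_name;
/

-- The only privilege APP1 receives on APP2's data.
GRANT EXECUTE ON get_customer_name TO app1;
```

Connected as APP1, `SELECT app2.get_customer_name(42) FROM dual` goes through the function, while a direct query against `app2.customers` is refused because no table privilege was granted.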

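Application-level integration

[Diagram: Application #1 and Application #2 talk to each other at the application level (shared libraries, MMX, Web services, IIOP). Each application uses only its own schema: "select insert update" beside orders in Application #1's schema, "insert update delete select grant" beside customers in Application #2's schema.]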

Current problems in industry
  Account management
    Passwords never changed
    Accounts/passwords widely known
      All developers
      cgi-bin trees
      CVS source repositories
  Privileges too broad
  No data stewardship
  No segregation/special protection for sensitive data
