David Litchfield's Weblog

Home
Archives
NGSSoftware
DatabaseSecurity.com


Greymatter Forums

November 2007
SMTWTFS
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30  

Valid XHTML 1.0!

Powered By Greymatter

RSS 1.0 FEED
RSS 2.0 FEED
Atom 0.3 FEED
Powered by gm-rss 2.0.1
Home » Archives » November 2007 » Database tripwires...

[Previous entry: "Navy vs. Notre Dame"] [Next entry: "Oracle 11g/10g Installation Vulnerability"]

11/06/2007: "Database tripwires..."


I was thinking about the problem of creating a cheap tripwire for database servers that doesn't require a third party agent and it will alert us to when someone's snooping around places in our databases where they shouldn't be snooping. We could set up a honeypot table or view with an appropriately attractive name like USERNAMES_AND_PASSWORDS. Because this is a fake table no-one should ever really be looking at it and we can get the database to alert us when anyone touches it: there's a snooper online.

This could be achieved with a trigger in the case of an UPDATE, INSERT or DELETE of course but not so with a SELECT query. This limitation is easy to fix in Oracle with the use of fine grained access control by setting a policy on the table in question using DBMS_FGA. But what about other database servers that don't have an equivalent? Well, we can still achieve the same results with a simple view.

First off we create a function that does the actual alerting - whatever that happens to be - for example sending a mail to the DBA. Once we've created this function we then create a view that calls this functions - this view becomes our honeypot:

CREATE VIEW USERNAMES_AND_PASSWORDS AS SELECT FOO, BAR FROM TABLE WHERE ALERTFUNC = 1;

Thus when someone's snooping around our database and they look at DBA_OBJECTS / SYSOBJECTS / SYSTABLES and they see a name of USERNAMES_AND_PASSWORDS hopefully their curiosity will get the better of them and they'll do a SELECT thus firing our alert function.

This could be extended to extant views such as DBA/ALL/USER_OBJECTS; if you know none of your application logic queries these views then you could tripwire them up so as to be alerted when someone queries them - a potential snooper. Tripwiring up DBA/ALL/USER_VIEWS might also be a good option if the attacker selects a view's text/body before selecting from the view itself to ensure it's not a trap. They could of course just select from the VIEW$ table to bypass this but then we can hope that most attackers won't smile