Research on database Virtual patching technology

Virtual Patching Technology is the technology that controls the input and output of the protected system, and prevents the vulnerability attack on the system.

The virtual patching technology, through the peripheral way, against the characteristics of the system vulnerability attack detection and interception of security defense measures. It makes the implementation of exploit defenses more portable and more timely. Virtual patching technology used in the Web application system, the database of virtual patches in recent years, the latest defense technology, the earlier proposed is McAffee, the domestic database security vendors Anwarking is also the leader in this area.

Classification and Genesis of database vulnerability

United States verizon Span style= "text-indent:28px;font-family: ' The song Body '; In a comprehensive market survey on "How the core data is lost", the results found that 75% cve data security vulnerability statistics, oracle Span style= "TEXT-INDENT:28PX;" >sql Server

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/72/B5/wKioL1Xr91eiU6BXAADPa-7hpSg713.jpg "title=" Xnbd-1.jpg "alt=" Wkiol1xr91eiu6bxaadpa-7hpsg713.jpg "/>

Database Vulnerability Intrusion Mode

according to CVE released the latest vulnerability statistics, statistics published by the various types of database vulnerability distribution as follows:

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/72/B9/wKiom1Xr9U3iQa6sAACW-t_0jtM915.jpg "title=" Xnbd-2.jpg "alt=" Wkiom1xr9u3iqa6saacw-t_0jtm915.jpg "/>

Various types of database vulnerability distribution

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/72/B9/wKiom1Xr9W2AwPyKAAEcQhH5_QI294.jpg "style=" float: none; "title=" xnbd-3.jpg "alt=" Wkiom1xr9w2awpykaaecqhh5_qi294.jpg "/>

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/72/B6/wKioL1Xr95bz7RojAAEKejfVIwQ257.jpg "style=" float: none; "title=" xnbd-4.jpg "alt=" Wkiol1xr95bz7rojaaekejfviwq257.jpg "/>

CVE Statistics: A class of Oracle database vulnerabilities

The result of database vulnerability is mainly caused by input validation error, boundary condition error, buffer overflow error, access validation error, unexpected condition error, etc.

Due to the existence of database vulnerability, the possible harm, mainly has the following four aspects:

(1) Endanger the database's own system and attack the database natively.

(2) the server which harms the database, uses the database to attack the server. Way:

• running OS commands from PL/SQL

• through JAVA running OS commands

• run directly from the Task Scheduler OS Commands

• Use ALTER SYSTEM run OS command

• run OS commands in a way that Oracle compiles local PL/SQL applications

(3) The file system of the system in which the database is compromised. Way:

• Use Utl_file Package Access file system

• Use JAVA Access file system

• accessing file systems with operating system environment variables

(4) Other platforms on the network where the database is compromised.

Bugs in database patching packages

due to the unpredictable and high concealment of database vulnerability, database developers can only use the post-mortem, periodic, targeted security of the discovered database vulnerabilities, and make a targeted bug fix in the form of database patch package. As a result, patching and expanding storage for databases has become a Regular must-do business for DBAs.

However, the database patching package can compensate for the harm caused by database vulnerability to some extent, and reduce the risk of malicious attack to the database. But there are some usability issues with database patches. The main three points are as follows:

• Database patching packages are highly targeted and the scope of patching has limitations. And the release cycle of the patch pack is lengthy, and the database has a vacuum period of data leakage.

• In the process of patching the database, there is a potential for compatibility, which poses new harm to the database.

• The database patching process has some risks and consumes a lot of resources from users.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/72/B9/wKiom1Xr9Zag85xjAADRSoiJGuI768.jpg "title=" Xnbd-5.jpg "alt=" Wkiom1xr9zag85xjaadrsoijgui768.jpg "/>

in Oracle database As an example, during the response period of a patch release, the database faces 0day the vulnerability risk. even if the vulnerability package is acquired, the user is also required to devote a significant amount of resources during the database repair process, for example: Patch patching takes a long time and is highly professional, and the system is easily exposed to risk during review, testing, and installation of official patch updates. As a result, it is often difficult to patch the enterprise database, and the ever-changing vulnerability can overwhelm database administrators, and the database will be in high-risk shadows for a long time.

Database Virtual Patching Technology

The advantages of virtual patches are mainly that You can do this without patching the dbms Protect the database in the case of a kernel. Virtual patches Create a layer of security outside the database, eliminating the need for database remediation based on patches provided by the database vendor, and without stopping services and regression testing. The basic principle of virtual patch technology protection is the matching of attack rules. According to the way of attack, we can be divided into two kinds: one is the protection of direct attacks in network communication, such as the oracle TNS sql

oracle Dbms_metadata oracle dbms_metadata Sys.dbms_metadata.get_ddl can be used by low-privileged users to execute a variety of ultra vires statements.

hacker attack Way: Combine idiom sentence by way of Scrabble GRANT DBA to USER , any user with the above vulnerabilities can execute DBA enabling low-privileged users to gain access to DBA permissions, obtaining sensitive information in the database or damaging the database, exploiting database vulnerabilities to attack the database, and so forth.

with An Huaqin and database firewall products ( Dbfirewall as an example, the protection principle of the virtual patching technology is to analyze the communication protocol between the database and the client, get to the session information (including: database user, operating system user, etc.) and the user actually executes the statement, the attack characteristic string in the conversation information and the statement synthesis analysis, Determine if the statement has an intent to attack.

where the statement parses the required statement information, such as: SQL The type of statement action, the keyword that often appears in the attack statement (such as the package used to attack, the name of the function, and so on). When these keywords are included in the statement, they are judged to be a vulnerability attack behavior. Finally, the character string is further verified, combined with the context of the keyword, to identify the behavior of the statement, to exclude the normal behavior generated by the statement.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/72/B9/wKiom1Xr9bmxK0e9AACl8jsYqBo772.jpg "title=" Xnbd-6.jpg "alt=" Wkiom1xr9bmxk0e9aacl8jsyqbo772.jpg "/>

Protection examples

Example: an attack statement

DECLARE a clob;

BEGIN

A:= Sys.dbms_metadata.get_ddl (

"' | | SCOTT.GET_DBA () | | ",

' Dbms_metadata '

);

END;

the rules and means of protection can be:

(1) resolves the user name of the session: Proving not a sys user, may be an ultra vires behavior.

(2) Further verification of the statement: The Proof statement contains the field name of the commonly used attack:dbms_metadata, and contains the function get_ddl.

(3) meet the above conditions, can be guessed as an attack behavior.

(4) The final validation statement is not a query type select .... to exclude normal behavior.

at this point, the statement is considered an attack statement, and there is a risk.

The above-mentioned virtual patch protection method not only improves the efficiency of execution, but also reduces the frequency of false positives, and the virtual patches Protect against database vulnerabilities in general.

(1)DBMS SQL injection

dbms Span style= "text-indent:28px;font-family: ' The song Body '; > The function of the system, the injection of the vulnerability in the stored procedure, rather than the sql dbms product from the sql A calling flaw that allows a hacker to pass a normal sql statement complete statement injection.

in the normal SQL a malformed string or other malformed input for a database vulnerability or database setup defect is included in the statement by embedding, commenting, and escaping characters. Gain higher permissions in the database with one or more of these malformed inputs, eventually obtaining sensitive information in the database or directly seizing database DBA Authority. This may compromise the network environment in which the database resides and the local server. Database virtual patching technology, as the most convenient and the most resource-saving processing method in database vulnerability protection system, has the very high applicability. Its value lies not only in the simple protection of database vulnerability, but also in the future, it can be combined with the database leak-sweeping system to establish a well-controlled detection and protection system for the database. As an important functional component of database firewall, the value of virtual patching in the process of database protection is fully reflected.

This article is from the Database security blog, so be sure to keep this source http://schina.blog.51cto.com/9734953/1691954

Research on database Virtual patching technology