Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)

Three Tier Oracle Security in London ~ Paul M. Wright RSS Feed
 

Forensic checksumming on all versions of supported Oracle databases

Below is an excerpt from my new book on Oracle Forensics which is available through Rampant Techpress and contains both the underlying concepts and advanced practice of Oracle forensics for both incident handling and vulnerability detection. A cornerstone of the book is the need to fully understand the methods that an attacker may use to attack an Oracle server so that the security practitioner can effectively secure the DB and respond effectively to an incident.Excerpt:
Checksums have been used in forensics to verify the state of a piece of code for many years both in terms of Tripwire OS applications and also lists of known good checksums such as those produced at NIST http://www.nsrl.nist.gov/ .
Creating checksums in an Oracle database to verify integrity is pretty straightforward.
DBMS_UTILITY.GET_HASH_VALUE is available on 7, 8, 9, 10 and fast but has different implementation on 7 therefore a different checksum is returned. This is not good for forensic consistency.
DBMS_OBFUSCATION.MD5 is good on 9 and 10 (not 8) and cryptographically stronger than DBMS_UTILITY but slower due to the more complex computation.
DBMS_CRYPTO HASH_SH1 is on 10 only and not fast but the most secure of the three. Additionally, use of MD5 and SHA1 together is not susceptible to malicious use of a collision where two files with differing content have the same checksum. http://www.doxpara.com/md5_someday.pdf. By using stripwire http://www.doxpara.com/stripwire-1.1.tar.gz it is possible for an attacker to control the content of a malicious collision.

However, using both MD5 and SHA1 checksums, dual collisions become all but impossible.

In summary DBMS_UTILITY is useful for checking patches and day to day state checking where speed is important but for higher security MD5 or preferably SHA1 should be used. For very high security purposes it is preferable to check integrity using a combination of both MD5 and SHA1.

Here is an example to check the state of VIEWs in a given schema using SHA1 algorithm:

set wrap off
set linesize 400
set serveroutput on
DROP TABLE SHA1VIEWSTATES
CREATE TABLE SHA1VIEWSTATES(SHA1SCHEMA VARCHAR2(40), SHA1NAME VARCHAR2(40), SHA1CHECKSUM VARCHAR2(40));
CREATE OR REPLACE PROCEDURE SHA1DBVIEWSTATECHECKER(lvschema in varchar2) AS TYPE C_TYPE IS REF CURSOR;
CV C_TYPE;
string varchar2(32767);
l_hash raw(2000);
lvname VARCHAR2(30);
lvtype varchar2(30) :='VIEW';
begin
OPEN CV FOR 'SELECT DISTINCT OBJECT_NAME FROM SYS.DBA_OBJECTS WHERE OBJECT_TYPE=''VIEW'' AND OWNER = :x' using lvschema;
LOOP
FETCH CV INTO lvname;
DBMS_OUTPUT.ENABLE(200000);
l_hash:=dbms_crypto.hash(dbms_metadata.get_ddl(lvtype, lvname, lvschema), dbms_crypto.hash_sh1);
dbms_output.put_line('HashSHA1='||l_hash||' Name='||lvschema||'.'||lvname);
insert into SHA1VIEWSTATES values(lvschema, lvname, l_hash);
EXIT WHEN CV%NOTFOUND;
END LOOP;
CLOSE CV;
end;
/
EXEC SHA1DBVIEWSTATECHECKER('SYS');
SELECT * FROM SHA1VIEWSTATES;

–Carry out again in the future using HA1PACKAGESTATEVIEWSNEW table and compare to the baseline to see if there has been change.
–If both resultsets are identical there should be no result from this query.

(((select * from SHA1PACKAGESTATEVIEWS)minus
(select * from SHA1PACKAGESTATEVIEWSNEW))UNION
((select * from SHA1PACKAGESTATEVIEWSNEW)minus
(select * from SHA1PACKAGESTATEVIEWS)))

I am going go to SANSFIRE now in Washington DC where I will be leading a BoF on Oracle Forensics to launch my new book, Auditing the GCIA for ANSI and testing the new GSEs for SANS/GIAC as well as catching up with some old friends.
Cheers,
Paul
Additional relevant links:
http://eprint.iacr.org/2006/104.pdf
http://web.mit.edu/AFS/sipb/project/fastcoll/
http://www.win.tue.nl/hashclash/fastcoll_v1.0.0.5_source.zip
http://www.win.tue.nl/hashclash/fastcoll_v1.0.0.5.exe.zip

Leave a Reply

You must be logged in to post a comment.