Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


UKOUG 2008 Presentation Monday@17.55

Whilst preparing for UKOUG and talking to another well-known Oracle Security expert I had some thoughts about the implications of the CREATE ANY DIRECTORY issue.
Firstly, the Oracle utilities could be overwritten with new binaries: LSNRCTL, SQL*Plus, IMP, EXP and the debugger, for instance, since a directory object can be pointed at the OS directory that holds them. It is possible to execute OS binaries from the DB, as Tanel’s post shows.
But is it possible to patch the Oracle binary itself using UTL_FILE?
It is a serious vulnerability either way, especially given that there is no version of CREATE ANY DIRECTORY without the “ANY” (no privilege restricts a user to creating directory objects under a particular filesystem path), and there are applications that need to be able to create directories dynamically. This vulnerability is hard to patch in my opinion. That is why I have coded a new PL/SQL package called “CREATE_DIRECTORY”. This package allows a user to safely create directory objects within a segregated area of the OS and grants only READ and WRITE on them to that user.
The code also deals with the ../../ traversal and //// repeated-separator issues that have affected DIRECTORIES in the past.
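As an added illustration of the approach described above (this is not the CREATE_DIRECTORY package itself, which is not on this page), here is one way to wrap CREATE ANY DIRECTORY in a definer-rights PL/SQL procedure so that callers never hold the privilege, can only create directory objects under one fixed base path, and receive only READ and WRITE on them. The base path /u01/app/oracle/app_dirs, the procedure name create_app_directory, and the grantees APP_ADMIN and APP1 are assumptions for the example; the schema that owns the procedure must hold CREATE ANY DIRECTORY as a direct grant, because roles are not active inside definer-rights PL/SQL.

```sql
-- Added example, not Paul Wright's CREATE_DIRECTORY package.
-- Assumes /u01/app/oracle/app_dirs exists, is writable by the oracle OS user,
-- and holds nothing else of value (it is the segregated area).

-- 1. Audit first: who can create directory objects pointing anywhere on the
--    filesystem, and which paths existing directory objects already expose.
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE ANY DIRECTORY';

SELECT owner, directory_name, directory_path
  FROM dba_directories
 ORDER BY directory_path;

-- 2. Wrapper owned by a DBA-controlled schema that holds CREATE ANY DIRECTORY
--    directly. AUTHID DEFINER means callers get only what this procedure does.
CREATE OR REPLACE PROCEDURE create_app_directory (
    p_dir_name IN VARCHAR2,   -- directory object name, e.g. 'APP1_EXPORTS'
    p_sub_dir  IN VARCHAR2,   -- ONE path component under the base path
    p_grantee  IN VARCHAR2    -- existing schema that gets READ and WRITE
) AUTHID DEFINER
IS
    c_base     CONSTANT VARCHAR2(200) := '/u01/app/oracle/app_dirs'; -- assumed
    l_dir_name VARCHAR2(128);
    l_grantee  VARCHAR2(128);
    l_path     VARCHAR2(400);
BEGIN
    -- Traversal defence: accept only a single plain path component.
    -- '.', '/', '\' and whitespace are not in the class, so '..', '../../',
    -- '////' and absolute paths are rejected before any SQL is built.
    IF p_sub_dir IS NULL
       OR LENGTH(p_sub_dir) > 64
       OR NOT REGEXP_LIKE(p_sub_dir, '^[A-Za-z0-9][A-Za-z0-9_]*$')
    THEN
        RAISE_APPLICATION_ERROR(-20001,
            'Sub-directory must be one plain component matching [A-Za-z0-9_]');
    END IF;

    -- Identifier validation so the dynamic SQL cannot be broken out of.
    -- SIMPLE_SQL_NAME rejects anything that is not a valid simple name;
    -- SCHEMA_NAME raises an error unless the schema actually exists.
    l_dir_name := DBMS_ASSERT.SIMPLE_SQL_NAME(UPPER(p_dir_name));
    l_grantee  := DBMS_ASSERT.SCHEMA_NAME(UPPER(p_grantee));

    -- The caller never chooses the filesystem location, only the leaf name.
    l_path := c_base || '/' || p_sub_dir;

    EXECUTE IMMEDIATE 'CREATE DIRECTORY ' || l_dir_name
                   || ' AS ' || DBMS_ASSERT.ENQUOTE_LITERAL(l_path);

    -- Least privilege: READ and WRITE only (no EXECUTE), only to the named schema.
    EXECUTE IMMEDIATE 'GRANT READ, WRITE ON DIRECTORY ' || l_dir_name
                   || ' TO ' || l_grantee;
END create_app_directory;
/

-- Applications get EXECUTE on the wrapper instead of CREATE ANY DIRECTORY.
GRANT EXECUTE ON create_app_directory TO app_admin;   -- assumed user

-- Example call with assumed names: creates a directory object APP1_EXPORTS on
-- /u01/app/oracle/app_dirs/app1_exports and grants APP1 read/write on it.
BEGIN
    create_app_directory('APP1_EXPORTS', 'app1_exports', 'APP1');
END;
/
```

The regular expression is the whole of the path defence: because the caller supplies only a leaf name and the base path is a constant, there is no string to canonicalise, so the ../../ and //// cases simply fail validation rather than having to be normalised. Re-run the two audit queries after deployment to confirm that CREATE ANY DIRECTORY has been revoked from the application schemas and that no directory object still points into ORACLE_HOME.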
The code for CREATE_DIRECTORY will be given out for the first time at my UKOUG presentation on Monday night @17.55.
In addition to the new CREATE_DIRECTORY package I will summarise secure Oracle 3-tier development best practice at the DB, Java and Web layers. Lastly I will discuss the results of a long evaluation of Sentrigo Hedgehog. I have thoroughly examined this product in terms of its security and its effect on performance and will be able to give a summary of what it is good for and lessons learnt from the deployment. This will be the first presentation of its kind in the UK. Apparently there are free drinks and “luxury Canapés” straight after, so the talk will also be concise :)
Cheers and look forward to seeing you there.
Paul M. Wright
