infosec

information security notes.

Uploaded by

sradhikas495

Trusted Systems, Trusted Systems Functions - Trusted Operating System Design - Rootkit

Secure Design Principles

• Good design principles are always good for security. But several important design principles are particular to security and essential for building a solid, trusted operating system.
• Least privilege
• Economy of mechanism
• Open design
• Complete mediation
• Permission based
• Separation of privilege
• Least common mechanism
• Ease of use
• These design principles led to the development of “trusted” computer systems or “trusted” operating systems.

Trusted Systems

• Trusted system: one with evidence to substantiate the claim it implements some function or policy.
• Trusted systems can help counter malicious software.
• A trusted system is one that has been shown to warrant some degree of trust that it will perform certain activities faithfully in accordance with users’ expectations.

Trusted Systems

• The word secure reflects a dichotomy: Something is either secure or not secure.
  o If secure, it should withstand all attacks, today, tomorrow, and a century from now.
  o And if we claim that it is secure, you either accept our assertion (and buy and use it) or reject it (and either do not use it or use it but do not expect much from it).

Trusted Systems

• We say that software is trusted software if we know that the code has been rigorously developed and analyzed, giving us reason to trust that the code does what it is expected to do and nothing more.
• Typically, trusted code can be a foundation on which other, untrusted, code runs.
• i.e., the trusted code establishes the baseline for security of the overall system.
• An OS can be trusted software when there is an objective basis for trusting that it correctly controls the accesses of components or systems run from it.

Trusted Systems

• Key characteristics to trust any program:
  o Functional correctness. The program does what it is supposed to, and it works correctly.
  o Enforcement of integrity. Even if presented erroneous commands or commands from unauthorized users, the program maintains the correctness of the data with which it has contact.
  o Limited privilege. The program is allowed to access secure data, but the access is minimized and neither the access rights nor the data are passed along to other untrusted programs or back to an untrusted caller.
  o Appropriate confidence level. The program has been examined and rated at a degree of trust appropriate for the kind of data and environment in which it is to be used.

Trusted Systems

• Trusted software is often used as a safe way for general users to access sensitive data.
• Trusted programs are used to perform safe operations for users without allowing the users to have direct access to sensitive data.
• There can be degrees of trust.
  o e.g., you trust certain friends with deep secrets, but you trust others only to give you the time of day.
• Trust is a characteristic that often grows over time, in accordance with evidence and experience.
  o e.g., banks increase their trust in borrowers as the borrowers repay loans as expected; borrowers with good trust (credit) records can borrow larger amounts.
• Finally, trust is earned, not claimed or conferred.

Trusted Systems

• Trusted process: a process that can affect system security, or a process whose incorrect or unsecure execution is capable of violating system security policy.
• Trusted product: an evaluated and approved product.
• Trusted software: the software portion of a system that can be relied upon to enforce security policy.
• Trusted computing base: the set of all protection mechanisms within a computing system, including hardware, firmware, and software, that together enforce a unified security policy over a product or system.
• Trusted system: a system that employs sufficient hardware and software integrity measures to allow its use for processing sensitive information.

Trusted Systems Characteristics

• Trusted systems have three characteristics:
  o A defined policy that details what security qualities it enforces.
  o Appropriate measures and mechanisms by which it can enforce that security adequately.
  o Independent scrutiny or evaluation to ensure that the mechanisms have been selected and implemented properly so that the security policy is in fact enforced.

Trusted Systems Functions

• Trusted Systems contain certain functions to ensure security.

Trusted Computing Base (TCB)

• The trusted computing base is the name we give to everything in the trusted OS that is necessary to enforce the security policy.
• TCB consists of the parts of the trusted OS on which we depend for correct enforcement of policy.
• Suppose you divide a trusted operating system into the parts that are in the TCB and those that are not, and you allow the most skillful malicious programmers to write all the non-TCB parts. Since the TCB handles all the security (including protecting itself), nothing the malicious non-TCB parts do can impair the correct security policy enforcement of the TCB.
• This definition gives you a sense that the TCB forms the fortresslike shell that protects whatever in the system needs protection.

TCB Functions

• What constitutes the TCB?
  o Hardware, including processors, memory, registers, a clock, and I/O devices.
  o Some notion of processes, so that we can separate and protect security-critical processes.
  o Primitive files, such as the security access control database and identification and authentication data.
  o Protected memory, so that the reference monitor can be protected against tampering.
  o Some inter process communication, so that different parts of the TCB can pass data to and activate other parts; for example, the reference monitor can invoke and pass data securely to the audit routine.

TCB Functions

• TCB is only a small subset of the OS.
• Although the TCB requires access to files of enforcement data, it does not need an entire file structure of hierarchical directories, virtual devices, indexed files, and multidevice files.
• Thus, the TCB might contain a primitive file manager to handle only the small, simple security data files needed for the TCB.
• The more complex file manager to provide externally visible files could be outside the TCB.

TCB Functions

• The TCB, which must maintain the secrecy and integrity of each domain, monitors four basic interactions:
  o Process activation: Changing from one process to another requires a complete change of registers, relocation maps, file access lists, process status information, and other pointers, much of which is security sensitive information.
  o Execution domain switching: Processes running in one domain often invoke processes in other domains to obtain more or less sensitive data or services.
  o Memory protection: Because each domain includes code and data stored in memory, the TCB must monitor memory references to ensure secrecy and integrity for each domain.
  o I/O operation: In some systems, software is involved with each character transferred in an I/O operation. This software connects a user program in the outermost domain to an I/O device in the innermost (hardware) domain.

TCB Design

• The division of the OS into TCB and non-TCB aspects is convenient for designers and developers because all security-relevant code is in one (logical) part.
• To ensure that the security enforcement cannot be affected by non-TCB code, TCB code must run in some protected state.
• However, once this structuring has been done, code outside the TCB can be changed without affecting the TCB’s ability to enforce security.
• Major sections of the OS—utilities, device drivers, user interface managers—can be revised or replaced any time; the TCB code must be controlled carefully.
• Evaluating the security of a trusted operating system is simplified because non-TCB code need not be considered.
• TCB is separated to achieve self-protection and independence.

TCB Implementation

• Security is related to every memory access, every I/O operation, every file or program access, every activation or termination of a user, every creation of a new execution thread, and every inter process communication.
• In modular OS, these separate activities can be handled in independent modules.
• Collecting all security functions into the TCB may destroy the modularity of an existing OS.
• A unified TCB may also be too large to be analyzed easily.
• Nevertheless, a designer may decide to separate the security functions of an existing OS, creating a security kernel.

TCB Implementation

• A more sensible approach is to design the security kernel first and then design the OS around it.
• The security kernel monitors all OS hardware accesses and performs all protection functions.
• The security kernel, which relies on support from hardware, allows OS itself to handle most functions not related to security. In this way, the security kernel can be small and efficient.
• With this partitioning, computing systems have three execution domains: security kernel, OS, and the user.

Secure Startup

• Before the OS is fully functional, its protection capabilities are limited. As more pieces become operational, they exercise more complete control over the resources.
• During startup, the nature of the threats is also lowered because users are not yet active, and network connections have not yet been established.
• Designers of trusted systems recognized the vulnerability at system startup, especially if it was a restart from a previous failure.
• So, when the system starts, all security functions should work properly and no effects should remain from any previous system session.
• Secure startup ensures no malicious code can block or interfere with security enforcement.

Trusted Path

• Any moderately competent programmer can write code to pop up a box with fields for username and password.
• How can you be assured the box comes from and passes entered data to the password manager?
• A trusted path is an unforgeable connection by which the user can be confident of communicating directly with the OS, not with any fraudulent intermediate application.
• A trusted path precludes interference between a user and the security enforcement mechanisms of the operating system.

Object Reuse

• OS controls resource allocation, and as a resource is freed for use by other users or programs, the OS permits the next user or program to access the resource. But reusable objects must be carefully controlled.
  o e.g., when a new file is created, space is allocated from a free pool, previously used space on a storage device.
• Released space is returned to the pool “dirty,” that is, still containing the data from the previous user. Because most users would write to a file before trying to read from it, the new user’s data obliterate the previous owner’s data. But, a malicious user may claim a large amount of space and then scavenge for sensitive data by reading before writing. This kind of attack is called object reuse.

Object Reuse

• Object sanitization ensures no leakage of data if a subject uses a memory object released by another subject.
• To prevent object reuse leakage, OS clears (i.e., overwrites) all space to be reassigned before allowing the next user to access it.
• Magnetic media are particularly vulnerable to this threat.

Audit

• Trusted systems must also track any security relevant changes, such as installation of new programs or modification to the operating system.
• The audit log must be protected against tampering, modification, or deletion other than by an authenticated security administrator.
• Furthermore, the audit log must be active throughout system operation. If the audit medium fills to capacity (for example, if audit records written to a disk use all space on the disk), the system is to shut down.

Rootkit

• In the Unix OS, root is the most powerful user, owning sensitive system resources such as memory and performing powerful actions such as creating users and killing processes.
• The identity root is the name of the entity (subject) established to own and run all primitive system tasks.
• Thus, compromising a task with root privilege is a hacker’s goal because from that position the hacker has complete and unrestricted system control.

Rootkit

• Rootkit: Tool or script that obtains privileges of root.
• People who execute attack code from someone else are sometimes called “script kiddies”.

Phone Rootkit

• The OS of a mobile phone is rather simple, although smartphones with their rich functionality demand a more complex operating system.
• Complexity of the OS led to more opportunities for attack and, ultimately, a rootkit.
• Rootkits can exist on any OS.
• A rootkit that could turn on a phone’s microphone without the owner’s knowing it happened. In such a case, the attacker would send an invisible text message to the infected phone, telling it to place a call and turn on the microphone.

Phone Rootkit

• A rootkit that responds to a text query by relaying the phone’s location as furnished by its GPS receiver. This would enable an attacker to track the owner’s whereabouts.
• A rootkit that could turn on power-hungry capabilities—Bluetooth radio and GPS receiver—to quickly drain the battery.
• The worst part of these three attacks is that they are effectively undetectable: The cell phone’s interface seems no different to the user who is unaware of danger.
• The rootkit can thus perform actions normally reserved for the OS but does so without the user’s knowledge.

Attacker Perspective

• Attack should be difficult to detect so your victim cannot find and try to eradicate your code.
• Two conditions can help you remain undiscovered:
  o Your code executing before other programs that might block your execution.
  o You're not being detected as a file or process.
• If your code is introduced early enough, it can override other normal system functions that would detect its presence.

Rootkit Evades Detection

• Malicious code consists of executable files. To be able to execute, malicious code must locate and invoke its pieces.
• An attack might involve the file mal_code.exe stored in some directory. A file explorer program on that directory may list the file mal_code.exe and you might recognize and eradicate the file.
• Antivirus tools do not contain code to query the disk, determine the disk format, identify files and where they are stored, find the file names and properties from an index table, or structure the results for use and display.
• These tools call built-in functions through an application programming interface (API) to get this information.

Rootkit Evades Detection

• e.g., the Windows API functions FindFirstFile() and FindNextFile() return the file name of the first or next file that matches certain criteria. The criteria may be null, implying to select all files.
• These functions in turn call NT Kernel “native mode” system functions, such as NTQueryDirectoryObject. At the end of this call chain is a simple function call: Load a number into a register to represent the specific system function to perform, and execute a call instruction to the operating system kernel. The operating system returns descriptive information, and the higher-level functions format and present that information.

Rootkit Evades Detection

• The utility to present a file listing uses primitives such as FindNextFile() and NTQueryDirectoryObject.
• To remain invisible, the rootkit intercepts these calls so that if the result from FindNextFile() points to mal_code.exe, the rootkit skips that file and executes FindNextFile() again to find the next file after mal_code.exe.
• The higher-level utility to produce the listing keeps the running total of file sizes for the files of which it receives information, so the total in the listing correctly reports all files except mal_code.exe.

Rootkit Evades Detection

• If the attacker intercepts and modifies either the input going into the API or the output coming from the API, the effect is to make the file mal_code.exe invisible to higher-level callers.
• Thus, if an antivirus tool is scanning by obtaining a list of files and inspecting each one, the tool will miss the malicious file.

[Figure: Rootkit Filtering File Description Result]
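
A defender's check for the filtering just described, as an added Python example that is not part of the original notes: compare the listing returned through the API with an enumeration taken directly from the on-disk directory structures and report what differs. Both listings below are constructed sample data, and obtaining the raw view (for example from an offline parse of the volume) is assumed and not implemented here.

```python
from typing import Dict, Iterable, List, Tuple

Entry = Tuple[str, int]  # (file name, size in bytes)

# Constructed sample data. RAW_VIEW stands for entries read directly from the
# directory structures on disk; API_VIEW stands for what the (possibly
# intercepted) file enumeration API returned for the same directory.
RAW_VIEW: List[Entry] = [
    ("notes.txt", 1200),
    ("Report.docx", 48213),
    ("mal_code.exe", 73728),
]
API_VIEW: List[Entry] = [
    ("notes.txt", 1200),
    ("REPORT.DOCX", 48213),
]


def _index(entries: Iterable[Entry]) -> Dict[str, Entry]:
    # Windows file names are case-insensitive, so key on the case-folded name
    # to avoid reporting "Report.docx" vs "REPORT.DOCX" as a discrepancy.
    return {name.casefold(): (name, size) for name, size in entries}


def cross_view_diff(api_entries: Iterable[Entry],
                    raw_entries: Iterable[Entry]) -> dict:
    """Report every disagreement between the API view and the raw view."""
    api, raw = _index(api_entries), _index(raw_entries)
    hidden = sorted(raw[k][0] for k in raw.keys() - api.keys())
    phantom = sorted(api[k][0] for k in api.keys() - raw.keys())
    resized = sorted(raw[k][0] for k in raw.keys() & api.keys()
                     if raw[k][1] != api[k][1])
    return {
        "hidden": hidden,            # on disk, but filtered out of the API result
        "phantom": phantom,          # reported by the API, absent on disk
        "size_mismatch": resized,    # same name, different reported size
        # The listing's running total only covers what the API returned,
        # so the two totals differ by exactly the hidden bytes.
        "api_total": sum(size for _, size in api.values()),
        "raw_total": sum(size for _, size in raw.values()),
    }


def is_suspicious(report: dict) -> bool:
    """Any disagreement between the two views deserves investigation."""
    return bool(report["hidden"] or report["phantom"] or report["size_mismatch"])


if __name__ == "__main__":
    result = cross_view_diff(API_VIEW, RAW_VIEW)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("suspicious:", is_suspicious(result))
```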

[Figure: Rootkit Intercepts and Modifies Basic Operating System Functions]

Rootkit Operates Unchecked

• One objective of malicious code authors is to escalate privilege, that is, to run with the greater privileges of an administrator or more powerful user.
• The ultimate privilege level is the OS, so to replace some or all OS functions amounts to achieving the highest power.
• Rootkits can be difficult to detect and eradicate, or even to count.
• Rootkits can also interfere with computer maintenance because their functionality can become intertwined with other OS functions being modified.

Rootkit Operates Unchecked

• Rootkits interfere with normal system functions to remain hidden.
• A common rootkit trick is to intercept file directory enumeration functions to conceal the rootkit’s presence.
• Suppose you suspect code is interfering with your file display program, write a program that displays files, examines the disk and file system directly to enumerate files, and compares these two results.
• RootkitRevealer is such a program for Windows.
  o This program will search for user-mode or kernel-mode rootkits and list any API discrepancies that are found.

Other Rootkits

• Not every rootkit is malicious.
• Suppose you are a manager of a company that handles very sensitive information (intellectual property, or the medical records of some high-profile patients).
  o Your employees need this information internally for ordinary business functions, but there is almost no reason such information should ever leave your company.
  o Because the value of this information is so high, you want to be sure nothing sensitive is included in email sent by your employees or by a malicious process acting under the name of an employee.

Other Rootkits

• Several products like eBlaster and Spector are rootkits that parents can install on children’s computers to monitor the nature of email, messaging, and web searches.
  o As rootkits, these products are invisible to the children and, even if detected, the products are difficult to disable or remove.
  o Managers worried about illicit or unintentional exfiltration of sensitive information could use similar products.

Other Rootkits

• Law enforcement authorities also install rootkits on machines of suspects so that agents can trace and even control what users of the affected machines do, but the suspects remain oblivious.
• In fact, security tools, such as antivirus software and intrusion detection and prevention systems, sometimes operate in a stealthy and hard-to-disable manner, just like rootkits.
• The two vulnerabilities that contribute to installation of rootkits are that the operating system is complex and not transparent.

CHAPTER
FIREWALLS

• Firewalls in buildings are walls intended to inhibit the spread of fire from one part of a building to another.
• Built of materials that withstand fires of a particular intensity or duration.
• As computer security devices, network firewalls are similar, protecting one subnet from harm from another subnet.
• The primary use of a firewall is to protect an internal subnetwork from the many threats.
• Firewalls can also be used to separate segments of an internal network, for example, to preserve high confidentiality of a sensitive research network within a larger organization.

WHAT IS A FIREWALL?

• A firewall is a device that filters all traffic between a protected or “inside” network and a less trustworthy or “outside” network.
• Usually a firewall runs on a dedicated device.
• In practice, a firewall is a computer with memory, storage devices, interface cards for network access, and other devices.
• It runs an operating system and executes application programs.

WHAT IS A FIREWALL?

• Because a firewall is executable code, an attacker could compromise that code and execute from the firewall’s device.
• A firewall system typically does not have compilers, linkers, loaders, general text editors, debuggers, programming libraries, or other tools an attacker might use to extend an attack from the firewall computer.
• Firewalls implement a security policy that is specifically designed to address what bad things might happen.
  o e.g., the policy might be to prevent any access from outside (while still allowing traffic to pass from the inside to the outside).
  o Or, the policy might permit accesses only from certain places, from certain users, or for certain activities.
• Firewalls enforce predetermined rules governing what traffic can flow.

DESIGN OF FIREWALLS

• Firewalls are simple devices that rigorously and effectively control the flow of data to and from a network.
• Two qualities lead to that effectiveness:
  o A well-understood traffic flow policy.
  o A trustworthy design and implementation.

POLICY

• A firewall implements a security policy, i.e., a set of rules that determine what traffic can or cannot pass through the firewall.
• Network administrator should determine what traffic to allow into a particular network.
• An example of a simple firewall configuration is shown in Table. The table is processed from the top down, and the first matching rule determines the firewall’s action.

[Table: Sample Firewall Configuration]

• The * matches any value in that field. This policy says any inbound traffic to port 25 (mail transfer) or port 69 (so-called trivial file transfer) is allowed to or from any host on the 192.168.1 subnetwork.
• By rule 3 any inside host is allowed outbound traffic anywhere on port 80 (web page fetches). Furthermore, by rule 4 outside traffic to the internal host at destination address 192.168.1.18 (e.g., a web server) is allowed.
• All other traffic to the 192.168.1 network is denied.

TRUST

• A firewall is an example of a reference monitor.
• A reference monitor has three characteristics:
  o Always invoked.
  o Tamperproof.
  o Small and simple enough for rigorous analysis.
• By carefully positioning a firewall in a network’s architecture, we can ensure that all network accesses that we want to control must pass through the firewall.

TRUST

• Tamperproof:
  o A firewall is typically well isolated, making it highly immune to modification (a separate computer).
  o Firewall platform runs OS with minimal services that could allow compromise of the OS or the firewall application.
  o e.g., the firewall generates a log of traffic denied, but it may not have installed tools to view and edit that log; modifications, if necessary, can be done on a different machine in a protected environment.
• Finally, firewall designers strongly recommend keeping the functionality of the firewall simple.
• A firewall is a reference monitor, positioned to monitor all traffic, not accessible to outside attacks, and implementing only access control.

Types of Firewalls

• Firewalls have a wide range of capabilities.
• Different types of firewalls implement different types of policies; for example, simple firewalls called screening routers judge based only on header data: addresses.
• More complex firewalls investigate the content being communicated to make access decisions.
• When choosing a type of firewall, decide on what threats an installation needs to counter.

OSI Reference Model

• OSI Reference Model:
  o In this model, data are generated at the top layer (7—Application) by some application program. Then the data pass through the other six layers; at each layer the data are reformatted, packaged, and addressed.
  o Transport layer: Performs error checking and correction to ensure a reliable data flow.
  o Network layer: Addressing to determine how to route data.
  o Data link layer: Divides data into manageable blocks for efficient transfer.
  o Physical layer: Deals with the electrical or other technology by which signals are transmitted across some physical medium.
  o At the destination, the data enter at the bottom of a similar stack and travel up through the layers, where addressing details are removed and items are again repackaged and reformatted.
  o Finally, they are delivered to an application on the destination side.
  o Each layer plays a well-defined role in the communication.

Firewall

• Different firewall types correspond to different threats.
• Port scan:
  o The scanner sends a probe first to port 1, then to ports 2, 3, 4, and so forth. These ports represent services, some of which you need to keep alive so that external clients can access them. But no normal external client needs to try to connect to all your ports.
  o So detect and block probes from any source that seems to be trying to investigate your network.
  o Receiving several connection attempts to unusual ports from the same source might be something to stop.
  o Firewall would need to record and correlate individual connection probes.

Types of Firewalls

• Packet filtering gateways or screening routers
• Stateful inspection firewalls
• Application-level gateways, also known as proxies
• Circuit-level gateways
• Guards
• Personal firewalls

1. Packet Filtering Gateways (Screening Router)

• Simplest, and sometimes the most effective type of firewall.
• Controls access based on packet address (source or destination) or specific transport protocol (such as HTTP web traffic).
• e.g., if the port scan originated from address 100.200.3.4, you might configure the packet filtering gateway firewall to discard all packets from that address.

Packet Filtering Gateways (Screening Router)

• The filter in figure allows HTTP traffic but blocks traffic by using the Telnet protocol.
• Packet filters operate at OSI level 3.

Packet Filtering Gateways

• Packet filters do not “see inside” a packet.
• Packet filters can perform the important service of ensuring the validity of inside addresses.
• Source addresses in packets can be forged.
• A packet filter sits between the inside network and the outside net, so it can determine if a packet from the outside is forging an inside address.

Packet Filtering Gateways

• Simple, efficient, and fast.
• But for sophisticated filtering, the rules set needs to be very detailed. A detailed rules set will be complex and therefore prone to error.
  o e.g., blocking all port 23 traffic (Telnet) is simple and straightforward. But if some Telnet traffic is to be allowed, each IP address from which it is allowed must be specified in the rules.
• Best if a lower level of security is acceptable.
• Good for budget-constrained, smaller organizations to provide a basic level of protection against known threats.
• In larger networks, packet filtering firewalls can be integral components of a multilayered defense strategy, e.g., between internal departments.
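
The first-match evaluation described under POLICY, together with the inside-address check and the 100.200.3.4 discard rule from the packet filtering slides, as an added Python example that is not part of the original notes. The rule table is reconstructed from the prose because the table itself did not survive; the protocol column, the interface labels, the 203.0.113.5 and 93.184.216.34 sample addresses and the final default deny are assumptions.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")  # the 192.168.1 subnetwork


class Packet(NamedTuple):
    iface: str   # interface the packet arrived on: "inside" or "outside" (assumed labels)
    proto: str   # "TCP" or "UDP"
    src: str
    dst: str
    dport: int


class Rule(NamedTuple):
    name: str
    proto: str   # "TCP", "UDP" or "*"
    src: str     # single address, CIDR block or "*"
    dst: str
    dport: str   # port number as text, or "*"
    action: str  # "permit" or "deny"


# Reconstructed from the prose of the notes; the protocol column is an assumption.
POLICY: List[Rule] = [
    Rule("rule 1", "TCP", "*", "192.168.1.0/24", "25", "permit"),   # mail transfer
    Rule("rule 2", "UDP", "*", "192.168.1.0/24", "69", "permit"),   # trivial file transfer
    Rule("rule 3", "TCP", "192.168.1.0/24", "*", "80", "permit"),   # inside hosts fetch web pages
    Rule("rule 4", "TCP", "*", "192.168.1.18", "80", "permit"),     # the internal web server
    Rule("rule 5", "*", "*", "192.168.1.0/24", "*", "deny"),        # all other traffic to the subnet
]

# Discard rule for the scanning source named in the notes.
BLOCK_SCANNER = Rule("block-scanner", "*", "100.200.3.4", "*", "*", "deny")


def _addr_matches(pattern: str, addr: str) -> bool:
    if pattern == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)


def _rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("*", pkt.proto)
            and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and rule.dport in ("*", str(pkt.dport)))


def filter_packet(rules: List[Rule], pkt: Packet,
                  anti_spoof: bool = True) -> Tuple[str, str]:
    """Return (action, name of the deciding rule) for one packet."""
    # The filter sits between the two networks, so a packet arriving from the
    # outside that claims an inside source address must be forged.
    if (anti_spoof and pkt.iface == "outside"
            and ipaddress.ip_address(pkt.src) in INSIDE_NET):
        return ("deny", "anti-spoof")
    # Top-down processing: the first matching rule decides.
    for rule in rules:
        if _rule_matches(rule, pkt):
            return (rule.action, rule.name)
    return ("deny", "default")  # assumption: anything unmatched is dropped


if __name__ == "__main__":
    # Constructed sample packets.
    samples = [
        Packet("outside", "TCP", "203.0.113.5", "192.168.1.7", 25),
        Packet("outside", "TCP", "203.0.113.5", "192.168.1.7", 80),
        Packet("outside", "TCP", "192.168.1.50", "192.168.1.7", 25),
        Packet("outside", "TCP", "100.200.3.4", "192.168.1.7", 25),
    ]
    for pkt in samples:
        print(pkt, "->", filter_packet([BLOCK_SCANNER] + POLICY, pkt))
```

Because evaluation stops at the first match, the discard rule only takes effect when it is placed above rule 1; appended at the bottom, mail-port traffic from the same source would still be permitted.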

Packet Filtering Gateways

• Advantages:
  o Quite fast and nearly transparent to users.
  o Affordable versus more advanced firewalls.
• Disadvantages:
  o Limited in their ability to provide network protection.
  o Easy to bypass if the firewall is not kept up-to-date.
  o Easy to trick by hackers who manipulate headers to get around pre-established rules.

2. Circuit-Level Gateway

• A circuit is a logical connection that is maintained for a time, then disconnected.
• A circuit-level gateway is a firewall that allows one network to be an extension of another.
• It functions as a virtual gateway between two networks.
• The firewall verifies the circuit when it is first created. After the circuit has been verified, subsequent data transferred over the circuit are not checked.
• Circuit-level gateways can limit which connections can be made through the gateway.

Circuit-Level Gateway

• A circuit-level gateway connects two separate subnetworks as if they were one contiguous unit.

Circuit-Level Gateway

• Can be used to implement a virtual private network.
  o Suppose a company has two offices, each with its own network, at addresses 100.1.1.x and 200.1.1.x.
  o To ensure that communication between these two address spaces is private, the network administrator installs a pair of encryption devices.
  o The circuit-level gateway separates all traffic to and from the 100 and 200 networks.
  o The circuit gateway on the 100 network routes all traffic to the 200 network through an encryption device.
  o When traffic returns, the firewall on the 100 subnetwork routes all traffic from the 200 network through the encryption unit (for decryption) and back to the 100 gateway.

Circuit-Level Gateway

• Advantages:
  o Easy to set up and manage.
  o Easy to block most traffic as only requested transactions are processed.
  o Lower in cost and do not impact system performance.
• Disadvantages:
  o Offer no protection against data leakage from devices within the firewall.
  o Cannot monitor the application layer and require ongoing updates.
  o If these firewalls are neglected, they can go out of date and be easily bypassed by bad actors.

3. Stateful Inspection Firewall

• Filtering firewalls have no concept of “state” or “context” from one packet to the next.
• A stateful inspection firewall maintains state information from one packet to another in the input stream.
• Works according to information from multiple packets.
• Can track whether or not the packet is part of an established TCP or other network protocol session.
• Popular network security tool for most larger enterprises.
• Frequently used to defend network devices against specific attacks like distributed denial of service (DDoS) attacks.

Stateful Inspection Firewall

• Consider a probe against port 1: It might be a legitimate attempt to connect to the service of port 1 OR a mistake, OR the start of a port scan attack.
• The firewall records the address 100.200.3.4 that sent a connection packet to port 1 at 01:37:26.
• When the probe against port 2 arrives, the firewall may record the second connection from 100.200.3.4 at 01:37:29.
• After two more connections at 01:37:34 and 01:37:36, the next connection at 01:37:39 meets the firewall’s rule for number of different ports in a short time, so it activates the rule to block connections from 100.200.3.4.
• The firewall progresses through several states from different packets until the count exceeds the threshold for acceptable behavior.

Stateful Inspection Firewall

• Advantages:
  o Monitor the entire session for the state of connections, while checking IP addresses and payloads.
  o Higher degree of control over the content that is allowed in or out of the network.
  o Detailed logs generated by stateful inspection firewalls.
• Disadvantages:
  o Require a great deal of resources, hence less speed of network communications.
  o More expensive over less advanced firewall technology.
  o Cannot provide authentication capabilities, leaving networks vulnerable to potentially spoofed traffic sources.
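
The probe timeline above (100.200.3.4 from 01:37:26 to 01:37:39) replayed through a small per-source state tracker, as an added Python example that is not part of the original notes. The threshold of five distinct ports within 15 seconds, the port numbers of the third to fifth probes and the 198.51.100.7 mail client are assumptions; the notes only say "number of different ports in a short time".

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple


class ScanTracker:
    """Correlates connection attempts per source across packets."""

    def __init__(self, max_ports: int = 5,
                 window: timedelta = timedelta(seconds=15)) -> None:
        self.max_ports = max_ports      # assumed threshold
        self.window = window            # assumed "short time"
        self.recent: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
        self.blocked: Dict[str, datetime] = {}  # source -> time the block began

    def observe(self, when: datetime, src: str, dport: int) -> str:
        """Record one connection attempt and return "allow" or "block"."""
        if src in self.blocked:
            return "block"
        seen = self.recent[src]
        seen.append((when, dport))
        # Forget attempts that fell out of the window so state stays bounded.
        while seen and when - seen[0][0] > self.window:
            seen.popleft()
        # Count distinct ports: retries to one service are normal client
        # behaviour, touching many different ports is not.
        if len({port for _, port in seen}) >= self.max_ports:
            self.blocked[src] = when
            del self.recent[src]
            return "block"
        return "allow"


def _t(clock: str) -> datetime:
    return datetime.strptime(clock, "%H:%M:%S")


# Constructed event log: (time, source, destination port), in arrival order.
EVENTS: List[Tuple[str, str, int]] = [
    ("01:37:26", "100.200.3.4", 1),
    ("01:37:27", "198.51.100.7", 25),
    ("01:37:29", "100.200.3.4", 2),
    ("01:37:30", "198.51.100.7", 25),
    ("01:37:33", "198.51.100.7", 25),
    ("01:37:34", "100.200.3.4", 3),
    ("01:37:36", "100.200.3.4", 4),
    ("01:37:36", "198.51.100.7", 25),
    ("01:37:39", "100.200.3.4", 5),
    ("01:37:39", "198.51.100.7", 25),
    ("01:37:42", "198.51.100.7", 25),
    ("01:38:10", "100.200.3.4", 80),
]


def replay(events: List[Tuple[str, str, int]]) -> Dict[str, List[str]]:
    """Feed the events to a fresh tracker; return the decisions per source."""
    tracker = ScanTracker()
    decisions: Dict[str, List[str]] = defaultdict(list)
    for clock, src, dport in events:
        decisions[src].append(tracker.observe(_t(clock), src, dport))
    return dict(decisions)


if __name__ == "__main__":
    for source, verdicts in replay(EVENTS).items():
        print(source, verdicts)
```

A stateless packet filter would judge each of these twelve packets on its own; only the remembered history lets the fifth probe trigger the block.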

4. Application Proxy
Stateful Inspection Firewall
• Also called as bastion host.
• Attackers try to break an attack into
• Applications are complex and
multiple packets by forcing some
sometimes contain errors.
packets to have very short lengths
so that a firewall cannot detect the • A flawed application, running with
characteristic of an attack split all-users privileges, can cause
across two or more packets. much damage. e.g., email delivery
agent to store incoming mail
• A stateful inspection firewall would
messages so that inside users can
track the sequence of packets and
read them.
conditions from one packet to
another to thwart such an attack. • Use: To protect organizations from
web application threats. These
firewalls can block access to
Stateful Inspection Blocking Multiple harmful sites and can prevent
Probes sensitive information from being
leaked from within a firewall.

Application Proxy

• An application proxy simulates the


behavior of a protected application
on the inside network, allowing in
only safe data.
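The probe-blocking behaviour described under Stateful Inspection Blocking Multiple Probes, as an added Python example that is not part of the original notes. Only 100.200.3.4 and the four timestamps from 01:37:29 onward come from the text; the threshold of five distinct ports, the 15-second window, the first connection's time, every port number and the host 192.0.2.10 are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values: the notes only say "number of different ports in a
# short time", so the threshold and the window are constructed.
MAX_DISTINCT_PORTS = 5
WINDOW = timedelta(seconds=15)


class ProbeTracker:
    """State a stateful firewall keeps per source to spot one host probing many ports."""

    def __init__(self, max_ports=MAX_DISTINCT_PORTS, window=WINDOW):
        self.max_ports = max_ports
        self.window = window
        self.recent = defaultdict(deque)  # source IP -> (time, destination port)
        self.blocked = set()              # sources the block rule has fired for

    def observe(self, when, src, dst_port):
        """Record one connection attempt and return the decision for it."""
        if src in self.blocked:
            return "BLOCK"
        seen = self.recent[src]
        seen.append((when, dst_port))
        # Forget attempts that have aged out of the window. The entry just
        # appended has age zero, so the deque never becomes empty here.
        while when - seen[0][0] > self.window:
            seen.popleft()
        # The rule counts distinct ports, not packets: repeated connections to
        # one service do not move the source toward the threshold.
        if len({port for _, port in seen}) >= self.max_ports:
            self.blocked.add(src)
            del self.recent[src]
            return "BLOCK"
        return "ALLOW"


def t(hms):
    """Parse an HH:MM:SS timestamp as used in the notes."""
    return datetime.strptime(hms, "%H:%M:%S")


# Constructed traffic. 100.200.3.4 follows the timeline in the notes (second
# connection at 01:37:29, then 01:37:34, 01:37:36 and 01:37:39); the time of
# its first connection and all ports are made up. 192.0.2.10 is a constructed
# ordinary client that keeps talking to a single port.
EVENTS = [
    ("01:37:26", "100.200.3.4", 21),
    ("01:37:27", "192.0.2.10", 443),
    ("01:37:29", "100.200.3.4", 22),
    ("01:37:30", "192.0.2.10", 443),
    ("01:37:34", "100.200.3.4", 23),
    ("01:37:35", "192.0.2.10", 443),
    ("01:37:36", "100.200.3.4", 25),
    ("01:37:38", "192.0.2.10", 443),
    ("01:37:39", "100.200.3.4", 80),   # fifth distinct port: rule fires
    ("01:37:40", "192.0.2.10", 443),
    ("01:37:41", "100.200.3.4", 443),  # source is already blocked
]


def replay(events, tracker=None):
    """Feed events through a tracker; return (time, source, port, decision) rows."""
    tracker = tracker or ProbeTracker()
    return [(hms, src, port, tracker.observe(t(hms), src, port))
            for hms, src, port in events]


if __name__ == "__main__":
    for row in replay(EVENTS):
        print(*row)
```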
• An application proxy runs pseudoapplications.
  o e.g., when email is transferred to a location, a sending process at one site and a receiving process at the destination communicate by a protocol that establishes the legitimacy of a mail transfer and then actually passes the mail message.
• A proxy gateway intrudes in the middle of this exchange, seeming like a destination for the sender that is outside the firewall, and seeming like the sender for the real recipient on the inside.
• The proxy can screen the mail transfer, ensuring that only acceptable email protocol commands and content are sent in either direction.

Application Proxy

• A company wants to set up an online price list so that outsiders can see the products and prices offered. It wants to be sure that:
  o (a) No outsider can change the prices or product list.
  o (b) Outsiders can access only the price list, not other sensitive files stored inside.
• The proxy would monitor the FTP data to ensure that only the price list file was accessed and in read-only mode.
• A school wants to allow its students to retrieve any information from World Wide Web resources on the Internet. The school wants to know what sites have been visited and what files from those sites have been fetched; particularly popular files will be cached locally.
  o The school’s requirement could be met by a logging procedure as part of the web browser.

Application Proxy

• The firewall serves as a user’s proxy to access the database on behalf of the outside user but limits the information returned from the query.
• The web page server, also known as a bastion host, is on its own LAN, isolated from the main internal LAN by a second firewall.

Application Proxy

Advantages
• Deeper level of network protection over simpler packet filtering firewalls.
• Check not just IP addresses, port, and TCP header information, but the actual content, before allowing traffic to pass through the proxy.
• Can be fine-tuned to, e.g., allow users to access a given website, but only specific pages.
• Provides a level of user anonymity.

Disadvantages
• Resource-intense, putting network performance at risk.
• More expensive.
• Do not work with all network protocols.

Proxy Firewall Functions
• A government agency wants to respond to queries through a database management system. However, the agency wants to screen results so that no names or identification are returned in results—only counts in categories.
  o The agency’s need could be satisfied by a special-purpose proxy that interacted with the database management system, performing queries but filtering the output.
• A company with multiple offices wants to encrypt the data portion of all email to addresses at its other offices. (A corresponding proxy at the remote end will remove the encryption.)
  o A firewall application could encrypt and decrypt specific email messages for the last situation.

5. Guard

• A guard is a sophisticated firewall.
• Like a proxy firewall, it receives protocol data units, interprets them, and emits the same or different protocol data units that achieve either the same result or a modified result.
• Guard activities can be quite detailed, as in the following examples:
  o A library wants to make available certain documents but, to support fair use of copyrighted matter, it will allow a user to retrieve only the first so many characters of a document. After that amount, the library will require the user to pay a fee that will be forwarded to the author.
  o A company is developing a new product based on petroleum and helium gas, code-named “light oil.” In any outbound data flows, as file transfers, email, web pages, or other data stream, it will replace the words “petroleum,” “helium,” or “light oil” with “magic.” A firewall is thought of primarily as an inbound filter: letting in only appropriate traffic (that which conforms to the firewall’s security policy). This example shows that a firewall or guard can just as easily screen outbound traffic.

Guard

• A company wants to allow its employees to fetch files by FTP. However, to prevent introduction of viruses, it will first pass all incoming files through a virus scanner. Even though many of these files will be nonexecutable text or graphics, the company administrator thinks that the expense of scanning them (which file shall pass) will be negligible.
• The guard determines what services to perform on the user’s behalf in accordance with its available information, such as whatever it can reliably ascertain of the (outside) user’s identity, previous interactions, etc.
• The degree of control a guard can provide is limited only by what is computable.
• That is, we can add functionality to a proxy firewall until it starts to look a lot like a guard.

Guard

• Guard activities can be quite detailed:
  o A university wants to allow its students to use email up to a limit of so many messages or so many characters of email in the last so many days. Although this result could be achieved by modifying email handlers, it is more easily done by monitoring the common point through which all email flows, the mail transfer protocol.
  o A school wants its students to be able to access the World Wide Web but, because of the capacity of its connection to the web, it will allow only so many bytes per second (that is, allowing text mode and simple graphics but disallowing complex graphics, video, music, or the like).

Guard

• A guard can implement any programmable set of conditions, even if the program conditions become highly sophisticated.
• Each of these scenarios can be implemented as a modified proxy. Because the proxy decision is based on some quality of the communication data, we call the proxy a guard.
• Since the security policy implemented by the guard is somewhat more complex than the action of a proxy, the guard’s code is also more complex and therefore more exposed to error.

6. Personal Firewalls

• Firewalls typically protect a (sub)network of multiple hosts.
• University students and employees in offices are behind a real firewall.
• A personal firewall is an application program that runs on the workstation it protects.
• Increasingly, home users, individual workers, and small businesses use cable modems or DSL connections with unlimited, always-on access. These people need a firewall, but a separate firewall computer to protect a single workstation can seem too complex and expensive. These people need a firewall’s capabilities at a lower price.
• A personal firewall can complement the work of a conventional firewall by screening the kind of data a single host will accept, or it can compensate for the lack of a regular firewall, as in a private DSL or cable modem connection.

Personal Firewalls
• It can only work in conjunction with support from the operating system.
• Screens traffic on a single workstation.
• A workstation could be vulnerable to malicious code or malicious active agents (ActiveX controls or Java applets), leakage of personal data stored on the workstation, and vulnerability scans to identify potential weaknesses.
• Commercial implementations of personal firewalls include SaaS Endpoint Protection from McAfee, F-Secure Internet Security, Microsoft Windows Firewall, and Zone Alarm from CheckPoint.

Personal Firewalls

• The personal firewall is configured to enforce some policy.
• For example, the user may decide that certain sites, such as computers on the company network, are highly trustworthy, but most other sites are not. Vendors sometimes supply and maintain lists of unsafe sites to which their products block access by default.
• The user defines a policy permitting download of code, unrestricted data sharing, and management access from the corporate segment but not from other sites.
• Personal firewalls can also generate logs of accesses, which can be useful to examine in case something harmful does slip through the firewall.
• Combining a malware scanner with a personal firewall is both effective and efficient. Typically, users forget to run scanners regularly, but they do remember to run them occasionally, such as sometime during the week.

Comparison of Firewall Types

• Firewall types are arranged generally from least sophisticated on the left to more so on the right, with the exception of personal firewalls, which are more like an enterprise packet filter.
• Do not, however, interpret least sophisticated as meaning weakest or least desirable; in fact, packet filtering firewalls are the work horses of enterprise networks, quickly and efficiently blocking much undesirable traffic.

Example Firewall Configurations

• A screening router positioned between the internal LAN and the outside network connection. In many cases, this installation is adequate when we need to screen only the address of a router.
Example Firewall Configurations

• If the firewall router is successfully attacked, all traffic on the LAN to which the firewall is connected is visible.
• To reduce this exposure, a firewall is often installed on its own LAN.
• The firewall’s LAN feeds traffic to a router for a separate protected LAN of users’ machines.
• In this configuration, the only traffic visible to the outside is on the firewall’s LAN, whose data either came from the outside or are destined to go outside.

Example Firewall Configurations

• Externally accessible services (web pages, email, and file transfer) are on servers in the demilitarized zone or DMZ.
• Outside users can access tools and data in a firewall’s demilitarized zone but cannot get to more sensitive resources on the more protected inside network.
Example Firewall Configurations

• Proxying:
  o The proxy host–firewall communicates with both internal systems and the outside because it looks like an internal host to the outside.
  o e.g., a proxy application for web page servers: A company has an internal web structure, with pages describing products, customers, and perhaps internal contact information.
  o The company maintains a protected database of products, including stock on hand, but the company does not want to release exactly how many units of a product are on hand.
  o Thus, each time the system is ready to display a product’s page, the firewall queries the database and, according to the result obtained, adds a line saying “available now,” “a few left,” or “out of stock.”
• The firewall serves as a user’s proxy to access the database on behalf of the outside user but limits the information returned from the query.
• The web page server, also known as a bastion host, is on its own LAN, isolated from the main internal LAN by a second firewall.

Example Firewall Configurations

• Externally accessible services (web pages, email, and file transfer) are on servers in the demilitarized zone or DMZ.
• Outside users can access tools and data in a firewall’s demilitarized zone but cannot get to more sensitive resources on the more protected inside network.

What Firewalls Can and Cannot Block?

• Firewalls are not complete solutions to all computer security problems.
• A firewall protects only the perimeter of its environment against attacks from outsiders who want to execute code or access data on the machines in the protected environment.
• Firewalls can protect an environment only if the firewalls control the entire perimeter, i.e., only if no unmediated connections breach the perimeter.
• If even one inside host connects to an outside address, by a wireless connection for example, the entire
• Every packet between two hosts has
the source address and port and the
destination address and port.
What Firewalls Can and Cannot Block?
o e.g., internal host
• Firewalls are the most attractive
192.168.1.35 port 80 is
target for attack. So, have several
sending a packet to external
different layers of protection
host 65.216.161.24 port 80.
(defense in depth).
• Using network address translation
• Firewalls must be correctly
(NAT), the source firewall converts
configured, updated as the internal
source address 192.168.1.35:80 in
and external environment changes,
the packet to the firewall’s own
and activity reports must be
address, 173.203.129.90.
reviewed.
• The firewall also enters the
• While a firewall is designed to
destination address, the source
withstand attack, it is not
port, and the original source
impenetrable. So, keep a firewall
address in translation table to
small and simple.
forward any replies to the original
• Firewalls have only minor control source address.
over the content admitted to the
• Firewall converts the address back
inside, meaning that inaccurate
on any return packets.
data or malicious code must be
controlled by other means inside
the perimeter.

Network Address Translation (NAT)

• Firewalls protect internal hosts


against unacceptable inbound or
outbound data flows.

• However, sometimes an outsider


can gain valuable information just
by learning the architecture,
connectivity, or even size of the
internal network.

• When an internal host presents its


IP address to an outsider (necessary
if the outsider is expected to reply),
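A minimal translation table for the NAT behaviour described in this section, as an added Python example rather than code from the notes. It goes one step further than the single-host case by giving every outbound flow its own external port and by dropping inbound packets that match no table entry; the starting port 40000 and the outside host 203.0.113.9 are constructed assumptions.

```python
class NatFirewall:
    """Source NAT: inside hosts share one public address; replies are mapped back."""

    def __init__(self, public_ip, first_port=40000):   # first_port is an assumption
        self.public_ip = public_ip
        self.next_port = first_port
        # Two views of the same translation table:
        self.by_flow = {}  # (inside ip, inside port, remote ip, remote port) -> external port
        self.by_ext = {}   # (external port, remote ip, remote port) -> (inside ip, inside port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outgoing packet's source and remember how to undo it."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        ext_port = self.by_flow.get(flow)
        if ext_port is None:
            # A fresh external port per flow keeps two inside hosts apart even
            # when both use the same source port toward the same destination.
            ext_port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = ext_port
            self.by_ext[(ext_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, ext_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a reply back to the inside host, or return None to drop it."""
        if dst_ip != self.public_ip:
            return None
        inside = self.by_ext.get((dst_port, src_ip, src_port))
        if inside is None:
            return None   # nothing inside asked for this traffic
        return (src_ip, src_port, inside[0], inside[1])

    def expire(self, src_ip, src_port, dst_ip, dst_port):
        """Remove a finished flow; later packets for it no longer translate."""
        ext_port = self.by_flow.pop((src_ip, src_port, dst_ip, dst_port), None)
        if ext_port is not None:
            del self.by_ext[(ext_port, dst_ip, dst_port)]


def demo():
    """Run the addresses from the notes through the table and collect the results."""
    fw = NatFirewall("173.203.129.90")
    web = ("65.216.161.24", 80)
    first = fw.outbound("192.168.1.35", 80, *web)
    second = fw.outbound("192.168.1.57", 80, *web)
    return {
        "first_out": first,
        "second_out": second,
        "reply_to_first": fw.inbound(*web, first[0], first[1]),
        "reply_to_second": fw.inbound(*web, second[0], second[1]),
        # 203.0.113.9 is a constructed outside host that was never contacted.
        "unsolicited": fw.inbound("203.0.113.9", 80, first[0], first[1]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```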
Network Address Translation (NAT)

• NAT conceals real internal addresses; outsiders who do not know real addresses cannot access them directly.
• Complication: If two internal hosts contact the same destination address over the same port, e.g., if two internal hosts independently wanted to access the web page at www.google.com.
  o Here, internal host 192.168.1.35 might become 173.203.129.90 port 4236, and 192.168.1.57 might become 173.203.129.90 port 4966.
• The outside world sees only one external address, 173.203.129.90 for the whole secured internal network, so outsiders cannot infer the structure of the internal network.

Network Address Translation (NAT)

• If an outsider crafts traffic to the same address at a later time, the firewall will reject the traffic because the sender’s address is no longer in the translation table.
• NAT is primarily used because of limited public address numbers.
• But NAT performs a significant security role.

Data Loss Prevention (DLP)

• Data loss prevention (DLP) refers to a set of technologies designed to detect and possibly prevent attempts to send data where it is not allowed to go.
• Typical data of concern are classified documents, proprietary information, and private personal information (e.g., social security numbers, credit card numbers).
• DLP can be implemented in several ways:
  o OS rootkits that monitor user behavior, including network connections, file accesses, and applications run.
  o Network-based solutions monitor network connections, especially file transfers.
  o Other solutions may be application-specific, such as software agents for monitoring email.
• DLP solutions look for indicators:
  o Keywords: Words such as “secret,” “classified,” or “proprietary” are strong indicators of sensitive data.
    ▪ DLP solutions may also allow customers to search for keywords that have specific meaning for a particular business, such as a codename for a new product.
  o Traffic patterns: Suspicious traffic patterns like bulk file transfers, connections to outside email or file sharing services, emails to unknown recipients, and connections to unknown network services.
  o Encoding/encryption: DLP can be easily defeated by strong encryption, because no DLP solution can determine the sensitivity of a file it cannot read.
    ▪ So, DLP solutions block outgoing files that they cannot decode or decrypt.

Data Loss Prevention (DLP)

• A determined attacker can frequently find a way to transfer data into a system, although an effective DLP solution may slow the process down or alert security personnel in time to prevent it.
• DLP approaches can be integrated into a firewall, installed in an OS, or joined to another application program that manipulates sensitive data.
• Thus, DLP technologies are not restricted to the edge of a protected subnetwork.

Chapter-3

Intrusion Detection and Prevention Systems

• Most of the controls are preventive: They block known bad things from happening.
• Most computer security incidents are caused by insiders or people impersonating them, people who would not be blocked by a firewall.
• And insiders require access with significant privileges to do their daily jobs.
• Majority of harm from insiders is not malicious; it is honest people making honest mistakes.
• But there are the malicious outsiders who have somehow passed the screens of firewalls and access controls.

Intrusion Detection and Prevention Systems

• An intrusion detection system (IDS) is a device, typically another separate computer, that monitors activity to identify malicious or suspicious events.
• An IDS is a sensor, like a smoke detector, that raises an alarm if specific things occur.
• As with smoke alarms, detecting danger necessitates action.

Intrusion Detection and Prevention Systems

• Whether the response is calling the fire department, activating a sprinkler system, sounding an evacuation alarm, or alerting the
control team depends on what advance plans have been made to handle the incident.
• IDSs also have a response function.
• The response is usually to alert a team who will then decide what further action is warranted.
• Sometimes the IDS goes into protection mode to isolate a suspected intruder and restrict access. Such a system is called an Intrusion Protection System (IPS).

Model of an Intrusion Detection System

• Four basic elements of an IDS
• An IDS receives raw inputs from sensors. It saves those inputs, analyzes them, and takes some controlling action.

IDS Functions

• Monitoring users and system activity
• Auditing system configuration for vulnerabilities and misconfigurations
• Assessing the integrity of critical system and data files
• Recognizing known attack patterns in system activity
• Identifying abnormal activity through statistical analysis
• Managing audit trails and highlighting user violation of policy or normal activity
• Correcting system configuration errors
• Installing and operating traps to record information about intruders
• No one IDS performs all of these functions.

Types of IDSs

• A network-based IDS is a stand-alone device attached to the network to monitor traffic throughout that network.
• A host-based IDS runs on a single workstation or client or host, to protect that one host.

Host Based IDS

• Host-based intrusion detection (called HIDS) protects a single host against attack. It collects and analyzes data for that one host.
• The OS supplies some of that data to the IDS, passing along approved and denied requests to access sensitive resources, logs of applications run, times and dates of
actions and other security-relevant data.
• The device either analyzes data itself or forwards the data to a separate machine for analysis and perhaps correlation with HIDSs on other hosts.
• If an intruder disables that IDS, however, it can no longer protect its host. Being a process on the target computer also exposes the HIDS to the vulnerability of being detected.

Host Based IDS

• HIDS collects data from various sources on the host device, including:
  o System logs: These logs record events and activities within the operating system of the host device.
  o File access attempts: HIDS monitors attempts to access files on the host device, including successful and failed attempts.
  o Running processes: HIDS maintains a record of processes currently running on the host device.

Network based IDS

1. NIDS is a separate network appliance that monitors traffic on an entire network.
2. To protect the entire network or some set of specific sensitive resources, such as a collection of servers holding critical data.
3. It receives data from firewalls, OS of the connected computers, traffic volume monitors, load balancers, and administrator actions on the network.
4. The detection software can also monitor the content of packets communicated across the network, to detect unusual actions by one host against another.

Network based IDS

1. Dedicated hardware appliances: These are specialized devices solely designed to perform NIDS functions.
2. Software applications on network servers: Existing network servers can be leveraged to host NIDS software, enabling them to perform network traffic analysis alongside other server functionalities.

Network based IDS

1. NIDS can operate in stealth mode, i.e., it observes data but never sends data onto the network. Hence it can protect itself against detection or compromise better than a host-based one.
2. Its network interface card can even be restricted to receive data only, without revealing its connection to the network.
Signature Based Intrusion Detection

• Signature-based IDS perform simple pattern-matching and report situations that match a pattern (signature) corresponding to a known attack type.
• Signature-based IDSs are limited to known patterns
  o e.g. signature: a series of TCP SYN packets sent to many ports in succession like a port scan.
• An IDS might find nothing unusual in the first SYN (e.g., to port 80), and then another (from the same source address) (to port 25). But as more and more ports receive SYN packets, especially ports that normally receive little traffic, this pattern reflects a possible port scan.

Signature Based Intrusion Detection

1. An attacker will try to modify a basic attack such that it will not match the known signature. e.g., the attacker may simply convert lowercase to uppercase letters.
2. Such variations could be detected by an IDS, but more signatures require additional work for the IDS, thereby reducing performance.
3. Cannot detect a new attack for which no signature has yet been installed in the database.

Signature Based Intrusion Detection

• file hashes
• malicious domains
• known byte sequences
• or even the content of email subject headings

Suricata – IDS and IPS

• Suricata implements a complete signature language to match on known threats, policy violations and malicious behaviour.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP GET Request Containing Rule in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"rule"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;)
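The first two limitations listed above (a case change slipping past a signature, and extra signatures costing extra work) can be seen with a simplified matcher for the two content checks of the Suricata rule shown here. This is added example code, not Suricata's engine, and the requests are constructed; the `nocase` flag imitates Suricata's `nocase` content modifier, and the 1000-range sids are made up.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class HttpSignature:
    """The two content checks of the rule above: HTTP method and a URI substring."""
    sid: int
    method: str
    uri_content: str
    nocase: bool = False


def parse_request_line(raw):
    """Return (method, uri) from a raw HTTP/1.x request, or None if malformed."""
    line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1]


def matches(sig, raw):
    """True if the request satisfies the signature."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return False
    method, uri = parsed
    if method != sig.method:
        return False
    if sig.nocase:
        # Normalise both sides once instead of listing every spelling.
        return sig.uri_content.lower() in uri.lower()
    return sig.uri_content in uri


def case_variants(content):
    """Every upper/lower-case spelling of content: 2**n strings for n letters."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in content]
    return {"".join(p) for p in product(*choices)}


def alerts(signatures, requests):
    """For each request, report whether any signature fired."""
    return [any(matches(sig, raw) for sig in signatures) for raw in requests]


# Constructed requests; example.test is a placeholder host name.
REQUESTS = [
    b"GET /docs/rule-index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /docs/RULE-index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /docs/RuLe-index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"POST /docs/rule-index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
]

EXACT = [HttpSignature(sid=123, method="GET", uri_content="rule")]
NORMALISED = [HttpSignature(sid=123, method="GET", uri_content="rule", nocase=True)]
# The brute-force alternative: one exact signature per spelling.
ENUMERATED = [HttpSignature(sid=1000 + i, method="GET", uri_content=v)
              for i, v in enumerate(sorted(case_variants("rule")))]

if __name__ == "__main__":
    print("exact      ", alerts(EXACT, REQUESTS))
    print("normalised ", alerts(NORMALISED, REQUESTS))
    print("enumerated ", alerts(ENUMERATED, REQUESTS), len(ENUMERATED), "signatures")
```

One normalising signature gives the same coverage as the enumerated set, whose size doubles with every letter in the pattern.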

Heuristic Intrusion Detection

• Heuristic IDS (anomaly based) build a model of acceptable behavior and flag exceptions to that model; for the future, the administrator can mark a flagged behavior as acceptable.
• Heuristic IDS learns what constitute anomalies or improper behavior.
• This learning occurs as an artificial intelligence component of the tool (the inference engine) identifies pieces of attacks and rates the degree to which these pieces are associated with malicious behavior.

Heuristic Intrusion Detection

• a user trying to log in outside of standard business hours
• new devices being added to a network without authorization
• a flood of new IP addresses trying to establish a connection with a network

Heuristic Intrusion Detection

• Instead of looking for matches, heuristic intrusion detection looks for behavior that is out of the ordinary.
• For example, one user might always start the day by reading email, write many documents using a word processor, and occasionally back up files. These actions would be normal. This user does not seem to use many administrator utilities.
• If that person tried to access sensitive system management utilities, this new behavior might be a clue that someone else was acting under the user’s identity.
• The inference engine of an IDS continuously analyzes the system, raising an alert when the system’s dirtiness exceeds a threshold or when a combination of factors signals likely malicious behavior.

Heuristic Intrusion Detection

• e.g., A computer belonging to Alice starts to inspect other network computers, looking at which ones have storage areas (files) available to other network users.
• When Alice probes Bob’s computer, Bob’s computer denies her access and the IDS simply notes the denied access request.
• Then when Alice probes Chen’s machine the second attempt becomes more unusual. Now when Alice tries to copy all of Chen’s files, the IDS recognizes a likely attack and triggers an alarm to an administrator.
• Any of the actions Alice took is not significant by itself, but the accumulation leads to greater suspicion and alarm.
• To a heuristic intrusion detection system, all activity is classified in one of three categories: good/benign, suspicious, or unknown.
• Over time, specific kinds of actions can move from one of these categories to another, corresponding to the IDS’s inference of whether certain actions are acceptable or not.
• As with pattern-matching, heuristic intrusion detection is limited by the amount of information the system has seen (to classify actions into the
right category) and how well the current actions fit into one of these categories.
• Heuristic intrusion detection infers attacks by tracking suspicious activity.

Signature-Based IDS vs Heuristic-Based IDS

State-based and Model-based IDS

• Inference engines work in two ways.
• State-based IDS:
  o Observes the system going through changes of overall state or configuration.
  o Try to detect when the system has gone into unsafe modes.
• Model-based IDS:
  o Develops a model of known bad activity
  o IDS raises an alarm when current activity matches the model to a certain degree.
  o A dynamic model of behavior is built to accommodate variation and evolution in a person’s actions over time.
  o e.g., except for a few utilities (log in, change password, create user), any other attempt to access a password file is suspect. This form of ID is known as misuse intrusion detection.

Stateful Protocol Analysis

1. Intrusion detection by pattern matching is difficult if the pattern to be matched is long or variable.
2. A SYN flood attack has a simple pattern (SYN, SYN ACK, no corresponding ACK), but these are three separate steps spread over time; detecting the attack requires recognizing step one, later finding step two, and then waiting a reasonable amount of time before concluding that step three is true.

Stateful Protocol Analysis
• Think of an IDS as a state machine, with a state for each of these steps.
• The IDS needs to record which state it is in. Now multiply the number of states to account for hundreds of thousands of concurrent connections by many users. The logic of the IDS is complicated: Many handshakes may be in progress at any time, and the IDS must maintain the state of each of them.

IDS State Machine

Front End vs Internal IDSs

1. An IDS can be placed either at the front end of a monitored subnetwork or on the inside.
2. A front-end device monitors traffic as it enters the network and thus can inspect all packets
  o it can analyze the packets, and if it finds something that it classifies as harmful, it can block the packet before the packet enters the network.
3. A front-end IDS may be visible on the outside, and hence may be a target of attack
4. But a front-end IDS does not see inside the network, so it cannot identify any attack originating inside

Front End vs Internal IDSs

• An internal device monitors activity within the network.
• If an attacker is instructing a compromised internal machine to initiate a DOS attack against other hosts on that network, a front-end IDS will not notice that attack.
• But if one computer begins sending threatening packets to another internal computer, the internal IDS can detect that.
• An internal IDS is also more protected from outside attack.
• An internal IDS can learn typical behavior of internal machines and users so that if, e.g., user A suddenly started trying to access protected resources after never having done so previously, the IDS could record and analyze that anomaly.

Other Intrusion Detection Technology

• Intrusion detection capabilities are sometimes embedded in other devices (such as routers and firewalls)
• Code Modification Checkers
  o To detect unacceptable code modification,
programs can compare the active version of software code with a saved version of a digest of that code.
  o The Tripwire program is a typical static data comparison program. It can detect changes to executable programs and other data files that should never or seldom change.
• Vulnerability Scanners
  o System vulnerability scanners, such as ISS Scanner or Nessus, can be run against a network. They check for known vulnerabilities and report flaws found.

Intrusion Prevention Systems

• An intrusion prevention system, or IPS, tries to block or stop harm.
• It is an IDS with a built-in response capability.
• The response is not just raising an alarm but can include cutting off a user’s access, rejecting all traffic from address a.b.c.d, or blocking all users’ access to a particular file or program.

Intrusion Response

Responding to Alarms

• IDS raises an alarm when it finds a match. Possible responses:
  o Monitor, collect data, increase amount of data collected.
  o Protect, act to reduce exposure.
  o Signal an alert to other protection components.
  o Call a human.
• Monitoring is appropriate for an attack of modest impact.
  o Goal is to watch the intruder to see what resources are being accessed or what attempted attacks are tried.
  o Monitoring might be to record all traffic from a given source for future analysis. This should be invisible to the attacker.

Responding to Alarms

• Protecting: increasing access controls and making a resource unavailable (e.g., shutting off a network connection).
  o Protecting may be very visible to the attacker.
• Calling a human allows individual discrimination.
  o The IDS can take an initial, perhaps overly strong, defensive action immediately while also generating an alert to a human, who may take seconds, minutes, or longer to respond but then applies a more detailed and specific counteraction.

Alarm

• The simplest action for an IDS is to generate an alarm to an
administrator who will then determine the next steps.
• Humans are most appropriate to judge the severity of a situation and choose countermeasures.
• But a human must be constantly available to respond to that alarm and the response must be timely and appropriate.
• If multiple sensors generate alarms at the same time, the human can become overloaded and miss new alarms.
• Worse, the second alarm can so distract or confuse the human, that action on the first alarm is jeopardized.

Adaptive Behavior

• Due to limitations of humans, an IPS can be configured to take action to block the attack or reduce its impact.
  o Continue to monitor the network.
  o Block by redirecting attack traffic to a monitoring host, discarding the traffic, or terminating the session.
  o Reconfigure the network by bringing other hosts online (to increase capacity) or adjusting load balancers.
  o Adjust performance to slow the attack, e.g., by dropping some of the incoming traffic.
  o Deny access to particular network hosts or services.
  o Shut down part of the network.
  o Shut down the entire network.

Counterattack

• A final action is to strike back.
• Offensive action must be taken with great caution:
  o The apparent attacker may not be the real attacker. Determining the true source and sender of Internet traffic is not foolproof. Acting against the wrong party only makes things worse.
  o A counterattack can lead to real-time battles.
  o Retaliation in anger is not necessarily well planned.
  o Taking offensive action opens one to legal jeopardy, comparable to that of the attacker.
  o Attacker may take the counterattack as a challenge.

Goals for Intrusion Detection Systems

Goals for IDS

• Actual IDS products often blend the signature based and heuristic approaches.
• IDS should be fast, simple, and accurate, while at the same time being complete.
• An IDS could use some—or all—of the following design approaches:
  o Filter on packet headers.
  o Filter on packet content.
    o Maintain connection state.
    o Use complex, multipacket signatures.
    o Use minimal number of signatures with maximum effect.
    o Filter in real time, online.
    o Hide its presence.
    o Use optimal sliding-time window size to match signatures.

Stealth Mode

• Most IDSs run in stealth mode, whereby an IDS has two network interfaces: one for the network it is monitoring and the other to generate alerts and perform other administrative needs.
• The IDS uses the monitored interface as input only; it never sends packets out through that interface.
• The interface is configured so that the device has no published address through the monitored interface; that is, no router can route anything directly to that address because the router does not know such a device exists.
    o It is the perfect passive wiretap.
• No IP Address Assigned: The IDS does not have an IP address on the network, making it hard for attackers to detect its presence by scanning or probing the network.
• Network Tap or Mirror Port: The IDS is connected to a network tap or a mirror port on a switch, allowing it to see all traffic without participating in the network communication itself. This makes it invisible to both legitimate users and attackers.
• Passive Monitoring: Instead of actively responding to threats or blocking traffic, the IDS simply analyses the network traffic and alerts administrators when it detects suspicious behaviour. Its passive nature helps avoid detection by attackers.
• If the IDS needs to generate an alert, it uses only the alarm interface on a separate control network.
• Stealth mode IDS prevents the attacker from knowing an alarm has been raised.

Accurate Situation Assessment
• IDS may raise an alarm for something that is not really an attack - a false positive, or type I error.
• It may not raise an alarm for a real attack (a false negative, or type II error).
• Too many false positives means the administrator will be less confident of the IDS’s warnings, leading to the real alarm being ignored.
• Most IDS implementations allow the administrator to tune the system’s sensitivity to strike an acceptable balance between false positives and negatives.

IDS Strengths and Limitations

• IDSs detect an ever-growing number of serious problems.
• Over time, IDSs continue to improve.
• They are becoming cheaper and easier to administer.
• Fortunately, stealth mode IDSs are difficult even to find on an internal network.
• IDSs look for known weaknesses, whether through patterns of known attacks or models of normal behavior.
• Commercial IDSs are pretty good at identifying attacks.
• An IDS that is not well defended is useless.
• Similar IDSs may have identical vulnerabilities, and their selection criteria may miss similar attacks. Knowing how to evade a particular model of IDS is an important piece of intelligence passed within the attacker community.
• An IDS limitation is its sensitivity, which is difficult to measure and adjust.
• IDSs will never be perfect, so finding the proper balance is critical.
• An IDS does not run itself; someone must monitor its track record and respond to its alarms.
• Attackers may craft packets in a way that exploits weaknesses in how the IDS inspects or processes traffic:
    o Fragmentation attacks: An attacker splits malicious payloads into small, fragmented packets. Some IDSs may struggle to reassemble these fragments correctly and, as a result, fail to detect the attack.
    o Encryption: If an IDS does not inspect encrypted traffic (like HTTPS), attackers can hide malicious payloads in encrypted traffic, making it impossible for the IDS to detect.
    o Polymorphic attacks: Malicious software can change its appearance (code) frequently to bypass signature-based detection methods.
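The fragmentation limitation above comes down to where the signature match is applied. The following added example (not part of the original notes) compares per-packet matching with matching over reassembled byte runs; the rule name, the marker pattern and the packet tuples are constructed placeholders.

```python
from collections import defaultdict

# Constructed rule set: rule name -> byte pattern (a placeholder marker, not a real rule).
SIGNATURES = {"demo-rule": b"EVIL-MARKER"}

STREAM = b"GET /x?q=EVIL-MARKER HTTP/1.1"  # constructed payload

# Constructed traffic as (flow_id, byte_offset, payload) tuples.
PACKETS = [
    ("A", 0, STREAM),           # pattern carried inside a single packet
    ("B", 17, STREAM[17:]),     # the same bytes split into three fragments
    ("B", 0, STREAM[:12]),      # that arrive out of order
    ("B", 12, STREAM[12:17]),
    ("C", 0, b"xxEVIL-"),       # two pieces separated by missing bytes:
    ("C", 50, b"MARKERxx"),     # they must not be joined into a match
]


def match_per_packet(packets, signatures=SIGNATURES):
    """Naive IDS: test every packet payload on its own."""
    return {(flow, name)
            for flow, _offset, data in packets
            for name, pattern in signatures.items()
            if pattern in data}


def reassemble(packets):
    """Return {flow_id: [contiguous byte runs]} rebuilt from the fragments."""
    by_flow = defaultdict(list)
    for flow, offset, data in packets:
        by_flow[flow].append((offset, data))
    streams = {}
    for flow, frags in by_flow.items():
        runs = []  # each entry is [start_offset, bytearray]
        # sorted() is stable, so for equal offsets the first arrival comes first
        for offset, data in sorted(frags, key=lambda f: f[0]):
            if runs and offset <= runs[-1][0] + len(runs[-1][1]):
                start, buf = runs[-1]
                already_covered = start + len(buf) - offset
                buf.extend(data[already_covered:])  # keep bytes seen first
            else:
                runs.append([offset, bytearray(data)])  # gap: start a new run
        streams[flow] = [bytes(buf) for _start, buf in runs]
    return streams


def match_reassembled(packets, signatures=SIGNATURES):
    """IDS that applies the same signatures to each reassembled run."""
    return {(flow, name)
            for flow, runs in reassemble(packets).items()
            for run in runs
            for name, pattern in signatures.items()
            if pattern in run}


if __name__ == "__main__":
    print("per packet :", sorted(match_per_packet(PACKETS)))
    print("reassembled:", sorted(match_reassembled(PACKETS)))
```

Flow B is missed by the per-packet matcher and caught after reassembly, while flow C stays unmatched because its two pieces are not contiguous.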
Chapter-4

Security Requirements of DB

1. Integrity of the Database

• If a database is to serve as a central repository of data, users must be able to trust the accuracy of the data values.
• Assure that updates are done only by authorized individuals.
• Data must be protected from corruption by outside illegal program action and by outside force such as a power failure.
• Integrity of a DB is affected:
    o when the whole database is damaged or
    o when individual data items are unreadable.
• Integrity is the responsibility of the DBMS, the OS, and the (human) computing system manager.
• One way of protecting the DB is regular backup.
• Integrity of the Database:
    o Sometimes an admin needs to be able to reconstruct the database at the point of a failure. e.g., when the power fails, a bank’s clients may be in the middle of making transactions or students may be registering online for their classes.
    o Here, owners must restore the systems to a stable point without forcing users to redo their recently completed transactions.
    o So, the DBMS must maintain a log of transactions. e.g., suppose the banking system is designed so that a message is generated in a log each time a transaction is processed.
    o At system failure, the system can obtain accurate account balances by reverting to a backup copy of the database and reprocessing all later transactions from the log.

2. Element Integrity

• The integrity of DB elements is their correctness or accuracy.
• DBMSs sometimes take special action to help catch errors as they are made and to correct errors after they are inserted.
• This corrective action can be taken in three ways: by field checks, through access control, and with a change log.
    o DBMS can apply field checks: activities that test for appropriate values in a position. A field might be required to be numeric, an uppercase letter, or one of a set of acceptable characters.
        ▪ Ensures that a value falls within specified bounds.
        ▪ Prevent simple errors as the data are entered.
    o By access control: multiple programmers make changes to a system at the same time; the configuration management database must ensure that the correct
and most recent changes are stored.
        ▪ Two programmers fixing different problems sometimes make changes to the same component.
        ▪ If they do not coordinate access, it may introduce additional problems.
        ▪ So, files are controlled by locking.
        ▪ A group of people called a configuration control board ensures that no changed file is put back into production without the proper checking and testing.
    o Maintain a change log for the database:
        ▪ A change log lists every change made to the database; it contains both original and modified values.
        ▪ Using this, a DBA can undo changes that were made in error.
        ▪ For example, a library fine might erroneously be posted against Charles W. Robertson, instead of Charles M. Robertson, flagging Charles W. Robertson as ineligible to participate in varsity athletics.
        ▪ Upon discovering this error, the DBA obtains Charles W.’s original eligibility value from the log and corrects the database.

3. Auditability

• An audit record of all access (read or write) to a DB can help to discover who had affected what values and when.
• Granularity can be a hindrance in auditing. Audited events in OS are actions like open file or call procedure; they are not as specific as write record 3 or execute instruction I.
• DB audit trails should include accesses at the record, field, and even element levels.
• Auditability:
    1. DBMS may access a record but not report the data to a user, as when the user performs a select operation.
    2. e.g., a hall advisor wants the count of students who have failed in English, and the DBMS reports 450.
    3. Here, the system inspects all student records and notes those with F grade, and it performed this lookup on behalf of the advisor who is listed in the log as receiving the data.
    4. Thus, in a sense, the advisor accessed all those student grades, although from the number 450 the advisor cannot determine the grade of any individual student.
    5. Accessing a record or an element without transferring to the user the data received is called the pass-through problem.
    6. Thus, a log of all records accessed directly may both overstate and understate what a user learns.

4. Access Control

• Databases are often separated logically by user access privileges.
• e.g., all users can be granted access to general data, but only the personnel department can obtain salary data and only the marketing department can obtain sales data.
• Databases are useful because they centralize the storage and maintenance of data. Limited access is both a responsibility and a benefit of this centralization.
• The database administrator specifies who should be allowed access to which data, at the view, relation, field, record, or even element level.
• Operating system objects, such as files, are unrelated items, whereas records, fields, and elements in DB are related.
• Access Control:
    o Although a user probably cannot determine the contents of one file by reading others, a user might be able to determine one data element just by reading others. The problem of obtaining data values from others is called inference.
    o i.e., you can access data by inference without needing direct access to the secure object itself.
• Access Control:
    o Users of these views are not authorized to access the relations between Item and Cost.
    o If a user knows the structure of the Inventory table and that the view tables maintain the same row order as the Inventory table, he can merge the two views to construct the table (c).
    o Restricting inference may mean prohibiting certain paths to prevent possible inferences.
    o But restricting access to control inference also limits queries from users who do not intend unauthorized access to values.
    o Also, attempts to check requested accesses for possible unacceptable inferences may degrade the DBMS’s performance.

5. User Authentication

• The DBMS can require rigorous user authentication.
• For example, a DBMS might insist that a user pass both specific password and time-of-day checks.
• Typically, the DBMS runs as an application program on top of the OS.
• This system design means that there is no trusted path from the DBMS to the operating system, so the DBMS must be suspicious of any data it receives, including a user identity from the operating system.
• Thus, the DBMS is forced to do its own authentication.

6. Integrity/Confidentiality/Availability

• Integrity applies to the individual elements of a database as well as to the database as a whole.
• Confidentiality is important because databases are often used to implement controlled sharing of sensitive data.
• Access to data can be direct or indirect.
• Controlling direct access employs the access control techniques.
• Indirect access, however, is more difficult to control.
• Availability is important because of the shared access motivation underlying database development.

Reliability and Integrity

• Reliability: the software runs for very long periods of time without failing.
• Users expect a DBMS to be reliable, since the data are key to organizational needs.
• Also, users entrust their data to a DBMS and expect it to protect the data from loss or damage.
• A DBMS guards against loss or damage in several ways.
• However, the controls are not absolute: No control can prevent an authorized user from inadvertently entering an acceptable but incorrect value.
• Reliability and Integrity:
    o Database concerns about reliability and integrity can be viewed from three dimensions:
        ▪ Database integrity: concern that database as a whole is protected against damage, e.g., failure of a disk drive.
        ▪ These concerns are addressed by OS integrity controls and recovery procedures.
        ▪ Element integrity: concern that the value of a specific data element is written or changed only by authorized users. Proper access controls protect a database from corruption by unauthorized users.
        ▪ Element accuracy: concern that only correct values are written into the elements of a database. Checks on the values of elements can help prevent insertion of improper values. Also, constraint conditions can detect incorrect values.

Protection Features from the OS

• A responsible system administrator backs up the files of a DB periodically along with other user files.
• During normal execution, the OS's standard access control facilities protect the files against outside access.
• Finally, the OS performs certain integrity checks for all data as a part of normal read and write operations for I/O devices.
• These controls provide basic security for databases, but the database manager must enhance them.

Two-Phase Update

• A serious problem for a database manager is the failure of the computing system in the middle of data modification.
• If the data item to be modified was a long field or a record consisting of several attributes, only some of the new data might have been written to permanent storage.
• Therefore, the database file would contain incorrect data that had not been updated.
• Even if errors of this type were spotted easily (which they are not), a more subtle problem occurs when several fields are updated, and no single field appears to be in obvious error.
• The solution to this problem uses a two-phase update.

Assume a central stockroom that has an inventory of a company’s office supplies. Each department requests supplies and they are charged based on the order. Consider the accounting department requisition for 50 boxes of paper clips. Let there be 107 boxes in stock and a new order is placed if the quantity in stock ever falls below 100.

1. Stockroom checks the DB to see whether 50 boxes of paper clips are on hand. If NO, the requisition is rejected and the transaction ends.
2. If YES, deduct 50 from the inventory value in DB (107 – 50 = 57).
3. Charge the accounting dept (also in the DB) for 50 boxes of clips.
4. Check remaining quantity on hand (57) to determine the need to reorder. YES! So generate a notice to order paper clips, and flag the item as “on order” in the DB.
5. Prepare a delivery order of 50 boxes of paper clips to accounting.

• In steps 2, 3, and 4, if a failure occurs, the values in the database are inconsistent.
• Transaction cannot be reprocessed because:
    ▪ a requisition would be deducted twice or
    ▪ a department would be charged twice or
    ▪ two delivery orders would be prepared.
• Shadow values are maintained for key data points.
• A shadow data value is computed and stored locally during the intent phase and is copied to the actual database during the commit phase.

Two-Phase Update Solution

Intent:

• Check the value of COMMIT-FLAG in the DB. If it is set, this phase cannot be performed. Halt or loop, checking COMMIT-FLAG until it is not set.
• Compare number of boxes of paper clips on hand to number requested; if more are requested than are on hand, halt.
• Compute TCLIPS = ONHAND – REQUISITION.
• Obtain BUDGET, the current supplies budget remaining for accounting dept. Compute TBUDGET = BUDGET – COST, where COST is the cost of 50 boxes of clips.
• Check whether TCLIPS is below reorder point; if so, set TREORDER = TRUE; else set TREORDER = FALSE.

Commit:

• Set COMMIT-FLAG in database.
• Copy TCLIPS to CLIPS in database.
• Copy TBUDGET to BUDGET in database.
• Copy TREORDER to REORDER in database.
• Prepare notice to deliver paper clips to accounting department. Indicate transaction completed in log.
• Unset COMMIT-FLAG.

Chapter-5

Reliability and Integrity

Redundancy/Internal Consistency

• Many DBMSs maintain additional information to detect internal inconsistencies in data.
• The additional information can range from check bits to duplicate or shadow fields, depending on the importance of the data.

Types of redundancy

• Error Detection and Correction Codes
    o e.g., parity bits, Hamming codes, and CRC.
    o These codes can be applied to single fields, records, or the entire database.
    o Each time a data item is placed in the database, the appropriate check codes are computed and stored; each time a data item is retrieved, a similar check code is computed and compared to the stored value.
    o If the values are unequal, they signify to the DBMS that an error has occurred in the database.
    o Some of these codes point out the place of the error; others show precisely what the correct value should be.
    o The more information provided, the more space required to store the codes.
• Shadow Fields
    o Entire attributes or entire records can be duplicated in a database.
    o If the data are irreproducible, this second copy can provide an immediate replacement if an error is detected.
    o Requires substantial storage space.
• Recovery
    o DBMS can maintain a log of user accesses, particularly changes.
    o In the event of a failure, the database is reloaded from a backup copy and all later
changes are then applied from the audit log.
• Concurrency/Consistency
    o Accesses by two users sharing the same database must be constrained so that neither interferes with the other.
    o Simple locking is done by the DBMS.
    o If two users attempt to read the same data item, there is no conflict because both obtain the same value.

Concurrent Modification Example

• Database with seat reservations for a flight.
    o Agent A, booking a side seat for passenger Mock, submits a query to find the available seats. The agent finds that seats 5D, 11D, and 14D are open.
    o At the same time, Agent B queries the database for three seats and finds that 8A–B–C and 11D–E–F are the free groups of three adjacent unassigned seats.
    o Agent A submits the update command.
        ▪ SELECT (SEAT-NO = ‘11D’)
        ▪ ASSIGN ‘MOCK’ TO PASSENGER-NAME
    o Meanwhile, Agent B submits the update sequence.
        ▪ SELECT (SEAT-NO = ‘11D’)
        ▪ ASSIGN ‘EDWARDS’ TO PASSENGER-NAME
        ▪ as well as commands for seats 11E and 11F.
    o Then, two passengers have been booked into the same seat.
    o During the time delay between reading a value from the database and writing a modification of that value, another user has accessed the same data.
    o To resolve, a DBMS treats the entire query–update cycle as a single atomic operation.
        ▪ The command from the agent must be:
            ▪ “read the current value of PASSENGER-NAME for seat 11D; if it is ‘UNASSIGNED’, modify it to ‘MOCK’”.
        ▪ The read–modify cycle must be uninterrupted, i.e., without allowing any other users access to the PASSENGER-NAME field for seat 11D.
    o Another problem in concurrent access is read–write.
        ▪ Suppose one user is updating a value when a second user wishes to read it.
        ▪ If the read is done while the write is in progress, the reader may receive data that are only partly updated.
        ▪ Consequently, the DBMS locks any read requests until a write has been completed.

Concurrency

Database Disclosure

• Databases contain thoughts, preferences, opinions, activities, fantasies, friends, and connections.
• People can draw inferences from DBs that may be accurate or false: Jamie is your friend. Jamie likes frogs. Ergo, you like frogs. This is faulty logic, although it might also be true.
• How do people and computers analyze such databases for data connections that lead to unacceptable data disclosure?

Sensitive Data

• Some databases contain sensitive data (data that should not be made public).
• Determining which data items and fields are sensitive depends on the individual DB and the underlying meaning of the data.
• Some databases, such as a public library catalog, contain no sensitive data; other databases, such as defense-related, are wholly sensitive.
• These two cases can be covered by access controls to the database as a whole.
    o Many people may have legitimate access to name, some to sex and race, and relatively few to financial aid, parking fines, or drug use.
    o Knowledge of the existence of fields such as drug use may itself be sensitive.
• Sensitivity Levels:
    o Least sensitive
    o Medium sensitive
    o Most sensitive
• Sensitivity might be of different degrees.
• e.g., financial aid, parking fines, and drug-use fields may not have the same kinds of access restrictions.
• The access control problem forces us to ensure that sensitive data are not released to unauthorized people.
• Databases protect sensitive data by controlling direct or indirect access to the data.
Sensitive Data

Several factors can make data sensitive:

• Inherently Sensitive: The value itself may be so revealing that it is sensitive. e.g., locations of defensive missiles.
• From a Sensitive Source: The source of the data may indicate a need for confidentiality. e.g., information from an informer whose identity would be compromised if the information were disclosed.
• Declared Sensitive: The DBA or the owner of the data may have declared the data to be sensitive. e.g., classified military data or the name of the anonymous donor.
• Part of a Sensitive Attribute or Record: In a database, an entire attribute or record may be classified as sensitive. e.g., salary attribute of a personnel database or a record describing a secret space mission.
• Sensitive in Relation to Previously Disclosed Information: Some data become sensitive in the presence of other data. e.g., the longitude coordinate of a secret gold mine reveals little, but the longitude coordinate in conjunction with the latitude coordinate pinpoints the mine.

Types of Disclosures

• Some data are sensitive.
• Even descriptive information about data (existence or whether there is a nonzero element) is a form of disclosure.
• Exact Data
    o The most serious disclosure is the exact value of a sensitive data item.
    o The user may knowingly/unknowingly request sensitive data.
    o A faulty database manager may deliver sensitive data by accident, without the user having requested it.
    o Result is the same: security breach.
• Bounds
    o Disclosing bounds on a sensitive value, i.e., indicating that a sensitive value, y, is between two values, L and H.
    o Sometimes the user may narrow down the range to determine y to any desired precision.
    o Sometimes, however, bounds are a useful way to present sensitive data.
    o e.g., a company may announce that its salaries for programmers range from $50,000 to $82,000. This does not disclose who are the highest- and lowest-paid programmers.
• Negative Result
    o Sometimes we can query to determine a negative result, i.e., we can learn that z is not the value of y.
    o e.g., knowing that 0 is not the total number of offenses for a person reveals that the person was charged for an offense. This can be a significant disclosure.
    o e.g., if a student does not appear on the honors list,
you can infer that the person’s grade point average is below 3.50.
• Existence
    o In some cases, the existence of data is itself a sensitive piece of data, regardless of the actual value.
    o e.g., an employer may not want employees to know that their telephone use is being monitored.
    o In this case, discovering a NUMBER OF PERSONAL TELEPHONE CALLS field in a personnel file would reveal sensitive data.
• Probable Value
    o It may be possible to determine the probability that a certain element has a certain value.
    o e.g., to find out whether the president of the United States is registered in the Tory party.
    o Knowing that the president is in the database, you submit two queries to the database. A database manager can control access by direct queries; disclosure can occur in more subtle ways that are harder to control.
    o Count(Residence=“1600 Pennsylvania Avenue”) = 4
    o Count(Residence=“1600 Pennsylvania Avenue” AND Tory=TRUE) = 1
    o From these queries, you conclude there is a 25 percent likelihood that the president is a registered Tory.

Chapter-6:

Inference - Preventing Disclosures

Inference

• Inference is a way to infer or derive sensitive data from nonsensitive data.
• AID: amount of financial aid a student is receiving.
• FINES: parking fines
• DRUGS: result of a drug-use survey: 0 means never used and 3 means frequent user (confidential).
• AID, FINES, and DRUGS are sensitive fields, although only when the values are related to a specific individual.

Inference: Direct Attack

1. A user tries to determine values of sensitive fields by seeking them
directly with queries that yield a few records.
2. Example Query: List NAME where GENDER=M ∧ DRUGS=1
3. This is clearly an attack because it directly queries DRUGS.
4. This query discloses that for record ADAMS, DRUGS=1.
5. The DBMS might reject the query because it selects records for a specific value of the sensitive attribute DRUGS.

• Example Query: List NAME where (GENDER=M ∧ DRUGS=1) ∨ (GENDER=M ∧ GENDER=F) ∨ (DORM=AYRES)
• This query retrieves only one record, revealing a name that corresponds to the sensitive DRUGS value.
• The second and third clauses will not select any record.

Inference by Arithmetic

1. Another procedure to gather sensitive data is by statistics.
2. Organizations suppress individual names, addresses, or other characteristics by which a single individual can be recognized.
3. Only statistics, such as count, sum, and mean, are released.
4. The indirect attack seeks to infer a result based on one or more intermediate statistical results.
5. A statistical attack seeks to use some apparently anonymous statistical measure to infer individual data.

Inference by Arithmetic: Sum

• An attack by sum tries to infer a value from a reported sum.
• For example, with the sample database, it might seem safe to report student aid total by gender and dorm.
• This seemingly innocent report reveals that no female living in Grey is receiving financial aid.
• Thus, we can infer that any female living in Grey (such as Liu) is certainly not receiving financial aid. This approach often allows us to determine a negative result.

Inference by Arithmetic: Count

• Count with the sum can produce more revealing results.
• A table shows the count of records for students by dorm and gender. This table is innocuous by itself.
• Combined with the sum table, this table demonstrates that the two males in Holmes and West are receiving financial aid in the amount of $5000 and $4000, respectively.
• Names can be found using NAME, DORM, which is not sensitive.
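A pre-release check for the sum and count reports described above, written as an added example (not part of the original notes). The records are constructed to agree with the figures the notes quote, since the sample table itself is not reproduced here; the function names are hypothetical and AID is assumed to be non-negative.

```python
from collections import defaultdict

# Constructed records (NAME, GENDER, DORM, AID), chosen to agree with the
# values quoted in the notes (Liu in Grey with no aid, one male each in
# Holmes and West receiving 5000 and 4000). Not the notes' own table.
RECORDS = [
    ("Adams", "M", "Holmes", 5000), ("Bailey", "M", "Grey", 0),
    ("Chin", "F", "West", 3000), ("Dewitt", "M", "Grey", 1000),
    ("Earhart", "F", "Holmes", 2000), ("Fein", "F", "West", 1000),
    ("Groff", "M", "West", 4000), ("Hill", "F", "Holmes", 5000),
    ("Koch", "F", "West", 0), ("Liu", "F", "Grey", 0),
    ("Majors", "M", "Grey", 2000),
]


def release_tables(records):
    """Build the two reports: AID sum and record count per (GENDER, DORM)."""
    sums, counts = defaultdict(int), defaultdict(int)
    for _name, gender, dorm, aid in records:
        sums[(gender, dorm)] += aid
        counts[(gender, dorm)] += 1
    return dict(sums), dict(counts)


def audit_release(sums, counts=None):
    """Flag cells whose published statistics pin down an individual's AID.

    With the sum table alone, a zero total is a negative result for every
    member of the cell (assumption: AID is never negative). When the count
    table is published too, a cell with one record exposes that record's
    exact value.
    """
    findings = {}
    for cell, total in sums.items():
        if total == 0:
            findings[cell] = ("all-zero", 0)
        elif counts is not None and counts.get(cell) == 1:
            findings[cell] = ("single-record", total)
    return findings


def exposed_names(records, findings):
    """Who is affected: names reachable through the non-sensitive fields."""
    return {name: findings[(gender, dorm)][1]
            for name, gender, dorm, _aid in records
            if (gender, dorm) in findings}


def suppress(table, findings):
    """Withhold flagged cells (None) before a table is released."""
    return {cell: (None if cell in findings else value)
            for cell, value in table.items()}


if __name__ == "__main__":
    sums, counts = release_tables(RECORDS)
    findings = audit_release(sums, counts)
    print(findings)
    print(exposed_names(RECORDS, findings))
    print(suppress(sums, findings))
```

Run against the sum table alone, the audit flags only the females-in-Grey cell; adding the count table also flags the males-in-Holmes and males-in-West cells.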


Inference by Arithmetic: Mean

• The arithmetic mean (average) allows exact disclosure if the attacker can manipulate the subject population.
• For example, given the number of employees, the mean salary for a company, and the mean salary of all employees except the president, it is easy to compute the president’s salary.

Inference by Arithmetic: Median

• We can determine an individual value from the median, the midpoint of an ordered list of values.
• The attack requires finding selections having one point of intersection that happens to be exactly in the middle.
• Query: q = median(AID where GENDER = M)
• Query: p = median(AID where DRUGS = 2)
• For example, there are 5 males and 3 persons whose drug use value is 2.
• Arranged in order of AID, these lists are shown.
• Notice that Majors is the only name common to both lists, and that name is in the middle of each list.
• Someone at the Health Clinic might be able to find that Majors is a Male whose drug-use score is 2. That identifies Majors as the intersection of these two lists and pinpoints Majors’ financial aid as $2000.

Tracker Attacks

• A tracker attack can fool the DB manager into locating the desired data by using additional queries that produce small results.
• The tracker adds additional records to be retrieved for two different queries; the two sets of records cancel each other out, leaving only the statistic or data desired.
• The approach is to use intelligent padding of two queries.
• Instead of trying to identify a unique value, we request n–1 other values (where there are n values in the database).
• For example, to know how many female Caucasians live in Holmes Hall: count((GENDER=F) ∧ (RACE=C) ∧ (DORM=Holmes)).
• The DBMS finds the answer is 1 and blocks the answer to the query because one record dominates the result of the query.
• Query: q = count((GENDER=F) ∧ (RACE=C) ∧ (DORM=Holmes))
• This is of the form q = count(a ∧ b ∧ c).
• Using rules of logic and algebra, we can transform this query to:
    o q = count(a ∧ b ∧ c) = count(a) – count(a ∧ ¬(b ∧ c)).
• So, the original query is equivalent to nonsensitive queries:
    o count(GENDER=F) minus
    o count((GENDER=F) ∧ ((RACE≠C) ∨ (DORM≠Holmes))).
• Because count(a) = 6 and count(a ∧ ¬(b ∧ c)) = 5, we can determine the suppressed value easily: 6 – 5 = 1.
• Neither 6 nor 5 is a sensitive count.

Linear System Vulnerability

1. With a little logic, algebra, and luck in the distribution of the database contents, it may be possible to construct an algebraic linear system of equations that returns results relating to several different sets.
2. For example, q1 – q2 = c3 + c5 and q3 – q4 = c3 – c5. Then, subtracting these two, we get c5 = ((q1 – q2) – (q3 – q4))/2.
3. We can derive the others.
4. Inference is difficult to control because it can occur from algebraic calculations beyond the scope of DBMS.

Aggregation

• Building sensitive results from less sensitive inputs.
• Knowing either the latitude or the longitude of a gold mine does you no good. But if you know both latitude and longitude, you can pinpoint the mine.
• Think of police investigation as starting with the entire population and narrowing the analysis to a single person.
• If the police officers work in parallel, one may have a list of possible suspects, another may have a list with possible motive, and another may have a list of capable persons.
• When the intersection of these lists is a single person, the police have their prime suspect.
• Aggregation is nearly impossible for a database management system to control because combining the data can occur outside the system, even by multiple colluding users.
• For example, suppose the security policy is that anyone can have either the latitude or longitude of the mine, but not both.
• Nothing prevents you from getting one, your friend from getting the other, and the two of you talking to each other.

Analysis on Data

Hidden Data Attributes

• Objects such as pictures, music files, and documents are complex data structures having properties or attributes that add meaning to the data.
• These properties, called metadata, are not displayed with the picture or document, but they are not concealed.
• Numerous applications support selecting, searching, sorting, and editing based on metadata.

File Tags

1. One use of attributes is tags for pictures.
2. You might organize your photo collection with tags telling who or what landmarks are in each photo.
3. With Facebook, Picasa, Dropbox, and hundreds of sharing sites, photos intended for a few close friends can turn up in anybody’s searches.

Geotagging

• Between 1 percent and 5 percent of photos at sites such as Flickr, YouTube, and Craigslist contain header data that gives the location where the picture was taken.

Tracking Devices

• Cell phones continually search for a nearby tower, RFID tags for transportation or identification can be read by off-the-shelf devices, and GPS navigation devices both send and receive position data.
• Although we use these technologies for good, we should be aware that they can be used to build a relatively complete trail of our movements throughout the day.
• The problem with metadata is that it is not obvious to the object’s owner, but it is well structured and readily available to anyone who wants to use it.

Preventing Disclosure

Data Suppression and Modification

• There are no perfect solutions to the inference and aggregation problems.
• Three methods to control them:
    o Suppress obviously sensitive information, thereby restricting the usefulness of the database.
    o Track what the user knows.
        ▪ Extremely costly.
        ▪ Information must be maintained on all users.
▪ Does not check what any two people may know together and cannot address what a single user can accomplish by using multiple IDs.

o Disguise the data.

▪ Random perturbation and rounding can inhibit statistical attacks that depend on exact values for logical and algebraic manipulation.

▪ The users of the database receive slightly incorrect or possibly inconsistent results.

Data Suppression and Modification

• There are two ways to protect against inference attacks:

o Apply controls to the queries.

o Apply controls to individual items within the database.

Suppression and Concealing

1. It is difficult to determine if a given query discloses sensitive data. Thus, query controls are effective primarily against direct attacks.

2. Suppression: Sensitive data values are not forthcoming; the query is rejected without response.

o It blocks the release of sensitive data.

o Any results given are correct, yet many responses must be withheld to maintain security.

3. Concealing: The answer is close to but not exactly the actual value.

o It releases part or an approximation of sensitive data.

o More results can be given, but their precision is lower.

4. The choice between suppression and concealing depends on the context of the database.

Security Versus Precision

• For reasons of confidentiality, we want to disclose only those data that are not sensitive.

• The conservative philosophy suggests rejecting any query that mentions a sensitive field. We may thereby reject many reasonable and non-disclosing queries.

o E.g., a researcher may want a list of grades for all students using drugs, or a statistician may request lists
of salaries for all men and for all women.

• These queries may not compromise the identity of any individual. We want to disclose as much data as possible so that users of the database have access to the data they need.

• This goal, called precision, aims to protect all sensitive data while revealing as much nonsensitive data as possible.

• The ideal combination of security and precision allows us to maintain perfect confidentiality with maximum precision.

o But achieving this goal is not as easy as it might seem.

Statistical Suppression

• Statistics give clues to counter some attacks.

Limited Response Suppression

• Eliminates certain low-frequency elements from being displayed. It is not sufficient to delete them, however, if their values can also be inferred.

• The data in this table suggest that the cells with counts of 1 should be suppressed; their counts are too revealing.

• But it does no good to suppress the Male–Holmes cell when the value 1 can be determined by subtracting Female–Holmes (2) from the total (3) to determine 1.

• When one cell is suppressed in a table with totals for rows and columns, it is necessary to suppress at least one additional cell on the row and one on the column to confuse a snooper.

• Using this logic, all cells (except totals) would have to be suppressed in this small sample table.

Combined Results

• Another control combines rows or columns to protect sensitive values.

• The table below shows several sensitive results that identify single individuals.

• These counts, combined with other results such as sums, permit us to infer individual drug-use values for the three males, as well as to infer that no female was rated 3 for drug use.
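The limited response suppression point above (the Male–Holmes cell recovered from the row total) can be checked mechanically before a table is released. The following is an added example, not part of the original notes: it audits a suppression pattern by repeatedly solving any row or column with a single unknown. The function names are hypothetical and the table is constructed; only the Holmes row (1, 2, total 3) comes from the text.

```python
from copy import deepcopy

# Constructed sample counts (students by dorm and sex). Only the Holmes row
# (Male 1, Female 2, total 3) is quoted in the notes; the rest is assumed.
COUNTS = {
    "Holmes": {"M": 1, "F": 2},
    "Grey":   {"M": 3, "F": 1},
    "West":   {"M": 1, "F": 3},
}


def publish(counts, suppressed):
    """Return the released table: suppressed cells become None, totals stay."""
    table = {r: {c: (None if (r, c) in suppressed else v) for c, v in row.items()}
             for r, row in counts.items()}
    row_totals = {r: sum(row.values()) for r, row in counts.items()}
    cols = next(iter(counts.values())).keys()
    col_totals = {c: sum(counts[r][c] for r in counts) for c in cols}
    return table, row_totals, col_totals


def recover(table, row_totals, col_totals):
    """Fill in every suppressed cell a reader can derive by subtraction.

    Repeats until no row or column has exactly one unknown left, so a cell
    that is exposed only after another one is solved is found as well.
    This is a lower bound on what leaks, not a full linear-algebra solver.
    """
    table = deepcopy(table)
    found = {}
    progress = True
    while progress:
        progress = False
        lines = [([(r, c) for c in table[r]], row_totals[r]) for r in table]
        lines += [([(r, c) for r in table], col_totals[c]) for c in col_totals]
        for cells, total in lines:
            unknown = [(r, c) for r, c in cells if table[r][c] is None]
            if len(unknown) == 1:
                r, c = unknown[0]
                known = sum(table[x][y] for x, y in cells if table[x][y] is not None)
                table[r][c] = found[(r, c)] = total - known
                progress = True
    return found


def small_cells(counts, threshold=1):
    """Cells a limited-response rule would suppress (count <= threshold)."""
    return {(r, c) for r, row in counts.items()
            for c, v in row.items() if v <= threshold}


def audit(counts, suppressed):
    """Return the suppressed cells that the published totals still give away."""
    return recover(*publish(counts, suppressed))


if __name__ == "__main__":
    naive = small_cells(COUNTS)
    print("suppress only the 1-cells ->", audit(COUNTS, naive))
    everything = {(r, c) for r in COUNTS for c in COUNTS[r]}
    print("suppress every cell       ->", audit(COUNTS, everything))
```

An empty result from `audit` means subtraction from the totals recovers nothing; any other result lists the cells that need complementary suppression.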


To suppress such sensitive information, one can combine the attribute values for 0 and 1, and for 2 and 3, producing the less sensitive results.

• Another way of combining results is to present values in ranges, e.g., present financial aid in the ranges $0–1999, $2000–3999, and $4000 and above.

• Another method of combining is by rounding.

Random Sample

• With this control, a result is not derived from the whole database; instead, the result is computed on a random sample of the database.

• The sample chosen is large enough to be valid.

Concealment

• Aggregation need not directly threaten privacy.

• An aggregate (such as sum, median, or count) often depends on so many data items that the sensitivity of any single contributing item is hidden.

• Government statistics show this well: Census data, labor statistics, and school results show trends and patterns for groups (such as a neighborhood or school district), but do not violate the privacy of any single person.

Blocking Small Sample Sizes

• The rule of “n items over k percent” means that data should be withheld if n items represent over k percent of the result reported.

• Inference and aggregation attacks work better nearer the ends of the distribution.

o E.g., If very few points are in a database subset, a small number of equations may disclose private data.

o The mean of one data value is that value exactly. With three data values, the means of each pair yield three equations in three unknowns, which you know can easily be solved with linear algebra.

Random Data Perturbation

• It is sometimes useful to change the values of the database by a small error.

• For each $x_i$ that is the true value of data item $i$ in the database, we can generate a small random error term $\epsilon_i$ and add it to $x_i$ for statistical results.

• Statistical measures such as sum and mean will be close but not necessarily exact.

Swapping

Correlation involves joining databases on common fields. That act of joining or linking permits researchers to draw conclusions by inference.

To counter this kind of linking, some database administrators randomly perturb the data.

The gender for Bailey and Chin might be interchanged, as might the race of Dewitt and Earhart.

The count of individuals with these values would still be correct.

Query Analysis

A more complex form of security uses query analysis.

Here, a query and its implications are analyzed to determine whether a result should be provided.

Query analysis can be difficult.

One approach involves maintaining a query history for each user and judging a query in the context of what inferences are possible, given previous results.

Chapter-7:

Multilevel Databases

Attribute-Level Sensitivity

(Sensitive attributes are shaded)

Data and Attribute Sensitivity

The phone shown for Garland is her private line, not available to the public.

Davis is a temporary employee hired for a special project, and his whole record has a different sensitivity from the others.

Characteristics of DB Security

The security of a single element may be different from the security of other elements of the same record or from other values of the same attribute. This situation implies that security should be implemented for each individual element.

Two levels - sensitive and nonsensitive - are inadequate to represent some security situations.

The security of an aggregate (a sum, a count, or a group of values) may be higher or lower than that of the individual elements.

Multilevel Database

A multilevel database is a type of database system that enforces multiple security levels to control access to data, ensuring that users or processes with different security clearances can only access the data they're authorized to view.

Commonly used in environments where data sensitivity varies, such as military, government, or highly regulated industries.

E.g., A multilevel database might store information about military operations. Data about routine missions might be classified as "Confidential," while information about highly sensitive covert operations might be classified as "Top Secret."

Recall

Granularity

Classifying an entire file as sensitive is easy.

Classifying a codeword (e.g., Manhattan project) as sensitive is complicated.

The word Manhattan by itself is not sensitive, nor is project.

Not only can every element of a database have a distinct sensitivity, but every combination of elements can also have a distinct sensitivity.

How to associate a sensitivity level with each value of a database?

First, we need an access control policy to dictate which users may have access to what data.

Second, we need a means to guarantee that the value is not changed by an unauthorized person.

Security Issues

Integrity

*-property for access control: A process that reads high-level data is not allowed to write a file at a lower level.

In DB, a high-level user should not be able to write a lower-level data element.

Problem occurs when the DBMS must be able to read all records in the database and write new records. E.g., backup.

Either the process cleared at a high level cannot write to a lower level or the process must be a "trusted process."

Confidentiality

Some means of protecting confidentiality may result in small changes to the data. (Concealing)

In the multilevel case, two different users operating at two different levels of security might get two different answers to the same query.

To preserve confidentiality, precision is sacrificed.

Polyinstantiation

Enforcing confidentiality may lead to unknowing redundancy.

E.g., Bob is a secret agent in a company. Suppose a specialist works at one level of access permission. The specialist knows that Bob Hill works for the company. Because of his special position, Bob's record is not accessible to the specialist. The specialist assumes this omission is an error and creates a record for Bob. The DBMS cannot reject the record from the specialist because it would reveal that there is already such a record at a high sensitivity.

Result: Two records for Bob Hill—one sensitive and one not.

One record can appear (be instantiated) many times, with a different level of confidentiality each time.
Proposals for Multilevel Security

Partitioning

The multilevel database is divided into separate databases, each at its own level of sensitivity.

Is like maintaining separate files in separate file cabinets.

Destroys a basic advantage of databases: elimination of redundancy and improved accuracy through having only one field to update.

Also does not address the problem of a high-level user who needs access to some low-level data combined with high-level data.

Encryption

Each level of sensitive data can be stored in a table encrypted under a key unique to the level of sensitivity.

But a user can mount a chosen plaintext attack. E.g., party affiliation of REP or DEM is stored in encrypted form in each record. A user who achieves access to these encrypted fields can easily decrypt them by creating a new record with party=DEM and comparing the resulting encrypted version to that element in all other records.

Worse, if authentication data are encrypted, the malicious user can substitute the encrypted form of his or her own data for that of any other user.

Using a different encryption key for each record can solve this.

Each record's fields can be encrypted with a different key, or all fields of a record can be cryptographically linked, as with cipher block chaining.

• Each field must be decrypted when users perform DB operations such as "select all records with SALARY > 10,000."

• Decrypting the SALARY field, even on rejected records, increases the time to process a query.

• Thus, encryption is not often used to implement separation in databases.

Integrity Lock

The lock is a way to provide both integrity and limited access for a database.

Each data item has three pieces:
Checksum is computed across both data and sensitivity label to prevent unauthorized modification of the data item or its label.

Data item is stored in plaintext for efficiency.

Sensitivity label should be:

Unforgeable: A malicious subject cannot create a new sensitivity level for an element.

Unique: A malicious subject cannot copy a sensitivity level from another element.

Concealed: A malicious subject cannot even determine the sensitivity level of an element.

To guarantee that a data value or its sensitivity classification has not been changed, this checksum must be unique for a given element.

Sensitivity Lock

A sensitivity lock is a combination of a unique identifier (record number) and the sensitivity level.

Each lock relates to one particular record.

A malicious subject should not be able to identify two elements having identical sensitivity levels or identical data values just by looking at the sensitivity level of the lock.

Encryption protects the secrecy of the sensitivity level of that record.

Designs of Multilevel Secure Databases

Integrity Lock

The intention was to be able to use any (untrusted) database manager with a trusted procedure that handles access control.

Issues:

Space requirement - one label for every element.
Sensitivity label must be decoded every time a data element is passed to the user to verify that the user's access is allowable.

Untrusted database manager sees all data, so it is subject to Trojan horse attacks by which data can be leaked through covert channels.

Trusted Front End (guard)

Front end authenticates the user's identity.

User issues a query to the front end.

Front end verifies user's authorization to data.

Front end issues a query to the DB manager.

DB manager performs I/O access, interacting with low-level access control to achieve access to actual data.

DB manager returns the query result to the trusted front end.

The front end analyses the sensitivity levels of the data items in the result and selects those items consistent with the user's security level.

Front end transmits selected data to the untrusted front end for formatting.

Untrusted front end transmits formatted data to the user.

Enhancing the security of the existing systems with minimal change to the system.

The trusted front end serves as a one-way filter, screening out results the user should not be able to access.

The scheme is inefficient because potentially much data is retrieved and then discarded as inappropriate for the user.

Commutative Filters

A commutative filter is a process that forms an interface between the user and a DBMS.

The filter reformats the query so that the database manager does as much of the work as possible, screening out many unacceptable records.

The filter then provides a second screening to select only data to which the user has access.

Filters can be used for security at the record, attribute, or element level.

When used at the record level, the filter requests desired data plus cryptographic checksum information; it then verifies the accuracy and accessibility of data to be passed to the user.

At the attribute level, the filter checks whether all attributes in the user's query are accessible to the user and, if so, passes the query to the database manager. On return, it deletes all fields to which the user has no access rights.

At the element level, the system requests desired data plus cryptographic checksum. When these are returned, it checks the classification level of every element of every record retrieved against the user's level.
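The element-level commutative filter and the integrity-lock checksum described above can be combined in one sketch. This is an added example, not part of the original notes: the filter re-forms the query with secrecy-level predicates, then verifies a checksum over record id, attribute, data and label before releasing a value. It assumes SQLite as the untrusted DBMS, HMAC-SHA256 as the cryptographic checksum, underscore column names such as NAME_LEVEL, and constructed rows; encrypting the label to conceal it is not shown.

```python
import hashlib
import hmac
import sqlite3

LOCK_KEY = b"constructed-demo-key"   # assumption: known only to the trusted filter
ATTRS = ("NAME", "OCCUP", "CITY")
LOW, HIGH = 0, 2                     # hypothetical secrecy levels


def checksum(record_id, attr, value, level):
    """Cryptographic checksum binding data, label, and the element's identity."""
    msg = "\x1f".join((str(record_id), attr, value, str(level))).encode()
    return hmac.new(LOCK_KEY, msg, hashlib.sha256).hexdigest()


def build_db(rows):
    """Untrusted DBMS stand-in: value, level and checksum stored per element."""
    db = sqlite3.connect(":memory:")
    cols = ", ".join(f"{a} TEXT, {a}_LEVEL INTEGER, {a}_SUM TEXT" for a in ATTRS)
    db.execute(f"CREATE TABLE people (ID INTEGER PRIMARY KEY, {cols})")
    for rid, fields in rows.items():
        vals = [rid]
        for attr in ATTRS:
            value, level = fields[attr]
            vals += [value, level, checksum(rid, attr, value, level)]
        marks = ", ".join("?" * len(vals))
        db.execute(f"INSERT INTO people VALUES ({marks})", vals)
    return db


def filtered_query(db, user_level, want, where):
    """Return (released values, ids rejected by the second screening)."""
    used = [want, *where]
    if any(a not in ATTRS for a in used):
        raise ValueError("unknown attribute")
    # Stage 1: re-form the query so the DBMS drops elements above the user's level.
    conds = [f"{a} = ?" for a in where] + [f"{a}_LEVEL <= ?" for a in used]
    sql = (f"SELECT ID, {want}, {want}_LEVEL, {want}_SUM FROM people "
           f"WHERE {' AND '.join(conds)} ORDER BY ID")
    params = list(where.values()) + [user_level] * len(used)
    released, rejected = [], []
    for rid, value, level, stored in db.execute(sql, params):
        # Stage 2: the filter re-checks the lock and the label on what came back.
        intact = hmac.compare_digest(stored, checksum(rid, want, value, level))
        if intact and level <= user_level:
            released.append(value)
        else:
            rejected.append(rid)
    return released, rejected


# Constructed sample data: (value, secrecy level) per element.
ROWS = {
    1: {"NAME": ("Adams", HIGH), "OCCUP": ("PHYSICIST", LOW), "CITY": ("WASHDC", LOW)},
    2: {"NAME": ("Baker", LOW), "OCCUP": ("PHYSICIST", LOW), "CITY": ("WASHDC", LOW)},
    3: {"NAME": ("Clark", LOW), "OCCUP": ("PHYSICIST", HIGH), "CITY": ("WASHDC", LOW)},
    4: {"NAME": ("Dodd", LOW), "OCCUP": ("CHEMIST", LOW), "CITY": ("WASHDC", LOW)},
}
QUERY = {"OCCUP": "PHYSICIST", "CITY": "WASHDC"}


def demo():
    """Run the physicist query at two clearances, then after a label downgrade."""
    db = build_db(ROWS)
    low_view = filtered_query(db, LOW, "NAME", QUERY)
    high_view = filtered_query(db, HIGH, "NAME", QUERY)
    # A Trojan horse in the untrusted DBMS downgrades the label on record 1's name.
    db.execute("UPDATE people SET NAME_LEVEL = ? WHERE ID = 1", (LOW,))
    after_tamper = filtered_query(db, LOW, "NAME", QUERY)
    return low_view, high_view, after_tamper


if __name__ == "__main__":
    for label, view in zip(("low", "high", "low after tamper"), demo()):
        print(label, view)
```

Because the record id is part of the checksum, copying a value, label and checksum from another element fails the same check as a changed label.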
If the current user should not be allowed to access the Washington physicists' names in the database,

Query: retrieve NAME where ((OCCUP=PHYSICIST)∧(CITY=WASH DC)).

Re-form the original query as:

retrieve NAME where ((OCCUP=PHYSICIST) ∧ (CITY=WASHDC))

from all records R where ((NAME-SECRECY-LEVEL(R) ≤ USER-SECRECY-LEVEL) ∧ (OCCUP-SECRECY-LEVEL(R) ≤ USER-SECRECY-LEVEL) ∧ (CITY-SECRECY-LEVEL(R) ≤ USER-SECRECY-LEVEL))

The filter works by restricting the query to the DBMS and then restricting the results before they are returned to the user.

In this instance, the filter would request NAME, NAME-SECRECY-LEVEL, OCCUP, OCCUP-SECRECY-LEVEL, CITY, and CITY-SECRECY-LEVEL values and would then filter and return to the user only those fields and items that are of a secrecy level acceptable for the user.

• Although even this simple query becomes complicated because of the added terms, these terms are all added by the front-end filter, invisible to the user.

Distributed Databases

A trusted front end controls access to two unmodified commercial DBMSs: one for all low-sensitivity data and one for all high-sensitivity data.

The front end takes a user's query and formulates single-level queries to the databases as appropriate.

For a user cleared for high-sensitivity data, the front end submits queries to both the high- and low-sensitivity databases.

But if the user is not cleared for high-sensitivity data, the front end submits a query to only the low-sensitivity database.

Distributed Databases

If the result is obtained from either backend database alone, the front end passes the result back to the user.

If the result comes from both databases, the front end has to combine the results appropriately.

For example, if the query is a join query having some high-sensitivity terms and some low, the front end has to perform the equivalent of a database join itself.

The distributed database design is not popular because the front end, which must be trusted, is complex, potentially including most of the functionality of a full DBMS itself.

Also, the design does not scale well to many degrees of sensitivity; each sensitivity level of data must be maintained in its own separate database.

Window/View

Each user is restricted to a picture of the data reflecting only what the user needs to see.
e.g., the registrar may see only the class assignments and grades of each student at a university, not needing to see extracurricular activities or medical records.

The university health clinic, on the other hand, needs medical records and drug-use information but not scores on academic tests.

Window/View

The view is specified as a set of relations in the database, so the data in the view subset change as data change in the database.

This subset guarantees that the user does not access values outside the permitted ones, because nonpermitted values are not even in the user's database.

For example, a travel agent might have access to part of an airline's flight information database.

Records for cargo flights would be excluded, as would the pilot's name and the serial number of the plane for every flight.

Now suppose the airline created some passenger flights that could be booked only directly through the airline; the flights are made more sensitive, making them unavailable to travel agents.

The travel agent's view of the database is expressed as:

Chapter-8:

Database Attacks

Enterprise database and information storage infrastructures are subject to a
wide range of abuses and attacks, particularly when left vulnerable by poor system design or configuration.

Cloud database configuration errors
SQL injection
Weak Authentication
Privilege abuse
Excessive privileges
Inadequate logging and weak auditing
Denial of Service
Exploiting unpatched services
Insecure system architecture
Inadequate backup

Cloud DB configuration errors

Data breaches are caused by insecurely configured cloud databases or storage services.

Public Cloud service IP addresses are not secret and are continually scanned for vulnerabilities by malicious persons and security researchers.

Cloud DB configuration errors

Avoid them finding your crucial information by:

Knowing what data you hold, where it is located (in the cloud, on-premises servers, or other storage solutions) by implementing effective infrastructure configuration and change management.

Cloud databases and other data stores may default to being open to the internet on creation and rely on the service user to properly secure them (e.g., by database firewall).

Ensuring all databases and data stores are configured with strong authentication by default.

Monitor your cloud perimeter for insecure data services.

SQL injection

SQL injection vulnerabilities occur when application code contains dynamic database queries which directly include user-supplied input.

Preventing SQL injection:

Avoid the use of dynamic queries within applications.

Use of prepared statements with parameterized queries will stop SQL injection (SQL injection is impossible in this case because user inputs are handled safely as data, not part of the SQL command).

Implement user input validation before that input is passed to the application.

Weak Authentication

Implement brute force controls such as account lockout after a set number of invalid attempts.

Use password blacklisting to prevent users choosing common passwords.

Consider implementing multi-factor authentication.

Don’t store user passwords in the clear. Use a strong password hashing algorithm such as bcrypt and salt each password with a long, random, unique string.

Strongly protect the application database credentials and make sure they are unguessable. Storing credentials in the clear in a configuration file is not secure (but often done). Use a key vault or other secure means of storage.

Privilege abuse

Users may abuse legitimate data access privileges for unauthorized purposes.
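Returning to the "Preventing SQL injection" points above, as an added example that is not part of the original notes: the dynamic query beside its prepared-statement form, plus validation of a numeric id and an allow-list for ORDER BY, which cannot be bound as a parameter. It uses Python's sqlite3 with constructed tables; the function names and sample rows are assumptions, and the UNION input is the one quoted in the union-based section of these notes.

```python
import sqlite3

# Input quoted in the union-based SQLi section of these notes.
UNION_INPUT = "' UNION SELECT username, password FROM users --"


def build_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, product_name TEXT,
                               price REAL, category TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES (42, 'Radio', 19.5, 'Electronics');
        INSERT INTO products VALUES (43, 'Kettle', 12.0, 'Kitchen');
        INSERT INTO users VALUES ('alice', 'constructed-hash-1');
        INSERT INTO users VALUES ('bob', 'constructed-hash-2');
    """)
    return db


def search_dynamic(db, category):
    """Vulnerable form: user input is concatenated into the SQL text."""
    sql = ("SELECT product_name, price FROM products "
           "WHERE category = '" + category + "'")
    return db.execute(sql).fetchall()


def search_prepared(db, category):
    """Hardened form: the driver binds the input as a value, never as SQL."""
    sql = "SELECT product_name, price FROM products WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()


def get_product(db, product_id):
    """Input validation plus binding for a numeric parameter."""
    if not isinstance(product_id, str) or not product_id.isdecimal():
        raise ValueError("product_id must be a decimal integer")
    sql = "SELECT id, product_name, price FROM products WHERE id = ?"
    return db.execute(sql, (int(product_id),)).fetchone()


def order_products(db, column, direction="ASC"):
    """Identifiers cannot be bound, so ORDER BY input is mapped to an allow-list."""
    allowed = {"name": "product_name", "price": "price"}
    if column not in allowed or direction.upper() not in ("ASC", "DESC"):
        raise ValueError("unsupported sort")
    sql = (f"SELECT product_name FROM products "
           f"ORDER BY {allowed[column]} {direction.upper()}")
    return [row[0] for row in db.execute(sql)]


def demo():
    """Compare what each search function returns for the same input."""
    db = build_db()
    return {
        "dynamic": search_dynamic(db, UNION_INPUT),    # rows from the users table
        "prepared": search_prepared(db, UNION_INPUT),  # no category matches
        "normal": search_prepared(db, "Electronics"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```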
E.g., a user in sales with privileges to view individual customer records may abuse that privilege to retrieve all customer records to pass to a competitor.

Good hiring policies.

Enforce technical measures, effective logging, and monitoring to detect abuse.

User access to data should be limited. E.g., limiting the number of records accessible in a day, access location restrictions, time of day restrictions, etc.

If there is a business need to perform arbitrary queries on data, access to and use of this interface should be logged, regularly audited, and limited to as few people as possible.

Excessive privileges

If users hold privileges that exceed the requirements of their job function, these privileges may be abused by the individual, or an attacker who compromises their account.

When people move roles, they may be given the new privileges they need.

Role-Based Access Control.

Procedures which ensure that when staff change roles, their permissions are updated to reflect this, with those no longer required being removed.

Reviews of who holds which roles to confirm the procedures are working.

Inadequate logging and weak auditing

Logging and auditing are key to deterring and detecting misuse and enabling investigation of suspected data compromise.

Logging is the collection of data and auditing is someone actually looking at it.

When considering your logging and auditing requirements:

Think about what information you need to collect at the application and database query layer.

Consider how your logging data will be secured.

Implement procedures for auditing the data collected so you know when something is amiss.

Consider whether you could justify implementing network-based audit appliances which monitor all database requests at a granular level and are independent of all users.

Denial of service (DoS)

Network-level Denial of Service (DoS) attacks from the internet can overwhelm your system regardless of the capacity of its internet connection.

Cloud-based DoS protection services.

Resource consumption-based attacks, such as repeatedly sending complex search queries to exhaust server resources, require a different approach, such as request rate limiting.

Exploiting unpatched services

Operating vulnerable unpatched services will significantly increase the likelihood of being compromised.

Make sure you maintain a complete and up-to-date inventory of the software components in your systems, including third-party and open-source libraries in use.

Establish a vulnerability management process which enables you to ascertain, on a regular basis, what vulnerabilities are present within your systems and prioritize remediation.

Insecure system architecture

While controls against specific DB threats are important, they must form part of a design that is secure overall.
If your DB contains mostly data used internally but has a subset of data available externally, consider pushing the external data to an entirely separate database with its own external application. That prevents compromise of the public interface impacting internal data.

Internet-facing remote access services must be properly designed and robust.

Inadequate backup

All backups should be encrypted.

Proper key management.

If your backups are all online and reachable over a file share, for example, ransomware will encrypt them.

Resilience within cloud services, e.g., geo-replication, is not the same as backup. It’s possible for an attacker to delete so much cloud infrastructure and customer data that an organization can’t survive.

Make sure that your backups are not subject to the same threats as the live data and that full compromise of the live data environment cannot also compromise your backups.

Test your restore procedures regularly.

SQL Injection Attacks

SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.

This can allow an attacker to view data that they are not normally able to retrieve.

In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior.

In some situations, an attacker can compromise the underlying server or other back-end infrastructure. It can also enable them to perform denial-of-service attacks.

Impact of an SQL injection attack

A successful SQL injection attack can result in unauthorized access to sensitive data, such as:

Passwords.

Credit card details.

Personal user information.

In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period.

Types of SQL injection attacks

3 categories based on the methods they use to access backend data and their damage potential.

In-band SQLi

The attacker uses the same channel of communication to launch their attacks and to gather their results.

Most common type of SQLi attack.

Error-based SQLi—the attacker performs actions that cause the database to produce error messages. The attacker uses the data provided by these error messages to gather information about the structure of the DB.

Union-based SQLi—UNION SQL operator fuses multiple select statements generated by the DB to get a single HTTP response. This response may contain data that can be leveraged by the attacker.

Error-based SQLi

To extract more information from the database, the attacker injects a query designed to cause an error.

username: user' AND EXTRACTVALUE(1, CONCAT(0x7e,@@version)) --

This generates the query:
SELECT * FROM users WHERE username = 'user' AND EXTRACTVALUE(1, CONCAT(0x7e,@@version)) --' AND password = '[ignored]';

@@version returns the current version of the DB.

EXTRACTVALUE() -> forces the database to return the result as part of an error message.

If successful, DB would throw an error, and the attacker might see:

Error: XPATH syntax error: '~MySQL 5.7.32'

Reveals the version of MySQL, providing the attacker with useful information for further exploitation.

Union-based SQLi

If the user searches for a category "Electronics", the query:

SELECT product_name, price FROM products WHERE category = 'Electronics';

The attacker puts the following into the category field:

' UNION SELECT username, password FROM users --

This modifies the original query to:

SELECT product_name, price FROM products WHERE category = '' UNION SELECT username, password FROM users --';

The UNION SELECT part combines the result of the second query (from the users table) with the first query (from the products table). The -- comments out the rest of the original query to prevent syntax errors.

Types of SQL injection attacks 2.

Inferential (Blind) SQLi

The attacker sends data payloads to the server and observes the response and behavior of the server to learn more about its structure.

Blind SQL injections rely on the response and behavioral patterns of the server, so they are typically slower to execute but may be just as harmful.

Boolean attack.

Time-based attack.

Boolean-based blind SQL injection

Attacker observes the behavior of the DB server and the application after combining legitimate queries with malicious data using boolean operators.

To display details of a product from the database:

SELECT * FROM products WHERE id = product_id

An attacker uses the application in a legitimate way to discover at least one existing product ID (e.g., product 42). Then, they can provide the following two values for product_id:

42 AND 1=1

42 AND 1=0

If this query is executed in the application using simple string concatenation, the query becomes respectively:

SELECT * FROM products WHERE id = 42 and 1=1

SELECT * FROM products WHERE id = 42 and 1=0

If the application behaves differently in each case, it is susceptible to boolean-based blind SQL injections.

For Microsoft SQL Server, the attacker can now supply the following value for product_id:

42 AND (SELECT TOP 1 substring(name, 1, 1) FROM sysobjects WHERE id=(SELECT TOP 1 id FROM (SELECT TOP 1 id FROM sysobjects ORDER BY id) AS subq ORDER BY id DESC)) = 'a'

The sub-query after 42 AND checks whether the name of the first table in the DB starts with the letter a.

If true, the application will behave the same as for the payload 42 AND 1=1.

If false, the application will behave the same as for the payload 42 AND 1=0.

The attacker can iterate through all letters and then go on to the second letter, third letter, etc.

So, the attacker can discover the full name of the first table in the database structure. They can then try to get more data about the structure of this table and finally – extract data from the table.

Time-based blind SQL injection

An attacker observes the behavior of the database server and the application after combining legitimate queries with SQL commands that cause time delays.

An attacker may provide the following product_id value:

42; WAITFOR DELAY '0:0:10'

The query becomes:

SELECT * FROM products WHERE id = 42; WAITFOR DELAY '0:0:10'

If the DB server is Microsoft SQL Server and the application is susceptible to time-based blind SQL injections, the attacker will see a 10-second delay in the application.

Now that the attacker knows that time-based blind SQL injections are possible, he can provide the following product_id:

42; IF(EXISTS(SELECT TOP 1 * FROM sysobjects WHERE id=(SELECT TOP 1 id FROM (SELECT TOP 1 id FROM sysobjects ORDER BY id) AS subq ORDER BY id DESC) AND ascii(lower(substring(name, 1, 1))) = 'a')) WAITFOR DELAY '0:0:10'

If the name of the first table in the DB structure begins with the letter a, the second part of this query will be true, and the application will react with a 10-second delay.

The rest works like Boolean-based blind SQL injection.

Types of SQL injection attacks

Out-of-band SQLi

The attacker does not receive a response from the attacked application on the same communication channel but instead is able to cause the application to send data to a remote endpoint that they control.

Out-of-band SQL injection is only possible if the server has commands that trigger DNS or HTTP requests.

Instead of inferring content in the DB through something like Boolean logic, you can request the target system transmit the information over protocols such as HTTP, SMB or DNS.

How to detect SQL injection vulnerabilities?

Check each of these:

Submit the single quote character ' and look for errors or other anomalies.

Some SQL-specific syntax that evaluates to the base (original) value of the entry point, and to a different value, and look for systematic differences in the application responses.

Boolean conditions such as OR 1=1 and OR 1=2, and look for differences in the application's responses.

Payloads designed to trigger time delays when executed within a SQL query, and look for differences in the time taken to respond.
• OAST (Out-of-band Application Security Testing) payloads designed to trigger an out-of-band network interaction when executed within a SQL query, and monitor any resulting interactions.

Alternatively, you can find the majority of SQL injection vulnerabilities quickly and reliably using Burp Scanner.

SQL injection in parts of the query

Most SQL injection vulnerabilities occur within the WHERE clause of a SELECT query.

SQL injection vulnerabilities can occur at any location within the query, and within different query types.
• In UPDATE statements, within the updated values or the WHERE clause.
• In INSERT statements, within the inserted values.
• In SELECT statements, within the table or column name.
• In SELECT statements, within the ORDER BY clause.

Second-order SQL injection

First-order SQL injection occurs when the application processes user input from an HTTP request and incorporates the input into an SQL query in an unsafe way.

Second-order SQL injection occurs when the application takes user input from an HTTP request and stores it for future use.

This is usually done by placing the input into a database, but no vulnerability occurs at the point where the data is stored. Later, when handling a different HTTP request, the application retrieves the stored data and incorporates it into a SQL query in an unsafe way.

For this reason, second-order SQL injection is also known as stored SQL injection.

Second-order SQL injection often occurs in situations where developers are aware of SQL injection vulnerabilities, and so safely handle the initial placement of the input into the database.

When the data is later processed, it is deemed to be safe, since it was previously placed into the database safely.

At this point, the data is handled in an unsafe way because the developer wrongly deems it to be trusted.

Refer to Varutra on second-order SQL injection attack.

Some core features of the SQL language are implemented in the same way across popular database platforms, and so many ways of detecting and exploiting SQL injection vulnerabilities work identically on different types of database.

However, there are also many differences between common databases. These mean that some techniques for detecting and
exploiting SQL injection work differently on different platforms. For example:
• Syntax for string concatenation.
• Comments.
• Batched (or stacked) queries.
• Platform-specific APIs.
• Error messages.

Examining the database

After you identify a SQL injection vulnerability, it's often useful to obtain information about the database. This information can help you to exploit the vulnerability.

You can query the version details for the database. Different methods work for different database types. This means that if you find a particular method that works, you can infer the database type. For example, on Oracle you can execute:

    SELECT * FROM v$version

You can also identify what database tables exist, and the columns they contain. For example, on most databases you can execute the following query to list the tables:

    SELECT * FROM information_schema.tables

In the previous labs, you used the query string to inject your malicious SQL payload. However, you can perform SQL injection attacks using any controllable input that is processed as a SQL query by the application.

For example, some websites take input in JSON or XML format and use this to query the database.

These different formats may provide different ways for you to obfuscate attacks that are otherwise blocked due to WAFs and other defense mechanisms.

Weak implementations often look for common SQL injection keywords within the request, so you may be able to bypass these filters by encoding or escaping characters in the prohibited keywords.

SQL injection in different contexts

For example, the following XML-based SQL injection uses an XML escape sequence to encode the S character in SELECT:

    <stockCheck>
        <productId>123</productId>
        <storeId>999 &#x53;ELECT * FROM information_schema.tables</storeId>
    </stockCheck>

This will be decoded server-side before being passed to the SQL interpreter.

You can prevent most instances of SQL injection using parameterized queries instead of string concatenation within the query. These parameterized queries are also known as "prepared statements."

The following code is vulnerable to SQL injection because the user input is concatenated directly into the query:

    String query = "SELECT * FROM products WHERE category = '" + input + "'";
    Statement statement = connection.createStatement();
    ResultSet resultSet = statement.executeQuery(query);
How to prevent SQL injection?

You can rewrite this code in a way that prevents the user input from interfering with the query structure:

    PreparedStatement statement = connection.prepareStatement("SELECT * FROM products WHERE category = ?");
    statement.setString(1, input);
    ResultSet resultSet = statement.executeQuery();

You can use parameterized queries for any situation where untrusted input appears as data within the query, including the WHERE clause and values in an INSERT or UPDATE statement.

They can't be used to handle untrusted input in other parts of the query, such as table or column names, or the ORDER BY clause.

Application functionality that places untrusted data into these parts of the query needs to take a different approach, such as:
• Whitelisting permitted input values.
• Using different logic to deliver the required behavior.

For a parameterized query to be effective in preventing SQL injection, the string that is used in the query must always be a hard-coded constant.

It must never contain any variable data from any origin. Do not be tempted to decide case-by-case whether an item of data is trusted, and continue using string concatenation within the query for cases that are considered safe.

It's easy to make mistakes about the possible origin of data, or for changes in other code to taint trusted data.
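The second-order case described earlier, together with the closing advice not to trust data because of where it came from, as an added example that is not part of the original notes. It uses Python's sqlite3 rather than the page's Java/JDBC; the users/orders schema, the function names and the sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    db.execute("CREATE TABLE orders (owner TEXT, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?)",
                   [("alice", "laptop"), ("bob", "phone"), ("carol", "camera")])
    return db

def register(db, username):
    # Request 1: stored with a bound parameter, so no injection happens
    # here and the value is saved exactly as submitted.
    return db.execute("INSERT INTO users (username) VALUES (?)",
                      (username,)).lastrowid

def stored_username(db, user_id):
    cur = db.execute("SELECT username FROM users WHERE id = ?", (user_id,))
    return cur.fetchone()[0]

def orders_unsafe(db, user_id):
    # Request 2 (vulnerable): the value read back from the database is
    # assumed to be trusted and is concatenated into the query text.
    name = stored_username(db, user_id)
    sql = "SELECT item FROM orders WHERE owner = '" + name + "'"
    return [r[0] for r in db.execute(sql)]

def orders_safe(db, user_id):
    # Request 2 (hardened): constant query string; the stored value is
    # bound as data, just like input arriving in the HTTP request.
    name = stored_username(db, user_id)
    return [r[0] for r in db.execute(
        "SELECT item FROM orders WHERE owner = ?", (name,))]

if __name__ == "__main__":
    db = make_db()
    uid = register(db, "x' OR '1'='1")          # constructed input
    print("stored  :", stored_username(db, uid))
    print("unsafe  :", orders_unsafe(db, uid))  # every user's orders
    print("hardened:", orders_safe(db, uid))    # no rows match
```

Both functions return the same rows for an ordinary username; they diverge only when the stored value contains SQL syntax, which is why this flaw tends to survive functional testing.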
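An added example (not from the original notes) of the allow-list approach for the parts of a query that parameters cannot reach, here the ORDER BY column and direction, combined with a bound parameter for the category value. Python's sqlite3 stands in for the page's Java/JDBC; the products schema, the sort keys and the rows are assumptions made for the example.

```python
import sqlite3

# Identifiers cannot be bound as parameters, so request input is only used
# as a lookup key; the text placed in the query comes from these constants.
SORT_COLUMNS = {"name": "name", "price": "price", "newest": "created_at"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

ROWS = [  # constructed sample data
    ("mug", "gifts", 9.5, "2024-01-03"),
    ("card", "gifts", 2.0, "2024-02-11"),
    ("drill", "tools", 79.0, "2024-01-20"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products "
               "(name TEXT, category TEXT, price REAL, created_at TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", ROWS)
    return db

def list_products(db, category, sort="name", direction="asc"):
    """category is data and is bound; sort/direction only select a constant."""
    try:
        column = SORT_COLUMNS[sort]
        order = SORT_DIRECTIONS[direction.lower()]
    except (KeyError, AttributeError):
        # Anything outside the allow-list is rejected, never sanitised.
        raise ValueError("unsupported sort option") from None
    sql = ("SELECT name FROM products WHERE category = ? "
           f"ORDER BY {column} {order}")
    return [r[0] for r in db.execute(sql, (category,))]

if __name__ == "__main__":
    db = make_db()
    print(list_products(db, "gifts", "price", "desc"))
    try:
        list_products(db, "gifts", sort="price; DROP TABLE products")
    except ValueError as exc:
        print("rejected:", exc)
```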
