• Exposure of documents to unauthorized users
• Malicious code on the server by attackers

• Electronic Eavesdropping
• Establishment of bogus vendor web page

Transport Layer Security (TLS)

• Provides confidentiality, integrity, authentication of endpoints
• Developed by Netscape for WWW browsers and servers
• Most common use of SSL: Protecting HTTP communications

Internet protocol version: TLS

• Compatible with SSL
• Not yet Formally adopted for TCP/IP

• Content type: 8 bits
• protocol version number: 8 bits majors, 8 bits minor
• data payload
  • optionally compressed and encrypted
• Message authentication code (MAC)
  • MAC computed before encryption
• maximum length: 16k bytes (2¹⁴=16,384)

• All parts of SSL use them
• Initial phase: public key system exchanges keys
  • Messages enciphered using classical ciphers. checksummed using cryptographic checksums
  • Only certain combinations allowed
    • Depends on interchange algorithms
    • Interchange algorithms: RSA, Diffe-Hellman, Fortezza  

• initially SSL session has null compression and encryption algorithms
• Both are set by the handshake protocol at beginning of session
• Handshake protocol may be repeated during session

• Create SSL connection between client, server
• Server authenticates itself
• Client validates server, begin key exchange
• Acknowledgments all around

• Use dedicated port numbers for every applications that uses SSL
• Negotiate use of SSL during normal TCP/IP connection establishment

https = 443

ssmtp = 465

snntp = 563

sldap = 636

spop3 = 995 

ftp-data = 889

ftps = 990

imaps = 991

telnets = 992

ircs = 993

• IP authentication header (AH)
• IP encapsulating security protocol (ESP)
• Transport layer security (TLS)
• Secure Socket Layer (SSL)
• Routing information protocol (RIP)
• Domain Name Service (DNS)
• Simple network management protocol (SNMP)
• Key management protocols 
• Application layer protocols covered in other modules 

• Flags 
• Fragment Offset
• Source IP Address

• Source Port
• Destination Port
• Sequence Number
• ACK
• RST
• SYN
• FIN

Basic TCP/IP Vulnerabilities

• Many dangerous implementations of protocols 
  • sendmail
• Many dangerous protocols 
  • NFS, X11, RPC
  • many of these are UDP based

Solutions to Basic TCP/IP Vulnerabilities

• allow a restricted set of protocols between selected external and internal machines 
• otherwise known as firewalls

• IP packet carries no authentication of source address
• IP Spoofing is possible 
  • IP spoofing is a real threat on the internet 
  • IP spoofing occurs on other packet switched networks also, such as Novell's IPX

• Can be accomplished in phases using a variety of icmp, tcp and udp packets
  • Bombard the potential addresses with icmp packets
  • send a limited number of tcp packets to all 
  • send a very limited number of udp packets to all

• all traffic between external and internal networks must go through the firewall 
  • easier said than done
• firewall has opportunity to ensure that only suitable traffic goes back and forth
  • easier said than done  

Packet filtering firewalls

Application gateway firewalls

Stateful firewalls

Circuit relay firewalls

combination of these

• filter IP packets
• IP packets are filtered based on 
  • source IP address + source port number
  • destination IP address + destination port number
  • protocol field: TCP or UDP
  • TCP protocol flag: SYN or ACK

• Drop packets based on filtering rules
• generally, no context is kept 
  • dynamic packet filtering keeps context
• Filtering may be done:
  • incoming packets into router
  • outgoing packets from router
  • or both

• packet filtering can be very effective for simple services
• packet filtering is effective for coarse-grained controls

• Not so effective for fine-grained control 
  • can do: allow incoming telnet from a particular host 
  • cannot do: allow incoming telnet from a particular user

• Standard access lists
• Extended access lists

• Use only the source IP address in an IP packet to filter the network

• Check for both source and destination IP addresses, protocol fields in the Network Layer header, and port numbers at the Transport Layer header

• IP source address can be spoofed 
• host-based IP routing 
• hard to configure filtering rules correctly 
• routing information protocol (RIP) is insecure 
• some remote router management tools use cleartext passwords

• All of these vulnerabilities have been and will be exploited
• epidemic of IP spoofing attacks in the late 1994 - early 1995
  • basic principle was published in 1985
  • as easier attacks get closed off, hackers move on to more sophisticated attacks

• allow incoming TELNET from our own users who are traveling 
  • user telnets to gateway machine 
  • gateway does strong authentication and establishes telnet relay to internal machine 
  • user to internal machine telnet session is relayed through gateway
• once established relays do not examine traffice

• Stateful packet inspection (SPI) or stateful inspection
  • Keeps track of the state of network connections traveling across it
  • Only packets matching a known connection state will be allowed by the firewall

• By design, it opens new connections to arbitrary high ports
• The FTP port of the protected network may be recognized by a firewall, it then drops the packet 

• Maintain a table of open connections and intelligently associating new connection requests with existing legitimate connections 

Stateful Firewall VS. Application Gateway Firewall

Stateful packet inspection can determine what type of protocol is being sent over each port

Application-level filters look at what a protocol is being used for (such as webpage  or file sharing by HTTP traffic)

• IPv4 and IPv6 packets
  • data origin authentication 
  • data integrity
• keyed message digest on IP packet headers and data payload 
  • keyed MD5, HMAC

• keyed message digest 
• security parameter index (SPI)
  • in context
  • id of shared secret key
• key agreement is by internet key agreement protocols

• security parameter index (SPI)
• cleartext, e.g., Initial Value for DES-CBC
• encrypted portions if appropriate

• Identification and authentication 
• Security through views
• Stored procedures
• Grant and Revoke 
• MLS-Security Level

• I&A provided by DBMS can be distinct from I&A provided by the underlying Operating System 
• For example, in SQL
  • Connect <user> IDENTIFIED BY <password>

• The user who compiles a program becomes the owner of the stored procedure, and give others execute using the RUN command
• GRANT RUN ON program-A TO Alice
  • Suppose program_A needs to access the relation EMP. Alice can execute program_A even though she does not have permission to access EMP
• Stored procedure runs with owners permissions 

Database Security Issues:

Granularity of Protection

• In operating systems protected objects are files 
• In databases, there are several possibilities: relations, attributes, tuples, data elements

Database Security Issues:

What should be implement in a DBMS?

• Relation level is easier to implement, but may be too inflexible
• Data element level aggravates  many problems(such as polyinstantiation)

• Each Relation
• Each Tuple
• Each Attribute
• Each Element 

• Primary Key value are same
• Key class is different
• Two conflict entities

Attribute Polyinstantiation

• Primary Key value are same 
• Key class is same
• Conflicting information about the same entity

• Single access class for primary key
• Partitioning the domain of the primary key
• Limit insertions to be done by trusted sunjects

• Prevent protocol [Jajodia-Sandhu]

• Web applications take user input from a web form
• This attack involves injecting SQL statements as part of user input

• Input validation
  • Verify the input is a valid string in the language
  • Need to exclude quotes and semicolons
  • Have Length Limits on input
  • Attempt to bind inputs to variables inside a SQL statement
• Control database permissions and segregate

• User, process actions conform to statistically predictable pattern
• User, process actions do not include sequences of actions that subvert the security policy
• Process actions correspond to a set of specifications describing what the processes are allowed to do 
• Systems under attack do not meet at least one of these

• Attack tool is automated script designed to violate a security policy
• Example a rootkit 

• Rootkit configuration files cause ls,du, etc. to hide information 
  • ls lists all files in a directory
    • Except those hidden by configuration file
  • dirdump(local program to list directory entries) also lists all files 
    • Need to run both and compare results

• Hypothesis: exploiting vulnerabilities requires abnormal use of normal commands or instructions
  • Includes deviation from usual actions 
  • Includes execution of actions leading to break-ins 
  • Includes actions inconsistent with specifications of privileged programs

• Detect wide variety of intrusions
  • Previously known and unknown attacks 
  • Suggests need to learn/adapt to new attacks or changes in behavior
• Detect intrusions in timely fashion
  • May need to be real-time, especially when system responds to intrusion
    • Problem: analyzing commands may impact response time of system

• Present analysis in simple, easy to understand format
  • Ideally a binary indicator
  • Usually more complex, allowing analyst to examine suspected attack
  • User interface and effective visualization are critical, especially when monitoring many systems
• Be accurate
  • Minimize false positives, false negatives (correctness)
  • Minimize time spent identifying and verifying attacks

• Anomaly detection
• Misuse detection
• Specification-based detection

• What is usual, is known
• What is unusual, is bad

Misuse detection is...

• What is bad, is known
• What is not bad, is good

• What is good, is known
• What is not good, is bad

• Counts number of events that occur
  • Between m and n events (inclusive) expected to occur
  • If number falls outside this range, anomalous
• Example 
  • Windows: lock user out after k failed sequential login attempts. Range is (0, k-1)
    • k or more failed logins deemed anomalous

• Analyzer computes standard deviation (first two moments), other measures of correlation (higher moments)
  • Check if measured values fall outside expected interval for particular moments 

• Adversarial
• Non-Adversarial
• Natural

• Unique
• Define and analyze to understand degree
• Consider environment, objectives, motivations,Intetions and capabilties

• Unintentional
• Human or system failures
• Consider capability to assess degree

• Predictable according to location

• Policy assurance 
• Design assurance
• Implementation assurance
• Operational assurance

• Evidence establishing that the set of security requirements in policy is complete, consistent, technically, technically sound

Evidence that establishing implementation is consistent

security requirements of security policy 

• Evidence that establishing implementation is consistent with security requirements of security policy