A pentesting-based attack simulation technique that causes no side effects in databases


VIETNAM NATIONAL UNIVERSITY HO CHI MINH CITY
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY

NGUYỄN THANH TÙNG

A PENTESTING-BASED ATTACK SIMULATION TECHNIQUE THAT CAUSES NO SIDE EFFECTS IN DATABASES

Major: Computer Science

MASTER'S THESIS

Ho Chi Minh City, September 2011

This work was completed at Ho Chi Minh City University of Technology, Vietnam National University Ho Chi Minh City.

Scientific supervisor: Assoc. Prof. Dr. Đặng Trần Khánh
Reviewer 1: Dr. Võ Thị Ngọc Châu
Reviewer 2: Dr. Nguyễn Chánh Thành

The master's thesis was defended at Ho Chi Minh City University of Technology, VNU-HCM, on 7 September 2011.

Thesis evaluation committee:
- Dr. Thoại Nam
- Dr. Võ Thị Ngọc Châu
- Dr. Nguyễn Chánh Thành
- Assoc. Prof. Dr. Dương Tuấn Anh
- Dr. Nguyễn Tuấn Đăng

Certified by the chair of the thesis evaluation committee and by the department managing the major, after the thesis was corrected (if applicable).

Chair of the thesis evaluation committee        Department managing the major

Side-effect-free pentesting

HCMC UNIVERSITY OF TECHNOLOGY        SOCIALIST REPUBLIC OF VIETNAM
Postgraduate Training Office         Independence - Freedom - Happiness

Ho Chi Minh City, 1 July 2011

MASTER'S THESIS ASSIGNMENT

Student: NGUYỄN THANH TÙNG        Gender: Male
Date of birth: 06/03/1986         Place of birth: Long An
Major: Computer Science           Student ID: 09070476

1. THESIS TITLE: A PENTESTING-BASED ATTACK SIMULATION TECHNIQUE THAT CAUSES NO SIDE EFFECTS IN DATABASES

2. TASKS AND CONTENT:
- Study pentesting as a technique for detecting database security vulnerabilities.
- Identify the shortcomings and side effects of pentesting.
- Remedy the side effects caused when attacks are carried out with pentesting.
- Propose a solution and develop a framework that protects database systems safely, without side effects, when attacks are simulated with pentesting.

3. ASSIGNMENT DATE:
4. COMPLETION DATE: 01/07/2011
5. SUPERVISOR: Assoc. Prof. Dr. Đặng Trần Khánh

SUPERVISOR (academic rank, degree, full name and signature)        HEAD OF THE DEPARTMENT MANAGING THE MAJOR

DECLARATION

I declare that, except for results referenced from other works as clearly noted in the thesis, the work presented in this thesis was carried out by myself, and no part of it has been submitted for a degree at this or any other university.

1 July 2011
Nguyễn Thanh Tùng

ACKNOWLEDGEMENTS

I would like to express my deep gratitude to Dr. Đặng Trần Khánh for his dedicated guidance and help in carrying out this research. I thank the ASIS Lab group for supporting me and providing the conditions for my research throughout this time. Finally, I sincerely thank my family and friends, who have always stood by me with encouragement and help.

THESIS ABSTRACT

Today more and more data are stored and managed in computer systems, and they increasingly affect human life. Important, valuable data attract hackers, which is why security has become so important. Pentesting is widely used to detect database security vulnerabilities. The technique, however, has shortcomings that cause side effects and feed back into the security of the database system itself: data loss, loss of consistency, system downtime, or new doors and vulnerabilities through which a hacker can attack for real. In response, this thesis studies a pentesting-based attack simulation technique that causes no side effects in the database. The thesis is organized as follows:

- Chapter 1: introduces the topic, the objectives and scope of the research, and its significance.
- Chapter 2: presents the theoretical background of database security: the four database security requirements, the types of attack on databases, and database security vulnerabilities.
- Chapter 3: introduces pentesting, its classification and the steps of the technique, and gives an example of applying it to detect database security vulnerabilities. The chapter closes with its advantages and disadvantages.
- Chapter 4: analyses the topic in depth: the side effects encountered when pentesting is used to probe for database security vulnerabilities. The chapter also presents the Attack graphs model for modelling vulnerabilities that are related to one another.
- Chapter 5: presents the methodology for using pentesting to simulate attacks and detect database security vulnerabilities without side effects.
- Chapter 6: presents the overall architecture, the detailed architecture, and the analysis and design diagrams of the database vulnerability scanning system.
- Chapter 7: presents the prototype of the vulnerability detection system.
- Chapter 8: presents the measurement and performance evaluation of the prototype.
- Chapter 9: summarizes the advantages and disadvantages, and the directions for further development.
- References: the documents used during the research and implementation of the thesis.
- Appendix: the papers reporting the research results.

TABLE OF CONTENTS

MASTER'S THESIS ASSIGNMENT
DECLARATION
ACKNOWLEDGEMENTS
THESIS ABSTRACT
TABLE OF CONTENTS
LIST OF FIGURES

Chapter 1: INTRODUCTION
  1.1 Introduction
  1.2 Thesis title
  1.3 Research objectives
  1.4 Research scope
  1.5 Significance of the thesis
    1.5.1 Scientific significance
    1.5.2 Practical significance

Chapter 2: THEORETICAL BACKGROUND
  2.1 Database security requirements
    2.1.1 Confidentiality
    2.1.2 Integrity
    2.1.3 Availability
    2.1.4 Non-repudiation
  2.2 Types of attack on databases
    2.2.1 Classification of database attacks
    2.2.2 Unauthorized access
    2.2.3 SQL Injection
    2.2.4 Denial of Service and Distributed Denial of Service
    2.2.5 Exploitation of unnecessary DBMS services and features
    2.2.6 Published but unpatched database vulnerabilities
  2.3 Database security vulnerabilities
    2.3.1 Definition
    2.3.2 Classification
  2.4 Vulnerability assessment
    2.4.1 Base metrics group
    2.4.2 Temporal metrics group
    2.4.3 Environmental metrics group
  2.5 Models for combining vulnerabilities
    2.5.1 Attack Trees model
    2.5.2 Attack graphs model
    2.5.3 Net Attack model

Chapter 3: PENTESTING
  3.1 Introduction to pentesting
  3.2 Classification of pentesting
  3.3 Steps of the pentesting technique
  3.4 Pentesting illustration
  3.5 Advantages and disadvantages

Chapter 4: ANALYSIS OF THE TOPIC
  4.1 Side effects encountered when pentesting is used to detect database security vulnerabilities
    4.1.1 Confidentiality
    4.1.2 Integrity
    4.1.3 Availability
    4.1.4 Non-repudiation
  4.2 Applying the Attack graph model to vulnerability detection
  4.3 Proposed solution

Chapter 5: METHODOLOGY
  5.1 User privilege separation
  5.2 General methodology
  5.3 System policies

Chapter 6: ANALYSIS AND DESIGN
  6.1 System architecture
    6.1.1 Client architecture
    6.1.2 Developer architecture
    6.1.3 Scanning server architecture
  6.2 Detailed architecture
    6.2.1 Vulnerability specification
    6.2.2 Execution of vulnerability detection
    6.2.3 Monitoring of suspicious accounts
  6.3 Diagrams
    6.3.1 Use case diagram for the Developer
    6.3.2 Use case diagram for the Scanning server
    6.3.3 Use case diagram for the Client

Chapter 7: PROTOTYPE (DEMO)
  7.1 Scanning server
    7.1.1 Process management window
    7.1.2 Monitoring policy definition window
  7.2 Developer tool
    7.2.1 Login window
    7.2.2 Script type management window
    7.2.3 Script management window
    7.2.4 Vulnerability type management window
    7.2.5 Vulnerability management window
    7.2.6 Attack graphs management window
    7.2.7 Program version management window
    7.2.8 User contact window
  7.3 Client tool (security administration)
    7.3.1 Login window
    7.3.2 User information management window
    7.3.3 User account management window
    7.3.4 User database management window
    7.3.5 Vulnerability scanning window
    7.3.6 Database account monitoring window
    7.3.7 Contact window

Chapter 8: EVALUATION
  8.1 Evaluation method
  8.2 Dataset
  8.3 Evaluation results

Chapter 9: CONCLUSION
  9.1 Advantages
  9.2 Disadvantages
  9.3 Directions for further development

REFERENCES

APPENDIX
  Towards a Comprehensive Framework for Securing Database Syst
ems in the Housing Service Model
  A Pragmatic Database Pentesting Solution to Deal with Security-Related Side Effects

CURRICULUM VITAE

Step 6: Clear up. The clean-up process removes anything produced as a result of the penetration test, such as temporary data and script files.

3.2.2 The monitoring process

Figure: The scanning process
Figure: The monitoring process

The scanning process proceeds as follows:

Step 1: Planning & Preparation. The DO uses the Scanning tool to plan and prepare so that the penetration test can be performed successfully on his server.

Step 2: Information gathering & analysis. The DO uses the Scanning tool to define and store the necessary information, such as IP address and port, in the program database. The system then retrieves the information about the DO's server from the program database.

Step 3: Vulnerability detection. This step predicts whether vulnerabilities exist in the server. Its result is a list of targets to investigate.

Step 4: Penetration attempt. For each target, the scanning server loads the scripts, sets the parameter values, generates the executable scripts, and then executes them by calling the SQL console of the DBMS [1, 2].

Step 5: Analysis & Reporting. Based on the result of the previous step, this step analyses and detects flaws in the DO's database system. When finished, it generates a report for the DO.

The monitoring process includes the following steps:

Step 1: Setting policies. DOs create audit policies that define what needs to be monitored: the monitoring time, and which users, objects and/or kinds of activity to monitor, with successful or unsuccessful execution. In the alerting policy they also specify how the application should respond if a risk occurs.

Step 2: Collecting data. Based on the predefined audit policies, data collection takes the database activities captured by the standard auditing feature of the DBMS and transfers them to the application layer for analysis.

Step 3: Analysis. The system analyzes the captured
data from the previous step and checks whether they satisfy the alerting policies. If not, the process proceeds to Step 4 to alert users.

Step 4: Alert. This step performs the response methods prescribed by the monitoring policies if the data analysed in the previous step violate the alerting policies.

Step 5: Reports. This step generates an overall report for the DO at the end of the process. The report also proposes solutions for fixing the detected flaws and evaluates the risk level of the target database system.

3.3 Other advanced security issues

In this section we present some security issues concerning the system above that are to be improved in the future.

3.3.1 Towards side-effects-free database penetration testing

Besides the advantage of penetration testing in exposing real security vulnerabilities without false results, the technique may cause side effects on the target system, such as incomplete testing, time consumption and disclosure of sensitive information, if it is used unwarily. The authors of [5] reviewed the penetration testing process and analysed in depth the security problems that can arise while testing for database security flaws. They also proposed an enhanced pentesting methodology that guides developers of testing programs, and organizations, in detecting database security flaws in a secure environment. We will apply this research to our framework in order to achieve side-effects-free pentesting in the detection of database security flaws.

3.3.2 Protecting the sensitive scanning history

The scanning history of a database system is very important because it contains the health information of the target database system. Anyone who obtains it can take advantage of detected flaws that have not yet been fixed, or, based on the results of the scanning steps, try new or potential flaws that can be inferred from the discovered ones and use them to attack the target database system. This means we must protect the scanning history from anyone who accesses it other than its owner, including the administrator of the Service Provider. The reports created by the administrator of the Data Owner also need to be protected, because they are the health conclusion about the target database system. We propose that these reports be encrypted under the Data Owner administrator's key and signed by the service server before they are delivered to him, so that only he holds the password needed to read his reports.

4 PROTOTYPE AND EVALUATION

4.1 Prototype

The prototype of the architecture is implemented in C# with Oracle Database 10g and 11g [6]. It also employs Crystal Reports and other controls, such as the Microsoft TreeMap and Microsoft Chart controls, to create the necessary reports. zLib is used to compress the data packages that update the DOs' application to new versions and to compress the health reports of the target database system sent from the server to the Data Owner. The flaws in the program database focus on Oracle Database 10g and 11g; however, the prototype can be extended to scan flaws or monitor accounts of other DBMSs, such as SQL Server, MySQL and DB2, by specifying new scripts that attack the database and monitor the accounts of those DBMSs. We tested the prototype with most of the known database security flaws in Oracle 10g and 11g published on Oracle exploit websites [7], and especially with flaws due to SQL injection attacks [19]. The results show that the prototype can be used in practice to scan for database security flaws and to monitor the accounts of an Oracle database system.

4.2 Evaluation

The architecture provides an approach to building automated testing tools. Data Owners can control the penetration testing process, customize their monitoring, auditing and alerting policies, choose which flaws to scan, make the scanning schedule, and so on. Therefore the system can scan for database security flaws and, based on the predefined policies, automatically fix or ignore a detected flaw. The system can also automatically lock or disconnect an account when it attempts an attack or damages the target database system. Moreover, this architecture saves the DOs many resources because the primary functions are centralized in the service server. However, if many clients connect to the service server concurrently, the server can become overloaded; the SP needs to supply a server powerful enough to serve multiple clients.

5 RELATED WORK

There are several methods for detecting security flaws, such as footprinting [17, 18], version checking [1, 2], anomaly detection [16, 19] and penetration testing [9, 10, 11, 14]. Footprinting and version checking can give false positives, reporting flaws that do not actually exist in the system. Anomaly detection depends heavily on the design of rules [19]: if the rules are insufficient or built incorrectly, the effectiveness of flaw detection suffers. Penetration testing, meanwhile, is simple but sound [1, 2, 10, 14]. It is widely used for network systems and web applications. In database systems, penetration testing is also helpful for finding security flaws that attackers could exploit. Some researchers use this methodology to find flaws in DBMSs and publish them on websites such as [7, 15], which users must then check by themselves; a comprehensive system that detects a large number of flaws automatically for users is a new trend. Monitoring, although a traditional solution [6, 20], raises many issues regarding performance and how to capture activities exactly. In this paper we monitor database activities using the standard auditing of DBMSs, with specific policies set by users for the activities to be observed. With this solution the performance of the database systems is not significantly impacted. Therefore the clients in the housing service model will feel more satisfied and more secure.

6 CONCLUSION AND FUTURE WORK

In this paper we proposed a framework for securing the database systems of clients in the housing service model. It can also be used in other settings where one wishes to detect database security flaws and monitor database activities in general. However, it is most efficient in the housing service model, because the clients only need to install a small program to perform all functions, while the web services are located on the provider's service server. The clients therefore do not need to spend many resources to run the system, yet their database systems are secured during the housing time. We also obtained prototype results for Oracle Database Server: following the penetration testing methodology, the prototype can detect most of the database flaws written in SQL and published on well-known websites, and it can monitor all database activities of the database systems. In the future we will add functions to the current system that overcome the disadvantages mentioned in Section 3.3. In addition, the performance of scanning and monitoring needs to be improved in order to warn and prevent earlier.

REFERENCES

[1] T.K. Dang, Q.C. Truong, P.H. Cu-Nguyen, T.Q.N. Tran, "An Extensible Framework for Detecting Database Systems Flaws", ACOMP, Ho Chi Minh City, Vietnam, 2007.
[2] T.K. Dang, T.T. Nguyen, T.Q.N. Tran, Q.C. Truong, "Security Issues in Housing Service Outsourcing Model with Database Systems", Technical Report, http://www.cse.hcmut.edu.vn/~asis, 2010.
[3] S. Hansman, "A Taxonomy of Network and Computer Attack Methodologies", M.S. thesis, Department of Computer Science and Software Engineering, University of Canterbury, New Zealand, 2003.
[4] D. Knox, "Effective Oracle Database 10g Security by Design", Oracle Press, 2004.
[5] T.Q.N. Tran, T.K. Dang, "Towards Side-Effects-free Database Penetration Testing", Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, ISSN 2093-5374, 1(1), 72-85, June 2010.
[6] R.B. Natan, "How to Secure and Audit Oracle 10g and 11g", Auerbach Publications, 2009.
[7] Three well-known security websites: http://www.red-database-security.com, http://www.petefinnigan.com, http://www.securityfocus.com
[8] S. Jeloka, "Oracle Database Security Guide 10g Release 2", Oracle, document B14266-01, 2005.
[9] C.T. Wai, "Conducting a Penetration Test on an Organization", SANS Institute Reading Room, 2002.
[10] Federal Office for Information Security (BSI), "Study: A Penetration Testing Model", https://ssl.bsi.bund.de/_english/_publications/_studies/_penetration.pdf, 2003.
[11] J. Shewmaker, "Introduction to Network Penetration Testing", 7th Annual IT Security Awareness Fair, 2008.
[12] D. Litchfield, C. Anley, J. Heasman, B. Grindlay, "The Database Hacker's Handbook: Defending Database Servers", Wiley Publishing, 2005.
[13] D. Litchfield, "The Oracle Hacker's Handbook: Hacking and Defending Oracle", Wiley Publishing, 2007.
[14] J.S. Tiller, "A Framework for Business Value Penetration Testing", Auerbach Publications, pp. 60-67, 2005.
[15] Three well-known database testing tools: http://www.imperva.com, http://www.ngssoftware.com, http://www.nessus.org
[16] V. Chandola, A. Banerjee, V. Kumar, "Anomaly Detection: A Survey", ACM Computing Surveys, September 2009.
[17] R. Bace, "Intrusion Detection", Macmillan Technical Publishing, USA, 2000.
[18] S. Shah, "Web Hacking: Attacks and Defense", Addison-Wesley, 2002.
[19] M. Stamp, "Information Security: Principles and Practice", John Wiley & Sons, 2006.
[20] R. Mogull, "Understanding and Selecting a Database Activity Monitoring Solution", http://securosis.com/_publications/_DAM-Whitepaperfinal.pdf, 2008.

Paper presented at ACOMP 2011 (International Conference on Advanced Computing and Applications), 19-21 October 2011, Ho Chi Minh City, Vietnam

A PRAGMATIC DATABASE PENTESTING SOLUTION
TO DEAL WITH SECURITY-RELATED SIDE EFFECTS

Thanh Tung NGUYEN, Tran Khanh DANG
Faculty of CSE, HCMC University of Technology, VNUHCM, Ho Chi Minh City, Vietnam
Corresponding author: khanh@cse.hcmut.edu.vn
Received June 24, 2011

ABSTRACT

Penetration testing (pentesting) is among the most traditional methods of assessing the security of a computer system. The idea behind pentesting methodologies is that the penetration tester follows a pre-scripted format during the test, as dictated by the methodology. In this paper we propose a pentesting methodology that is more pragmatic and more specific than the common one, aimed at side-effects-free database pentesting. We focus on a model of separated roles and on the policies that should be followed during the testing process. A flexible architecture and a system prototype for detecting security flaws in Oracle database servers are also developed and evaluated to establish the practical value of the proposed methodology.

Keywords: penetration testing, attack graph, CVSS, database security flaws, side-effects-free

1 INTRODUCTION

Pentesting is defined as the simulation of attacks, as real hackers would conduct them, against target systems in order to identify security vulnerabilities without false positives [1]. Database administrators, in turn, use pentesting techniques to identify database security flaws [4]. It is also a suitable means of evaluating the effectiveness of security measures in database systems, such as access control policies, database auditing policies and user management policies. However, pentesting is not a perfect form of testing: it can cause side effects on the target system if it is performed without a well-controlled process and methodology. For example, in the case of incomplete testing, the target database may be left containing "garbage" or a simulated account with elevated privileges. Another example is that, during a pentest, testers can exceed their scope and abuse the test to escalate their privileges.
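The "garbage" and "simulated account with elevated privileges" side effects above are exactly what a probe leaves behind when it dies before its clean-up runs. The following Python example is added here and is not code from the paper or its prototype. It runs a probe under a tester identity, records every statement the probe issues (the audit trail that the non-repudiation requirement of Section 2 and the Clearing-up step of Section 3.3 call for), removes the temporary table and the simulated account in a `finally` block even when the probe aborts mid-test, and verifies against a before/after snapshot of schema objects and accounts that nothing is left. It assumes an in-memory SQLite database as a stand-in for the target DBMS; the tables `db_users` and `orders`, the account `pt_sim` and the "self-escalation" flaw check are constructed for illustration only.

```python
"""Side-effect-free probe execution: audit trail, guaranteed clean-up, verification.
Added example with a constructed SQLite target; not the paper's prototype code."""
import sqlite3


def make_target():
    """Constructed stand-in for a target database: an account catalogue (real
    DBMSs keep this in system views such as DBA_USERS) and one business table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE db_users(username TEXT PRIMARY KEY, role TEXT NOT NULL);
        INSERT INTO db_users VALUES ('app', 'CONNECT'), ('sys_admin', 'DBA');
        CREATE TABLE orders(id INTEGER PRIMARY KEY, customer TEXT, amount REAL);
        INSERT INTO orders(customer, amount) VALUES ('acme', 10.0), ('globex', 20.5);
        """
    )
    return conn


def snapshot(conn):
    """Schema object names and account names: what must be identical after a probe."""
    objects = {r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE name NOT LIKE 'sqlite_%'")}
    users = {r[0] for r in conn.execute("SELECT username FROM db_users")}
    return objects, users


class ProbeSession:
    """Executes a probe's statements under one tester identity, records each
    statement for the audit trail, and tracks the temporary objects and
    simulated accounts it creates so they can be undone in reverse order."""

    def __init__(self, conn, tester):
        self.conn, self.tester = conn, tester
        self.audit = []            # (actor, statement): who did what
        self._temp_tables = []
        self._sim_users = []

    def execute(self, sql, params=()):
        self.audit.append((self.tester, " ".join(sql.split())))
        return self.conn.execute(sql, params)

    def temp_table(self, name, columns):
        self.execute(f'CREATE TABLE "{name}" ({columns})')
        self._temp_tables.append(name)

    def simulated_user(self, name, role):
        self.execute("INSERT INTO db_users(username, role) VALUES (?, ?)", (name, role))
        self._sim_users.append(name)

    def cleanup(self):
        """Always called, even when the probe raised: undo in reverse order."""
        for name in reversed(self._sim_users):
            self.execute("DELETE FROM db_users WHERE username = ?", (name,))
        for name in reversed(self._temp_tables):
            self.execute(f'DROP TABLE IF EXISTS "{name}"')
        self.conn.commit()


def run_probe(conn, probe, tester="scanning_server"):
    """Run one probe; clean-up and verification happen whether or not it crashes."""
    before = snapshot(conn)
    session = ProbeSession(conn, tester)
    result = {"finding": None, "error": None}
    try:
        result["finding"] = probe(session)
    except Exception as exc:       # sudden termination must not skip clean-up
        result["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        session.cleanup()
    after = snapshot(conn)
    result["leftover_objects"] = sorted(after[0] - before[0])
    result["leftover_users"] = sorted(after[1] - before[1])
    result["clean"] = not (result["leftover_objects"] or result["leftover_users"])
    result["audit"] = session.audit
    return result


def probe_role_escalation(s):
    """Hypothetical flaw check: can a low-privileged simulated account raise its
    own role? In this stand-in the UPDATE always succeeds, so the flaw is
    reported as present; the dangerous artefact is the DBA-level simulated
    account, which cleanup() removes."""
    s.temp_table("pt_scratch", "k TEXT, v TEXT")
    s.simulated_user("pt_sim", "CONNECT")
    s.execute("UPDATE db_users SET role = 'DBA' WHERE username = 'pt_sim'")
    role = s.execute("SELECT role FROM db_users WHERE username = 'pt_sim'").fetchone()[0]
    return {"flaw": "self-escalation-to-dba", "present": role == "DBA"}


def probe_that_aborts(s):
    """Same staging, then a simulated sudden termination in the middle of the test."""
    s.temp_table("pt_scratch", "k TEXT, v TEXT")
    s.simulated_user("pt_sim", "DBA")
    raise RuntimeError("connection lost during penetration attempt")


if __name__ == "__main__":
    target = make_target()
    for probe in (probe_role_escalation, probe_that_aborts):
        r = run_probe(target, probe)
        print(probe.__name__, "clean:", r["clean"], "error:", r["error"])
        for actor, stmt in r["audit"]:
            print("  audit:", actor, "->", stmt)
```

The verification is deliberately independent of the probe's own bookkeeping: `snapshot()` compares the catalogue before and after, so a probe that forgot to register an object it created would still be caught, which is the check the Clearing-up step asks to be audited.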
Testers can also exploit the system's sensitive information [16]. Hence, in this paper we propose a side-effects-free pentesting methodology, extended from the traditional common one [2, 3, 4], for existing commercial DBMSs. The main idea behind the proposed methodology is that the pentesting process should be carried out by separate security groups, and that all activities during testing should be verified, monitored and audited according to policies predefined by the organization and the pentesters. We also employ attack graphs [5] to model how multiple vulnerabilities may be combined in an attack. On this basis we develop an elastic system architecture for DBMSs and build a prototype on Oracle 10g/11g [11, 12] to establish the practical value of the proposed method.

The rest of this paper is organized as follows. Section 2 presents the possible side effects of database pentesting. Section 3 presents an extended pentesting methodology without side effects for DBMSs. Section 4 shows a prototype for Oracle. Concluding remarks are given in Section 5.

2 DATABASE PENETRATION TESTING AND SIDE EFFECTS

Based on the four basic requirements of database security [6, 16], we elaborate on the potential side effects of using pentesting techniques in DBMSs as follows:

Confidentiality: Basically, pentesting evaluates the database security system (or any other security system) by simulated attacks. It therefore collects sensitive information about the target database system, such as database names, open ports, IP addresses and simulated accounts. To avoid unexpected results during and after a test, we must also pay attention to how the database could be attacked by unexpected users. Thus the pentesting process must use an authorization mechanism for the users who write the scripts for simulated attacks, and must control the applications employed to scan the target system.

Integrity: During the pentesting process, simulated users and temporary objects (such as tables and procedures/functions) can be created or modified. They may, however, also be accessed by other users or attackers while the test is running. For example, while a pentesting user performs a scan of the target database, it may insert or update rows in existing tables, and other users may read or update those tables before the system clears up the temporary rows. In this case both semantic integrity constraints and data confidentiality can be compromised. Moreover, the system must ensure that if the pentesting process terminates suddenly for some unplanned reason, the clean-up phase is still completed. Building such a pentesting method on top of existing DBMSs with all these requirements is not a trivial task.

Availability: Attacks on database systems come in many types, such as SQL injection, denial of service and buffer overflow [8, 9, 10]. Although pentesting only simulates attacks in order to detect real vulnerabilities that may exist in the target database system, the testing process can slow the system down, or even disrupt databases and cause data loss, if it is not well controlled. Therefore the testing system should allow the database administrator to select which security flaws to scan and to make a response plan for scanning them. The system should also be able to send warning messages to the administrator if the ongoing penetration test is considered dangerous or unreliable.

Non-repudiation: Our framework allows the administrator to monitor selected accounts of the target database system. The system can therefore prove the origin of database changes, who made them and what was done, in order to produce reports and the response plan, as well as to provide evidence for legal proceedings if the target system is damaged by these monitored accounts [13].

3 TOWARDS A SIDE-EFFECTS-FREE DATABASE PENTESTING METHODOLOGY

We focus on three aspects of a security system, namely people, the pentesting process and policies, to develop our database pentesting methodology. The different segments of pentesting, together with the specific requirements on people and techniques, must be satisfied in every phase. The methodology also highlights the policies that keep the pentesting in a secure environment.

3.1 Attack Graphs

Attack graphs [5] model how multiple vulnerabilities may be combined in an attack. We represent the states of a database system as a collection of security-related conditions; exploitation of a vulnerability is modelled as a transition between system states. In the attack graph of Figure 1, attacker exploits are the steps shown as ovals, with their pre-conditions and post-conditions noted on the edges. The authenticated service is the initial network condition, and the valid account (shown as a triangle) is the attacker's initial capability. The overall attack goal is the lowest hexagon. The attack graph contains four attack paths, each corresponding to a possible flaw. In the scanning process we move between the nodes of the attack graph; at a given node we know the correct direction leading to the final destination. To ensure side-effects-free database pentesting, we must prevent the scanning process from going down a (known) wrong path that would create new vulnerabilities. Furthermore, we use attack graphs to determine the system state of a monitored account: when it moves into a vulnerable database state, the system prevents the account from doing any harm.

Figure 1: The attack graph

3.2 Separation of Duties

To prevent a single member of the system from exploiting the organization, our methodology requires that the organization be divided into small security groups, as shown in Figure 2. These groups take part in the penetration testing process as follows:

Developer: has the main responsibility for extending the system: new flaws,
scripts and policy specifications, or support for further DBMS versions.

Scanning server: has the main responsibility for collecting information about systems, generating scripts and simulating attacks on the target database systems. When the Client requests a security report, the Scanning server generates reports on the security flaws found.

Client: makes the related plans before testing, finds the best time to conduct a test, selects suspicious flaws, resolves after-testing issues, manages discovered flaws, reviews the reports of detected vulnerabilities, and so on. The Client is also responsible for setting up all system policies, such as the scanning policy and the auditing policy.

Figure 2: Security groups (Client, Scanning server, Developer)

Duties must be separated because the pentesting process is sensitive: if all privileges of the process were delegated to one group, that group could abuse penetration testing techniques to exploit the target system. Our methodology therefore clearly defines the responsibilities and limitations of each team, which makes them easier to manage. The Scanning server does not have the privilege to simulate attacks on every aspect of the system; the Developer does not have the privilege to define how systems are attacked; and the Client has just enough privilege to manage the pentesting process at a high level, without knowledge of the issues related to the pentesting techniques.

3.3 An extended penetration testing methodology for database systems

Figure 3 illustrates a pentesting process for database systems that is more specific than the existing methodology [3, 5, 7]. The new methodology consists of seven steps:

Planning and preparation: Before the Scanning server carries out pentesting on a target database system, a thorough and clear plan must be made. The Client decides the organization's objectives and the scope, time and duration of the pentest, as appropriate for his running database. He also sets up policies such as the scope, the permitted scanning period, the maximum duration of testing, a list of the security risks of the test, methods of fixing the detected flaws, and so on.

Information gathering: The pentesters gather as much information as possible about the target database system, such as open TCP ports, the database version, server names, IP address and system identifier, using available tools or scripts [10, 11, 12, 14]. Information about the target is gathered in two phases: first, the Client provides the Scanning server with the necessary information about his database system; second, the Scanning server may gather further information about the target system if needed. Because of the sensitive nature of such information, the Client should set limits for the Scanning server, audit all gathering activities, and install access control on the target system.

Vulnerability detection: Using the information found in the previous step, the Scanning server diagnoses the state of the target system, lists the selected flaws, specifies the relevant scripts to test, gives the estimated time and the possible risks, and proposes solutions associated with the penetration tests. The simulation script is very sensitive because it contains the algorithm that detects the system's flaws, and a Developer could write abnormal scripts for malicious purposes. Therefore the Scanning server should verify and sign each script, or request its author to confirm it.

Penetration attempt: When the Scanning server attempts a pentest, it can open new problems, e.g. create temporary objects or access sensitive information illegally. For this reason the Scanning server provides mechanisms to manage the pentesting process, audit all running activities, verify each script before executing it, and monitor processes. If a problem occurs, the Scanning server resolves it according to the Monitoring process policy, e.g. by continuing or halting the scanning process. This step also has a mechanism that prevents conflicts between objects under test and objects used by other sessions during the pentest.

Analysis and reporting: This step checks whether the simulated attack succeeded. If it did, meaning that the target database system contains the flaw currently being scanned for, the Scanning server records the result and sends an alert message to the Client according to the scanning policy.

Figure 3: Extended pentesting methodology

Clearing up: Intermediate objects created temporarily during the test (such as procedures/functions and tables/views) and simulated accounts must be cleaned up, because an attacker could exploit them later. The clearing-up step must therefore be completed and verified, and it must be audited to prevent the Scanning server from restoring the target database system carelessly.

Measuring security risk: The Scanning server uses the Common Vulnerability Scoring System to evaluate the vulnerabilities of the target system based on the scanning reports, and proposes action plans to address them. These activities need to be audited, and the target system must be verified after fixing to make sure that the detected flaws have been fixed properly.

3.4 Penetration testing control policies

In our methodology the testing system has five kinds of policies:

Scanning policy: Set by the Client to decide which flaws will be scanned and their priorities, and to plan the pentests. When a flaw is detected, the scanning system takes the action this policy prescribes, such as sending an alert e-mail to the Client or automatically fixing the detected flaw.

Monitoring process policy: The Client determines thresholds for the scanning process. The Scanning server uses them to determine the status of the scanning process (such as safe, attention or alarm) and the suitable actions.

Protecting policy: Defined by the Developer; the Client decides whether the system protects temporary objects and simulated accounts, and the scope of the pentesting process.

Auditing policy: Decides what should be audited, such as which users, objects and database activities, instead of auditing all database activities [11, 13, 16]. It improves system performance by reducing unnecessary auditing.

Monitoring user policy: Created by the Client to define which users, objects and/or kinds of activity to monitor, with successful or unsuccessful execution, what needs to be monitored, the monitoring time, and so on [13].

3.5 Common Vulnerability Scoring System version 2.0

There are four basic aspects of database security [6], but different flaws affect different aspects. For example, one flaw could cause a partial loss of integrity and availability but no loss of confidentiality, while another compromises data confidentiality. We therefore adopt the Common Vulnerability Scoring System (CVSS) [15] as the framework for communicating the characteristics and impacts of database flaws. CVSS is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. It is composed of three metric groups, Base, Temporal and Environmental, each consisting of a set of metrics, as shown in Figure 4.

Figure 4: CVSS metric groups

4 TOWARDS A SIDE-EFFECTS-FREE DATABASE PENTESTING ARCHITECTURE

In this section we present the architecture for side-effects-free database pentesting (see Figure 5). The Client can audit what happened during the pentesting process, protect simulated accounts and temporary objects, verify scripts, and prevent issues from occurring in the scanning process.

Figure 5: The architecture of the pentesting process

4.1 Architecture
separation of duties is applied to our design to reduce the potential damage from intentional actions of end users We use attack graphs (cf Section 3) to determine the relationship between flaws, and so the system can prevent the sophisticated attack that is combined from multiple states of flaws Based on the analyses of the above problems, we propose architecture and build a prototype for sideeffects-free database penetration testing Our architecture includes five layers:  User interface layer provides application forms for users to interact with the system According to the authorization mechanism, each role performs several separate functions  Functions layer includes necessary services for users in the system  Pentesting engine layer has functionalities to manage the pentesting process  Control layer includes mechanisms for controlling users in the system  Data layer contains a program database, a database library, scripts, policies and metadata Pentesting không gây hiệu ứng phụ 122 4.2 Preliminary evaluation The major philosophy of our approach is to build penetration testing tools for side-effects-free database pentesting With such tools, the end users can control the testing process, define their policies to scan, monitor and audit, protect the scanning process, recovery ability of program after testing, and review/visualize the auditing logs We also monitor simulated accounts and temporary objects during the test, and then prevent them from accessing/using by other operations This paper proposes a simple scanning solution to perform tests using scripts with a pre-defined structure and parameters The Scanning server will load the scripts, set the value of parameters through the target database information and generate the executable scripts We will be able to use the SQL console of DBMSs to execute these scripts, e.g sqlplus.exe in Oracle Besides that, the Developer defines the verifying algorithm based on matching rules, which can not detect the 
complicated dynamic SQL scripts Therefore, these rules are limited by the scope of knowledge of the Developer and need to be improved in the future CONCLUSION AND FUTURE WORK In this paper, we have introduced an ongoing research work towards side-free-effects database penetration testing Firstly, we have reviewed the penetration testing procedure, and deeply analyzed security issues in the use of penetration testing against a target database system We have then introduced a methodology and architecture for side-free-effects database penetration testing The penetration testing methodology populates attack graphs and provides the guideline for the Developer to detect database security flaws in the secure environment The proposed system combines the Scanning server and system’s policies into the automated testing tool to illustrate our methodology To prove the practical value and effectiveness of our approach, a prototype has been implemented to detect and evaluate security flaws in Oracle 10g/11g In the future, we will focus on improving the attack graphs module This module will automatically detect the relationship between separate attack graphs base on auditing logs Take an example that if one account of the target database makes a new attack path through two separate graphs then the Scanning server will combine two graphs into one Furthermore, we will study more protecting rules, alert rules, and verifying algorithms for side-effects-free database penetration testing Last but not least, developing and evaluating on other existing commercial DBMSs will also of our great interest REFERENCES J Shewmaker - Introduction to Network Penetration Testing The 7th Annual IT Security Awareness Fair, USA (2008) Y.F Sattarova, A.F Alisherov, K Tai-hoon - Methodology for Penetration Testing, International Journal of Grid and Distributed Computing, Korea (2009) 2(2) 43-50 Best practice guide: Commercially Available Penetration Testing In National Infrastructure Security 
Coordination Centre, UK (2006) J.S Tiller - A Framework for Business Value Penetration Testing Auerbatch publications (2005) S Noel, S Jajodia - Measuring Security Risk of Networks using Attack Graphs International Journal of Next-Generation Computing (2010) 1(1) 135-147 T.K Dang, Q.C Truong, P.H Cu-Nguyen, T.Q.N Tran - An Extensible Framework for Detecting Database Security Flaws International Workshop on Advanced Computing and Applications, Vietnam (2008), pp 68-77 T Dimkov, W Pieters, P Hartel - Two methodologies for physical penetration testing using social engineering Annual Computer Security Applications Conference, USA (2010), pp 399-408 M Stamp - Information Security: Principles and Practice, John Wiley & Sons, USA (2006) Pentesting không gây hiệu ứng phụ 123 S Hansman - A Taxonomy of Network and Computer Attack Methodologies University of Canterbury, New Zealand (2003) 10 D Litchfield - The Database Hacker’s Handbook: Defending Database Servers John Wiley & Sons, USA (2005) 11 D Knox - Effective Oracle Database 10g Security by Design Oracle Press (2004) 12 L David - The Oracle Hacker's Handbook: Hacking and Defending Oracle Wiley Publishing (2007) 13 R.B Natan – How to Secure and Audit Oracle 10g and 11g Auebach Publications (2009) 14 P Finnigan - Oracle and Oracle Security Information URL: http://www.petefinnigan.com (2011) 15 Incident Response and Security URL: http://www.first.org/cvss/cvss-guide.html (2011) 16 T.Q.N Tran, T.K Dang - Towards Side-Effects-free Database Penetration Testing Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, Japan (2010) 1(1) 72-85 Pentesting khơng gây hiệu ứng phụ 124 LÝ LỊCH TRÍCH NGANG Họ tên: NGUYỄN THANH TÙNG Ngày sinh: 06/03/1986 Nơi sinh: Bến Lức, Long An Email: hithanhtung@yahoo.com Điện thoại: 0989 167 224 Quá trình đào tạo: Thời gian Trƣờng đào tạo 2004 – 2009 Trƣờng Đại học Bách khoa, Khoa học máy tính Tp Hồ Chí Minh Kỹ sƣ 2009 – 2011 Trƣờng Đại học Bách khoa, Khoa học máy 
tính Tp Hồ Chí Minh Thạc sĩ Chuyên ngành Trình độ đào tạo Q trình cơng tác: Thời gian Vị trí cơng tác Đơn vị cơng tác 9/2008 – 7/2009 Lập trình viên Cơng ty cổ phần tin học Lạc Tiên Địa chỉ: 4C1 Đƣờng 32, Phƣờng Tân Phong, Quận 7, Tp Hồ Chí Minh 8/2009 – 10/2009 Lập trình viên Cơng ty TNHH TMDV Tin học Hợp Phát Địa chỉ: 73 Đặng Dung, phƣờng Tân Định, Quận 1, Tp Hồ Chí Minh 10/2009 – Giảng viên Khoa Khoa học Kỹ thuật máy tính, trƣờng Đại thỉnh giảng học Bách Khoa, Tp Hồ Chí Minh Địa 268 Lý Thƣờng Kiệt, Quận 10, Tp Hồ Chí Minh Pentesting không gây hiệu ứng phụ ... TÀI: KỸ THUẬT GIẢ LẬP TẤN CÔNG DỰA TRÊN PENTESTING KHÔNG GÂY RA HIỆU ỨNG PHỤ TRONG CƠ SỞ DỮ LIỆU 2- NHIỆM VỤ VÀ NỘI DUNG: _ Nghiên cứu kỹ thuật pentesting lĩnh vực phát lỗ hổng bảo mật sở liệu. .. điểm, hiệu ứng phụ kỹ thuật pentesting _ Khắc phục hiệu ứng phụ gây công sử dụng kỹ thuật pentesting _ Đƣa giải pháp phát triển framework để bảo vệ hệ sở liệu an tồn, khơng gây hiệu ứng phụ giả lập. .. cứu kỹ thuật pentesting đƣa framework để kiểm sốt, khắc phục khuyết điểm, khơng gây hiệu ứng phụ sử dụng pentesting việc phát lỗ hổng bảo mật sở liệu 1.2 Tên đề tài Kỹ thuật giả lập công dựa pentesting
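Section 3.5 of the appended paper adopts CVSS v2 for step 7 (measuring security risk) but does not show how a base score is produced. The following is an added example, not code from the paper or its prototype: it computes CVSS v2 base scores from the base-metric weights published in the CVSS v2 guide cited as [15], and ranks a constructed set of findings for the action plan; finding F1 encodes the section's own example of partial integrity and availability loss with no confidentiality loss. The Low/Medium/High bands are NVD's conventional v2 ranges, an assumption not taken from the paper.

```python
from decimal import Decimal, ROUND_HALF_UP

# Base-metric weights from the CVSS v2 guide the paper cites as [15].
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Constructed sample findings (not from the paper): id, description, CVSS v2 base vector.
SAMPLE_FINDINGS = [
    ("F1", "partial integrity and availability loss, no confidentiality loss", "AV:N/AC:L/Au:N/C:N/I:P/A:P"),
    ("F2", "partial loss of all three aspects, reachable over the network", "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
    ("F3", "complete compromise, but only from a local session", "AV:L/AC:L/Au:N/C:C/I:C/A:C"),
    ("F4", "no measurable impact", "AV:N/AC:L/Au:N/C:N/I:N/A:N"),
]


def round1(x: float) -> float:
    """Round half-up to one decimal place, as the CVSS v2 guide requires."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector: str) -> float:
    """Compute the CVSS v2 base score from a vector like 'AV:N/AC:L/Au:N/C:N/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    if impact == 0:  # f(Impact) = 0: a flaw with no impact scores 0.0 regardless of exploitability
        return 0.0
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)


def nvd_severity(score: float) -> str:
    """NVD's qualitative bands for CVSS v2 scores (assumed here, not part of the paper)."""
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"


def prioritize(findings):
    """Return (id, score, severity) tuples, highest score first, as input to the action plan."""
    scored = [(fid, base_score(vec), nvd_severity(base_score(vec))) for fid, _, vec in findings]
    return sorted(scored, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for fid, score, severity in prioritize(SAMPLE_FINDINGS):
        print(f"{fid}: {score:4.1f} {severity}")
```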

Posted: 03/02/2021, 22:56