C20.0046: Database Management Systems
Lecture #19
M.P. Johnson
Stern School of Business, NYU
Spring, 2008
M.P. Johnson, DBMS, Stern/NYU, Spring 2008
Agenda
- Security
  - Web issues
- Transactions
- RAID?
- Stored procedures?
- Implementation?
Review: hashes
- Hash tables
- Hash functions
- Secure hash functions
- Families of secure hash functions
New topic: Security on the web
- Authentication
  - If the website user wants to pay with George's credit card, how do we know it's George?
  - If the website asks George for his credit card, how does he know it's our site?
    - Maybe it's a phishing site...
- Secrecy
  - When George enters his credit card, will an eavesdropper be able to see it?
- Protecting against user input
  - Is it safe to run SQL queries based on user input?
Security on the web
- Obvious soln: passwords
  - What's the problem? (Sent over plain HTTP, the password is readable by anyone on the network path, and George still has no way to tell he is talking to us rather than a phishing site)
- Slightly less obvious soln: passwords + encryption
- Traditional encryption: "symmetric" / "private key" (also called secret-key: both sides hold the same key)
  - DES, AES: fast. Solves problem? (DES is considered broken today; AES is the current standard)
- "Newer" kind: "asymmetric" / "public key"
  - Public key is published somewhere
  - Private key is top secret
  - RSA: slow. Solves problem?
Hybrid protocols (SSH, SSL/HTTPS, etc.)
- Neither private- nor public-key alone suffices
  - They each only solve half of each problem
  - But together they solve almost everything
- Recurring strategy:
  - We do private-key crypto for the bulk of the traffic
  - Where do we get the key?
  - You send it to me, encrypted with my public key
SSH-like authentication (intuition)
- sales has a public key
- When you connect to sales,
  1. You pick a random number
  2. Encrypt it (with sales's public key) and send it to them
  3. They decrypt it (with their private key)
  4. Now, they send it back to you
- Since only the holder of the private key could have decrypted it, you trust they're sales
  - This assumes you already know which public key belongs to sales; real SSH records a host's key on first connect and warns if it later changes
HTTPS-like authentication (intuition)
- Amazon has a public-key certificate
  - Signed with, say, Verisign's private key (the slide's "encrypted with Verisign's private key" is a signature)
- When you log in to Amazon,
  1. They send you their Verisign-signed cert
  2. You verify the signature (with Verisign's public key, which ships with your browser), and check that it's a cert for amazon.com
- Since the signature verifies, the cert must have been issued by Verisign
- So this must really be Amazon
  - Strictly, the cert only binds the name amazon.com to a public key; the proof that the other end actually holds the matching private key comes when they decrypt your session key (next slide)
Authentication on the web
- Now George trusts that it's really Amazon
  - Assuming Amazon's private key is secure
  - And excluding man-in-the-middle...
- But: What if, say, Dick guessed George's password?
- Another way: What if George claims Dick guessed his password?
- Soln: same process, but in reverse (a client certificate)
  - But now you need to get your own cert...
Hybrid protocol for encryption
- Amazon just sent you their public-key cert
- When you log in to Amazon,
  1. You pick a random number ("session key")
  2. You encrypt it (with the public key in the cert) and send it to them
  3. They decrypt it (with their private key)
- Now, you both share a secret key
  - Can now encrypt passwords, credit cards, etc. with the fast symmetric cipher (AES)
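The challenge-response from the SSH-like slide and the session-key exchange above, run end to end as an added example (this is not the lecture's code). A toy RSA built from two fixed, public primes stands in for the certificate's key pair, and a SHA-256 counter keystream stands in for AES; both are assumptions for the walkthrough and neither is secure as written (no padding, no integrity check, tiny modulus).

```python
import hashlib
import secrets

# Toy RSA parameters. Assumption: two fixed public primes and no padding, so
# this shows the shape of the protocol, not a deployable implementation.
P, Q = 1000000007, 998244353
E = 65537


def rsa_keygen():
    """Return ((n, e), d): the public half is what the cert carries, d stays secret."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse, Python 3.8+
    return (n, E), d


def rsa_encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(pub, d, c):
    n, _ = pub
    return pow(c, d, n)


def sym_crypt(key_int, data):
    """Fast symmetric half (stand-in for AES): XOR with a SHA-256 counter
    keystream. Encrypting and decrypting are the same operation."""
    key = key_int.to_bytes(8, "big")            # n < 2**60, so 8 bytes suffice
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + (off // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def challenge_response(server_pub, server_priv, nonce=None):
    """SSH-like slide: the client encrypts a random nonce to the server's public
    key; only the private-key holder can decrypt it and echo it back."""
    if nonce is None:
        nonce = secrets.randbelow(server_pub[0])
    challenge = rsa_encrypt(server_pub, nonce)                   # client -> server
    echoed = rsa_decrypt(server_pub, server_priv, challenge)     # server -> client
    return echoed == nonce


def hybrid_session(plaintext, session_key=None):
    """Hybrid slide: the client picks a session key and wraps it with RSA, the
    server unwraps it, and both sides then use it for symmetric encryption."""
    server_pub, server_priv = rsa_keygen()       # long-term pair; pub half is in the cert
    if session_key is None:
        session_key = secrets.randbelow(server_pub[0] - 1) + 1
    wrapped = rsa_encrypt(server_pub, session_key)               # client -> server
    server_key = rsa_decrypt(server_pub, server_priv, wrapped)   # only the server can
    ciphertext = sym_crypt(session_key, plaintext)               # client -> server
    recovered = sym_crypt(server_key, ciphertext)                # server reads it
    return {"client_key": session_key, "server_key": server_key,
            "wrapped": wrapped, "ciphertext": ciphertext, "recovered": recovered}


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    print("challenge-response ok:", challenge_response(pub, priv))
    r = hybrid_session(b"password=topsecret")
    print("session key agreed:", r["client_key"] == r["server_key"])
    print("server recovered:", r["recovered"])
```

Two things the slides' intuition leaves out, which the code makes visible: echoing the decrypted nonce back in the clear hands it to any eavesdropper, which is why real protocols return a hash or MAC of it instead; and the keystream gives secrecy only, so a real session also needs an integrity check (TLS uses an authenticated cipher mode for exactly this reason).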
Query-related: Injection attacks
- Here's a situation:
  - Prompt for user/pass
  - Do lookup:
    SELECT * FROM users
    WHERE user=u AND password=p;
  - If a row is found, the user gets in
- test.user table in MySQL
  - http://pages.stern.nyu.edu/~mjohnson/dbms/php/login.php / txt
  - http://pages.stern.nyu.edu/~mjohnson/dbms/php/users.php / txt
- Setting aside that the passwords aren't hashed, is this a good idea?
Injection attacks
SELECT * FROM users
WHERE user = u AND password = p;
- We expect to get input of something like:
  - user: mjohnson
  - pass: topsecret
  SELECT * FROM users
  WHERE user = 'mjohnson' AND password = 'topsecret';
Injection attacks – MySQL/Perl/PHP
SELECT * FROM users
WHERE user = u AND password = p;
- Consider another input:
  - user: ' OR 1=1 OR user = '
  - pass: ' OR 1=1 OR pass = '
  - http://pages.stern.nyu.edu/~mjohnson/dbms/php/login.php
  - http://pages.stern.nyu.edu/~mjohnson/dbms/eg/injection.txt
- The query that actually runs:
  SELECT * FROM users
  WHERE user = '' OR 1=1 OR user = ''
  AND password = '' OR 1=1 OR pass = '';
- The OR 1=1 terms make the WHERE clause true for every row, so the lookup "finds" a user
Injection attacks – MySQL/Perl/PHP
SELECT * FROM users
WHERE user = u AND password = p;
- Consider this one:
  - user: your-boss' OR 1=1 #
  - pass: abc
  - http://pages.stern.nyu.edu/~mjohnson/dbms/php/login.php
- The query that actually runs:
  SELECT * FROM users
  WHERE user = 'your-boss' OR 1=1 #' AND password = 'abc';
- In MySQL, # starts a comment, so the password check is never evaluated
Injection attacks – MySQL/Perl/PHP
SELECT * FROM users
WHERE user = u AND password = p;
- Consider another input:
  - user: your-boss
  - pass: ' OR 1=1 OR pass = '
  - http://pages.stern.nyu.edu/~mjohnson/dbms/php/login.php
- The query that actually runs:
  SELECT * FROM users
  WHERE user = 'your-boss' AND password = '' OR 1=1 OR pass = '';
Multi-command inj. attacks (other DBs)
SELECT * FROM users
WHERE user = u AND password = p;
- Consider another input:
  - user: '; DELETE FROM users WHERE user = 'abc'; SELECT * FROM users WHERE password = '
  - pass: abc
- The batch that actually runs:
  SELECT * FROM users WHERE user = '';
  DELETE FROM users WHERE user = 'abc';
  SELECT * FROM users WHERE password = '' AND password = 'abc';
- "Other DBs": this needs a driver that sends several statements in one call (SQL Server does); PHP's classic mysql_query() sends only one statement per call, which is why the earlier slides stick to single-statement tricks
Multi-command inj. attacks (other DBs)
SELECT * FROM users
WHERE user = u AND password = p;
- Consider another input:
  - user: '; DROP TABLE users; SELECT * FROM users WHERE password = '
  - pass: abc
- The batch that actually runs:
  SELECT * FROM users WHERE user = '';
  DROP TABLE users;
  SELECT * FROM users WHERE password = '' AND password = 'abc';
Multi-command inj. attacks (other DBs)
SELECT * FROM users
WHERE user = u AND password = p;
- Consider another input:
  - user: '; SHUTDOWN WITH NOWAIT; SELECT * FROM users WHERE password = '
  - pass: abc
- The batch that actually runs:
  SELECT * FROM users WHERE user = '';
  SHUTDOWN WITH NOWAIT;
  SELECT * FROM users WHERE password = '' AND password = 'abc';
- SHUTDOWN WITH NOWAIT is a SQL Server (T-SQL) command: the web app's database login would need server-level privileges for this to work, which is one more reason the app should not connect as an administrator
Injection attacks – MySQL/Perl/PHP
DELETE FROM users
WHERE user = u AND pass = p;
- Consider another input:
  - user: your-boss
  - pass: ' OR 1=1 AND user = 'your-boss
  - http://pages.stern.nyu.edu/~mjohnson/dbms/php/users.php
- The query that actually runs:
  DELETE FROM users
  WHERE user = 'your-boss' AND pass = '' OR 1=1 AND user = 'your-boss';
- Delete your boss! (the second disjunct is true for your-boss's row regardless of the password)
Injection attacks – MySQL/Perl/PHP
DELETE FROM users
WHERE user = u AND pass = p;
- Consider another input:
  - user: ' OR 1=1 OR user = '
  - pass: ' OR 1=1 OR user = '
  - http://pages.stern.nyu.edu/~mjohnson/dbms/php/users.php
- The query that actually runs:
  DELETE FROM users
  WHERE user = '' OR 1=1 OR user = ''
  AND pass = '' OR 1=1 OR user = '';
- Delete everyone!
Preventing injection attacks
- Ultimate source of problem: quotes (more precisely, user data that changes the structure of the query instead of staying data)
- Soln 1: don't allow quotes!
  - Reject any entered data containing single quotes
  - Q: Is this satisfactory?
  - Does Amazon need to sell O'Reilly books?
- Soln 2: escape any single quotes
  - Replace any ' with '' or \'
  - In Perl, use taint mode (won't show)
  - In PHP, turn on the magic_quotes_gpc flag in .htaccess
    - Caveat: magic_quotes_gpc was deprecated in PHP 5.3 and removed in 5.4, and escaping only helps inside a quoted string literal; a numeric field spliced in without quotes (WHERE id = ...) has nothing to escape
  - show both PHP versions
Preventing injection attacks
- Soln 3: use prepared, parameter-based queries
  - The query text with placeholders is sent first; the user's values are sent separately as data and can never be parsed as SQL
  - Supported in JDBC, Perl DBI, PHP ext/mysqli
  - http://pages.stern.nyu.edu/~mjohnson/dbms/perl/loginsafe.cgi
  - http://pages.stern.nyu.edu/~mjohnson/dbms/perl/userssafe.cgi
- Even more dangerous: using tainted data to run commands at the Unix command prompt
  - Semicolons, quote characters, etc.
  - Safest: define the set of legal chars, not illegal ones (an allow-list, not a deny-list)
Preventing injection attacks
- When to do security-checking for quotes, etc.?
  - Tempting choice: in client-side data validation
  - But not enough!
    - Anyone can submit GET and POST params manually
  - Must do security checking on the server
    - Even if you do it on the client side too
  - Same with data validation
  - Example of constraints
POST vars
- Because of hand-coded HTTP requests, can't rely on POST vars being either safe or "true"
- Actual past websites: sent the price by POST (why?)
- "More secure than GET"?
  - Fewer users will know how to break POST than GET
  - But some do!
- Attack: hand-code the POST request (note the blank line that ends the headers)
  sales% telnet amazon.com 80
  POST http://amazon.com/cart.cgi HTTP/1.0
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 32

  title=Database+Systems&price=.01
Hand-written POST example
- POST version of my input page:
  - http://pages.stern.nyu.edu/~mjohnson/dbms/php/post.php
- Not obvious to a web user how to hand-submit
  - And get around any client-side validation
- But possible:
  - http://pages.stern.nyu.edu/~mjohnson/dbms/eg/postbyhand.txt
  sales% telnet pages.stern.nyu.edu 80
  POST http://pages.stern.nyu.edu/~mjohnson/dbms/php/post.php HTTP/1.0
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 15

  val=6&submit=OK
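The hand-built POST from the two slides above, with the body encoded and the Content-Length computed rather than counted by hand, next to the server-side fix the price example calls for. Added example, not code from the lecture pages; the catalog and its price are constructed, and the cart handlers are hypothetical stand-ins for cart.cgi.

```python
from urllib.parse import parse_qs, urlencode

# Constructed server-side price list (assumption for the demo).
CATALOG = {"Database Systems": 59.95}


def build_post(host, path, fields):
    """Build the raw HTTP/1.0 POST the slide types into telnet. The body is
    form-urlencoded and Content-Length is derived from it, so the request is
    exactly what a browser would send, without the browser's validation."""
    body = urlencode(fields)
    request = (f"POST {path} HTTP/1.0\r\n"
               f"Host: {host}\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n"
               f"Content-Length: {len(body)}\r\n"
               "\r\n"                       # blank line ends the headers
               f"{body}")
    return request.encode()


def body_of(request):
    """Server side: split the headers off a raw request and return the form body."""
    return request.split(b"\r\n\r\n", 1)[1]


def add_to_cart_trusting(request):
    """Vulnerable: takes the price from the form, so the client chooses it."""
    form = parse_qs(body_of(request).decode())
    return {"title": form["title"][0], "price": float(form["price"][0])}


def add_to_cart(request):
    """Fixed: only the item identity comes from the client; the price is
    re-derived on the server, so a tampered price field is simply ignored."""
    form = parse_qs(body_of(request).decode())
    title = form["title"][0]
    if title not in CATALOG:
        raise ValueError("unknown item")
    return {"title": title, "price": CATALOG[title]}


if __name__ == "__main__":
    req = build_post("amazon.com", "/cart.cgi",
                     {"title": "Database Systems", "price": ".01"})
    print(req.decode())
    print("trusting server charges:", add_to_cart_trusting(req)["price"])
    print("fixed server charges:   ", add_to_cart(req)["price"])
```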
More info
- phpGB MySQL Injection Vulnerability
  - http://www.securiteam.com/unixfocus/6X00O1P5PY.html
- "How I hacked PacketStorm"
  - http://www.wiretrip.net/rfp/txt/rfp2k01.txt
- Google hacking...
  - inurl:"ViewerFrame?Mode="
  - intitle:"Live View / - AXIS" | inurl:view/view.sht
  - intitle:"toshiba network camera - User Login"
  - http://200.71.42.48/ViewerFrame?Mode=Motion&Language=0
  - http://141.211.44.254/view/index.shtml
  - http://66.186.226.189/view/index.shtml
New-old topic: Transactions
- So far, have simply issued commands
  - Ignored xacts
- Recall, though: an xact is an operation/set of ops executed atomically
  - In one instant
- ACID test:
  - Xacts are atomic
  - Each xact (not each statement) must leave the DB consistent
Default xact behavior (in Oracle)
- An xact begins upon login (strictly, with the first statement after login)
- By default, the xact lasts until you COMMIT, ROLLBACK, or log off (SQL*Plus commits on a normal exit)
  - Except for DDL statements
  - They automatically commit
- Examples with two views of tbl...
  - In MySQL this only works with TYPE=innodb (ENGINE=InnoDB in newer syntax); the default MyISAM engine has no transactions at all
  - mysql> set autocommit = 0;
Direct xact instructions
- At any point, may explicitly COMMIT:
  SQL> COMMIT;
  - Saves all statements entered up to now
  - Begins new xact
- Conversely, can ROLLBACK:
  SQL> ROLLBACK;
  - Cancels all statements entered since start of xact
  - Example: delete from emp; or delete junk;
Direct xact instructions
- Remember, DDL statements are autocommitted
  - They cannot be rolled back
- Examples:
  drop table junk;
  rollback;
  truncate table junk;
  rollback;
- Q: Why doesn't rollback "work"?
Savepoints (in Oracle?)
- Xacts are atomic
  - Can rollback to beginning of current xact
- But might want to rollback only part way
  - Make 10 changes, make one bad change
  - Want to: roll back to before last change
- Don't have Word-like multiple undo
  - But do have savepoints
Savepoints
- Create a savepoint:
  SAVEPOINT savept_name;
- emp example:
  --changes
  SAVEPOINT sp1;
  --changes
  SAVEPOINT sp2;
  --changes
  SAVEPOINT sp3;
  --changes
  ROLLBACK TO SAVEPOINT sp2;
  ROLLBACK TO SAVEPOINT sp1;
- Can skip savepoints (sp3 above)
- But can ROLLBACK only backwards
- Can ROLLBACK only to last COMMIT, not past it
AUTOCOMMIT (in Oracle?)
- Finally, can turn AUTOCOMMIT on:
  SQL> SET AUTOCOMMIT ON;
  - Can put this in your config file
  - Can specify through JDBC, etc.
- Then each statement is auto-committed as its own xact
  - Not just DDL statements
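The sp1/sp2/sp3 sequence from the savepoints slide and the "two views of tbl" demonstration from the default-behavior slide, run as an added example (not the lecture's Oracle/MySQL session). SQLite is assumed in place of Oracle; the SAVEPOINT / ROLLBACK TO / COMMIT syntax is the same, but note that SQLite, unlike Oracle and MySQL, does roll back DDL, so the DROP TABLE / ROLLBACK slide cannot be reproduced with it.

```python
import os
import sqlite3
import tempfile


def names(db):
    return [r[0] for r in db.execute("SELECT name FROM emp ORDER BY name")]


def savepoint_demo():
    """Make changes, set sp1..sp3, make one bad change, then roll back part way."""
    db = sqlite3.connect(":memory:", isolation_level=None)   # we issue BEGIN ourselves
    db.execute("CREATE TABLE emp (name TEXT)")
    db.execute("BEGIN")
    db.execute("INSERT INTO emp VALUES ('ann')")
    db.execute("SAVEPOINT sp1")
    db.execute("INSERT INTO emp VALUES ('bob')")
    db.execute("SAVEPOINT sp2")
    db.execute("INSERT INTO emp VALUES ('cy')")
    db.execute("SAVEPOINT sp3")
    db.execute("DELETE FROM emp")                    # the one bad change
    db.execute("ROLLBACK TO SAVEPOINT sp2")          # skips sp3; undoes everything after sp2
    after_sp2 = names(db)
    db.execute("ROLLBACK TO SAVEPOINT sp1")          # further back still
    after_sp1 = names(db)
    try:
        db.execute("ROLLBACK TO SAVEPOINT sp2")      # forwards: sp2 no longer exists
        forward_ok = True
    except sqlite3.OperationalError:
        forward_ok = False
    db.execute("COMMIT")
    committed = names(db)
    db.execute("BEGIN")
    db.execute("DELETE FROM emp")
    db.execute("ROLLBACK")                           # whole xact: back to the last COMMIT
    return {"after_sp2": after_sp2, "after_sp1": after_sp1,
            "forward_rollback_works": forward_ok,
            "committed": committed, "full_rollback": names(db)}


def isolation_demo():
    """Two connections to one file: the second sees the first's rows only after COMMIT."""
    path = os.path.join(tempfile.mkdtemp(), "xact.db")
    a = sqlite3.connect(path, isolation_level=None)
    b = sqlite3.connect(path, isolation_level=None)
    a.execute("CREATE TABLE emp (name TEXT)")
    a.execute("BEGIN")
    a.execute("INSERT INTO emp VALUES ('ann')")
    seen_before = names(b)        # b reads the last committed state: nothing yet
    a.execute("COMMIT")
    seen_after = names(b)
    a.close()
    b.close()
    return {"before_commit": seen_before, "after_commit": seen_after}


if __name__ == "__main__":
    print(savepoint_demo())
    print(isolation_demo())
```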
RAID levels
- RAID level 1: each disk gets a mirror
- RAID level 4: one disk is the xor of all the others
  - Each bit is the sum mod 2 of the corresponding bits
  - E.g.:
    Disk 1: 10110011
    Disk 2: 10101010
    Disk 3: 00111000
    Disk 4:
  - How to recover?
- What's the disadvantage of R4?
- Various other RAID levels in text...
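The RAID 4 parity computation and recovery for the three disks on the slide, plus the small-write parity update that answers the disadvantage question. Added example, not from the lecture; the disks are the slide's bit strings, treated as one-byte stripes, and the function generalises to stripes of any length and any number of data disks.

```python
def parity(blocks):
    """RAID 4 parity: bitwise XOR (sum mod 2) of corresponding bits of every data disk."""
    out = bytes(len(blocks[0]))
    for b in blocks:
        if len(b) != len(out):
            raise ValueError("all stripes must be the same size")
        out = bytes(x ^ y for x, y in zip(out, b))
    return out


def recover(surviving, parity_block):
    """Rebuild a lost disk: XOR of the surviving data disks and the parity disk.
    Works because every bit cancels pairwise except the missing one."""
    return parity(surviving + [parity_block])


def update_parity(old_parity, old_block, new_block):
    """Small write: new parity = old parity XOR old data XOR new data. Every
    write to any data disk is also a read-modify-write of the single parity
    disk, which is the RAID 4 bottleneck (RAID 5 spreads parity across disks)."""
    return bytes(p ^ o ^ n for p, o, n in zip(old_parity, old_block, new_block))


def bits(s):
    """One-byte stripe from the slide's 8-character bit string."""
    return bytes([int(s, 2)])


def slide_example():
    d1, d2, d3 = bits("10110011"), bits("10101010"), bits("00111000")
    d4 = parity([d1, d2, d3])                   # the blank Disk 4 on the slide
    rebuilt_d2 = recover([d1, d3], d4)          # pretend Disk 2 died
    return {"disk4": format(d4[0], "08b"),
            "rebuilt_disk2": format(rebuilt_d2[0], "08b"),
            "matches": rebuilt_d2 == d2}


if __name__ == "__main__":
    print(slide_example())
```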