New Database Attack Technique Will Be Difficult To Mitigate
A new database attack technique will be described at Black Hat by Damian Saura and Ariel Waissbein of Core Security Technologies. The technique is a timing attack: the attacker issues a series of insert operations and measures how long each takes, using that timing to learn about the data already held in the database's index. A big problem for database administrators and data modelers is that the recommended way to deal with this threat is to not index confidential data. Confidential data is often exactly the kind of data used to uniquely identify a row or to perform a lookup.
SearchSecurity is reporting:
According to Core Security CTO Ivan Arce, digital miscreants could use a so-called timing attack to lift sensitive information from database tables. He described timing attacks as a technique typically used to break cipher system implementations and pinpoint inherent weaknesses in the indexing algorithms used by most commercial database management systems. Attackers can extract private data from a database by performing record insertion operations that are typically available to all database users, including anonymous users of front-end Web applications, he said.
To mitigate this threat,
Asked about defensive measures, Arce said, "If you have confidential data, don't index it. Don't use confidential data as the index key." He also suggested monitoring the database for insertion attempts. "If you see a bunch of inserts into a table over a short period, something's up," he said.
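Arce's second suggestion, watching for bursts of inserts, is the one a DBA can act on today. The script below is an added example, not code from the original post, from SearchSecurity or from Core Security. It assumes a hypothetical audit-log line format (`<ISO-8601 timestamp> user=<db user> stmt=<SQL text>`), a constructed sample log embedded inline, and a window and threshold that a real deployment would have to tune per table.

```python
"""Burst-insert detector over a database audit log.

Added example, not code from the original post or from Core Security.
It implements the mitigation quoted above: raise an alert when one
database user issues more than THRESHOLD INSERTs into one table inside
a sliding WINDOW_SECONDS window. The log line format is an assumption;
adapt LOG_RE to whatever your DBMS's audit trail actually emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed audit format: "<ISO-8601 timestamp> user=<db user> stmt=<SQL text>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) stmt=(?P<stmt>.+)$")
# Pull the target table name out of an INSERT statement
INSERT_RE = re.compile(r"^\s*INSERT\s+INTO\s+([A-Za-z_][\w.]*)", re.IGNORECASE)

WINDOW_SECONDS = 10   # sliding window length
THRESHOLD = 5         # more inserts than this per window is suspicious


def parse_insert(line):
    """Return (timestamp, user, table) for an INSERT audit line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ins = INSERT_RE.match(m.group("stmt"))
    if not ins:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("user"), ins.group(1).lower()


def detect_bursts(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Map each offending (user, table) to the largest insert count seen
    in any window. Lines are sorted by timestamp first, so out-of-order
    log delivery does not break the sliding window."""
    events = sorted(e for e in map(parse_insert, lines) if e is not None)
    recent = defaultdict(deque)   # (user, table) -> timestamps inside the window
    alerts = {}
    for ts, user, table in events:
        key = (user, table)
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # evict expired entries
            q.popleft()
        if len(q) > threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


# Constructed sample log: one web-app session firing eight probe inserts
# into the indexed accounts table within eight seconds, plus an ETL job
# doing two inserts a minute apart, which should not trigger.
SAMPLE_LOG = [
    "2007-08-01T10:00:00 user=webapp stmt=SELECT name FROM accounts WHERE id=7",
]
SAMPLE_LOG += [
    f"2007-08-01T10:00:{s:02d} user=webapp stmt=INSERT INTO accounts (ssn, name) "
    f"VALUES ('000-00-{s:04d}', 'probe')"
    for s in range(1, 9)
]
SAMPLE_LOG += [
    "2007-08-01T10:05:00 user=etl stmt=INSERT INTO audit_log (msg) VALUES ('nightly')",
    "2007-08-01T10:06:00 user=etl stmt=INSERT INTO audit_log (msg) VALUES ('nightly')",
]

if __name__ == "__main__":
    for (user, table), count in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {user} issued {count} inserts into {table} within {WINDOW_SECONDS}s")
```

On the sample log this flags the `webapp` user for eight inserts into `accounts` and stays quiet about the ETL job. The threshold has to be set per table from a baseline: a busy order table legitimately sees many inserts per second, so alert on a departure from that table's normal rate rather than on one global number.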
It sounds simple in theory to not index on confidential data, but it isn't. Of course databases can use meaningless surrogate keys for primary keys, but other identifying values, like credit card numbers and Social Security numbers, are also used to retrieve data. I've gone into my bank a number of times without my account number and they looked up my records using my SSN. I wouldn't want to wait for a full table scan of the account table to find my data. The bank is indexing on SSNs.
Even when confidential data is not used for lookups, complex joins across multiple tables depend on indexes on the join columns to get efficient query plans. Dropping those indexes can have a significant impact on performance.
This timing attack is a different class of attack from the ones we are used to. Databases aren't just vulnerable to poor access control policies, weak passwords, listener vulnerabilities and the others we've come to expect. This attack treats the database the way a cryptanalyst treats a large volume of ciphertext: it infers the protected data from a side effect of how the data is stored, without ever being granted read access to it. There is no good fix for this one right now.
UPDATE
8/1/07 Actually, I should have said there is no good fix for existing databases that depend on indexing confidential data. I'll post a solution in my next entry that can be used for new designs.



