Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Core Security to Reveal New DB Attack Vector



 By: Brian Prince
2007-07-30
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
At Black Hat, researchers will reveal how timing attacks can be used to recover entries from database engines.

Researchers at Core Security Technologies have donned their black hats and are preparing a presentation about a new database attack vector that relies solely on the inherent characteristics of the indexing algorithms.

The attack, which will be demonstrated Aug. 1 against the MySQL database engine at Black Hat USA in Las Vegas, affects database management systems using BTREE, the popular database indexing algorithm and data structure. Traditionally, database security breaches are mostly due to the abuse of wrongly configured authorization and actual control permissions or the exploitation of bugs in front-end Web applications through SQL injection, said Core Security Chief Technology Officer Ivan Arce.

Resource Library:
The presentation will involve the use of timing attacks, a common technique for breaking cipher system implementations, on database engines. Researchers from CoreLabs will explain how this technique can be used to extract information from a database by performing record insertion operations, which are typically available to all database users – including anonymous users of front-end Web applications.

"What the attack takes advantage of is some features or some characteristics of the indexing algorithm," Arce said. "Some inserts will take more time than others, and that time is measurable. So if you control what you are inserting and you can measure the time that it takes to insert into BTREE, you can infer what other contents the BTREE has before you did the insert."

Arce said that while this attack affects many types of databases, it would be difficult for a hacker to exploit.

"Its a theoretical attack," he said. "There are a lot of implementation details for an attack like this. Doing an attack like this against a specific database requires a lot of knowledge about the settings of the database and how it was tuned, what the table content, the table structure is."

In addition, Arce said there are a high number of inserts and transactions going on constantly on a live, large database.

"The problem would be to measure timing for your inserts accurately and to notice the differences in your inserts accurately at the same time as a lot of other users are doing similar things," he said. "Nonetheless, we feel that it is important to talk about these things and expose them so that practitioners know that this is possible and they plan accordingly."

During the presentation at Black Hat, CoreLabs researchers Damian Saura and Ariel Waissbein will present ongoing research on this attack and explain in greater detail how this technique makes it possible to extract private data from a database. In addition, the presentation will also review BTREE and how the security vulnerability was discovered, Core Security officials said.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.



  Reader Comments: Core Security to Reveal New DB Attack Vector
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


x}v69yDى)RVK}d[Ķ<-EBc䐔////ϸUxӅ|Izki$PU(?;;o$rhiOȹc-J3TI<Λ7omwL-GFgPSrD廚wW3]̉k7v#<7oe"|l 4jG40,Rs2 j9ӛyٜi6&8bp,FmgM5d{=B -6s!%7DRงEQ߱LAǎH0 g&>4ob!)+Bd+B(?cR͵~Gx+fv^B(lʛz[ikidd9 r4Ȋ=yΰ{ /\1r.bL{y74_ *Y)NrDƖHA d#LJN`:r,#"G^C]ݱ:Z.Xk3ӂhYlɧ9]oԏPL0HO)t|@ɠi!Zdq3m9e(F42MYnjR9P(|а߉"www;6;2CtgFovT( ? n84h;ZCJyMSKtyES(PK K'Y̮gfVҘ gbQ9@f9v'򳹥s1\]^u28vN}1f(j PEfP+ԩZu\\?_s\w/Nz}rڻ"'ONY3a ɟk*Ꟈz 6O{uHYz>5TY0^H;dOzǃϗ2 ǣ1I|]: 247Q[h,w.r$R&JGXE,, Q`FU tA%m"-kh:sP;L~sE#nVӔj 9BÌܼm掁49kPYT`k6R 9b*B̄H )&]U){IK _VP*B؃_. jFTwEQQ#=fA.r)i! 6=cLTt+뛹(-j\G֛esJ֖t]`xaZVpx=ivڃWҿ]{t;0,>cq4Q`A-& 8ñ:ʩmn:Al:-Rz -,b(7Z`Lm,5,Ltͭy0`贉;mF3jYsvk(|?ƒ$6hhƋMri}0MH/j0i|3wG ݺOnž+ Qm0CGE 6\LRmb;>49 HhR0<sx70ܚ[3h_#]Ѽk:F?a'/Z- Be^~m¢PsܧmMrAݛ39ڭfZȴc@%B~`X&4$ 7uXu-^\#0oUKF;aNv gv;6P0*CMrFs)wdm˴o*RЛv39n(!++׬UPM 1g2)*hs< 9:[ȭ 7)\EYb꾪5X"a5?%ӻfR/0}ԙQ3BZ9z٧l)3-$֒e]Gy_Noʾԭ uPei,a-XtR\D֑Rk(XK+ezdxчhKlZ?HpSw{!jaaC3gQKEY9϶?62ei[ax K6ʸ@1$sPQ_؄͆rir>::X9點vgıw@~P9G SǏipB)e ֤Pbb 35.F  _ǂ%K ރȁUrrX3lib?, {E[Iq6O: V 2D+ه`M E=͝l|àSI_(b1&C ԑq,Yri L*gXsM>QȚ@­(mEVBM{ i pjZDZ < ıLRUaT88]7 2qŝa8'?@:R)æ13gdi'{ǙXT'/咢T'$o+:#XIpHE@xZkhpL@\RZr>j 7VD07pl)UtlSKm[hA x X\> *oҵ@)ЧCizh}~هF9#,!'HHo?YDzTZ-+FXp|"0xϹoƼL]Cg<ޗ8kC }w=(i4^Sz3t~ gn-!s㑏.S0)c#1okFW#S@TWHFH/h1 Ε TN:hb4B1_RN]C& ],W`1>qUǐV89'&R9&GJtɂu!Xe0ջ1u(bH}#G`JEWY)yPлe=UN᧜ZЁQ}?pkh豸4] QD|f0f&T0ӛ.YTjR_ZIg7{i64F@2<"#8zl: ӁjFB -Қ}vsVUx9JbMW2ED5ExrC골 |l9s@NqL+ 30sIl x@̬kG:aۤs:&2pclZ`|yQU+ ̿,X`c1s*? .=xփu8왗X]?`gsT`p1\An#\>+b*r6=?J}[LߴǸbNw).<0{L3gF=6 Phn`$dmAU+-G}X%2n-!?s/ROR0spsGci mmXTNU;9&P@ZhO \ ?k898$D$Ee"[pe l&SrVaokAaf\ԋՆ3+(G݉C/ PNJ]C~g$<@|)AU%uTjŊP?YTAtE襤#\EZ`;ZAY_ kkhs!6-ܛ`@O|C!OTJ0%6&4e3ꅛ_|q[rn)1uyĂ5]h-BwYb `0W?Li&I?t/鉚ƺR`dg Yj(X%T/I$t` [m:J"e2qy27)ۚk-n@, +_n31Ý)Ms#ZV2hwĶVUsvc"a8!`0\+D("YKrrzJ5+tF2RyGBBXxO+א4CN\6ǗWXO\ dM!O%EDK!ښVi e&6'JUqmr7A'ˏ<^+F-b }* NS[5al 9)e:w~y0;o'e@:mw> }~l?<w!0 zŽcr O(mU^t~9$Iz/Ny}] {y;dB*;PvB,& { F1n6bd۫MP^ON+^a~; 2ߧD4,r zy}B};]z rֽHVKQ~\M }}qbU4WHN*<Shmƛ&% $¬xI]a+"AKsřU/l|&֓mU=C덵hlQ´VXȬE`.>T1L׀zB*q_?G':KY=6PV+*Q+RJ)"4FYO |DN:ǽ6g <"@69FxDw;^4} y*}y:}_exL+%GBY3`Gg]+z+9ƭNHl NAn*|>p_uS4 jGYsN&6l->oprr PR)'&Q(hiQj5Kbs4tJ9SBt+02yO PSLO\LzJ,RTeD$SQSKnfr5Z!zs gnMv6unϼ K﷮ Ó l; .VH0_Ӹ\btg@ XY+oxta}ɫI-jٷΫ؁OK>Cp01z@°+CxP(vгOj[l3{ttm, OXqD2UP(s6s}=BvӅceЦw'9vT%st7wϴ2a5}JA0ف9~@ϝ̀(|iЧx"l _@(P~4q4\xj3y<->Am ,:\?=K|, g6!'=r٠sE@ $U <{ݽ9{Qwp]^zz'AEvkN ~\0q[Ko?w;VSYlzC\[8S|/KtN,Tfx J}~l't6D(B^-d_"e.tїNt2<>:k ,zsd3tT?#z>2Po!.M81wKx/y~3ϤaW*]c2-. wfVD*]K\~Qhr;Dʂ)8Y(qR ) {"F%y#YN Ģ]Wپg{sL&~d_#@/u,v k4XaDVA;'hs4ٮGTgL.}`ˤ.VO֏8__bjqBe5xsERw^ y~lbF}:3mZ-'.krxY>v< ہѠmY w<3ʙQcpEνk9&Ĝ0'L]˷^؟AOPSߜJU-%ir?9D#''N#nS?DŁx#5!? YЋ렳h._s\ClbdU>R9e rF+0<7<8Va"Ql  c}Y20S~tNӚX,qC0|dTR+[beb+\$5%z\|o߻/]gG6 zW!bd! (!8)#Plof7GM$vR@v)8_& K)ѐsҊV6H<ؙ[4<f5.<ҵǞt\*z]*z?䆦 NBqtC$ }!># =䘤LU2 SHgQW*WeηvQbQ*2XS}qּ<{Bg(3R&}[`(`+I;åHA@)gd |@# I ň"JHiںx)^ ]7[j0;#8k.bq?O$T*2X-J8P`Z,bP%$SzBKORqq^ڗ.5O,C]4nJDT,Z܄OBנ;nCSJ=!6eʋ+/f> zjwY҉eRTR*'OB$Hץ_R!GֳoϡjiSbP2iÙe{0δ v/gI=ߓݲa>I JjZKHB̝C w aү_$!5@k9먽",*a~  @b+R{׏X ؾO00x׏RuOEH-Qom%W4±R>f___U oooo\绚c}mzy:vzKd0_2pp80<g8$D/,;Yc_[ZtZR66v9XK`(\uP^$z,Zkz$DYI%~|9CAa? :''_>rIA&1F%̻f=/)_!HGU_ϸ2TY;6&Dk"yo<+++++wzM\y>ynO(Lljte#{ 0]px~C`ic#7ŵiο̇7R31}F|g(@ -ֵE~5$eN3s1Gx_Nvo!-z/~Ʈh(v}j=-Le| HGlD=ĸv}"$K8دI@ϣJY_O!I W]{l1"fIqarh&= C{V#x9*$!./ujhT2[ڶp9Bw> z|:g\YI/Ŋ˫3 q\XkM;V!ZO:rpI}Kw!i°m:sl[fY #zNB3˵v6EuIG@kyϣ[13U ^f#%`ܐ +lxӫ_OC@黎Y_rD%R|ד _|#[xx5:0ڨ^k찊w~ǀ@vڈCs3"s{nZ@5&`f#*(U3.|i ȲK٥Gg-]-mjfy50':tLC-jif-0kĚPSa-Iior?/#VD4R 5 `pEXS*vpt?c1F ApnU 7b~v/.uv؋GCǗy00B2О$^M#mp]$&尧6P]oހ^<=C!y FFPCݿ{[noo[*f M[O?̓}e_+ x{o|Ԋ^A5iξCm<`!\k>1mͨ4$pF[#Ow!L8tO/ :ä۴5,hM,wh67f`nVfoۿAWmݤɷە1V^{C`2-?S$]zB7g4 EIA02XD2.E>~}Bt (7Iė;2n2nGlmUEk)'>ş;Z>^1 nb+>]*M BakD0qa1ʱ, <ۉ0"% ZkVYJ:+ȈZnj\!1cPA1iAK5ؽBRU BJOEsϫu HP)$6tk718_|}P.BozQwӸFk.6jS&AbU볯K{᷍mslӳOb Hۡ蚛[н,%&hPjߚc뛫u)Ǹqf`HWlfmmX%d[ۨ4 ,bPH)ieP&}ꦆ_/HHuTxW"Y l=@Ƃ Bֿ&|Ic%M.~OeBѹǛf'>SO L-& H!47\#P <>+CG\ )Uպk$r&C>+h|&W;ҹfZ,E1B/5>o۶ɀ+8NB}d[RZ#=qhxqـjEl~%:tdK8؃~VP߹ԓGą)׀gv_ ;Ba-Xnh *>I/Ht H]Y# `xI(Vo~hwE :W} d!?8s&g/KL ~ eVw@A|!/vQ^ cMTOaSvSF+eڽ#7L>>BX!inf立rp#{~6L-o?hHIED#ThbGB#Ws~I79tN-րၰ5"$TDCeDRRa  X29L[lDLNۮPNS{%oP$P` +vdcB r,+D:]R"V4Q:&.H oIYPXP؞?pk'H0 7ȌS,0A52"ܟ.ӻh34隸*ۤD n 0VY K<ɚMG͚#_iCg0&?/X9P|\KF$Ѕ:y,@#!sFHMO_} =3#\k}OZݓth_7}^dCkH ק 0ڵ3?ggsAs<s <A!#sH?H ^~eK 寀23  鿬O1>AtS~~2w Y{ _g wɱN2!HogY'NϯR8G\(_*UYk OY08H? }VU =_`ektrf_3 ̭L_ǽBX\ ȍ({^-3Lk[K2PKȣ_( ^敭I<$xEqF. 3l?V\[[LOнۺ{JJݓs+z`O뀷 d^ WsU}ӉZZ?Ś\/Jߙd3,FE Xð=Y#/ܺ Gz‰n}(s ҟL~<̊bnOArtr e>ov+y]ć^`MCkNYh!rE>=]nx6X6EYŠe @ q0Z@Z;i^jIⵊm&S/Uf]ӧ2w;'י icо(u4Qb5f$Gѡx_%06:)+xlӕQfr{^f$JAmXr憄-)gxp1k϶{3[ٷu7jvܙ%O_|y ${l;;!'k&ص_9$2FrǃBxr(pIi/yF'@>:bI39L$&~2giKM}x} %4Ie`'Կsg9 C{)B9 H|\kƊ,!#1苌Y Uc{kͅ*q8wiJ#~4ZEbBtN[a~$Xl!׽d,3u'{I5>?>V@6AՋpǵzBXt$,ዪJ6AG}J垓$Gg_ bzy*b3@p6+L@*9"Zo P@EakA/?H3ۉd&%}Y.H& ]a ш%$yHRbP/9"űoPmJO 0wOoy㴁E"`S wl#fSC~X읚fxٲq1cbV!qmeVӧW-[$@#5E`piЀΧ^p롎PgU|J6AO1-i?׈K8!A]}_vs[>/'B`d鎎Fhd G:$_)04oAs^nT0]~ r@c]Pn3@FWD0;"6.菳Y& hUaaWvbb~Y;fI|9jE G"9"U]<#66sQ/>yKW}na|dt%KFzH%!1Ӷ\)fbʥ.lSܟCaҟE7"o,ϱ{ QFbvB#q얢U .D-c}`qȏ:<6UDlw|p,ulPozc;|6gna({B}Ay@~ւ!8g̮h]1nBM ga+gܡ4b޻Yy&tW[OPS;| ,݈bVS"ND׊7'Z:tsh;h[sTHчlj qP.X-n&B@wS Z'GٖBY^lʩSe=CV{XN1|aF|iOxpٓ9탸/OܘtģG~ycn/4I <5 ?`]2/{? Qnm ~q?vP e\k0uzlb8$pe,5 582&(1Hdo*xs(GERb|SDm ku|os`]i6IB?,0) 7'Rnk8:N.v5y 0 hWƻ{$=;UgRD~{nYH }cqFNŢZh:  Ůkd}bJ#Ӗu ɂkcW07ft̓rGs4_-)5Ua?иh±`e_Z9TMoLhGHv{b=5;,}OkePl|Xؑf}W NV+i9j"YG<~FCltf*ތ}ÉyxAT~e9 *}K~:qʶy&L Z 'X%v o&KN/zW?ꝝ苕 㣸Zfo]:kzj#q'4 O^WwN`l;$\#oveZTysB:kqAmexƙqI]|<@",5S5F\@7@` ]XpOomůRQ -F`xA|H >e57!x +{X޼='!|R%T\hBфA-ơA*M~O-C(KOhYlY`C`l_le $xqi-[a=JK1֐D@ .>' L#^x3wcޑw>WRF[N t>jMؼ$AJخxk)s*!fE.f˼JVB6K]oR0酳a67|TI76X2[#yЦ,xZ<o֒4E48?R0jx>plv/>q8 ""w`;nsǧHxTn|mÉ}濿59fy=O˝+IO%w&&<MR«V,ʤ{B$t<sЫ:,—OwQ_ޚ0Ea:cGmm'X#Ken}vޑϕz}ͭe;MfG =K2Mn_]r+29 /hDlAYgk|~pڻHCAO+z}z5(a'(Ur'_w? W$zW){G*}Nj)h!>P\yzW'4!q w>9^Of[AͼY[D໡FpϷį];ޙ.paQD4;߷[1c}@)K`mNeĺ^n:%cT,B/?V.D'!&-Sfr"1u}̭MlN76&uX~/C ΰr2,_ {km?