Core Security to Reveal New DB Attack Vector

At Black Hat, researchers will reveal how timing attacks can be used to recover entries from database engines.

Researchers at Core Security Technologies have donned their black hats and are preparing a presentation about a new database attack vector that relies solely on the inherent characteristics of the indexing algorithms.

The attack, which will be demonstrated Aug. 1 against the MySQL database engine at Black Hat USA in Las Vegas, affects database management systems using BTREE, the popular database indexing algorithm and data structure. Traditionally, database security breaches are mostly due to the abuse of wrongly configured authorization and actual control permissions or the exploitation of bugs in front-end Web applications through SQL injection, said Core Security Chief Technology Officer Ivan Arce.

The presentation will involve the use of timing attacks, a common technique for breaking cipher system implementations, on database engines. Researchers from CoreLabs will explain how this technique can be used to extract information from a database by performing record insertion operations, which are typically available to all database users – including anonymous users of front-end Web applications.

"What the attack takes advantage of is some features or some characteristics of the indexing algorithm," Arce said. "Some inserts will take more time than others, and that time is measurable. So if you control what you are inserting and you can measure the time that it takes to insert into BTREE, you can infer what other contents the BTREE has before you did the insert."

Arce said that while this attack affects many types of databases, it would be difficult for a hacker to exploit.

"It's a theoretical attack," he said. "There are a lot of implementation details for an attack like this. Doing an attack like this against a specific database requires a lot of knowledge about the settings of the database and how it was tuned, what the table content, the table structure is."

In addition, Arce said, a high number of inserts and transactions are constantly going on in a live, large database.

"The problem would be to measure timing for your inserts accurately and to notice the differences in your inserts accurately at the same time as a lot of other users are doing similar things," he said. "Nonetheless, we feel that it is important to talk about these things and expose them so that practitioners know that this is possible and they plan accordingly."

During the presentation at Black Hat, CoreLabs researchers Damian Saura and Ariel Waissbein will present ongoing research on this attack and explain in greater detail how this technique makes it possible to extract private data from a database. The presentation will also review BTREE and how the security vulnerability was discovered, Core Security officials said.
