February 10, 2008   Sign In |  About ebizQ |  Contact Us |  Join ebizQ Gold Club
Peter Schooff
Peter Twenty-Four Seven Security
 Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.

« Threats You Need to Know About | Main | Podcast with IBM Rational: Security Becomes an Important Factor in Application Lifecycle Management »

August 01, 2007
New Database Vulnerability Found

While the folks gather at Black Hat and dig into the depths of security's dark side, I'll just have to keep to the sunny side of the Internet street and keep wearing my white hat proudly.

According to Core Security Technologies -- who will be demonstrating this new-found database vulnerability at Black Hat in Vegas today -- where databases have typically been attacked via authorization or access controls, along with trying to insert bugs in the front-end using SQL injections, this attack goes after BTREE, the much used database indexing algorithm and data structure.

This approach uses timing attacks -- which is a fairly typical technique for cracking cipher system implementations -- on databases. CoreLabs intends to demonstrate how this method can be used to obtain database information by enacting record insertion operations, which are generally available to all users, even anonymous users of front-end Web applications.

"What the attack takes advantage of is some features or some characteristics of the indexing algorithm," Core Security Chief Technology Officer Ivan Arce said. "Some inserts will take more time than others, and that time is measurable. So if you control what you are inserting and you can measure the time that it takes to insert into BTREE, you can infer what other contents the BTREE has before you did the insert."

"It's a theoretical attack," he said. "There are a lot of implementation details for an attack like this. Doing an attack like this against a specific database requires a lot of knowledge about the settings of the database and how it was tuned, what the table content, the table structure is."

This attack is still almost entirely theoretical, and one of the key things working against is that, while trying to almost measure the database in isolation, other people are often signed onto the database at the same time, making change in a database a constant.

But with CoreLabs giving their demo today, I'm sure more information will come to light for those who tread in the dark.

Posted by pschooff in |Digg This|Add to del.icio.us

Trackback Pings

TrackBack URL for this entry:
http://www.ebizq.net/mt/mt-tb.cgi/2184

Comments Post a comment




Remember Me?

(you may use HTML tags for style)

We ask that you type your code (displayed below) in the text box.This code is an image that cannot be read by a machine. It prevents automated programs from submitting comments.


Code:



Most Recent ebizQ Blog Entries
ADVERTISEMENT
Subscribe
News Feed
Recent Posts
Categories
Archives
Blog Roll
Blogosphere
This Work
Accountability:The opinions expressed in this blog are solely representative of the blog's author, and not of ebizQ
Subscribe to our Newsletters
ebizQ Weekly Gold Club Update
Live Webinar Updates
Updates from ebizQ Partners
ebizQ SOA Update
ebizQ BPM Update
ebizQ Security Update
ebizQ BI Update
ebizQ Open Source Software Update
Virtual Show Newsletter
Your E-mail Address:
BAM: The Killer App for CEP
Date: Feb 12, 2008
Time: 12:00 PM ET
(17:00 GMT)
I WANT TO ATTEND
Event Processing Market Pulse
Date: Feb 14, 2008
Time: 12:00 PM ET
(17:00 GMT)
I WANT TO ATTEND
Archived Webinars | Upcoming Webinars

Marketing Solutions | Feedback | About ebizQ | Unsubscribe | Privacy Policy | Site Map