Approach to Taking Embedded Oracle to the Next Step

In order to make eHealth more secure.

Submitted by keef, 9-August-2002

This approach achieves the following purposes:

- Essentially embeds the nhiPassword utility (new program currently being discussed) into a wrapper so that our customers never see the actual passwords for the system and nhuser Oracle accounts.
- Essentially turns off SQL*Net access for the system and nhuser Oracle accounts (similar to how most UNIX machines turn off remote access for root and force you to log in as another user and then do an su); see the next section, Why Would We Do This?, to understand the motivation.
- Possibly gives tech support some additional tools to understand what Oracle DBAs (at our client sites) have done through sqlplus (if we desired to log people's activities).

This is an approach that we are not considering seriously at the moment, but Joe is documenting it for a few purposes:

- We may wish to revisit it someday.
- Not everyone had a chance to understand it.
- Robin asked me to.

Why Would We Do This?

My basic fear of turning on the SQL*Net port (i.e. running tnslistener) is that I'm not sure Oracle has taken enough measures to discourage hacking of the known Oracle super-user accounts (system). To the extent that our customers tend to pick similar nhuser account names (like ehealth, nhuser, etc.), we introduce another easy target for hacking.

The basic nature of hacking a known account (like UNIX root, Win32 System Administrator, Oracle system, Sybase sa, etc.) is the battering ram method:

1. Guess the password.
2. Try to log in.
3. On failure, return to step 1.

With computing power being what it is and networks being as powerful as they are, this approach is extremely effective (in an evil sort of way). On most operating systems, more and more measures have been taken over time to prevent break-ins as super-user (via the battering ram).
For instance:

- If you type an incorrect password on Solaris, you will notice that there is a static sleep before you are given the error message. This simple step slows the hacking process down (increasing the likelihood that someone will catch your battering ram in process).
- Also on Solaris, if you successively type the wrong password for root about 5 times in a row, Solaris will close the connection, forcing you to establish a new connection to the box (another measure to slow down the battering ram).
- Finally, if/when you actually guess the root password on most default UNIX configurations and you are telneting or rshing from a remote location, you will receive a brief shut-out message stating "not on system console", which means you cannot log in as root because you are not on the system console. This forces a hacker to guess at an actual user account name (like fred), then, once the fred account is hacked, run a local battering ram to hack root via su. The fred layer is essentially an additional password (or private key) unless the hacker has some understanding of the company's employees. Furthermore, running the battering ram on the local machine (as fred) consumes machine resources and is kind of like standing in Central Park naked.

What my approach offers for SQL*Net is the closest approximation I can muster for the "not on system console" shut-out: increasing the Oracle system and nhuser passwords to 30 hex digits (providing a total of 16^30 different passwords). This is not impossible to hack; it just means the battering ram will typically run for months before the system password could be discovered (and this already assumes that they know that it's a 30 digit hex key).

How It Works

Concord would rename the real Oracle DBA tools (sqlplus, imp, exp, etc.) and replace them with compiled C programs acting as proxying wrappers (a common wrapper for all Oracle tools would be fine: it can key off $0).
The Concord customer selects their own password(s) for the Oracle system and nhuser accounts, and these passwords can be stored somewhere in clear text or munged. For all intents and purposes, the Oracle DBA assumes this is the true password. They invoke Oracle utilities exactly the same way:

    % sqlplus system/freddie123
    % imp nhuser/sammie456 . . .
    % exp nhuser/sammie456 . . .

We use the customer-selected password, but combine this private key with additional information like the hostId of the server, a private secret key like the word "concord" spelled in control characters, etc. The actual passwords for the Oracle accounts system and nhuser are created programmatically by an MD5 hashing algorithm, which yields a non-decryptable 30 character hash which no one actually sees, e.g. f3908ab980d489f098e98a0c0d826d (so far, if you think this is complicated, don't lose me: this is the basic nature of most web-based encryption schemes).

Our proxy wrapper does OS-level authentication (or whatever authentication we want to enforce), strips off the password (e.g. freddie123) from the user's original command line arguments and invokes the real Oracle tool with the rest of the arguments via popen(). The Oracle tool (sqlplus, imp, exp, etc.) prompts interactively for the password (because we stripped it off) and our proxy gives it to the Oracle tool via the opened pipe. All other interactions with the Oracle tools are simply passed through the pipe. Stdin to our proxy wrapper is sent to stdin on the real tool via the stream. Stdout and stderr of the tool are passed back accordingly (see Basic Pseudo Code at the end, if you are interested).
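As an added example (not code from the memo or from Concord), the two steps just described worked through in Python: deriving the hidden account password from the customer's password plus host id and secret, and rewriting the wrapper's command line so the real tool is invoked without the password. The host id, the control-character secret, the list of protected accounts and the treatment of the memo's 30 digits as a truncation of MD5's 32-hex-digit output are all assumptions.

```python
import hashlib
import re
from typing import List, Optional, Tuple

# Constructed placeholders for the memo's "hostId of the server" and its private
# secret ("concord" spelled in control characters); not real Concord values.
HOST_ID = "80a1b2c3"
SITE_SECRET = "".join(chr(ord(c) - ord("a") + 1) for c in "concord")  # Ctrl-C .. Ctrl-D
PROTECTED_ACCOUNTS = {"system", "nhuser"}   # accounts whose real password stays hidden

def derive_real_password(customer_password: str, host_id: str = HOST_ID,
                         secret: str = SITE_SECRET) -> str:
    """Real Oracle password = MD5(customer password + host id + secret) as hex.
    MD5 is used because it is the memo's scheme; its hex digest is 32 characters,
    so the memo's 30 digits are taken as a truncation (assumption). A modern design
    would use an HMAC or a slow KDF rather than a bare MD5."""
    data = (customer_password + host_id + secret).encode("utf-8")
    return hashlib.md5(data).hexdigest()[:30]

def split_connect_arg(arg: str) -> Tuple[str, str, str]:
    """Split a sqlplus/imp/exp style 'user/password[@tns]' argument into
    (user, password, tns); missing parts come back as ''."""
    m = re.fullmatch(r"([^/@]+)(?:/([^@]*))?(?:@(.+))?", arg)
    if not m:
        raise ValueError("not a connect string: %r" % arg)
    return m.group(1), m.group(2) or "", m.group(3) or ""

def proxy_command(argv: List[str]) -> Tuple[List[str], Optional[str]]:
    """Rewrite the wrapper's argv for the real tool: key the tool name off $0,
    strip the password of a protected account so the tool prompts for it, and
    return the derived password the wrapper must write to that prompt.
    Other accounts are passed through untouched (assumption)."""
    real_tool = argv[0].rsplit("/", 1)[-1] + ".real"
    new_argv = [real_tool]
    derived: Optional[str] = None
    for arg in argv[1:]:
        try:
            user, password, tns = split_connect_arg(arg)
        except ValueError:
            new_argv.append(arg)            # options, file names, @scripts
            continue
        if password and user.lower() in PROTECTED_ACCOUNTS and derived is None:
            derived = derive_real_password(password)
            new_argv.append(user + ("@" + tns if tns else ""))   # password removed
        else:
            new_argv.append(arg)
    return new_argv, derived
```

The returned argv is what the wrapper would exec as the real tool, and the returned string is what it feeds to the tool's interactive password prompt; the customer-chosen password never reaches Oracle.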
Basic Pseudo Code (for Proxy Wrapper)

    /* Pseudo code. Note that popen() is one-way on POSIX, so a real build needs two
       pipe()/fork() descriptors in place of the "rw" stream; FlushResponse() and
       ParseAndRespondToPassword() are sketched here, not defined. */
    #include <stdio.h>

    int main (int argc, char* argv[])
    {
        enum {MAXLN = 1000};
        FILE* pipe = popen ("sqlplus.real", "rw");  /* real tool, started without the password */
        char csLine[MAXLN+1];

        FlushResponse (pipe);                       /* Oracle welcome banners */
        ParseAndRespondToPassword (argc, argv);     /* strip user's password, answer the prompt */
        while (pipe && fgets (csLine, MAXLN, stdin))  /* stdin pass-through */
        {
            fputs (csLine, pipe);
            FlushResponse (pipe);                   /* stdout pass-through */
            if (feof (pipe))                        /* test for prog exit */
            {
                pclose (pipe);
                pipe = NULL;
            }
        }
        if (pipe) pclose (pipe);                    /* user ended input before the tool did */
        return (0);
    } /* main */

Keef, Oracle Proxy Wrapper Approach, July 9, 2002