Oracle Database Server Security
This article focuses on Oracle Database Server security. It is divided into three main parts: the first covers Oracle's history, database products and architecture; the second covers basic Oracle hacking methods; the last covers Oracle defence methods.
Author: MIKOLÁŠ PANSKÝ
WHAT YOU WILL LEARN…
- General information about Oracle
- Basic Oracle hacking methods
- Basic Oracle defence methods
WHAT YOU SHOULD KNOW…
- Basic knowledge of Oracle Database System
Oracle Corporation's history started in 1977, when the company was founded as Software Development Laboratories. In 1979 SDL was renamed Relational Software, Inc. (RSI). That year the company released Oracle v2 as one of the first commercial relational database systems; this version implemented the basic SQL functions, queries and joins. The company name was changed to Oracle in 1983, the year it released version 3, written in C and supporting transactions. Version 4 followed in 1984 and version 5 (client-server model) in 1985. In 1989 Oracle Corp. entered the application market with Oracle Financials and implemented PL/SQL. In 1992 came version 7h, a data warehouse release with relational integrity support, stored procedures and triggers. Version 8, developed in 1997, supported the object-oriented approach and multimedia applications. Version 8i was released in 1999 with Internet support and a Java Virtual Machine (JVM). 2001 brought Oracle 9i, with the ability to read XML documents and support for RAC (Real Application Clusters). Today's version is 10g Release 2, with Grid support.

Oracle has released many versions, each with a different set of features. This article focuses on Oracle Database, which comes in several editions. Standard Edition (SE) allows a maximum of 4 CPUs, has no memory limit and is usable in a cluster. Enterprise Edition (EE) includes advanced security functions: it is possible to add Database Vault, which protects data even against database administrators (DBAs), and Advanced Security, which allows encryption of network communication, encryption of data in the database, stronger authentication and, finally, Label Security, which allows the definition of security privileges and user labels, i.e. security at the row level.
Alongside these come Standard Edition One, with support for a maximum of 2 CPUs; Personal Edition, without RAC, targeted at developers; and Express Edition, limited to a single CPU, 1 GB of RAM and 4 GB of data.

At first glance, an Oracle Database System is composed of processes that run on the host operating system, a logical memory structure (the Instance) and a physical file structure (the Database). Processes are divided into user processes and server processes. Every time a user runs an application, the user process connects to an Instance; once communication is established, a session is started. For each user the server allocates a Program Global Area (PGA), where session variables are stored. The Oracle Instance is made up of the main memory structure, the System Global Area (SGA), and the processes that run in the background. The most important of these are the System Monitor, SMON (responsible for crash recovery and for compacting free space in the Database); the Process Monitor, PMON (monitors the running processes and cleans up after those that fail); the Database Writer (DBW); and the Log Writer, LGWR (writes the log records that make rollback possible).

The Oracle Database is composed of control files (which hold the database name and the locations of the data files and redo logs), data files, and redo logs (the files that record all changes in the database). Information about the running processes is held in the views V$PROCESS and V$SESSION.

Communication with the outside world is handled by the Oracle Listener. Its configuration is stored in the listener.ora file, which holds the SID (Oracle System Identifier, which resolves the database Instance and identifies the database), the protocol and the port. The Listener listens for database requests; after receiving a connection, it sends a TCP port number to the client, which then connects to that port and authenticates itself. The Listener can also be used by PL/SQL packages or external procedures.
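Because listener.ora is where the SID, protocol and port live, a defender's first inventory step is to read it. The Python below is an added example, not code from the article: it parses the nested parenthesised Oracle Net syntax, lists every address the Listener binds, and lists the SIDs registered statically in SID_LIST blocks, flagging any that point at the external-procedure agent (the PROGRAM = extproc entry). The listener.ora text, the host name db01.example.internal and the SID names are constructed sample data.

```python
import re

# Constructed sample listener.ora for this example (not taken from any real host).
SAMPLE_LISTENER_ORA = """\
# Oracle Net listener configuration -- constructed sample
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = ORCL)
      (ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1)
    )
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (PROGRAM = extproc)
    )
  )
"""

# Tokens are '(', ')', '=' or a bare word; a parsed value is a string or a list of (KEY, value).
_TOKEN_RE = re.compile(r"\(|\)|=|[^\s()=]+")


def _tokenize(text):
    """Split Oracle Net syntax into tokens; '#' starts a comment that runs to end of line."""
    tokens = []
    for line in text.splitlines():
        tokens.extend(_TOKEN_RE.findall(line.split("#", 1)[0]))
    return tokens


def _parse_value(tokens, pos):
    """Parse a scalar, or a run of '(KEY = value)' groups, starting at tokens[pos]."""
    if tokens[pos] != "(":
        return tokens[pos], pos + 1
    groups = []
    while pos < len(tokens) and tokens[pos] == "(":
        key = tokens[pos + 1]
        if tokens[pos + 2] != "=":
            raise ValueError(f"expected '=' after {key!r}")
        value, pos = _parse_value(tokens, pos + 3)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError(f"unterminated group {key!r}")
        groups.append((key.upper(), value))
        pos += 1
    return groups, pos


def parse_listener_ora(text):
    """Return {TOP_LEVEL_NAME: value} for every 'NAME = ...' entry in the file."""
    tokens = _tokenize(text)
    conf, pos = {}, 0
    while pos < len(tokens):
        name = tokens[pos]
        if pos + 1 >= len(tokens) or tokens[pos + 1] != "=":
            raise ValueError(f"expected '=' after {name!r}")
        value, pos = _parse_value(tokens, pos + 2)
        conf[name.upper()] = value
    return conf


def _find_all(node, key):
    """Yield the value of every KEY found anywhere below node."""
    if isinstance(node, list):
        for k, v in node:
            if k == key:
                yield v
            yield from _find_all(v, key)


def listening_endpoints(conf):
    """Every ADDRESS the listener binds: protocol plus host/port (TCP) or key (IPC)."""
    out = []
    for name, value in conf.items():
        if name.startswith("SID_LIST_"):
            continue
        for addr in _find_all(value, "ADDRESS"):
            if isinstance(addr, list):
                f = {k: v for k, v in addr if isinstance(v, str)}
                out.append({"listener": name, "protocol": f.get("PROTOCOL", "").upper(),
                            "host": f.get("HOST", f.get("KEY")), "port": f.get("PORT")})
    return out


def static_sids(conf):
    """SIDs registered statically in SID_LIST_* blocks, and whether each runs extproc."""
    out = []
    for name, value in conf.items():
        if not name.startswith("SID_LIST_"):
            continue
        for desc in _find_all(value, "SID_DESC"):
            if isinstance(desc, list):
                f = {k: v for k, v in desc if isinstance(v, str)}
                out.append({"listener": name[len("SID_LIST_"):],
                            "sid": f.get("SID_NAME", f.get("GLOBAL_DBNAME")),
                            "extproc": f.get("PROGRAM", "").lower() == "extproc"})
    return out


if __name__ == "__main__":
    conf = parse_listener_ora(SAMPLE_LISTENER_ORA)
    for ep in listening_endpoints(conf):
        print(f"{ep['listener']}: {ep['protocol']} {ep['host']} {ep['port'] or ''}")
    for s in static_sids(conf):
        print(f"SID {s['sid']} registered on {s['listener']} (extproc={s['extproc']})")
```

Run against a real listener.ora, the output tells you which host/port pairs the Listener exposes and which SIDs are reachable without dynamic registration; an extproc entry is worth reviewing, since it lets the Listener launch external procedures on behalf of PL/SQL, exactly the use the article mentions.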