Call: +44 (0)7759 277220 Call
Forum

Welcome, Guest. Please Login.
Nov 22nd, 2024, 6:08am
News: If you would like to register contact the forum admin
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Security
(Moderator: Pete Finnigan)
   VPD vs Views
« Previous topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: VPD vs Views  (Read 7567 times)
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
VPD vs Views
« on: Nov 22nd, 2005, 5:08am »
Quote | Modify

In all the documentation about Virtual Private Databases, I have not seen any discussion as to why they are better than views.  Eg. one could write
 
CREATE VIEW RESTRICTED_CUSTS AS  
  SELECT * FROM CUSTOMERS WHERE
     CUST_ID IN  
   (SELECT CUST_ID FROM USER_AUTHS
  WHERE USER_ID = USER)
 
This seems much cleaner than appending code to a WHERE clause.
 
Also, the methods of generating the clauses shown in the VPD examples are subject to sql injection.  Bad things would happen if a CUST_ID contained a ' (single quote) character, say.
 
Finally, what about the USER.  In most applications this is just a generic user passed in the connection.  Is there a way to pass/access a fine grained token that represents the real, human user?
 
Thanks,
 
Anthony
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: VPD vs Views
« Reply #1 on: Nov 22nd, 2005, 5:14pm »
Quote | Modify

Hi Anthony,
 
Allow me to express some views (no pun intended!). The reason VPD is better than views is that the protection is at the data level and the where clause is appended by the Oracle kernel in the SQL VM. If you simply have views on base tables then it would still be possible to access the base data in the view and bypass the security that you have set up.
 
I am not sure that you could SQL Inject a predicate in VPD. First you would need permission to craete the predicate in the VPD policy so why bother SQL Injecting, youl would already have permission to access the data. That is not to say that it is not possible!
 
You do not need to use just USER in VPD, you can use all sorts of values to identify the user running the code, the normal practice is to use contexts.  
 
Have a look at the two part paper I wrote on Row Level Security for security focus. There are links on my [url http://www.petefinnigan.com/orasec.htm]Oracle Security white papers page[/url].
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: VPD vs Views
« Reply #2 on: Nov 22nd, 2005, 11:43pm »
Quote | Modify

Hello Pete,
 
Thanks for your reply.  I think that you are saying that VPDs are more secure than Views, but that there is no functionality than can be achieved with VPDs that cannot be achieved with Views.  I was wondering if that was the case.
 
Have there been any known bugs in the Oracle kernal that could be used to subvert the View/Table approach that could not also be used to subert the VPD approach?  I understand that both the table beneath the view approach and the VPD are protected by the same role based security.
 
As to SQL injection, it just feels like asking for trouble to *assume* that the concatenated strings never have funny characters.  That sort of code gets jumped on in application code reviews.  Is there an Oracle provied function that safely quotes funny characters in strings?  (And knows exactly what those characters are?)
 
Thanks,
 
Anthony
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: VPD vs Views
« Reply #3 on: Nov 28th, 2005, 1:21am »
Quote | Modify

Ultimately, they both mechanisms for applying a filter to a query. The main benefit of VPD over Views is that it is easier to combine restrictions.
 
There's been mention on the XE forum about the lack of VPD in XE. I believe it is also not part of Standard Edition. In most cases, I don't see it as a real barrier, since simple applications can use views just as securely. Its only in the more complex organisations where different groups have users have different restrictions (eg one can only see employees in the same departement, another can see all depratments but only employees of a certain grade etc) that VPD is needed.
 
As long as grants are made just on the views and not on the underlying objects, views can be just as secure.
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: VPD vs Views
« Reply #4 on: Dec 4th, 2005, 9:13pm »
Quote | Modify

Hi Gary,
 
I am not convinced that a view based approach is always as secure as VPD. VPD is built into the SQL VM and as such cannot be bypassed as easilly as a view based apprach could be. With VPD the data is protected at source. With views there is a layered approach and it is always more easy to come in at a different layer and get to the data.  
 
But as you point out if you use XE then Views would have to be the way forward.
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: VPD vs Views
« Reply #5 on: Dec 5th, 2005, 1:09am »
Quote | Modify

Thinking more on this (and trying to come up with a more definitive list of the added VPD functionality) :
 
VPD allows protection from users with SELECT ANY TABLE privileges, and even the SCHEMA owner.
With a view, the owner of the underlying table will always be able to see all data in it, as would a user with SELECT ANY TABLE (or a specific grant on the table).  
 
So VPD could allow, for example, an environment where a person can replace a procedure or function but still not see data in the tables in the same schema (or even truncate a table for which they cannot see the data). I think that's something for bigger organisations where 'DBA' responsibilities may be split between different people.
 
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: VPD vs Views
« Reply #6 on: Dec 5th, 2005, 6:12pm »
Quote | Modify

Hi Gary,
 
This is the power of VPD over views. you can limit access to the data even from some DBA's. Of course anyone with EXEMPT ACCESS POLICY system privilege or SYS will bypass VPD but its better than views. I would agree to some extent that its bigger companies that will and do use VPD but anyone affected by regulatory needs could also use it.
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pages: 1  Reply | Notify of replies | Send Topic | Print

« Previous topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board
  • PFCLScan PFCLScan

    Simply connect PFCLScan to your Oracle database and it will automatically discover the security issues that could make your Oracle database vulnerable to attack and to the potential loss of your data.

  • PFCL Obfuscate PFCLObfuscate

    PFCLObfuscate is the only tool available that can automatically add license controls to your PL/SQL code. PFCLObfuscate protects your Intellectual Property invested in your PL/SQL database code.

  • PFCLCode PFCLCode

    PFCLCode is a tool to allow you to analyse your PL/SQL code for many different types of security issues. PFCLCode gives you a detailed review and reports and includes a powerful colour syntax highlighting code editor

  • PFCLForensics PFCLForensics

    PFCLForensics is the only tool available to allow you to do a detailed live response of a breached Oracle database and to then go on and do a detailed forensic analysis of the data gathered.

  • Products We resell PFCLReselling

    PeteFinnigan.com Limited has partnered with a small number of relevant companies to resell their products where they enhance or compliment what we do

  • PFCLATK PFCLATK

    PFCLATK is a toolkit that allows detailed pre-defined policy driven audit trails for your Oracle database. The toolkit also provides for a centralised audit trail and centralised activity reporting

  • PFCLCookie PFCLCookie

    PFCLCookie is a useful tool to use to audit your websites for tracking cookies. Scan websites in a natural way using powerful browser driven scanner

  • PFCL Training PFCLTraining

    PFCLTraining is a set of expert training classes for you, aimed at teaching how to audit your own Oracle database, design audit trails, secure code in PL/SQL and secure and lock down your Oracle database.

  • PFCL Services PFCLServices

    Choose PFCLServices to add PeteFinnigan.com Ltd to your team for your Oracle Security needs. We are experts in performing detailed security audits, data security design work and policy creation

  • PFCLConsulting PFCLConsulting

    Choose PFCLConsulting to ask PeteFinnigan.com Limited to set up and use our products on your behalf

  • PFCLCustom PFCLCustom

    All of our software products can be customised at a number of levels. Choose this to see how our products can be part of your products and services

  • PFCLCloud PFCLCloud

    Private cloud, public cloud, hybrid cloud or no cloud. Learn how all of our services, trainings and products will work in the cloud

  • PFCLUserRights PFCLUserRights

    PFCLUserRights allows you to create a very detailed view of database users rights. The focus of the reports is to allow you to decide what privileges and accounts to keep and which to remove.

  • PFCLSTK PFCLSTK

    PFCLSTK is a toolkit application that allows you to provide database security easily to an existing database. PFCLSTK is a policy driven toolkit of PL/SQL that creates your security

  • PFCLSFTK PFCLSFTK

    PFCLSFTK is a toolkit that solves the problem of securing third party applications written in PL/SQL. It does this by creating a thin layer between the application and database and this traps SQL Injection attempts. This is a static firewall.

  • PFCLSEO PFCLSEO

    PFCLSEO is a web scanner based on the PFCLScan technology so that a user can easily scan a website for technical SEO issues