From: Pete Finnigan (plsql@petefinnigan.com)
Date: Tue Jun 15 2004 - 07:32:18 EDT
Hi,
I thought you guys might be interested in this paper. A technique used
by some expensive Oracle tuning products is to access the low level
dictionary tables (called x$ tables) directly using C by attaching the
shared memory segments and finding the structures in memory where
certain statistics are held. These are then sampled hundreds of times
per second to build up a profile of the Oracle kernels behaviour. This
has an advantage of not affecting the measurement (well not as much as
using SQL inside the database) and also the sampling rates can be much
higher as SQL has its own overhead.
There is very little public information on this technique as the
companies that have used it guard it closely. A presentation some time
ago by an Oracle Tuning and internals expert Kyle Hailey started the
ball rolling. Now Miladin Modrakovic has written a paper extending Kyles
work and presenting a C program that reads the session waits and then
stores them in an Oracle table for later analysis.
What has this got to do with security? - well this technique is
primarily used for tuning but could also be used for snooping. For
instance the Oracle SGA also contains security information on users as
well as all the current SQL statements. It could be used for monitoring
users actions, IDS techniques etc. The database blocks that are read
into memory could be accessed in the same way. Access to the database in
this way is restricted to what is held in shared memory but it could be
accessed without leaving any sort of database audit trail. For a hacker
to use this technique he would need an OS account that probably has the
ability to log in as SYS so its probably a more useful technique for
monitoring silently or for security tool development.
Anyway I thought people here might be interested.
The paper is in my undocumented Oracle and internals page
http://www.petefinnigan.com/other.htm - there is also a link to Kyles
earlier presentation on the same subjects there.
kind regards
Pete
-- Pete Finnigan email:pete@petefinnigan.com Web site: http://www.petefinnigan.com - Oracle security audit specialists Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:56 EDT