
Establishing Independent Audit Mechanisms for Database Management Systems

Alexander Rasin, James Wagner, Karen Heart (School of Computing, DePaul University, Chicago, IL, USA)
Jonathan Grier (Grier Forensics, Pikesville, MD, USA)

Abstract—The pervasive use of databases for the storage of critical and sensitive information in many organizations has led to an increase in the rate at which databases are exploited in computer crimes. While there are several techniques and tools available for database forensic analysis, such tools usually assume an a priori database preparation, such as relying on tamper-detection software to already be in place and the use of detailed logging. Further, such tools are built-in and thus can be compromised or corrupted along with the database itself. In practice, investigators need forensic and security audit tools that work on poorly-configured systems and make no assumptions about the extent of damage or malicious hacking in a database. In this paper, we present our database forensics methods, which are capable of examining database content from a storage (disk or RAM) image without using any log or file system metadata. We describe how these methods can be used to detect security breaches in an untrusted environment where the security threat arose from a privileged user (or someone who has obtained such privileges). Finally, we argue that a comprehensive and independent audit framework is necessary in order to detect and counteract threats in an environment where the security breach originates from an administrator (either at database or operating system level).

Index Terms—database forensics, security audit, evidence gathering

I. INTRODUCTION

Cyber-crime (e.g., data exfiltration or computer fraud) is a significant concern in today's society. A well-known fact from security research and practice is that unbreakable security measures are virtually impossible to create. For example, 1) incomplete access control restrictions allow users to execute commands beyond their intended roles, and 2) users may illegally obtain privileges by exploiting security holes in a Database Management System (DBMS), OS code or through other means (e.g., social engineering). Thus, in addition to deploying preventive security measures (e.g., access control), it is necessary to 1) detect security breaches in a timely fashion, and 2) collect evidence about attacks to devise counter-measures and assess the extent of the damage (e.g., what data was leaked or perturbed). Such measures are most vital when the user is operating from a position of elevated privilege, which may enable them to suspend security components, alter audit logs or raw data while avoiding detection. The resulting forensic evidence can also provide preparation for legal action or help prevent future attacks.

DBMSes are targeted by criminals because they serve as repositories of data. Therefore, investigators must have the capacity to examine the contents of a DBMS. Currently, an audit log with SQL query history is a critical (and perhaps only) source of evidence for investigators [4] when a malicious operation is suspected. In field conditions, a DBMS may not provide the necessary logging granularity (unavailable or disabled). Moreover, the storage itself might be corrupt or contain multiple DBMSes.

The field of Digital Forensics strives to provide tools for independent analysis with minimal assumptions about the environment. A particularly important and well-recognized technique is file carving [9], which extracts files (e.g., PDF or DOC, but not DBMS files) from a disk image, including deleted or corrupted files. Traditional file carving techniques rely on the presence of file headers to detect and interpret individual files. DBMS files, on the other hand, do not maintain a file header and are never independent (e.g., table contents are stored separate from table name and logical structure information). Even if DBMS files could be carved, they cannot be meaningfully imported into a different DBMS and must be parsed to retrieve their content. To accomplish that task, DBMSes need their own set of digital forensics rules and tools.

Even in an environment with ideal log settings, a DBMS cannot necessarily guarantee log accuracy or immunity from tampering. For example, log tampering is a concern when a breach originated from a privileged user such as an administrator (DBA or an attacker who obtained DBA privileges). Tamper-proof logging mechanisms were proposed in related work [7], [10], but these only prevent logs from atypical modifications and do not account for attacks that skirt logging (e.g., logging was disabled). Interestingly, even privileged users have little control of how the low level (internal) DBMS storage behaves – therefore, an analysis of forensic artifacts provides a unique approach to identify tampering in a compromised environment.

The rest of the paper is organized as follows: Section II further motivates the pronounced need for developing standalone audit tools that can independently verify DBMS behavior. Section III provides an overview of our prior work on database forensic and storage analysis. Finally, Section IV presents two attack vector categories and countermeasures we developed, and further argues for the need for a more organized and comprehensive approach to combat malicious behavior within a DBMS.

II. THE NEED FOR INDEPENDENT DATABASE AUDIT TOOLS

The effort to ensure cybersecurity has increased substantially over the years – and a great deal of attention has been directed towards network defense, intrusion detection systems, and malware counteraction. Surprisingly, far less attention has been paid to detecting and preventing security vulnerabilities and forensic analysis mechanisms in database systems that actually store the data being guarded. One of the reasons for such discrepancy is that DBMSes provide extensive support for their own built-in access control and security audit tools. In order to deliver desirable features such as the ability to recover from failure, data integrity validation, and a common language (SQL), DBMSes take over all aspects of data storage and management within the OS. However, for the many features they provide, DBMSes ultimately operate as a black-box and, by design, do not provide insight as to the current state of the data and potential breaches or current activity.

The important question is, therefore, what happens when the DBMS itself is compromised? When a built-in security component is disabled, or when data is accessed or altered without a trace in audit logs, the DBMS is incapable of detecting or reporting such an attack. In every other context, when dealing with a significant amount of valuable or sensitive data, tools and well-defined systematic approaches for performing an external audit are already required. Nonetheless, systematic and generalized (i.e., open source tools, even for closed-source databases) auditing and forensic DBMS tools are yet to be developed.

We have developed a generalized approach (currently supported across row-store relational DBMSes) to database forensic analysis [14]–[16], and several applications to security breach detection [12], [13] for both DBA and SysAdmin attack threats. Our current focus is on transitioning this research into tools that can be used by forensic and security analysts, and in developing a comprehensive audit framework for DBMSes by combining our prior work, detecting other types of security breaches and malicious access, and developing anti- and anti-anti-forensics techniques for DBMSes.

III. DATABASE FORENSICS

Unlike traditional files (e.g., PDF), DBMS files do not contain headers that allow for file identification. Instead, DBMS data is both accessed and cached in page units. All row-store DBMSes use fixed-size pages to store user data, auxiliary data (e.g., indexes and materialized views), and the system catalog. Pages maintain a consistent structure, whereas individual record structure varies throughout DBMS storage, which is why we approach database forensics at the page level. In this section, we briefly describe page carving including our implementation (DBCarver), planned future work to answer forensic questions from DBCarver output, and anti-forensics techniques that can sanitize and hide data in DBMS storage.

A. Page Carving

Database page carving is a method we previously introduced for the reconstruction of relational DBMSes without relying on the file system or the DBMS itself. Page carving is similar to traditional file carving [9] in that data, including deleted data, can be reconstructed from images or RAM snapshots without the use of a live system. Forensic tools, such as Sleuth Kit [1] and EnCase Forensic [2], are commonly used by investigators to reconstruct file system data but are incapable of parsing DBMS files. None of the third party recovery tools (e.g., [5], [8]) are helpful for independent audit purposes because (at best) they only recover "active" data from current tables. A database forensic tool (just like a forensic file system tool) should also reconstruct unallocated pieces of data including deleted …

…eralized pointer deconstruction and pointer-record mapping algorithms in [13].

[Fig. 1 (image): three DBMS pages, each showing Row Meta Data beside Raw Data for Row1 (Customer1, Joe), Row2 (Customer2, Jane) and Row3 (Customer3, Jim), with Row2 marked as deleted. Caption: Fig. 1. Deleted row examples: 1-MySQL/Oracle, 2-PostgreSQL and 3-SQLite]

Figure 1 visualizes an example of deleted records for several DBMSes. In all three pages, Row2-(Customer2, Jane) is deleted while Row1-(Customer1, Joe) and Row3-(Customer3, Jim) are active. Page#1 shows a case when the row delimiter is marked, such as in MySQL or Oracle.
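The page-level carving and deleted-row recovery that Section III describes, as an added example that is not code from the paper or from DBCarver: it defines a constructed toy page layout (fixed-size pages with a row directory and a per-row delete flag, standing in for the DBMS-specific layouts of Fig. 1), carves every structurally valid page out of a raw image without any file metadata, recovers active and deleted rows, and then goes one step beyond the excerpt by reconciling the carved deletions against a constructed audit log to flag deletions that skirted logging. The page format, image, and log are all assumptions made here for illustration.

```python
from collections import namedtuple

PAGE_SIZE = 64   # row-store DBMSes use fixed-size pages; 64 bytes keeps the toy image small
MAGIC = b"PG"    # constructed page signature for this toy layout (not a real DBMS format)
Row = namedtuple("Row", "page_offset slot deleted values")  # page_offset: byte offset in image

def build_page(rows, deleted_slots=()):
    # Constructed layout: MAGIC | row count | per-row (offset, length, flags) | raw row data.
    # Deleting a row only sets flag bit 0 in its metadata; the raw bytes stay behind.
    header_len = 3 + 3 * len(rows)
    directory, body = b"", b""
    for slot, values in enumerate(rows):
        raw = ",".join(values).encode()
        directory += bytes([header_len + len(body), len(raw), 1 if slot in deleted_slots else 0])
        body += raw
    return (MAGIC + bytes([len(rows)]) + directory + body).ljust(PAGE_SIZE, b"\x00")

def plausible_page(page):
    # Structural check: every directory entry must point inside the page, past the header.
    n = page[2]
    return 0 < n and 3 + 3 * n <= PAGE_SIZE and all(
        3 + 3 * n <= page[i] and page[i] + page[i + 1] <= PAGE_SIZE for i in range(3, 3 + 3 * n, 3))

def carve_rows(image):
    # Scan every byte offset: pages are recognised by structure, not by a file header, so
    # junk, slack and overwritten regions are skipped and deleted rows come back as well.
    rows, pos = [], 0
    while pos + PAGE_SIZE <= len(image):
        page = image[pos:pos + PAGE_SIZE]
        if page[:2] == MAGIC and plausible_page(page):
            for slot in range(page[2]):
                off, length, flag = page[3 + 3 * slot:6 + 3 * slot]
                values = tuple(page[off:off + length].decode().split(","))
                rows.append(Row(pos, slot, bool(flag & 1), values))
            pos += PAGE_SIZE
        else:
            pos += 1
    return rows

def unlogged_deletions(rows, audit_log):
    # Deleted rows that storage still holds but the audit log never recorded.
    logged = {values for op, values in audit_log if op == "DELETE"}
    return [r for r in rows if r.deleted and r.values not in logged]

# Constructed image: leading junk, then two pages; Customer2 and Customer4 were deleted.
IMAGE = (b"\x00junk"
         + build_page([("Customer1", "Joe"), ("Customer2", "Jane"), ("Customer3", "Jim")], {1})
         + build_page([("Customer4", "Ann"), ("Customer5", "Bob")], {0}))
# Constructed audit log: Customer4's DELETE was logged, Customer2's was not (logging disabled).
AUDIT_LOG = [("DELETE", ("Customer4", "Ann"))]
```

Running `carve_rows(IMAGE)` recovers all five rows, two of them flagged deleted, and `unlogged_deletions` singles out Customer2 as a deletion the log never saw.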