Re: Security Question
Date: Fri, 06 Feb 2009 09:22:51 +0000
Message-ID: <498C016B.100_at_petefinnigan.com>
Hi Christopher,
Thanks for your email. Yes you are right of course. I actually didnt mean to suggest that block dumps were possible with alter session but added the word block because of brain fade. I started to write the post before I took my son to school, came back wrote a little more, mobile rang, went to a meeting and then finsihed it. Its a mess..:-(. I was really trying to convey two messages that are still valid. 1) that there is always more than one way to the data and 2) trace (instrumentation) can leave data outside the database where it is no longer secured.
Alex also picked up the same issue.
I have edited the post and replied to Alex's comment. The post is http://www.petefinnigan.com/weblog/archives/00001232.htm#comments
Thanks for keeping me honest
kind regards
Pete
Newman, Christopher wrote:
> Pete Finnigan recently (yesterday) wrote a blog entry regarding
> instrumentation and security
> (http://www.petefinnigan.com/weblog/entries/index.html) . In one
> section it states "...Imagine that most users have the ALTER SESSION
> system privilege and therefore they can dump data blocks; imagine that
> we have secure some data in the table using VPD; this same method allows
> bypass of VPD."
>
> It was my understanding that ALTER SYSTEM was needed to dump blocks,
> *not* ALTER SESSION. Can anyone clarify?
>
> Thanks - Chris
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>
-- Pete Finnigan Director PeteFinnigan.com Limited Specialists in database security. If you need help to audit or secure an Oracle database, please ask for details of our courses and consulting services Phone: +44 (0)1904 791188 Fax : +44 (0)1904 791188 Mob : +44 (0)7742 114223 email: pete_at_petefinnigan.com site : http://www.petefinnigan.com Registered Office: 9 Beech Grove, Acomb, York, YO26 5LD, United Kingdom Company No : 4664901 VAT No. : 940 6681 14 Please note that this email communication is intended only for the addressee and may contain confidential or privileged information. The contents of this email may be circulated internally within your organisation only and may not be communicated to third parties without the prior written permission of PeteFinnigan.com Limited. This email is not intended nor should it be taken to create any legal relations, contractual or otherwise. -- http://www.freelists.org/webpage/oracle-lReceived on Fri Feb 06 2009 - 03:22:51 CST