Re: Security Question

From: Pete Finnigan <pete_at_petefinnigan.com>
Date: Fri, 06 Feb 2009 09:22:51 +0000
Message-ID: <498C016B.100_at_petefinnigan.com>



Hi Christopher,

Thanks for your email. Yes, you are right of course. I actually didn't mean to suggest that block dumps were possible with alter session but added the word block because of brain fade. I started to write the post before I took my son to school, came back, wrote a little more, mobile rang, went to a meeting and then finished it. It's a mess..:-(. I was really trying to convey two messages that are still valid. 1) that there is always more than one way to the data and 2) trace (instrumentation) can leave data outside the database where it is no longer secured.

Alex also picked up the same issue.

I have edited the post and replied to Alex's comment. The post is http://www.petefinnigan.com/weblog/archives/00001232.htm#comments

Thanks for keeping me honest

kind regards

Pete

Newman, Christopher wrote:
> Pete Finnigan recently (yesterday) wrote a blog entry regarding
> instrumentation and security
> (http://www.petefinnigan.com/weblog/entries/index.html) . In one
> section it states "...Imagine that most users have the ALTER SESSION
> system privilege and therefore they can dump data blocks; imagine that
> we have secure some data in the table using VPD; this same method allows
> bypass of VPD."
>
> It was my understanding that ALTER SYSTEM was needed to dump blocks,
> *not* ALTER SESSION. Can anyone clarify?
>
> Thanks - Chris
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

-- 

Pete Finnigan
Director
PeteFinnigan.com Limited

Specialists in database security.

If you need help to audit or secure an Oracle database, please ask for
details of our courses and consulting services

Phone: +44 (0)1904 791188
Fax  : +44 (0)1904 791188
Mob  : +44 (0)7742 114223
email: pete_at_petefinnigan.com
site : http://www.petefinnigan.com

Registered Office: 9 Beech Grove, Acomb, York, YO26 5LD, United Kingdom
Company No       : 4664901
VAT No.          : 940 6681 14

Please note that this email communication is intended only for the
addressee and may contain confidential or privileged information. The
contents of this email may be circulated internally within your
organisation only and may not be communicated to third parties without
the prior written permission of PeteFinnigan.com Limited.  This email is
not intended nor should it be taken to create any legal relations,
contractual or otherwise.

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Feb 06 2009 - 03:22:51 CST
