Penetration Testing mailing list archives
new paper on accessing Oracle SGA directly in C
From: Pete Finnigan <plsql () petefinnigan com>
Date: Tue, 15 Jun 2004 12:32:18 +0100
Hi,

I thought you guys might be interested in this paper. A technique used by some expensive Oracle tuning products is to access the low-level dictionary tables (called x$ tables) directly using C by attaching the shared memory segments and finding the structures in memory where certain statistics are held. These are then sampled hundreds of times per second to build up a profile of the Oracle kernel's behaviour. This has an advantage of not affecting the measurement (well, not as much as using SQL inside the database) and also the sampling rates can be much higher as SQL has its own overhead.

There is very little public information on this technique as the companies that have used it guard it closely. A presentation some time ago by an Oracle tuning and internals expert, Kyle Hailey, started the ball rolling. Now Miladin Modrakovic has written a paper extending Kyle's work and presenting a C program that reads the session waits and then stores them in an Oracle table for later analysis.

What has this got to do with security? Well, this technique is primarily used for tuning but could also be used for snooping. For instance, the Oracle SGA also contains security information on users as well as all the current SQL statements. It could be used for monitoring users' actions, IDS techniques etc. The database blocks that are read into memory could be accessed in the same way. Access to the database in this way is restricted to what is held in shared memory but it could be accessed without leaving any sort of database audit trail. For a hacker to use this technique he would need an OS account that probably has the ability to log in as SYS, so it's probably a more useful technique for monitoring silently or for security tool development.

Anyway, I thought people here might be interested. The paper is in my undocumented Oracle and internals page http://www.petefinnigan.com/other.htm - there is also a link to Kyle's earlier presentation on the same subjects there.

kind regards

Pete
--
Pete Finnigan
email: pete () petefinnigan com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
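
Added example (not part of the original post or of the paper it announces): because a read of the SGA through attached shared memory leaves no database audit trail, the control has to sit at the OS level. This sketch audits System V shared memory segments in the layout of Linux /proc/sysvipc/shm; the sample rows, the uid 54321 and the list of known database PIDs are constructed assumptions.

```python
import os

# Constructed sample using the column names of Linux /proc/sysvipc/shm.
# All values are made up for illustration; perms is octal, as in the real file.
SAMPLE = """\
key shmid perms size cpid lpid nattch uid gid cuid cgid atime dtime ctime rss swap
0 32768 640 4194304 2101 2188 24 54321 54322 54321 54322 0 0 0 0 0
0 32769 644 805306368 2101 9914 25 54321 54322 54321 54322 0 0 0 0 0
0 65538 600 1048576 3300 3300 1 1000 1000 1000 1000 0 0 0 0 0
"""

def parse_shm(text):
    """Return one dict per segment, keyed by the header column names."""
    lines = [l.split() for l in text.splitlines() if l.strip()]
    header, rows = lines[0], lines[1:]
    segs = []
    for row in rows:
        raw = dict(zip(header, row))
        segs.append({k: int(v, 8) if k == "perms" else int(v)
                     for k, v in raw.items()})
    return segs

def audit(segs, db_uid, db_pids):
    """Flag segments owned by db_uid that other OS accounts could attach,
    and segments whose last attach/detach came from an unexpected PID."""
    findings = []
    for s in segs:
        if s["uid"] != db_uid:
            continue  # not a segment of the database software owner
        if s["perms"] & 0o004:
            findings.append((s["shmid"], "world-readable"))
        elif s["perms"] & 0o040:
            findings.append((s["shmid"],
                             "group-readable: review members of gid %d" % s["gid"]))
        if s["lpid"] not in db_pids:
            findings.append((s["shmid"],
                             "last attach/detach by pid %d, not a known "
                             "database process" % s["lpid"]))
    return findings

if __name__ == "__main__":
    path = "/proc/sysvipc/shm"
    text = open(path).read() if os.path.exists(path) else SAMPLE
    # 54321 and the PID set are assumptions; substitute the local values.
    for shmid, msg in audit(parse_shm(text), 54321, {2101, 2188}):
        print(shmid, msg)
```

The lpid column only records the most recent attach or detach, so the check is a spot sample; it needs to run periodically to be useful as monitoring.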