views:

184

answers:

6

I have an application server which connects to a database server. I would like to be able to supply users with installers and, with a moderate degree of comfort, trust that the database schema is secure.

I understand that there are some risks that I will just have to accept with not controlling the computer on which it installed - a determined person with the right tools and knowledge could look directly at memory and pull out information.

Initially I thought my area of focus would simply be on adding the credentials to the installer without them being trivially viewed in a hex editor.

However, as I began to research, I learned that for PostGreSQL, even if I install the database silently and don't provide the credentials to the user -- they can simply change a text-based configuration file (pg_hba.conf), and restart the server, enabling full access to the database without credentials.

Is this scenario secured in other DBMS? How do most commercial products protect their schemas in this scenario? Would most products use embedded databases?


Edit: I assume (perhaps wrongly so) that some products rely on databases that the user never actually touches directly. And I of course never see them because they have designed it in such a way that the user does not need to - probably using an embedded database.

+6  A: 

As far as I remember, there are no commercial products that "protect" their schemas. What do you want the schema to be protected against?

Consider the following points:

  • After all, the only person who can protect anything in a RDBMS is the database server administrator. And you want the schema to be protected against this person?

  • If I was a costumer and I had my data inside your schema, I would not only like, but expect, to be able to see and consume it directly.

  • Do you really need to protect your relational design? Is it really that interesting? Have you invented something worth hiding? I really don't think so. And I apologize in advance if you have.


EDIT: Additional comment:

I don't care about most database internals for the products I use. That's another reason I think most of them don't take any action to protect them. Most of them are not that interesting.

On one side, I strongly believe that users should not need to know or to care about the internals of the database. But at the same level, as a developer, I don't think it is worth trying to protect them. Hiding them from the user, yes. Protect them against direct access, in most cases, no. And not because I think it is wrong to protect your schema. It is because I think it is a very hard thing to do, and it is not worth your time as a developer.

But at the end, as with any security related topic, the only right answer is about what are the risks involved vs the costs of implementing the security measure.

Current database engines, embedded or server-style, are not designed to easily hide the schema of the database, and therefore, the development cost of doing it is much greater than the risk involved, for most people.

But your case might be different.

Sergio Acosta
I appreciate hearing from you that you don't recall any products that protect their schemas. But yes, I believe that there it is possible to have innovation in data structure and that would be an additional measure of protection. Are there no products whose underlying databases you never touch?
pc1oad1etter
Yes, there are. In fact, I don't care about most database internals for the products I use. That another reason I think most of them don't take any action to protect them. Most of them are not that interesting.
Sergio Acosta
I wouldn't go so far as to say that there's no such thing as an innovative schema, but I don't think it's an exaggeration to say that maybe 99+% of schemas are uninteresting. Well-designed... sure, but real innovation doesn't show up at the level of the database schema.
Bob Aman
A: 

How do most commercial products protect their schemas in this scenario?

I don't believe most commercial products do anything to protect their schemas.

recursive
+1  A: 

Most commerical products do not protect their schemas. They fall into one of two camps:

Either they are making use of an enterprise class database for a key component of the product (such as a payroll system), in which case there is no attempt made to hide the schema/data. In most of these cases the customer needs control over the database anyway - to configure how the database is backed up, to be able to make a clustered environment, etc.

The other case is if your "database" is nothing but a small settings or storage file for a desktop application (ex. the history and bookmark databases in FireFox). In that case you should just use an embedded database (like SQLite, same as FireFox) and add a streaming encryption layer (there is an official version of this called SEE), or just use the embedded database and forget about the encryption layer, since the user will need to have to install their own database tools to read the file in the first place.

David
Thanks for the observations. My needs fall in the first category and I do see that there are some common needs for database control from the user. With that said, I am still interested in a strategy for securing the schema from a user.
pc1oad1etter
+1  A: 

What problem are you trying to solve? Nothing can stop the DBA* from doing whatever he wants to standard databases, and as others have pointed out it's actively hostile to interfere with site-specific needs like backups and database upgrades. At most you can encrypt the contents of your database, but even then you have to provide a decryption key for your application to actually run and a motivated and hostile DBA can probably subvert it.

The military and intelligence communities undoubtably have databases where even the schema is highly classified, but I don't know if they're protected by technical means or just large men with guns.

(*) DBA or system administrator able to modify files like pg_hba.conf.

bgiles
Learning that pg_hba.conf can override any permissions in the database is what prompted me to ask the question here - to see if any other DBMS offers at least some level of security to protect the schema from a DBA. I want to protect the schema.
pc1oad1etter
A: 

How an embedded DBMS can stop someone to tinker with its storage (files in this non-embedded hardware context) when such person has physical access to the machine where this DBMS is running? Security through obscurity is a risky proposition.

MaD70
A: 

This idea will suffer from the same problems as DRM. You can't prevent access by the determined, and you will only cause general pain and suffering for your customers. Just don't do it.

SQLite wraps its entire database format into a single file, and you could conceivably encrypt and decrypt it in-place. The flaw, of course, is that users need the key to use the database now, and the only way that can happen is if you give it to them, perhaps by hard-coding it in at compile-time (security by obscurity) or a phone-home scheme (whole host of reasons why this one's a bad idea). Plus now they'll hate you because you've thwarted any attempt at a useful backup system and they get terrible performance to boot.

Besides, nobody actually cares about schemas. Hate to break it to you, but schema design isn't a hard problem, and certainly never a legitimate competitive advantage (outside of maybe a few specific areas like knowledge representation and data warehousing). Schemas are generally not worth protecting in the first place.

If it's really that important to you, do a hosted application instead.

Bob Aman