Oracle database 'redaction feature' easily un-redacted, claims researcher

No fancy exploit code required, just a good working knowledge of SQL, claims David Litchfield at Defcon 22

Software and systems giant Oracle has been left red-faced by a demo at the Defcon 22 conference in Las Vegas, Nevada that subverted the company's "redaction feature" in its Database 12c without even requiring any exploit code.

Indeed, the presenter, David Litchfield, claimed that it only required a few lines of SQL code to un-redact database material that had been obscured for security reasons. The aim of the feature is to hide sensitive data from staff who do not need to see it, for example showing only part of a 16-digit credit card number rather than the full value.

"The Oracle data redaction service is a new feature introduced with Oracle 12c. It allows sensitive data, such as personally identifiable information, to be redacted or masked to prevent it being exposed to attackers. On paper this sounds like a great idea but in practice, Oracle's implementation is vulnerable to multiple attacks that allow an attacker to trivially bypass the masking and launch privilege escalation attacks," claimed Litchfield.

He had earlier shown how Oracle's data redaction features were "broken" in a short research paper that included the SQL required to bypass the redaction. He recommended a number of changes to improve its security:

"Oracle data redaction could be strengthened firstly by fixing the DML RETURNING INTO and XMLQUERY() bypasses and also by allowing a policy to determine whether a redacted column can be referenced in a WHERE clause.

"This would prevent the iterative inference attack. A further improvement by Oracle would be to not allow a user to create policies on tables in another schema unless that user is SYS or SYSTEM or has the appropriate ANY privilege. In the interim, only grant the execute privilege to DBMS_REDACT to those users that require it, and once the redaction policies have been put in place revoke their execute privileges. As it stands, Oracle data redaction is a pretty cool feature but cannot be relied on to protect data."
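The interim advice above, applied as an added example (not Litchfield's or Oracle's own code): a partial redaction policy is created on a credit card column, the EXECUTE privilege on DBMS_REDACT is then revoked from the role that was used to set it up, and two queries verify who can still create policies and which policies exist. The schema HR, table CUSTOMERS, column CARD_NO and role APP_ADMIN_ROLE are assumed names.

```sql
-- Assumed objects: HR.CUSTOMERS(CARD_NO VARCHAR2(19)) and role APP_ADMIN_ROLE.
-- Run as SYS (or a user holding the required privileges) in Oracle 12c.

-- 1. Grant EXECUTE on DBMS_REDACT only for as long as policies are being set up.
GRANT EXECUTE ON SYS.DBMS_REDACT TO APP_ADMIN_ROLE;

-- 2. Create the redaction policy: keep the last four digits of a 16-digit
--    card number, mask the first twelve with '*' (Oracle's documented
--    character-format syntax: input format, output format, mask char, start, end).
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR',
    object_name         => 'CUSTOMERS',
    column_name         => 'CARD_NO',
    policy_name         => 'redact_card_no',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,*,1,12',
    expression          => '1=1'   -- apply to every session that is not exempt
  );
END;
/

-- 3. Once the policies are in place, revoke EXECUTE again as recommended.
REVOKE EXECUTE ON SYS.DBMS_REDACT FROM APP_ADMIN_ROLE;

-- 4. Verify: who still holds EXECUTE on DBMS_REDACT? Expect only SYS/SYSTEM
--    and any grantee you deliberately kept.
SELECT grantee, grantor, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'DBMS_REDACT'
 ORDER BY grantee;

-- 5. Verify: which redaction policies exist, and on whose tables? Policies on
--    another schema's tables created by a non-SYS user are worth reviewing.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies
 ORDER BY object_owner, object_name;
```

The two verification queries are the ongoing check: the grant in step 1 should not survive past step 3, and any policy that appears in step 5 under an unexpected owner should be investigated.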

Litchfield normally files the findings of his research with the vendors to enable them to fix problems before he goes public with them. In this case, however, he published the Oracle redaction flaws first, out of frustration at the speed with which Oracle dealt with the issue and at the company's overall approach to security, which he believes is flawed.