Re: leaky views, yet again
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Robert Haas <robertmhaas@gmail.com>
Cc: KaiGai Kohei <kaigai@kaigai.gr.jp>, KaiGai Kohei <kaigai@ak.jp.nec.com>, Itagaki Takahiro <itagaki.takahiro@gmail.com>, Heikki Linnakangas <heikki.linnakangas@enterprisedb.com>, pgsql-hackers@postgresql.org
Date: 2010-10-05T18:46:02Z
Lists: pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes: > ... I agree it's hopeless to > prevent all side-channel leaks, but I'd describe the goal like this: > Prevent access to the actual tuple contents of the hidden rows. > Failing to solve this problem at the database level doesn't remove the > business requirement. I've solved this problem in the past by > ensuring that only trusted users have access to the database, and > forcing everyone else to go through an application that restricts the > set of queries they can issue. That doesn't eliminate the > side-channel leak, though: they can still pull out a stopwatch and > attempt to infer the size of the table from the query execution time. I think you were missing the point of my comment about performance. If the goal is "prevent users from inferring whether value X is present in the table", I believe this patch cannot fix it because it's possible (in some cases) to infer that from performance measurements, ie how long does it take to execute a query that mentions X versus one that mentions Y. I agree that it's unlikely to be practical to extract values that you don't already have a clue about, but broad claims like "prevent all access" are untenable. I believe that we might be able to solve your case of ensuring that a user can't trivially extract the entire table contents, but I don't believe we can solve Kevin's version of the problem, which is whether a stalker can verify the address of a victim that he's not supposed to be able to see. So we need a pretty clear description of exactly what it is we're going to be able to prevent and why such a facility is worth the mess (and future security bugs) it's going to result in. BTW, I thought Kevin's example view was mighty interesting, because it applies the security check in a totally different way than what we've all been implicitly assuming. Ie, instead of select * from underlying_table where security_check(); he did select security_wrapper(underlying_col) from underlying_table; Offhand these approaches seem to have quite different properties. regards, tom lane