Re: leaky views, yet again
Kouhei Kaigai <kaigai@ak.jp.nec.com>
From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: Heikki Linnakangas <heikki.linnakangas@enterprisedb.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Greg Stark <gsstark@mit.edu>, Robert Haas <robertmhaas@gmail.com>, KaiGai Kohei <kaigai@kaigai.gr.jp>, Itagaki Takahiro <itagaki.takahiro@gmail.com>, pgsql-hackers@postgresql.org
Date: 2010-10-06T00:53:43Z
Lists: pgsql-hackers
(2010/10/06 4:15), Heikki Linnakangas wrote: > On 05.10.2010 21:48, Tom Lane wrote: >> Heikki Linnakangas<heikki.linnakangas@enterprisedb.com> writes: >>> On 05.10.2010 21:08, Greg Stark wrote: >>>> If the users that have select access on the view don't have DDL access >>>> doesn't that make them leak-proof for those users? >> >>> No. You can use built-in functions for leaking data as well. >> >> There's a difference between "can be used to extract data wholesale" >> and "can be used to probe for the existence of a specific value". > > Define wholesale. I'm also not too worried about probing attacks, where you can ask "does this value exist?", but there are plenty of built-in fúnctions that can regurgitate the argument verbatim in an error message. Using that, you can build a script to > fetch the value for every row in the table, one row at a time. It's orders of magnitude slower than "SELECT * FROM table", but orders of magnitude faster than probing for every possible value for every row. > > > We might need to start using more specific terminology than "leak". > > Yeah. There are many different categories of leakage: > > 1. Wholesale retrieval of all rows. For example, a custom function that > emits the argument with a NOTICE, used in a WHERE clause. It contains a custom function with side-effect; such as INSERT the supplied arguments into private tables. > 2. Retrieval of a given value in an arbitrary attacker-chosen row. Using > a function like text to integer cast that emits the argument in an ERROR > falls into this category. You can access any value in the table, but only > one at a time because ERROR causes a rollback. > > 3. Retrieval of some values, not attacker-chosen. For example, statistics > might leak the top 100 values. > > 4. Probing attacks. Let's you check if a row with given value exists. > > 5. Leakage of statistical information. Lets you know roughly how many rows > there are in a table, for example. > > There's some fuzziness in those too, you might be able to probe for values > in an indexed column but not others, for example. Or you might be able to > retrieve all values in one column, or all values in another column, but not > put them together to form the original rows in the table. > > IMHO we don't need to protect against 5. Probing attacks can be nasty, but > it's next to impossible to protect from them completely. And for many > applications, probing attacks are a non-issue. For example, imagine table > of usernames and passwords, with a view that lets you see your own password. > Probing for other people's passwords would be useless, you might as well > try to log in with the guessed password directly. > > Retrieval of some non-attacker chosen rows, like from statistics, would be > nice to avoid where feasible, but I won't lose my sleep over it. I do think > we need to protect against 1 and 2. > I also agree with this attitude. The case 1 and 2 have differences from others. It allows to expose hidden values, then people may be able to see these values without any inference. So, their through-put is relatively faster than others. It means degree of threat is also higher. If we try to tacker to the matter 1 and 2, suggestions from Itagaki-san are still available, because this patch was designed to prevent people to see hidden data without inferences. Thanks, -- KaiGai Kohei <kaigai@ak.jp.nec.com>