Skip site navigation (1) Skip section navigation (2)

Re: function body actors (was: viewing source code)

From: "Pavel Stehule" <pavel(dot)stehule(at)gmail(dot)com>
To: "Merlin Moncure" <mmoncure(at)gmail(dot)com>
Cc: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "Alvaro Herrera" <alvherre(at)commandprompt(dot)com>, "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, "Trevor Talbot" <quension(at)gmail(dot)com>, "Roberts, Jon" <Jon(dot)Roberts(at)asurion(dot)com>, "Kris Jurka" <books(at)ejurka(dot)com>, "Jonah H(dot) Harris" <jonah(dot)harris(at)gmail(dot)com>, "Bill Moran" <wmoran(at)collaborativefusion(dot)com>, "pgsql performance" <pgsql-performance(at)postgresql(dot)org>, "Pgsql Hackers" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: function body actors (was: viewing source code)
Date: 2007-12-21 14:39:53
Message-ID: 162867790712210639v44a5e4f6y4640f20fbc02126d@mail.gmail.com (view raw or flat)
Thread:
Lists: pgsql-hackerspgsql-performance
On 21/12/2007, Merlin Moncure <mmoncure(at)gmail(dot)com> wrote:
> On Dec 21, 2007 3:18 AM, Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> wrote:
> > I have similar patch and it works. There is two isues:
> >
> > * we missing column in pg_proc about state (not all procedures are
> > obfuscated), I solved it for plpgsl with using probin.
>
> I was hoping to avoid making any catalog or other changes to support
> encryption specifically.  Maybe your patch stands on its own
> merits...I missed the original discussion.  Do you think the code you
> wrote can be adapted to do other things besides encryption?
>

I don't know. It was fast hack that just works. It hat to do
obfuscation, and it do it well.

> > * decrypt is expensive on language handler level. Every session have
> > to do it again and again, better decrypt in system cache or somewhere
> > there.
>
> Doesn't bother me in the least...and caching unencrypted data is
> scary.  Also, aes256 is pretty fast for what it gives you and function
> bodies are normally short.  The real issue as I see it is where to
> keep the key.  How did you handle that?
>
> merlin
>

Simply. I use for password some random plpgsql message text and
compile it. I though  about GUC, and about storing password in
postgresql.conf. It's equal to protection level. We cannot protect
code on 100%. If you have admin or superuser account and if you know
some internal, you can simply get code.

http://blog.pgsql.cz/index.php?/archives/10-Obfuscator-PLpgSQL-procedur.html#extended

sorry for czech desc

Pavel

In response to

Responses

pgsql-performance by date

Next:From: Merlin MoncureDate: 2007-12-21 14:45:59
Subject: Re: viewing source code
Previous:From: Bruce MomjianDate: 2007-12-21 14:34:53
Subject: Re: viewing source code

pgsql-hackers by date

Next:From: Brian HurtDate: 2007-12-21 14:50:05
Subject: Re: Sorting Improvements for 8.4
Previous:From: Bruce MomjianDate: 2007-12-21 14:29:04
Subject: Re: pgindent issue with EXEC_BACKEND-only typedefs

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group