Skip site navigation (1) Skip section navigation (2)

Re: Updates of SE-PostgreSQL 8.4devel patches

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Updates of SE-PostgreSQL 8.4devel patches
Date: 2008-09-27 03:05:49
Message-ID: 200809270305.m8R35nZ21469@momjian.us (view raw or flat)
Thread:
Lists: pgsql-hackers
Tom Lane wrote:
> Bruce Momjian <bruce(at)momjian(dot)us> writes:
> > I am confused how knowing that a sequence number used for a primary key
> > exists or doesn't exist is leaking _meaningful_ information.  People
> > might know the sequence number exists, but how is that information
> > useful.  Now, if natural keys are used, that is a different story.
> 
> Right.  It might be that securing a database requires not just some
> security mechanisms but also some database design rules (like "don't
> allow foreign keys except on synthetic IDs").  But it seems to me that
> we are just flailing around in the dark because we don't have that
> bigger picture of how the features would actually get used.
> 
> The literature pointers that Andrew just gave us seem promising to me.
> Who's going to go searching for some useful info?

I found this paper from 1996:

	http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.33.5950

Full PDF at link in right column.  The interesting chapters are chapter
3, that talks about "ENTITY AND REFERENTIAL INTEGRITY IN MLS DATABASES"
and chapter 4, "COVERT CHANNELS".  It mentions "polyinstantiation":

	These security considerations have led to the notion of
	polyinstantiation [Denning 87]. Polyinstantiation forces a relation to
	contain multiple tuples with the same primary key but distinguishable by
	their classification levels or by the non-primary key attributes of the
	relation [Lunt 91].

which I think we want to avoid.  It also talks about cases where the
primary and foreign key rows have identical or different security
settings.  It talks about "COVERT CHANNELS", which is information
leaking.

And it mentions TCSEC (Trusted Computer System Evaluation Criteria):

	http://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria

which I think is the proper term for the security target we are trying
to address, or at least one of the targets.

-- 
  Bruce Momjian  <bruce(at)momjian(dot)us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +

In response to

Responses

pgsql-hackers by date

Next:From: KaiGai KoheiDate: 2008-09-27 03:18:45
Subject: Re: Updates of SE-PostgreSQL 8.4devel patches
Previous:From: Andrew SullivanDate: 2008-09-27 02:50:22
Subject: Re: Updates of SE-PostgreSQL 8.4devel patches

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group