| From: | Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Greg Stark <gsstark(at)mit(dot)edu>, Robert Haas <robertmhaas(at)gmail(dot)com>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, Itagaki Takahiro <itagaki(dot)takahiro(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: leaky views, yet again |
| Date: | 2010-10-05 19:15:39 |
| Message-ID: | 4CAB795B.2010307@enterprisedb.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 05.10.2010 21:48, Tom Lane wrote:
> Heikki Linnakangas<heikki(dot)linnakangas(at)enterprisedb(dot)com> writes:
>> On 05.10.2010 21:08, Greg Stark wrote:
>>> If the users that have select access on the view don't have DDL access
>>> doesn't that make them leak-proof for those users?
>
>> No. You can use built-in functions for leaking data as well.
>
> There's a difference between "can be used to extract data wholesale"
> and "can be used to probe for the existence of a specific value".
Define wholesale. I'm also not too worried about probing attacks, where
you can ask "does this value exist?", but there are plenty of built-in
fúnctions that can regurgitate the argument verbatim in an error
message. Using that, you can build a script to fetch the value for every
row in the table, one row at a time. It's orders of magnitude slower
than "SELECT * FROM table", but orders of magnitude faster than probing
for every possible value for every row.
> We might need to start using more specific terminology than "leak".
Yeah. There are many different categories of leakage:
1. Wholesale retrieval of all rows. For example, a custom function that
emits the argument with a NOTICE, used in a WHERE clause.
2. Retrieval of a given value in an arbitrary attacker-chosen row. Using
a function like text to integer cast that emits the argument in an ERROR
falls into this category. You can access any value in the table, but
only one at a time because ERROR causes a rollback.
3. Retrieval of some values, not attacker-chosen. For example,
statistics might leak the top 100 values.
4. Probing attacks. Let's you check if a row with given value exists.
5. Leakage of statistical information. Lets you know roughly how many
rows there are in a table, for example.
There's some fuzziness in those too, you might be able to probe for
values in an indexed column but not others, for example. Or you might be
able to retrieve all values in one column, or all values in another
column, but not put them together to form the original rows in the table.
IMHO we don't need to protect against 5. Probing attacks can be nasty,
but it's next to impossible to protect from them completely. And for
many applications, probing attacks are a non-issue. For example, imagine
table of usernames and passwords, with a view that lets you see your own
password. Probing for other people's passwords would be useless, you
might as well try to log in with the guessed password directly.
Retrieval of some non-attacker chosen rows, like from statistics, would
be nice to avoid where feasible, but I won't lose my sleep over it. I do
think we need to protect against 1 and 2.
--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Kevin Grittner | 2010-10-05 19:24:45 | Re: leaky views, yet again |
| Previous Message | Josh Berkus | 2010-10-05 19:11:20 | Issues with Quorum Commit |