Re: Proposal of SE-PostgreSQL patches (for CommitFest:Sep)

KaiGai Kohei wrote:
> Tom Lane wrote:
> > Josh Berkus <josh(at)agliodbs(dot)com> writes:
> >> Multilevel frameworks have concepts of data hiding and data substitution
> >> based on labels. That is, if a user doesn't have permissions on data,
> >> he's not merely supposed to be denied access to it, he's not even supposed
> >> to know that the data exists. In extreme cases (think military / CIA use)
> >> data at a lower security level should be substitited for the higher
> >> security level data which the user isn't allowed. Silently.
> >
> > Yeah, that's what I keep hearing that the spooks think they want.
> > I can't imagine how it would play nice with SQL-standard integrity
> > constraints. Data that apparently violates a foreign-key constraint,
> > for example, would give someone a pretty good clue that there's
> > something there he's not being allowed to see.
>
> Please note that SE-PostgreSQL does not adopt following technology
> because of its complexity. When user tries to update a PK refered by
> invisible FK, it generate an error. Thus, it is theoretically possible
> to estimate the invisible PKs by attacks with repeating.

I assume if you use only non-natural keys (use sequence numbers, not
codes like PHL or USA), there is no problem in finding the missing keys
by repeated testing.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +