Re: leaky views, yet again

(2010/10/06 4:15), Heikki Linnakangas wrote:
> On 05.10.2010 21:48, Tom Lane wrote:
>> Heikki Linnakangas<heikki(dot)linnakangas(at)enterprisedb(dot)com> writes:
>>> On 05.10.2010 21:08, Greg Stark wrote:
>>>> If the users that have select access on the view don't have DDL access
>>>> doesn't that make them leak-proof for those users?
>>
>>> No. You can use built-in functions for leaking data as well.
>>
>> There's a difference between "can be used to extract data wholesale"
>> and "can be used to probe for the existence of a specific value".
>
> Define wholesale. I'm also not too worried about probing attacks, where you can ask "does this value exist?", but there are plenty of built-in fúnctions that can regurgitate the argument verbatim in an error message. Using that, you can build a script to
> fetch the value for every row in the table, one row at a time. It's orders of magnitude slower than "SELECT * FROM table", but orders of magnitude faster than probing for every possible value for every row.
>
> > We might need to start using more specific terminology than "leak".
>
> Yeah. There are many different categories of leakage:
>
> 1. Wholesale retrieval of all rows. For example, a custom function that
> emits the argument with a NOTICE, used in a WHERE clause.

It contains a custom function with side-effect; such as INSERT the supplied
arguments into private tables.

> 2. Retrieval of a given value in an arbitrary attacker-chosen row. Using
> a function like text to integer cast that emits the argument in an ERROR
> falls into this category. You can access any value in the table, but only
> one at a time because ERROR causes a rollback.
>
> 3. Retrieval of some values, not attacker-chosen. For example, statistics
> might leak the top 100 values.
>
> 4. Probing attacks. Let's you check if a row with given value exists.
>
> 5. Leakage of statistical information. Lets you know roughly how many rows
> there are in a table, for example.
>
> There's some fuzziness in those too, you might be able to probe for values
> in an indexed column but not others, for example. Or you might be able to
> retrieve all values in one column, or all values in another column, but not
> put them together to form the original rows in the table.
>
> IMHO we don't need to protect against 5. Probing attacks can be nasty, but
> it's next to impossible to protect from them completely. And for many
> applications, probing attacks are a non-issue. For example, imagine table
> of usernames and passwords, with a view that lets you see your own password.
> Probing for other people's passwords would be useless, you might as well
> try to log in with the guessed password directly.
>
> Retrieval of some non-attacker chosen rows, like from statistics, would be
> nice to avoid where feasible, but I won't lose my sleep over it. I do think
> we need to protect against 1 and 2.
>
I also agree with this attitude.
The case 1 and 2 have differences from others. It allows to expose hidden
values, then people may be able to see these values without any inference.
So, their through-put is relatively faster than others. It means degree of
threat is also higher.

If we try to tacker to the matter 1 and 2, suggestions from Itagaki-san
are still available, because this patch was designed to prevent people
to see hidden data without inferences.

Thanks,
--
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>