2013/8/29 Josh Berkus <j...@agliodbs.com>: > Kaigai, > >> Although I didn't touch this task by myself, my senior colleague said that we >> calculated some possible bandwidth of leakage as an evident when we ship >> supercomputer system with MAC feature for customer who worry about security. >> I'm not sure how to measure it. However, if we assume a human can run up to >> 5 query per seconds, he needs 2-3 seconds to identify a particular integer >> value >> less than 10000, it means bandwidth of this covert channel is less than 5bps. >> I'm not sure whether enterprise-grade dbms has to care about these amount >> of covert channel. > > Why are you assuming a human needs to do it? Given the explain vector, > I could write a rather simple python or perl script which would find > values by EXPLAIN leakage, at 1000 explain plans per minute. > > It's one thing to day "we can't solve this covert channel issue right > now in this patch", but saying "we don't plan to solve it at all" is > likely to doom the patch. > > I'm not sure what the solution would be, exactly. Deny permission for > EXPLAIN on certain tables? > > Surely someone in the security community has discussed this? > Security community considers covert channel is a hard to solve problem; nearly impossible to eliminate. Let's see the summary in wikipedia: http://en.wikipedia.org/wiki/Covert_channel
It does not require countermeasure of covert channels in middle or entry class security evaluation; that is usually required for enterprise grade, even though it is required for the product being designed for military grade. The reason why its priority is relatively lower, is that degree of threats with information leakage via covert channel has limited bandwidth in comparison to main channel. I also follow this standpoint; that is enough reasonable between functionality and its strictness under limited resources. Even if we could close a certain channel, we never can all other channels, like a signal by namespace contention on table creation as covert channel. Also, I don't know major commercial dbms handles these scenario well. Of course, it should be described in the document for users not to apply these security features onto the region that overs our capability. Thanks, -- KaiGai Kohei <kai...@kaigai.gr.jp> -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
