Re: [v9.4] row level security

On Thu, Aug 29, 2013 at 10:05:14AM -0400, Tom Lane wrote:
> Alexander Korotkov <aekorotkov(at)gmail(dot)com> writes:
> > On Wed, Aug 28, 2013 at 4:17 PM, Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> wrote:
> >> It is out of scope for this feature. We usually calls this type
> >> of information leakage "covert channel"; that is not avoidable in
> >> principle.
>
> > I think there is another "covert channel" much more serious than
> > constrains. You can gather information about hidden data by
> > reading query plans.
>
> I'm not convinced by this argument that covert channels are "out of
> scope". That would be a fine justification for, say, a thesis
> topic. However, what we're talking about here is a real-world
> feature that will be of no real-world use if it can't stand up
> against rather obvious attack techniques. I'm not interested in
> carrying the maintenance and runtime overhead of a feature that's
> only of academic value.

Looking at the real-world perspective, what covert channels do our
competitors in the space currently claim to do anything about?

This would represent the bar we need to clear at least as far as
documenting what we do (do the access constraint before anything else,
e.g.) or why we don't do things (disabling EXPLAIN, e.g.).

Cheers,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
Skype: davidfetter XMPP: david(dot)fetter(at)gmail(dot)com
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate