Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data. - Mailing list pgsql-general

From Day, David
Subject Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.
Date
Msg-id 401084E5E73F4241A44F3C9E6FD79428011E344A44@exch-01
Whole thread Raw
In response to Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.  (Adrian Klaver <adrian.klaver@aklaver.com>)
Responses Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.
List pgsql-general

-----Original Message-----
From: Adrian Klaver [mailto:adrian.klaver@aklaver.com]
Sent: Wednesday, November 18, 2015 4:05 PM
To: Day, David; pgsql-general@postgresql.org
Subject: Re: [GENERAL] postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.

On 11/18/2015 12:57 PM, Day, David wrote:
>
> -----Original Message-----
> From: Adrian Klaver [mailto:adrian.klaver@aklaver.com]
> Sent: Wednesday, November 18, 2015 3:47 PM
> To: Day, David; pgsql-general@postgresql.org
> Subject: Re: [GENERAL] postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.
>
> On 11/18/2015 11:45 AM, Day, David wrote:
>> Hi,
>>
>> One of my co-workers came out of a NIST cyber-security type meeting
>> today and asked me to delve into postgres and zeroization.
>>
>> I am casually aware of mvcc issues and vacuuming
>>
>> I believe the   concern,  based on my current understanding  of postgres
>> inner workings,  is  that when a dead tuple is reclaimed by vacuuming:
>>    Is that reclaimed space initialized in some fashion that would
>> shred any sensitive data that was formerly there to any  inspection
>> by the subsequent owner of  that disk page ? ( zeroization )
>
> Got to thinking, are you talking about a physical machine or a VM/container on shared hosting? If the latter then it
isa more generic problem of detritus left behind between creations of virtual instances or cross talk on shared
storage.
>
>>
>> Not sure that is the exact question to ask but hopefully you get a
>> feel for the requirement is  not to  leave any sensitive data laying
>> about for
>>
>> recovery by a hacker,  or at least minimize the places it could be
>> obtained without actually being able to log into postgres or having
>> raw disk access privileges.
>>
>> Thanks for any comments/instruction/links on the matter.
>>
>> Regards
>>
>> Dave Day
>>
>
>
> --
> Adrian Klaver
> adrian.klaver@aklaver.com
>
> In some instances this would be a vm instance on a hosted machine in other cases a actual physical machine.
>
> Thank you all for the feedback.
>
>
> All good points.  I am not sure what the manner of attack/hack is until I get some further feedback out of the
meetingparticipants.  I suspect it would be to the blocks pages released by postgres following a vacuum full. 
> How you determine what those pages blocks were I am not sure but suspect there is probably a way.
> When I get some more detail on the standard and exact requirement I will repost with that info.

Yes, a detailed problem description would be helpful.

>
>
> Again thanks
>
>
>
> Dave Day
>
>
>
>


--
Adrian Klaver
adrian.klaver@aklaver.com

Good Day,

The specification that was under discussion was "collaborative Protection Profile for Network Devices"
https://www.niap-ccevs.org/pp/cpp_nd_v1.0.pdf   Section 5.4.1.3 FCS_CKM.4 Crypotographic Key Destruction.


The interpreted concern with respect to postgress includes  its released non-volatile and volatile memory.

In the non-volatile case I believe this would amount to the vacuum -full scenario as commented on by David Johnston and
MelvinDavidson.  I have not looked at Tom Lanes source reference bufpage.c to see if that could be customized in the
shortterm to sanitize the page being returned. 

In the volatile memory case it would seem to include any memory used by postgres that might have included sensitive
dataand is at some point freed and therefore available in the general pool for allocation  and subject to  inspection
bythe next user. 
Perhaps there is a common routine in the source that could perform such a job ?

We are still digesting the specification and may find allowances given other security measures.

Appreciate everyone's feedback.  This is perhaps a matter that can feed into future OS ( FreeBSD ) and/or Postgress
development.


Regards


Dave Day










pgsql-general by date:

Previous
From: Marc Mamin
Date:
Subject: Fetching from psql procedures
Next
From: Adrian Klaver
Date:
Subject: Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.