From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Dave Page <dpage(at)postgresql(dot)org> |
Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-advocacy(at)postgresql(dot)org |
Subject: | Re: Black Hat: New database attack revealed |
Date: | 2007-08-02 12:39:07 |
Message-ID: | 20070802123907.GB18260@svr2.hagander.net |
Lists: | pgsql-advocacy |
On Thu, Aug 02, 2007 at 01:27:22PM +0100, Dave Page wrote:
> Peter Eisentraut wrote:
> > On Thursday, 2 August 2007 13:31, Robert Bernier wrote:
> >> New timing attack doesn't need application bugs to work
> >>
> >> http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?RSS&newsid=4344
> >
> > This is complete BS, as evidenced by this statement:
> >
> > """
> > their attack involves performing record insertion operations, typically
> > available to all database users - including anonymous users of front-end web
> > applications - and analysing the time it takes to perform different kinds of
> > insertions.
> > """
> >
> > In principle, attacks of this kind would be possible, but it's not quite as
> > simple as they make it appear.
> >
>
> That was roughly my thought as well.
>
> In our case, would it even be possible given WAL?
From how I read it, they rely on the time to insert into BTREE indexes (or
to look up unique keys etc.). I don't see how WAL would change that (well,
the values change, but you would still see timing differences in cases
with lots-of-equal-keys-in-the-index or such things).
But I'd say that the simple act of fsyncing after every commit would in
most cases destroy any difference between these key lookups - that random
element coming in from different platter locations would be much higher
than the btree difference in my guess...
//Magnus