| From: | Andrew Sullivan <ajs(at)crankycanuck(dot)ca> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data. |
| Date: | 2015-11-18 21:34:01 |
| Message-ID: | 20151118213401.GZ30327@crankycanuck.ca |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Wed, Nov 18, 2015 at 03:22:44PM -0500, Tom Lane wrote:
> It's quite unclear to me what threat model such a behavior would add
> useful protection against.
If you had some sort of high-security database and deleted some data
from it, it's important for the threat modeller to know whether the
data is gone-as-in-overwritten or gone-as-in-marked-free. This is the
same reason they want to know whether a deleted file is actually just
unlinked on the disk.
This doesn't mean one thing is better than another; just that, if
you're trying to understand what data could possibly be exfiltrated,
you need to know the state of all of it.
For realistic cases, I expect that deleted data is usually more
important than updated data. But a threat modeller needs to
understand all these variables anyway.
A
--
Andrew Sullivan
ajs(at)crankycanuck(dot)ca
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Adrian Klaver | 2015-11-18 21:38:47 | Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data. |
| Previous Message | Adrian Klaver | 2015-11-18 21:04:51 | Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data. |