From: | "Day, David" <dday(at)redcom(dot)com> |
---|---|
To: | Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>, "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data. |
Date: | 2015-11-18 20:57:58 |
Message-ID: | 401084E5E73F4241A44F3C9E6FD79428011E3448F9@exch-01 |
Lists: | pgsql-general |
-----Original Message-----
From: Adrian Klaver [mailto:adrian(dot)klaver(at)aklaver(dot)com]
Sent: Wednesday, November 18, 2015 3:47 PM
To: Day, David; pgsql-general(at)postgresql(dot)org
Subject: Re: [GENERAL] postgres zeroization of dead tuples ? i.e scrubbing dead tuples with sensitive data.
On 11/18/2015 11:45 AM, Day, David wrote:
> Hi,
>
> One of my co-workers came out of a NIST cyber-security type meeting
> today and asked me to delve into postgres and zeroization.
>
> I am casually aware of mvcc issues and vacuuming
>
> I believe the concern, based on my current understanding of postgres
> inner workings, is that when a dead tuple is reclaimed by vacuuming:
> Is that reclaimed space initialized in some fashion that would
> shred any sensitive data that was formerly there to any inspection by
> the subsequent owner of that disk page ? ( zeroization )
Got to thinking, are you talking about a physical machine or a VM/container on shared hosting? If the latter then it is a more generic problem of detritus left behind between creations of virtual instances or cross talk on shared storage.
>
> Not sure that is the exact question to ask but hopefully you get a
> feel for the requirement is not to leave any sensitive data laying
> about for
>
> recovery by a hacker, or at least minimize the places it could be
> obtained without actually being able to log into postgres or having
> raw disk access privileges.
>
> Thanks for any comments/instruction/links on the matter.
>
> Regards
>
> Dave Day
>
--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
In some instances this would be a VM instance on a hosted machine, in other cases an actual physical machine.
Thank you all for the feedback.
All good points. I am not sure what the manner of attack/hack is until I get some further feedback out of the meeting participants. I suspect it would be to the blocks pages released by postgres following a vacuum full.
How you determine what those pages blocks were, I am not sure, but suspect there is probably a way.
When I get some more detail on the standard and exact requirement I will repost with that info.
Again thanks
Dave Day