Re: Obfuscated stored procedures (was Re: Oracle and Postgresql)

From: Casey Allen Shobe <cshobe(at)bepress(dot)com>
To: Christophe <xof(at)thebuild(dot)com>
Cc: Postgres General List <pgsql-general(at)postgresql(dot)org>
Subject: Re: Obfuscated stored procedures (was Re: Oracle and Postgresql)
Date: 2008-09-25 23:38:18
Message-ID: 537BF1D1-FA98-4F7A-A9D6-182F76D60030@bepress.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general pgsql-www

On Sep 25, 2008, at 1:16 PM, Christophe wrote:
> Without getting into the argument as to the level of security
> provided, it strikes me that a reasonable approach would be a non-
> core pluggable language which accepts encrypted strings as
> functions, decrypts them (using a key compiled into the language
> module), and passes them on to PL/pgSQL for execution.

The only way this could work is if the key is set at compile time.
Using a single key is impossible in an open source product as Greg
pointed out, and very stupid in any other. Now I'll ignore the fact
that you can reverse engineer the key out of compiled code, as you
already acknowledged that - this is still problematic for another
reason.

Let's consider the original goal of "I want to keep customers, with
full control of the server machine, from being able to see clearly
what a function does". In cases where you just want to keep database
users from seeing a function code, the implementation should be easy,
and that's the only form I see any value in adding, really.

You could add encryption properly by storing the key in an external
file with very restrictive permissions, and that would solve the goal
of "I don't want people to be able to read function code in pg_dump
output", etc., so it takes things a step farther. But of course on
customer-controlled boxes, they can read any file they want, defeating
the encryption.

So you think "ah I'll just compile it in by requiring ./configure --
key=whatever to compile the thing. Well, now you suddenly have to
build every release of PostgreSQL for every single one of those
customers - they cannot upgrade or rebuild themselves, without losing
all the encrypted functions. Maybe that's something you can accept,
but I would say that most people who want to hide code from customers
want nothing to do with setting up the database for the customer. In
cases where you fully dictate the PostgreSQL build and upgrade policy
and mandate it for your clients, this could work, but I'm guessing
that's a pretty esoteric corner case.

Cheers,
--
Casey Allen Shobe
Database Architect, The Berkeley Electronic Press

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Tom Lane 2008-09-26 00:15:33 Re: Out of memory on SELECT (from sort?) in 8.3
Previous Message Jeff Amiel 2008-09-25 22:18:42 Re: The planner hates me.

Browse pgsql-www by date

  From Date Subject
Next Message Bruce Momjian 2008-09-26 00:30:51 Please remove user
Previous Message Greg Smith 2008-09-25 22:08:37 Re: Obfuscated stored procedures (was Re: Oracle and Postgresql)