Re: can we mark upper/lower/textlike functions leakproof?

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Joe Conway <mail(at)joeconway(dot)com>, Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, David Rowley <dgrowleyml(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: can we mark upper/lower/textlike functions leakproof?
Date: 2024-08-02 16:22:41
Message-ID: CA+TgmoZR7ynSpLMyKeN5PQtL93RvvkNzFsKPE7WpH4Cnfes7tw@mail.gmail.com
Lists: pgsql-hackers

On Fri, Aug 2, 2024 at 11:07 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Joe Conway <mail(at)joeconway(dot)com> writes:
> > <dons flameproof suit>
> > Hmmm, and then have "leakproof_mode" = strict/lax/off where 'strict' is
> > current behavior, 'lax' allows the 'maybe's to get pushed down, and
> > 'off' ignores the leakproof attribute entirely and pushes down anything
> > that merits being pushed?
> > </dons flameproof suit>
>
> So in other words, we might as well just remove RLS.

<stage-whisper>Hey, everybody, I don't think Tom likes the
proposal.</stage-whisper>

I'll be honest: I don't like it, either. I don't even like
proleakproof=true/false/maybe; I asked about that to understand if
that was what Jacob was proposing, not because I actually think we
should do it. The problem is that there's likely to be a fairly wide
range contained inside of "maybe", with cases like "upper" at the
safer end of the spectrum. That's too fuzzy to use as a basis for any
sort of real security, IMHO; we won't be able to find two hackers who
agree on how anything should be marked.

I think part of our problem here is that we have very few examples of
how to actually analyze a function for leakproof-ness, or how to
exploit one that is erroneously so marked. The conversations then tend
to degenerate into some people saying things are scary and some people
saying the scariness is overrated and then the whole thing just
becomes untethered from reality. Maybe we need to create some really
robust documentation in this area so that we can move toward a common
conceptual framework, instead of everybody just having a lot of
opinions.

I can't shake the feeling that if PostgreSQL got the same level of
attention from security researchers that Linux or OpenSSL do, this
would be a very different conversation. The fact that we have more
people complaining about RLS causing poor query performance than we do
about RLS leaking information is probably a sign that it's being used
to provide more security theatre than actual security. Even the leaks
we intended to have are pretty significant, and I'm sure that we have
some we didn't intend.

--
Robert Haas
EDB: http://www.enterprisedb.com
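As an added illustration that is not part of this message or the thread, the following SQL shows what "pushed down" means for RLS in concrete terms: the planner consults `proleakproof` in `pg_proc`, and only a predicate built from leakproof functions may run before the policy qual (and so drive an index). The role `app_user`, the `accounts` table and its rows are constructed here for the demo; the first query reports whatever the server you run it on currently says about `upper`, `lower`, `textlike` and `texteq`.

```sql
-- Added example, not from the thread: a self-contained demo of how the
-- leakproof flag decides whether a user predicate can be evaluated ahead of
-- an RLS policy. Role, table and data are constructed for the demo.
CREATE ROLE app_user;

-- What the planner actually consults: the proleakproof flag in pg_proc.
SELECT proname, proleakproof
FROM pg_proc
WHERE proname IN ('upper', 'lower', 'textlike', 'texteq')
ORDER BY proname;

CREATE TABLE accounts (
    id    serial PRIMARY KEY,
    owner text NOT NULL,
    email text NOT NULL
);
-- Constructed rows: half owned by app_user, half by someone else.
INSERT INTO accounts (owner, email)
SELECT CASE WHEN g % 2 = 0 THEN 'app_user' ELSE 'other' END,
       'user' || g || '@example.com'
FROM generate_series(1, 20000) AS g;
CREATE INDEX accounts_email_idx       ON accounts (email);
CREATE INDEX accounts_email_upper_idx ON accounts (upper(email));
ANALYZE accounts;

ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
CREATE POLICY owner_only ON accounts USING (owner = current_user::text);
GRANT SELECT ON accounts TO app_user;

SET ROLE app_user;

-- texteq (the = operator on text) is marked leakproof, so this predicate may
-- be evaluated before the policy qual and can use accounts_email_idx.
EXPLAIN (COSTS OFF)
SELECT * FROM accounts WHERE email = 'user42@example.com';

-- If upper() is not leakproof on this server, the planner must apply the
-- policy qual first: the expression index cannot serve as an index
-- condition, and the table is scanned with the policy filter applied before
-- upper() ever sees a row. That ordering is the performance cost of RLS that
-- the thread is weighing against the information-leak risk.
EXPLAIN (COSTS OFF)
SELECT * FROM accounts WHERE upper(email) = 'USER42@EXAMPLE.COM';

RESET ROLE;
```

Compare the two plans: the difference between an index scan and a sequential scan with the policy filter applied first is exactly what marking a function leakproof buys, and the leak being debated is whatever that function could reveal (through errors, timing or side effects) about rows the policy would otherwise have hidden.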
