Complete data erasure

From: "asaba(dot)takanori(at)fujitsu(dot)com" <asaba(dot)takanori(at)fujitsu(dot)com>
To: "'pgsql-hackers(at)postgresql(dot)org'" <pgsql-hackers(at)postgresql(dot)org>
Subject: Complete data erasure
Date: 2020-01-15 01:31:44
Message-ID: OSAPR01MB4724059BBE4F0FF3F9DD05BB8C370@OSAPR01MB4724.jpnprd01.prod.outlook.com
Lists: pgsql-hackers

Hello hackers,

I want to add a feature to erase data so that it cannot be restored,
because it prevents attackers from stealing data from a released data area.

- Background
International security policies require that measures be taken against the above threat.
One of them is the "Base Protection Profile for Database Management Systems Version 2.12 (DBMS PP)" [1], based on ISO 15408.
If the security is improved, it will be more likely to be adopted by security-conscious procurers such as public agencies.

- Feature
This feature erases a data area just before it is returned to the OS ("erase" here means overwriting the data area to hide its contents),
because there is a risk that the data will be restored by attackers if it is returned to the OS without being overwritten.
The erase timing is when DROP, VACUUM, TRUNCATE, etc. are executed.
I want users to be able to customize the erasure method for their security policies.

- Implementation
My idea is adding a new parameter erase_command to postgresql.conf.
The command that users set in this parameter is executed just before unlink(path) or ftruncate(fd, 0) is called.
For example, the command is shred on Linux and SDelete on Windows.

When erase_command is set, VACUUM does not truncate a file to a non-zero size,
because it's safer for users to return the entire file to the OS than to return part of it.
Also, there is no standard tool that overwrites part of a file.
With the above specifications, users can easily and safely use this feature with a standard tool that overwrites an entire file, like shred.

Hope to hear your feedback and comments.

[1] https://www.commoncriteriaportal.org/files/ppfiles/pp0088V2b_pdf.pdf
p. 44, section 8.1.2

- Threat/Policy
A threat agent may use or manage TSF, bypassing the protection mechanisms of the TSF.

- TOE Security Objectives Addressing the Threat/Policy
The TOE will ensure that any information contained in a protected resource within its Scope of Control
is not inappropriately disclosed when the resource is reallocated.

- Rationale
diminishes this threat by ensuring that TSF data and user data is not persistent
when resources are released by one user/process and allocated to another user/process.

TOE: Target of Evaluation
TSF: TOE Security Functionality

Regards

--
Takanori Asaba
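The erase_command hook sketched in the message above, modelled as an added example (it is not PostgreSQL code and not from this thread). The placeholder syntax (%p for the file path, as archive_command uses) and the fail-closed handling of a non-zero exit status are assumptions; in the constructed demo, `true` and `false` stand in for the erase tool.

```python
"""Added model of the proposed erase_command hook; not PostgreSQL's own code."""
import os
import shlex
import subprocess
import tempfile


def expand_erase_command(template: str, path: str) -> str:
    # Placeholder syntax is an assumption borrowed from archive_command:
    # %p expands to the shell-quoted file path, %% to a literal percent sign.
    return template.replace("%%", "\0").replace("%p", shlex.quote(path)).replace("\0", "%")


def release_file(path: str, erase_command=None, keep_bytes=None) -> str:
    """Return a file's blocks to the OS the way the proposal describes.

    keep_bytes=None models unlink(path) (DROP/TRUNCATE); an integer models
    VACUUM's ftruncate(fd, keep_bytes). With erase_command set, a partial
    truncation is widened to a full release (shred-like tools overwrite whole
    files only), the command runs first, and a non-zero exit aborts the
    release so no unerased block is handed back (fail closed; assumed policy).
    """
    if erase_command:
        if keep_bytes is not None:
            keep_bytes = 0
        proc = subprocess.run(expand_erase_command(erase_command, path), shell=True)
        if proc.returncode != 0:
            raise RuntimeError(f"erase_command exited {proc.returncode}; {path} kept")
    if keep_bytes is None:
        os.unlink(path)
        return "unlinked"
    os.truncate(path, keep_bytes)  # note: an in-place overwrite only reaches the old
    return f"truncated:{keep_bytes}"  # blocks on filesystems that do not copy-on-write


def demo() -> dict:
    """Constructed scenario: an 8 KiB relation-file stand-in in a temp directory."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "16384")  # constructed relfilenode-style name
    with open(path, "wb") as f:
        f.write(b"\x55" * 8192)
    r = {}
    try:  # 'false' stands in for an erase tool that fails: nothing must be released
        release_file(path, "false %p", keep_bytes=4096)
        r["fail_closed"] = False
    except RuntimeError:
        r["fail_closed"] = os.path.getsize(path) == 8192
    r["widened"] = release_file(path, "true %p", keep_bytes=4096)  # 'true' = tool succeeded
    r["size_after"] = os.path.getsize(path)
    with open(path, "wb") as f:
        f.write(b"\x55" * 8192)
    r["plain_vacuum"] = release_file(path, None, keep_bytes=4096)  # no erase_command set
    r["plain_drop"] = release_file(path, None)
    r["gone"] = not os.path.exists(path)
    os.rmdir(d)
    return r
```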
