Complete data erasure

From: asaba.takanori@fujitsu.com
Subject: Complete data erasure
Date:
Msg-id: OSAPR01MB4724059BBE4F0FF3F9DD05BB8C370@OSAPR01MB4724.jpnprd01.prod.outlook.com
Replies: Re: Complete data erasure
Re: Complete data erasure
Re: Complete data erasure
List: pgsql-hackers
Hello hackers,

I want to add a feature to erase data so that it cannot be restored,
because it prevents attackers from stealing data from a released data area.

- Background
International security policies require that measures be taken against the above threat.
It is the "Base Protection Profile for Database Management Systems Version 2.12 (DBMS PP)" [1], based on ISO 15408.
If the security is improved, it will be more likely to be adopted by security-conscious procurers such as public
agencies.

- Feature
This feature erases a data area just before it is returned to the OS ("erase" here means overwriting the data area to hide its
contents),
because there is a risk that the data will be restored by attackers if it is returned to the OS without being
overwritten.
The erase timing is when DROP, VACUUM, TRUNCATE, etc. are executed.
I want users to be able to customize the erasure method for their security policies.

- Implementation
My idea is adding a new parameter erase_command to postgresql.conf.
The command that users set in this parameter is executed just before unlink(path) or ftruncate(fd, 0) is called.
For example, the command is shred on Linux and SDelete on Windows.

When erase_command is set, VACUUM does not truncate a file size to non-zero
because it's safer for users to return the entire file to the OS than to return part of it.
Also, there is no standard tool that overwrites part of a file.
With the above specifications, users can easily and safely use this feature with a standard tool that overwrites the entire
file, like shred.

Hope to hear your feedback and comments.

[1] https://www.commoncriteriaportal.org/files/ppfiles/pp0088V2b_pdf.pdf
P44 8.1.2

- Threat/Policy
A threat agent may use or manage TSF, bypassing the protection mechanisms of the TSF.

- TOE Security Objectives Addressing the Threat/Policy
The TOE will ensure that any information contained in a protected resource within its Scope of Control
is not inappropriately disclosed when the resource is reallocated.

- Rationale
diminishes this threat by ensuring that TSF data and user data is not persistent
when resources are released by one user/process and allocated to another user/process.

TOE: Target of Evaluation
TSF: TOE Security Functionality


Regards

--
Takanori Asaba
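The ordering the proposal describes (overwrite the whole file, flush it, then unlink it, and never let VACUUM truncate to a non-zero size while erasure is enabled) can be shown in a small C program. This is an added illustration, not code from the proposal or from PostgreSQL: `erase_file_contents` is a constructed in-process stand-in for the external erase_command (a single zero pass, where a real shred/SDelete run chooses its own pattern and pass count), `release_file` models the hook "just before unlink(path)", `vacuum_may_truncate` encodes the stated truncation rule, and `demo_release` verifies on a constructed temp file that the secret bytes are gone before the file is released.

```c
/* Added example: erase-before-release ordering, not part of the original mail. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for erase_command: overwrite the whole file with zeros and fsync.
   Returns bytes overwritten, or -1 on error. */
static long erase_file_contents(const char *path)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    char zeros[4096];
    memset(zeros, 0, sizeof zeros);
    off_t remaining = st.st_size;
    while (remaining > 0) {
        size_t chunk = remaining > (off_t)sizeof zeros ? sizeof zeros : (size_t)remaining;
        ssize_t w = write(fd, zeros, chunk);
        if (w <= 0) { close(fd); return -1; }
        remaining -= w;
    }
    if (fsync(fd) < 0) { close(fd); return -1; }  /* reach stable storage before unlink */
    close(fd);
    return (long)st.st_size;
}

/* The proposal's hook: when erasure is configured, overwrite runs before unlink.
   Returns bytes erased (0 when erasure is disabled), or -1 on error. */
static long release_file(const char *path, int erase_enabled)
{
    long erased = 0;
    if (erase_enabled) {
        erased = erase_file_contents(path);
        if (erased < 0) return -1;
    }
    if (unlink(path) < 0) return -1;
    return erased;
}

/* Stated rule: with erase_command set, VACUUM only ever returns the whole file. */
static int vacuum_may_truncate(int erase_enabled, long new_size)
{
    return !erase_enabled || new_size == 0;
}

/* Self-check on a constructed temp file; 0 means the secret was overwritten
   before the file disappeared, any other value identifies the failed step. */
static int demo_release(void)
{
    char path[] = "/tmp/erase_demo_XXXXXX";
    const char secret[] = "account=alice;balance=1000";  /* constructed sample */
    const size_t len = sizeof secret - 1;
    int fd = mkstemp(path);
    if (fd < 0) return 1;
    if (write(fd, secret, len) != (ssize_t)len) { close(fd); unlink(path); return 2; }
    close(fd);

    /* Erase first but keep the file, so the overwrite can be inspected. */
    if (erase_file_contents(path) != (long)len) { unlink(path); return 3; }
    char buf[sizeof secret];
    fd = open(path, O_RDONLY);
    if (fd < 0) return 4;
    ssize_t r = read(fd, buf, len);
    close(fd);
    if (r != (ssize_t)len) { unlink(path); return 5; }
    for (ssize_t i = 0; i < r; i++)
        if (buf[i] != 0) { unlink(path); return 6; }  /* residue survived */

    /* Full path: erase (already zeros) then unlink; file must be gone. */
    if (release_file(path, 1) < 0) return 7;
    if (access(path, F_OK) == 0) return 8;
    return 0;
}

int main(void)
{
    int rc = demo_release();
    if (rc == 0) printf("erase-before-release ok\n");
    else printf("failed at step %d\n", rc);
    return rc;
}
```

The demo reads the file back after the overwrite only to make the check visible; in the proposed design the erase and the unlink happen back to back with no such read. Note that a single zero pass on a journaling or copy-on-write filesystem only hides the logical file contents, which is why the proposal leaves the actual method to the user's chosen command.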
