Re: Black Hat: New database attack revealed
| От | Magnus Hagander |
|---|---|
| Тема | Re: Black Hat: New database attack revealed |
| Дата | |
| Msg-id | 20070802123907.GB18260@svr2.hagander.net обсуждение исходный текст |
| Ответ на | Re: Black Hat: New database attack revealed (Dave Page <dpage@postgresql.org>) |
| Ответы |
Re: Black Hat: New database attack revealed
|
| Список | pgsql-advocacy |
On Thu, Aug 02, 2007 at 01:27:22PM +0100, Dave Page wrote: > Peter Eisentraut wrote: > > Am Donnerstag, 2. August 2007 13:31 schrieb Robert Bernier: > >> New timing attack doesn't need application bugs to work > >> > >> http://www.computerworlduk.com/management/security/cybercrime/news/index.cf > >> m?RSS&newsid=4344 > > > > This is complete BS, as evidenced by this statement: > > > > """ > > their attack involves performing record insertion operations, typically > > available to all database users - including anonymous users of front-end web > > applications - and analysing the time it takes to perform different kinds of > > insertions. > > """ > > > > In principle, attacks of this kind would be possible, but it's not quite as > > simple as they make it appear. > > > > That was roughly my thought as well. > > In our case, would it even be possible given WAL? From how I read it they rely on the time to insert into BTREE indexes (or to lookup for unique keys etc). I don't see how WAL would change that (well the values changes, but you would still see timing differences in cases with lots-of-equal-keys-in-the-index or such things) But I'd say that the simple act of fsyncing after every commit would in most cases destroy any difference between these key lookups - that random element coming in from different platter locations would be much higher than the btree difference in my guess... //Magnus
В списке pgsql-advocacy по дате отправления: