Hello hackers,

I want to add a feature to erase data so that it cannot be restored,
because it prevents attackers from stealing data from a released data area.

- Background
International security policies require that measures are taken against the
above threat. One such policy is the "Base Protection Profile for Database
Management Systems Version 2.12 (DBMS PP)" [1], which is based on ISO 15408.
If the security is improved, PostgreSQL will be more likely to be adopted by
security-conscious procurers such as public agencies.

- Feature
This feature erases the data area just before it is returned to the OS
("erase" here means overwriting the data area to hide its contents),
because there is a risk that attackers will restore the data if it is
returned to the OS without being overwritten.
The erase timing is when DROP, VACUUM, TRUNCATE, etc. are executed.
I want users to be able to customize the erasure method to fit their security
policies.

- Implementation
My idea is to add a new parameter, erase_command, to postgresql.conf.
The command that users set in this parameter is executed just before
unlink(path) or ftruncate(fd, 0) is called.
For example, the command could be shred on Linux or SDelete on Windows.

When erase_command is set, VACUUM does not truncate a file to a non-zero size,
because it is safer for users to return the entire file to the OS than to
return part of it.
Also, there is no standard tool that overwrites only part of a file.
With the above specification, users can easily and safely use this feature
with a standard tool that overwrites an entire file, such as shred.
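As an added example (not part of this proposal or of PostgreSQL's own code), the C program below shows the erase-then-release rule described above: the whole file is overwritten in place and fsynced before unlink(path) or ftruncate(fd, 0), and a partial truncation is refused while erasure is enabled, matching the VACUUM rule. The two-pass byte pattern, the file names and the sample content are constructed for the demonstration; in the proposal the overwrite would be delegated to the external erase_command (e.g. shred) rather than done in-process.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Overwrite every byte of the open file with `pattern`, then fsync so the
 * overwrite reaches stable storage before any block is released. */
static int overwrite_whole_file(int fd, unsigned char pattern)
{
    struct stat st;
    unsigned char buf[4096];
    off_t remaining;

    if (fstat(fd, &st) != 0 || lseek(fd, 0, SEEK_SET) < 0)
        return -1;
    memset(buf, pattern, sizeof buf);
    for (remaining = st.st_size; remaining > 0; ) {
        size_t chunk = remaining < (off_t) sizeof buf ? (size_t) remaining : sizeof buf;
        ssize_t n = write(fd, buf, chunk);
        if (n < 0) {
            if (errno == EINTR)
                continue;           /* interrupted write: retry the chunk */
            return -1;
        }
        remaining -= n;
    }
    return fsync(fd);
}

/* unlink(path) case (DROP, TRUNCATE): erase first, then release the file.
 * Two passes (0x00 then 0xFF) are a constructed example policy. */
int erase_then_unlink(const char *path)
{
    int fd = open(path, O_WRONLY);
    int rc;

    if (fd < 0)
        return -1;
    rc = overwrite_whole_file(fd, 0x00);
    if (rc == 0)
        rc = overwrite_whole_file(fd, 0xFF);
    if (close(fd) != 0 || rc != 0)
        return -1;
    return unlink(path);
}

/* ftruncate(fd, 0) case (VACUUM): with erasure enabled only truncation to
 * zero is allowed; a partial truncation is refused with EINVAL because only
 * a whole file can be overwritten with standard tools. */
int erase_then_truncate(const char *path, off_t new_size)
{
    int fd, rc;

    if (new_size != 0) {
        errno = EINVAL;
        return -1;
    }
    if ((fd = open(path, O_WRONLY)) < 0)
        return -1;
    rc = overwrite_whole_file(fd, 0x00);
    if (rc == 0)
        rc = ftruncate(fd, 0);
    if (rc == 0)
        rc = fsync(fd);
    return close(fd) != 0 ? -1 : rc;
}

/* Demo helper: write constructed "sensitive" content to a file. */
static int write_sample(const char *path)
{
    const char data[] = "constructed sample row: user=alice balance=1000\n";
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    ssize_t n;

    if (fd < 0)
        return -1;
    n = write(fd, data, sizeof data - 1);
    return (close(fd) == 0 && n == (ssize_t) (sizeof data - 1)) ? 0 : -1;
}

/* Exercises both release paths on files in the working directory. Returns 1
 * when the unlink path removed its file, the partial truncation was refused,
 * and the full truncation left a zero-length file; 0 otherwise. */
int run_erase_demo(void)
{
    const char *drop_path = "erase_demo_drop.tmp";
    const char *vacuum_path = "erase_demo_vacuum.tmp";
    struct stat st;
    int ok = 1;

    if (write_sample(drop_path) != 0 || write_sample(vacuum_path) != 0)
        return 0;
    if (erase_then_unlink(drop_path) != 0 || access(drop_path, F_OK) == 0)
        ok = 0;
    if (erase_then_truncate(vacuum_path, 100) == 0 || errno != EINVAL)
        ok = 0;
    if (erase_then_truncate(vacuum_path, 0) != 0)
        ok = 0;
    if (stat(vacuum_path, &st) != 0 || st.st_size != 0)
        ok = 0;
    unlink(vacuum_path);
    return ok;
}

int main(void)
{
    printf("erase demo %s\n", run_erase_demo() ? "ok" : "failed");
    return 0;
}
```

Overwriting in place only protects the released blocks when the filesystem actually rewrites the same blocks; copy-on-write filesystems, data journaling and SSD wear levelling can leave the old contents elsewhere, which is one reason to let the erasure method be chosen per deployment, as the erase_command parameter does, instead of hard-coding one in the server.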

Hope to hear your feedback and comments.

[1] https://www.commoncriteriaportal.org/files/ppfiles/pp0088V2b_pdf.pdf
p. 44, section 8.1.2

- Threat/Policy
A threat agent may use or manage TSF, bypassing the protection mechanisms of 
the TSF.

- TOE Security Objectives Addressing the Threat/Policy 
The TOE will ensure that any information contained in a protected resource 
within its Scope of Control 
is not inappropriately disclosed when the resource is reallocated.

- Rationale
diminishes this threat by ensuring that TSF data and user data is not persistent
when resources are released by one user/process and allocated to another 
user/process.

TOE: Target of Evaluation
TSF: TOE Security Functionality


Regards

--
Takanori Asaba


