Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sZFPI-00HJ5N-1e for pgsql-hackers@arkaria.postgresql.org; Wed, 31 Jul 2024 19:54:44 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1sZFPF-00Cs70-NT for pgsql-hackers@arkaria.postgresql.org; Wed, 31 Jul 2024 19:54:41 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1sZFPF-00Cs6q-A2 for pgsql-hackers@lists.postgresql.org; Wed, 31 Jul 2024 19:54:41 +0000 Received: from mail-qk1-x732.google.com ([2607:f8b0:4864:20::732]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1sZFP8-002UHW-8e for pgsql-hackers@lists.postgresql.org; Wed, 31 Jul 2024 19:54:40 +0000 Received: by mail-qk1-x732.google.com with SMTP id af79cd13be357-7a1d984ed52so355642385a.0 for ; Wed, 31 Jul 2024 12:54:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dunslane-net.20230601.gappssmtp.com; s=20230601; t=1722455672; x=1723060472; darn=lists.postgresql.org; h=content-transfer-encoding:in-reply-to:autocrypt:content-language :from:references:cc:to:subject:user-agent:mime-version:date :message-id:from:to:cc:subject:date:message-id:reply-to; bh=eGclnrGXx7MOf3o6HdBjS7szg28DEaTA4RzN+MLYo8E=; b=itnapVlSEIxewIXb9gi0kcmV85xLIoCxCZCULzHnNtrXBK175fBDIo9oMHZLZqwSne G6eJospj1pyDlKfydFc8YhNtOATtBUXkCDqVIzLJ2rBA2iOEvW4/yVYLSF7dqnzeIG8m i7wCm7vyBY62EBbtD3VZ5PXQ4+sSuAAFtxfrvS3+gzIS5vmBN3F+ms396LBI8T6nu8Xr ldfIcgML34wpf4nO/WLPK9YPDN4pYzcmkFVnaZaGEaSX2f849aM1am2lokswUi4QAzA5 K0TbxDXaeKT/9aTzU5AxdyZ94g0drJK5Gfvd8RsFFTFX6ODkOgUiPYU2kM5HM1pmX2S5 mIXQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722455672; x=1723060472; h=content-transfer-encoding:in-reply-to:autocrypt:content-language :from:references:cc:to:subject:user-agent:mime-version:date :message-id:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=eGclnrGXx7MOf3o6HdBjS7szg28DEaTA4RzN+MLYo8E=; b=RxErEq0GUys0JSt6yzpBmNk5qp3YJqpYmmP6aIwJ/B8hhEWpRN9TG0p9S4axyRpAuU +zr/WJ3cxL7rerCcskPYo9Pm6TsHqxubf4qvG19Vv7ukRKMsIGNkSzE21h9R4MmDuYZe HztlviVi0UEGIlAULeBCZjLUN467MmTh8JBZ5XHMfjT8VHpLSVTEmjc7Ib1i4Evj3Zqn wmQ4bsxxGNeZSwI7j30DtSiToGuievG+ZxK2OagCw9iZGOExCnG+EYaJM3XXJ64dgvOL iizDpYxudIVJ8S4dJhfIcLGc6LL3Qs9FkiWaNcgqbXf1l+4mDyrJqbL+Vlr5X4tCJcX9 x0Xw== X-Forwarded-Encrypted: i=1; AJvYcCUxLAcm+n3ROT0jAb13Gl8AUv5NL6m/KLHnjw0u4HFdAFAUrDv3ZH/wFjrmtJkwCsU4/R0JZ2rv5eYI6vDoX/1fALjdqtxWeJxdrsC5pgAM3nHK X-Gm-Message-State: AOJu0Yz63vgb/Pull+L6GKzj+3q6prnj+sB9LmlOxRTF+NjPeXNpGuuS 4ZFKireiuenjnhbmmUcYuiNECAxr93yM7LjqPXwYN0VqkN44zYM36fwzAx3Cn8Y= X-Google-Smtp-Source: AGHT+IHhSj8HX3LvIChqMBjD1xUBtANzhmqKVD/G5YMrhjp4QkeK4F1dB6m00Sp2pf+XLf64gNtraA== X-Received: by 2002:a05:620a:2985:b0:79d:5509:6d52 with SMTP id af79cd13be357-7a30c671a94mr31114185a.36.1722455671797; Wed, 31 Jul 2024 12:54:31 -0700 (PDT) Received: from ?IPV6:2605:a601:9180:9800::2bb? ([2605:a601:9180:9800::2bb]) by smtp.googlemail.com with ESMTPSA id af79cd13be357-7a1d73ed346sm781590985a.68.2024.07.31.12.54.31 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 31 Jul 2024 12:54:31 -0700 (PDT) Message-ID: Date: Wed, 31 Jul 2024 15:54:29 -0400 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: can we mark upper/lower/textlike functions leakproof? To: Joe Conway , Tom Lane , Robert Haas Cc: David Rowley , PostgreSQL Hackers References: <50d3a76e-afaa-44ed-aef5-6fb7f23cccab@dunslane.net> <5bef8bb0-7a50-4bcf-b052-2a12c3cda0f5@joeconway.com> <3416373.1722449026@sss.pgh.pa.us> <70b9e758-1050-4365-9d67-cc826faaf6a9@joeconway.com> From: Andrew Dunstan Content-Language: en-US Autocrypt: addr=andrew@dunslane.net; keydata= xsBNBE7KWFkBCAClridxur2AIc7eW2AR7izbfp3EnNefie2HbLF0izW5Ik5UjX2HBXBx4syI gY6b0ugohXrr274+baoAlvSbq6cAoQuEVrk5IZFzt20b1Xkx65FwGSEj526yiKLocqkJceSq Xr9xcA5SGY+FZv441chh5SU92v4q6z+6LPpoHOh97ptAVXZYNTtU0LevyvD5lja0TzbvJm6C eFXitJfnm1pLEr0DGJCR/iUOl/N62Kh4855zZC7NHIjQHPOvV5Stz/l5ilDhvGVk+xkXFPys SjZoUr1rXhYLpiyi5sR0X9FHXT0KnGuz1F5ERO7ZTLSSQ6fJwPj6gOk9K+vvoKvoeql5ABEB AAHNJEFuZHJldyBEdW5zdGFuIDxhbmRyZXdAZHVuc2xhbmUubmV0PsLAmwQTAQgARQIbAwIX gAIZAQULCQgHAgMiAgEGFQoJCAsCBBYCAwECHgcWIQTkPlhGHfx8v0RpFaWZ+n/LWfw7gQUC ZFlxxwUJGVGAbgAKCRCZ+n/LWfw7gXikB/9ZdcUy6CTBFIIuL/bVsc1eLEW/gJBjJBF6HxNY xgEkAgXAp4Lg4A5U+QB9GouFr7+GYxF0BU4hzoGhNPUWltxnHdMWP8nC/38LAqgMi8L/bbsm HW5YPBdWYaAZAPJQVfOAgjTbRUb26KSprpyrrJKW0ZmrZfjhNPcQ72jpWzoPLQqx2X6B0fru 1jq+cBh8lb6r1mJTim1T3JIn+F/v5VpdQS+EL8xqsHkfzKjIPsW3CIXpkypSk6saA55Rkkbl 26AW8ftPVB0Q6Lnn6FLt9CP0MGNixBQ55yq8r1K+nCBvCCjvQjM8RDm0UUum0WNl+ifQgTLO E8TWEnwVtkBf+3QWzsBNBE7KWFkBCADRnOM0FCzsYW6jtncg+dWIagjUZpvaClmqn/sJluLa Q3v1VXMQJzYs3eC1gh386W+XBwLRpDj3jzH81lX+p73Re3d3oJW7X+ffsxuzu5ZVdMUkqBYo nkAbKxr6gyJ12F/+JkUVzLcoTN+d/7YsQvUVi7NaKH8mJgjz112O4fUe3p9wfAaFa0RXHc5S GPzRTYRRlv/XZBIho4J2tkZOnteZJZ+GbxQVlINt6fd8P6al3MWOvpP/ExJPguEfjOsO6Njy xjo3WfpD4lHMOR/Oc3/8mScEF84rF2jXbsFgelWnbPWAvXY+pD0dXOFRkagGmC/viwBDqq5b 5tk76kKmUbZxABEBAAHCwHwEGAEIACYCGwwWIQTkPlhGHfx8v0RpFaWZ+n/LWfw7gQUCZFlx 5wUJGVGAjgAKCRCZ+n/LWfw7gf+iB/4g8CPY5jihf5r/8EsoIGe2H+dpVmpPF8YGBzTIvCz/ fQoOq8AX/pE76QEuFnFZWfjw+wgBXgCVmkox2Eflkk6z4ND3pcwGZ6CfCxTQCDk/dij+2DQ4 6bmDCy/sBgcbz9mTpoLC11HLoPae6YN9nBNQRZDcEFEu54OaVOqlIdbA6m+POIBCXZdHOFc0 WoDTgxHRzC1jgQNidyd6tKqcsVJs0dzF0oKTmFFmUAqTdJO12LBuNA1rlqrR3EtpYk8B/wtS 5dIMD7Q8hwQpL+4C6GNpb6ZKnPkLi47pDOLhz2qBrqN+rqUEsT3YnExYpzj5yOBi+FlmV1Hw 49QYe1sn2ZPs In-Reply-To: <70b9e758-1050-4365-9d67-cc826faaf6a9@joeconway.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 2024-07-31 We 2:43 PM, Joe Conway wrote: > On 7/31/24 14:03, Tom Lane wrote: >> Robert Haas writes: >>> If there are some inputs that cause upper() and lower() to fail and >>> others that do not, the functions aren't leakproof, because an >>> attacker can extract information about values that they can't see by >>> feeding those values into these functions and seeing whether they get >>> a failure or not. >> >>> [ rather exhaustive analysis redacted ] First, thanks you very much, Robert for the analysis. >> >>> So in summary, I think upper() is ... pretty close to leakproof. But >>> if ICU sometimes fails on certain strings, then it isn't. And if the >>> multi-byte libc path can be made to fail reliably either with really >>> long strings or with certain choices of the LC_CTYPE locale, then it >>> isn't. >> >> The problem here is that marking these functions leakproof is a >> promise about a *whole bunch* of code, much of it not under our >> control; worse, there's no reason to think all that code is stable. >> A large fraction of it didn't even exist a few versions ago. >> >> Even if we could convince ourselves that the possible issues Robert >> mentions aren't real at the moment, I think marking these leakproof >> is mighty risky.  It's unlikely we'd remember to revisit the marking >> the next time someone drops a bunch of new code in here. > > > I still maintain that there is a whole host of users that would accept > the risk of side channel attacks via existence of an error or not, if > they could only be sure nothing sensitive leaks directly into the logs > or to the clients. We should give them that choice. > As I meant to say in my previous empty reply, I think your suggestions make lots of sense. cheers andrew -- Andrew Dunstan EDB: https://www.enterprisedb.com