Hi Carlos, On 5/10/2013 6:43 AM, Carlos Henrique Reimer wrote:
We are developing a solution which will run in thousands of small cash till machines running Linux and we would like to use PostgreSQL but there is a insecurity feeling regarding the solution basically because these boxes would be exposed to an insecure environment and insecure procedures like: non controlled power outages, untrusted hardware, no appropriate environment for hardware (dusty, hot) etc...
Welcome to my world! :> To clarify your requirements: - the devices contain hard currency which they either *accept* from the user, dispense *to* the user, or both. - the contents of the DB are critical to the proper operation of the device (e.g., perhaps they maintain "account balances" that, if corruptible, represent an exploit) - presumably, the environment is secure enough that an adversary can't just remove the entire device to abscound with the monies therein (i.e., while it may not be "as secure as a bank lobby", neither is it sitting in the middle of an open field! Perhaps sitting *in* a storefront establishment?) - the device has some physical safeguards to prevent an adversary vandalizing it GIVEN THE LEVEL OF SUPERVISION IN ITS ENVIRONMENT (e.g., the coinbox of a US "pay phone" is pretty hard to break into) - yet, a subtle, clever hacker could "tease" the device into a state that is more "generous" to his wishes (e.g., a high voltage discharge at a key point along the case/wiring to crash the processor at a critical point in it's transaction processing) - a single device may not be a significant "value" target -- but, an exploit that can be reapplied to *each* target (possibly repeatedly, over time) makes this a sufficiently large honey pot - you're very confident in the robustness of the underlying OS, application and PostgreSQL itself that you don't fear problems from any of those in "normal operation" (e.g., the kernel isn't likely to panic due to some unforseen out-of-memory condition -- nor the processor hiccup from operating in an overtemperature condition)
Our major concern is related to the write-back issues we can face in this environment. Is there a way to prevent it or a way PG can be configured to detect write-back configurations? Don't think so, but...
I'm not sure what specific threat you are anticipating, here. Could you posit a potential attack scenario against which you would like to defend?
Basically, the question is: is there a way to guaranty a reliable PG database in an untrusted and insecure environment? Maybe some kind of file system could give this guaranty, not sure..
Absent *physical* security, you can't do *anything*! (especially given your reliance on FOSS components!). E.g., an adversary can disembowel the device and massage the contents of the raw media, etc.) Having designed (regulated) gaming and "grey area" devices (each handling hard currency), I can tell you that you have to have already performed a pretty exhaustive threat analysis (e.g., red team, blue\ team) *before* you start the product's design. If you can't imagine *all* of the ways you can be targeted, then you can't determine how/if you will be "secure" in each of those scenarios (e.g., I've incorporated features into the hardware designs to counter certain types of physical attacks). Always consider how you can design the system to *screw* the attacker instead of *reward* him, given the option. E.g., given the (fictitious) example of allowing the user to "withdraw" funds from his "account" (possibly), then opt for: decrease_balance(amount) dispense_currency(amount) instead of: dispense_currency(amount) decrease_balance(amount) as the latter case could allow an attacker to interrupt the atomic operation *after* receiving his "hard currency" yet before a record of this has been made. In the former case, an attack results in his account *losing* money without ever receiving the hard currency! Attackers are shy about complaining that "the machine cheated me as that brings attention to their activities! ("Oh? Let's review the video surveillance to see what happened..." :>) Of course, the above *should* be atomic but you can't roll-back a *physical* transaction (i.e., reach out and grab the currency *from* him if the transaction is aborted). Perhaps if you can highlight specific actions that you imagine as being vulnerabilities, a compromise solution might be available? [BTW, I find these the most delightful projects as you *really* have to think outside the box -- unlike a desktop/server environment where all you have to worry about is a disk crash, DoS attack, etc.] G'luck! --don -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general