Re: Ghost Data
From: Tanel Poder <tanel_at_poderc.com>
Date: Wed, 1 Jul 2009 23:52:44 +0300
Message-ID: <4602f23c0907011352t5ea9ea0t894e19c3e4e8e9b2_at_mail.gmail.com>
When Oracle "new"-s a datablock in buffer cache it just updates the block header in the buffer and loads the inserted data in there, it does not fill the rest of the buffer with zeroes like OS'es do when faulting in new pages of memory into process address space. Thus if you get "lucky" you will see some ghost data in a hexdump of the block (but not in any query as the data logically does not exist anymore).
Date: Wed, 1 Jul 2009 23:52:44 +0300
Message-ID: <4602f23c0907011352t5ea9ea0t894e19c3e4e8e9b2_at_mail.gmail.com>
When Oracle "new"-s a datablock in buffer cache it just updates the block header in the buffer and loads the inserted data in there, it does not fill the rest of the buffer with zeroes like OS'es do when faulting in new pages of memory into process address space. Thus if you get "lucky" you will see some ghost data in a hexdump of the block (but not in any query as the data logically does not exist anymore).
From security perspective it may cause some issues if this issue is ignored. I'm not sure if the transparent tablespace encryption (which decrypts the data when reading a block in from disk) does anything to prevent a block with "ghost data" ending up used by some other segment.
But in any case - if you can dump a cached buffer of a "ghost" block then you could dump the data from an encrypted tablespace's buffer as well, so there's no difference here. But if a buffer with some "ghost data" ends up being written into a non-encrypted "non-sensitive" tablespace, then this could be a problem.
-- Tanel Poder http://blog.tanelpoder.com On Wed, Jul 1, 2009 at 8:16 PM, Allen, Brandon <Brandon.Allen_at_oneneck.com>wrote:Received on Wed Jul 01 2009 - 15:52:44 CDT
> Hi Martin,
>
>
>
> No, I don’t know which tables they were from since I’m not that familiar
> with the application data. I could probably track it down if I needed too,
> although it might be impossible to tell for sure since some of the data,
> e.g. order numbers, probably exists in multiple tables. I don’t see the
> point in checking the rowid and source datafile though – I know that the
> data is from somewhere else and is now showing up in my brand new datafile
> that I just created.
>
>
>
> I’m not very familiar with block dumps and not sure if Oracle will dump
> blocks that it considers to be empty/unused since they aren’t part of any
> segment yet – do you know if it will and if so, how do I do it? I’m still
> not sure what this would tell me either. There is no doubt that Oracle is
> putting data into this datafile where it doesn’t belong so I don’t need to
> verify that anymore – all I want to know is if this is normal behavior and
> *why* it does this. It’s not really causing me any problems since I don’t
> have any encryption requirements and my server is secured so nobody can go
> grepping through my datafiles anyway – I’m just curious.
>
>
>
> Thanks,
>
> Brandon
>
> ------------------------------
> Privileged/Confidential Information may be contained in this message or
> attachments hereto. Please advise immediately if you or your employer do not
> consent to Internet email for messages of this kind. Opinions, conclusions
> and other information in this message that do not relate to the official
> business of this company shall be understood as neither given nor endorsed
> by it.
>
-- Tanel Poder http://blog.tanelpoder.com -- http://www.freelists.org/webpage/oracle-l