This document discusses SE-PostgreSQL, which enables controlling access to database objects using SELinux security policies. It aims to provide system-wide consistent access control across filesystems and databases. The architecture hooks into PostgreSQL to allow SELinux plugins to make access control decisions. It introduces a pg_seclabel catalog and SECURITY LABEL statement. A demonstration shows how SE-PostgreSQL works with SELinux policies to enforce access controls on database queries and objects. Future work includes improving security hook coverage and supporting additional PostgreSQL features.
LAPP/SELinux - A secure web application platform powered by SELinux, by Kohei KaiGai
This document discusses using SELinux to provide security for web applications and databases. It describes issues with not having separate domains for web applications and multi-threaded applications. It proposes using SELinux security contexts and labeled networking to assign the correct context to web application processes based on the authenticating user in order to provide per-user virtual private databases through a system like LAPP/SELinux.
LAPP/SELinux - A secure web application stack using SE-PostgreSQL, by Kohei KaiGai
The document discusses a secure web application stack using SELinux and SE-PostgreSQL. It describes how SELinux can act as a conductor to provide system-wide access control consistency. SE-PostgreSQL allows PostgreSQL to make access control decisions based on the centralized SELinux security policy. This ensures least privilege and consistency across application layers compared to traditional stacks that rely on each layer having separate security mechanisms.
This document discusses GPU-accelerated computing and programming with GPUs. It compares GPUs from Nvidia, AMD, and Intel by number of cores, memory size and bandwidth, and power consumption. It also outlines the 7 steps of a GPU program: building and loading a GPU kernel, allocating device memory, transferring data from host to device memory, setting kernel arguments, enqueueing kernel execution, transferring results back, and synchronizing the command queue. The goal is massively parallel execution on the GPU.
LAPP/SELinux - A secure web application stack powered by SELinux, by Kohei KaiGai
This document discusses using SELinux to improve security in a typical web application stack of Linux, Apache, PostgreSQL, and PHP/Perl, called LAPP (the LAMP stack with PostgreSQL in place of MySQL). It describes how SELinux has been applied to PostgreSQL (SE-PostgreSQL) and Apache (Apache/SELinux Plus) to provide advanced access controls and to assign privileges to web applications based on the authenticating user. The goal is to apply SELinux at each layer of the LAPP stack so that access control decisions are consistent across the whole stack.
Writable Foreign Data Wrapper (JPUG Unconference 16-Feb-2013), by Kohei KaiGai
The document summarizes the writable foreign data wrapper (FDW) feature in PostgreSQL. It explains that FDWs allow writing to external data sources like they are regular tables. It describes how FDWs work by hooking into the query planning and execution phases. It also discusses challenges for writable FDWs, like identifying rows to update, and proposes solutions like using a "rowid" pseudo-column. Finally, it outlines new APIs needed to support writable FDWs and provides an example of updating a foreign table.
Security Enhanced PostgreSQL - System-wide consistency in access control, by Kohei KaiGai
This document discusses Security-Enhanced PostgreSQL (SE-PostgreSQL), which provides system-wide consistency in access controls for PostgreSQL. The key developer, KaiGai Kohei, has experience with Linux kernel development and PostgreSQL. SE-PostgreSQL applies a single, unified security policy to information assets regardless of how they are stored, using fine-grained mandatory access controls at the tuple and column level. It aims to prevent data leaks and manipulation through consistent, mandatory access controls.
Label based Mandatory Access Control on PostgreSQL, by Kohei KaiGai
The document discusses label-based mandatory access control (MAC) in PostgreSQL as implemented by the contrib/sepgsql module. It highlights the features added in version 9.1, notably the SECURITY LABEL statement, and gives an overview of how MAC differs from discretionary access control: a centralized security policy decides access and controls data flow based on the security labels of subjects and objects, not on the object owner's grants. The agenda covers an overview of MAC, the new features in 9.1, and the challenges for the 9.2 development cycle.
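As an added example (not code from the slides or from the sepgsql module itself), the following shows how the SECURITY LABEL statement attaches SELinux labels to a table and to a single sensitive column, and how to verify the result. It assumes contrib/sepgsql is installed and loaded in the database, that SELinux is enabled on the host, and uses the object type names (sepgsql_table_t, sepgsql_secret_table_t) that sepgsql's default policy defines:

```sql
-- Added example, not from the original deck. Assumes contrib/sepgsql is
-- loaded (e.g. via shared_preload_libraries) and sepgsql_setup has been run.
CREATE TABLE customer (
    cid     integer PRIMARY KEY,
    cname   text,
    credit  text            -- sensitive column, gets a stricter label below
);

-- Label the relation as an ordinary read/write table ...
SECURITY LABEL FOR selinux ON TABLE customer
    IS 'system_u:object_r:sepgsql_table_t:s0';

-- ... and the credit column as secret, so column-level MAC denies access to
-- client domains the policy does not allow to read sepgsql_secret_table_t.
SECURITY LABEL FOR selinux ON COLUMN customer.credit
    IS 'system_u:object_r:sepgsql_secret_table_t:s0';

-- Verify: pg_seclabels is the readable view over the pg_seclabel catalog.
SELECT objtype, objname, provider, label
  FROM pg_seclabels
 WHERE provider = 'selinux'
   AND objname LIKE 'customer%'
 ORDER BY objtype, objname;

-- The SELinux domain of the current client session, as sepgsql sees it.
SELECT sepgsql_getcon();
```

Whether the relabel itself is permitted is also a policy decision: sepgsql checks the relabelfrom/relabelto permissions of the client's domain, so a labelling statement that works for the DBA's domain can be denied for an application's. Check the SELinux audit log (AVC denials) when a SECURITY LABEL or a later query is refused.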
This document discusses row level security in databases. It begins by showing an example of how row level security (RLS) should work to filter query results based on security policies. It then discusses issues like views leaking data if conditions are pushed down, and proposes solutions like using a "security barrier" attribute for views. It also discusses allowing certain "leakproof" functions to be pushed down inside security barriers. Finally it outlines potential future features for RLS like setting different policies for different SQL commands and adding checks during table updates.
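The view-leak problem described above, as an added SQL example (not from the slides). It constructs a small table, a per-user view, and a deliberately "leaky" function, then shows the security_barrier form that PostgreSQL 9.2 shipped. Table, role and function names are made up for the illustration:

```sql
-- Added example, not from the original deck. Schema and data are constructed.
CREATE TABLE accounts (owner text NOT NULL, balance numeric NOT NULL);
INSERT INTO accounts VALUES ('alice', 100), ('bob', 2500), ('carol', 42);
CREATE ROLE bob LOGIN;

-- Plain view: to the planner the owner filter is just another WHERE clause.
CREATE VIEW my_accounts AS
    SELECT owner, balance FROM accounts WHERE owner = current_user;
GRANT SELECT ON my_accounts TO bob;

-- A user-supplied function that exposes its argument as a side effect.
-- Declaring it very cheap encourages the planner to run it first.
CREATE FUNCTION leak(numeric) RETURNS boolean
    LANGUAGE plpgsql COST 0.0001 AS $$
BEGIN
    RAISE NOTICE 'leaked balance: %', $1;
    RETURN true;
END $$;

-- As bob:
--   SET ROLE bob;
--   SELECT * FROM my_accounts WHERE leak(balance);
-- leak(balance) can be pushed down below the owner = current_user check and
-- fire once per row of accounts, so alice's and carol's balances show up in
-- the NOTICE output although the result set contains only bob's row.

-- Fix: a security_barrier view evaluates its own WHERE clause first; quals
-- added from outside are applied only to the rows that survive it.
CREATE VIEW my_accounts_safe WITH (security_barrier) AS
    SELECT owner, balance FROM accounts WHERE owner = current_user;
GRANT SELECT ON my_accounts_safe TO bob;

-- Only functions marked LEAKPROOF may still be pushed down through a
-- security barrier. Built-in equality operators qualify; leak() does not.
SELECT proname, proleakproof
  FROM pg_proc
 WHERE proname IN ('int4eq', 'leak')
 ORDER BY proname;
```

The cost of the barrier is that otherwise cheap, selective user predicates can no longer be pushed into the scan, which is why the slides propose letting functions that provably cannot leak their inputs (the LEAKPROOF ones) through; marking a function LEAKPROOF is a superuser-only assertion and should be treated as part of the security policy, not as a performance knob.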
1. Memcached currently lacks security features like access controls.
2. A centralized security server such as SELinux is preferable to access controls implemented separately by each application.
3. A Memcached plugin called selinux_engine was created to apply SELinux mandatory access controls. It performs access checks using the libselinux API to interface with SELinux and enforce the security policy. This provides centralized access controls for Memcached in a way that is transparent to applications.
mod_auth_ticket - Bringing Single-Sign-On to lighttpd, by Taisuke Yamada
Explains mod_auth_ticket, a newly developed lighttpd module that makes any website SSO-enabled. Also discusses the experience of developing a module for lighttpd and an evaluation of the strength of the cryptography the module uses.
This document discusses using HyperLogLog (HLL) to estimate cardinality for count(distinct) queries in PostgreSQL.
HLL is an algorithm that uses a small, fixed amount of memory to estimate the number of unique elements in a large set. Each element is hashed; the first few bits of the hash select one of a fixed number of registers, and the register keeps the maximum number of leading zeros seen in the remaining bits. Because a run of k leading zeros is expected roughly once in 2^k distinct values, the harmonic mean of the registers' 2^k values, scaled by a bias-correction constant, estimates the cardinality.
PG-Strom implements HLL in PostgreSQL to enable fast count(distinct) queries on GPUs. On a table with 60 million rows and 87GB in size, HLL estimated the distinct count within 0.3% accuracy in just 9 seconds, over 40x faster than the regular count(distinct).
PG-Strom is an extension of PostgreSQL that utilizes GPUs and NVMe SSDs to enable terabyte-scale data processing and in-database analytics. It features SSD-to-GPU Direct SQL, which loads data directly from NVMe SSDs to GPUs using RDMA, bypassing CPU and RAM. This improves query performance by reducing I/O traffic over the PCIe bus. PG-Strom also uses Apache Arrow columnar storage format to further boost performance by transferring only referenced columns and enabling vector processing on GPUs. Benchmark results show PG-Strom can process over a billion rows per second on a simple 1U server configuration with an NVIDIA GPU and multiple NVMe SSDs.
This document provides an introduction to HeteroDB, Inc. and its chief architect, KaiGai Kohei. It discusses PG-Strom, an open source PostgreSQL extension developed by HeteroDB for high performance data processing using heterogeneous architectures like GPUs. PG-Strom uses techniques like SSD-to-GPU direct data transfer and a columnar data store to accelerate analytics and reporting workloads on terabyte-scale log data using GPUs and NVMe SSDs. Benchmark results show PG-Strom can process terabyte workloads at throughput nearing the hardware limit of the storage and network infrastructure.
References
PHP Manual - A Hacker's Guide to the Zend Engine
http://usphp.com/manual/en/internals2.php
PHP Extension Development
http://www.somabo.de/talks/200510_zend_conf_php_extension_development.pdf