Re: Ghost Data

  • From: Tanel Poder <tanel@xxxxxxxxxx>
  • To: Brandon.Allen@xxxxxxxxxxx
  • Date: Wed, 1 Jul 2009 23:52:44 +0300

When Oracle "new"-s a datablock in buffer cache it just updates the block
header in the buffer and loads the inserted data in there, it does not fill
the rest of the buffer with zeroes like OS'es do when faulting in new pages
of memory into process address space. Thus if you get "lucky" you will see
some ghost data in a hexdump of the block (but not in any query as the data
logically does not exist anymore).

From a security perspective it may cause some issues if this issue is ignored.
I'm not sure if the transparent tablespace encryption (which decrypts the
data when reading a block in from disk) does anything to prevent a block
with "ghost data" ending up used by some other segment.

But in any case - if you can dump a cached buffer of a "ghost" block then
you could dump the data from an encrypted tablespace's buffer as well, so
there's no difference here. But if a buffer with some "ghost data" ends up
being written into a non-encrypted "non-sensitive" tablespace, then this
could be a problem.

Tanel Poder

On Wed, Jul 1, 2009 at 8:16 PM, Allen, Brandon <Brandon.Allen@xxxxxxxxxxx> wrote:

> Hi Martin,
> No, I don’t know which tables they were from since I’m not that familiar
> with the application data.  I could probably track it down if I needed to,
> although it might be impossible to tell for sure since some of the data,
> e.g. order numbers, probably exists in multiple tables.  I don’t see the
> point in checking the rowid and source datafile though – I know that the
> data is from somewhere else and is now showing up in my brand new datafile
> that I just created.
> I’m not very familiar with block dumps and not sure if Oracle will dump
> blocks that it considers to be empty/unused since they aren’t part of any
> segment yet – do you know if it will and if so, how do I do it?  I’m still
> not sure what this would tell me either.  There is no doubt that Oracle is
> putting data into this datafile where it doesn’t belong so I don’t need to
> verify that anymore – all I want to know is if this is normal behavior and
> *why* it does this.  It’s not really causing me any problems since I don’t
> have any encryption requirements and my server is secured so nobody can go
> grepping through my datafiles anyway – I’m just curious.
> Thanks,
> Brandon

Tanel Poder
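
The buffer reuse described in the reply above, as an added example that is not part of the original thread and is not Oracle code. It is a simplified model: the 24-byte header, the segment ids, the sample rows and the `scrub` flag are all constructed for illustration and do not reflect Oracle's real block layout or any Oracle setting.

```c
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 8192
#define HDR_SIZE   24            /* constructed header size, not Oracle's */

/* Toy block header: owning segment and number of live row bytes. */
struct blk_hdr { unsigned seg_id; unsigned used; char pad[HDR_SIZE - 8]; };

/* "New" a buffer as the post describes: rewrite the header and copy in the
 * rows. With scrub == 0 the rest of the buffer keeps its previous contents;
 * with scrub != 0 the whole buffer is zeroed first. */
static void new_block(unsigned char *buf, unsigned seg,
                      const void *rows, unsigned len, int scrub)
{
    struct blk_hdr h = { seg, len, {0} };
    if (scrub)
        memset(buf, 0, BLOCK_SIZE);
    memcpy(buf, &h, sizeof h);
    memcpy(buf + HDR_SIZE, rows, len);
}

/* Defender's check: count non-zero bytes beyond the live row data, i.e.
 * bytes a hexdump would show but no query would return. */
static size_t ghost_bytes(const unsigned char *buf)
{
    struct blk_hdr h;
    size_t i, n = 0;
    memcpy(&h, buf, sizeof h);
    for (i = HDR_SIZE + h.used; i < BLOCK_SIZE; i++)
        if (buf[i]) n++;
    return n;
}

/* Segment 1 (sensitive) fills the buffer, then the same buffer is reused
 * for segment 2 (non-sensitive). Returns the residue left in the new block. */
static size_t demo(int scrub)
{
    static unsigned char buf[BLOCK_SIZE];
    const char old_rows[] = "ORDER 1001 ACME CORP|ORDER 1002 CARD 0000-0000";
    const char new_rows[] = "LOG ok";            /* constructed sample data */
    memset(buf, 0, sizeof buf);
    new_block(buf, 1, old_rows, sizeof old_rows - 1, 0);
    new_block(buf, 2, new_rows, sizeof new_rows - 1, scrub);
    return ghost_bytes(buf);
}

int main(void)
{
    printf("no scrub: %zu ghost bytes, scrub: %zu\n", demo(0), demo(1));
    return 0;
}
```

Without the scrub, 40 bytes of the first segment's rows remain in the block now owned by the second segment, which is the case the reply flags when that block is later written to a non-encrypted tablespace.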
