Databases are the key component of most computer systems today. Because of the valuable and sensitive data they store and process, these database systems have become the primary target of digital attacks. For example, confidential information (e.g., social security numbers, home addresses) of over 140 million people was leaked in 2017 from Equifax, one of the US's largest credit reporting companies.
This prevalence of database breaches has spurred more interest in building secure databases in both academia and industry. A number of proposed systems protect data using advanced encryption schemes or hide query access patterns, albeit at some performance cost. However, recent work has also shown that volume leakage is a significant vulnerability that can be exploited to reconstruct the entire database, even when using state-of-the-art designs with the strongest security guarantees.
In this work, we present new attacks for recovering the content of individual user queries, assuming no leakage from the system except the number of results. Unlike previous volume-based attacks, which rely on assumptions that are either too stringent or unrealistic for many real-world systems, our attacks directly leverage the semantics of real applications running on top of these database systems. The key insight is that, by exploiting the behavior of specific applications, one can immediately have an attack without making further assumptions about the underlying system, as prior work does.
Title: Practical Volume-Based Attacks on Encrypted Databases
Published: 2019-05-16
Full Collection Name: Electrical Engineering & Computer Sciences Technical Reports
Other Identifiers: EECS-2019-50
Type: Text
Extent: 27 p
Archive: The Engineering Library