ABSTRACT
In the past few years, we have seen multiple attacks on one-dimensional databases that support range queries. These attacks achieve full database reconstruction by exploiting access pattern leakage along with known query distribution or search pattern leakage. We are the first to go beyond one dimension, exploring this threat in two dimensions. We unveil an intrinsic limitation of reconstruction attacks by showing that there can be an exponential number of distinct databases that produce equivalent leakage. Next, we present a full database reconstruction attack. Our algorithm runs in polynomial time and returns a poly-size encoding of all databases consistent with the given leakage profile. We implement our algorithm and observe real-world databases that admit a large number of equivalent databases, which aligns with our theoretical results.
Supplemental Material
- Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, and Yirong Xu. 2004. Order Preserving Encryption for Numeric Data. In Proceedings of the 2004 ACM SIGMOD International Conference on Management of Data (SIGMOD 2004).Google ScholarDigital Library
- Akshima, David Cash, Francesca Falzon, Adam Rivkin, and Jesse Stern. 2020. Multidimensional Database Reconstruction from Range Query Access Patterns. Cryptology ePrint Archive, Report 2020/296. (2020). https://eprint.iacr.org/2020/296.Google Scholar
- Vincent Bindschaedler, Paul Grubbs, David Cash, Thomas Ristenpart, and Vitaly Shmatikov. 2018. The Tao of Inference in Privacy-Protected Databases. Proc. VLDB Endow. , Vol. 11, 11 (July 2018), 1715--1728.Google ScholarDigital Library
- Alexandra Boldyreva, Nathan Chenette, Younho Lee, and Adam O'Neill. 2009. Order-Preserving Symmetric Encryption. In Advances in Cryptology - EUROCRYPT 2009 .Google Scholar
- Alexandra Boldyreva, Nathan Chenette, and Adam O'Neill. 2011. Order-Preserving Encryption Revisited: Improved Security Analysis and Alternative Solutions. In Advances in Cryptology -- CRYPTO 2011 .Google Scholar
- David Cash, Joseph Jaeger, Stanislaw Jarecki, Charanjit S Jutla, Hugo Krawczyk, Marcel-Catalin Rosu, and Michael Steiner. 2014. Dynamic searchable encryption in very-large databases: data structures and implementation. In 21st Annual Network and Distributed System Security Symposium 2014 (NDSS 2014).Google ScholarCross Ref
- Javad Ghareh Chamani, Dimitrios Papadopoulos, Charalampos Papamanthou, and Rasool Jalili. 2018. New Constructions for Forward and Backward Private Symmetric Searchable Encryption. In Proc. of ACM Conf. on Computer and Communications Security 2018 (CCS 2018).Google Scholar
- Melissa Chase and Seny Kamara. 2010. Structured Encryption and Controlled Disclosure. Advances in Cryptology -- ASIACRYPT 2010 .Google Scholar
- Ciphercloud. 2020. CipherCloud: Cloud Data Security Company. (2020). http://www.ciphercloud.com Accessed on May 3, 2020.Google Scholar
- Reza Curtmola, Juan Garay, Seny Kamara, and Rafail Ostrovsky. 2011. Searchable Symmetric Encryption: Improved Definitions and Efficient Constructions. Journal of Computer Security , Vol. 19, 5 (2011), 895--934.Google ScholarDigital Library
- Ioannis Demertzis, Javad Ghareh Chamani, Dimitrios Papadopoulos, and Charalampos Papamanthou. 2020 a. Dynamic Searchable Encryption with Small Client Storage. In 27th Annual Network and Distributed System Security Symposium 2020 (NDSS 2020).Google Scholar
- Ioannis Demertzis, Dimitrios Papadopoulos, Charalampos Papamanthou, and Saurabh Shintre. 2020 b. SEAL: Attack Mitigation for Encrypted Databases via Adjustable Leakage. In 29th USENIX Security Symposium (USENIX Security 20) .Google Scholar
- F. Betül Durak, Thomas M. DuBuisson, and David Cash. 2016. What Else is Revealed by Order-Revealing Encryption?. In Proc. ACM Conf. on Computer and Communications Security 2016 (CCS 2016).Google ScholarDigital Library
- Sky Faber, Stanislaw Jarecki, Hugo Krawczyk, Quan Nguyen, Marcel-Catalin Rosu, and Michael Steiner. 2015. Rich Queries on Encrypted Data: Beyond Exact Matches. In 20th European Symposium on Research in Computer Security 2015 (ESORICS 2015).Google Scholar
- B. Fuller, M. Varia , A. Yerukhimovich, E. Shen , A. Hamlin, V. Gadepally , R. Shay, J. D. Mitchell, and R. K. Cunningham. 2017. SoK: Cryptographically Protected Database Search. In Proc. IEEE Symposium on Security and Privacy 2017 (S&P 2017).Google ScholarCross Ref
- Sanjam Garg, Payman Mohassel, and Charalampos Papamanthou. 2016. TWORAM: Efficient Oblivious RAM in Two Rounds with Applications to Searchable Encryption. In Advances in Cryptology - CRYPTO 2016 .Google Scholar
- Paul Grubbs, Anurag Khandelwal, Marie-Sarah Lacharité , Lloyd Brown, Lucy Li, Rachit Agarwal, and Thomas Ristenpart. 2020. Pancake: Frequency Smoothing for Encrypted Data Stores. In 29th USENIX Security Symposium (USENIX Security 20) .Google Scholar
- P. Grubbs, M. Lacharité, B. Minaud, and K. G. Paterson. 2019. Learning to Reconstruct: Statistical Learning Theory and Encrypted Database Attacks. In Proc. IEEE Symp. on Security and Privacy 2019 (S&P 2019).Google ScholarCross Ref
- Paul Grubbs, Marie-Sarah Lacharité, Brice Minaud, and Kenneth G. Paterson. 2018. Pump Up the Volume: Practical Database Reconstruction from Volume Leakage on Range Queries. In Proc. ACM Conf. on Computer and Communications Security 2018 (CCS 2018).Google Scholar
- P. Grubbs, K. Sekniqi, V. Bindschaedler, M. Naveed, and T. Ristenpart. 2017. Leakage-Abuse Attacks against Order-Revealing Encryption. In Proc. IEEE Symp. on Security and Privacy 2017 (S&P 2017).Google ScholarCross Ref
- Seny Kamara and Tarik Moataz. 2018. SQL on Structurally-Encrypted Databases. In Advances in Cryptology -- ASIACRYPT 2018 .Google Scholar
- Seny Kamara, Tarik Moataz, Stan Zdonik, and Zheguang Zhao. 2020. An Optimal Relational Database Encryption Scheme. Cryptology ePrint Archive, Report 2020/274. (2020). https://eprint.iacr.org/2020/274.Google Scholar
- Georgios Kellaris, George Kollios, Kobbi Nissim, and Adam O'Neill. 2016. Generic Attacks on Secure Outsourced Databases. In Proc. ACM Conf. on Computer and Communications Security 2016 (CCS 2016).Google ScholarDigital Library
- Evgenios M. Kornaropoulos, Charalampos Papamanthou, and Roberto Tamassia. 2019. Data Recovery on Encrypted Databases With k-Nearest Neighbor Query Leakage. In Proc. IEEE Symp. on Security and Privacy 2019 (S&P 2019).Google ScholarCross Ref
- Evgenios M. Kornaropoulos, Charalampos Papamanthou, and Roberto Tamassia. 2020. The State of the Uniform: Attacks on Encrypted Databases Beyond the Uniform Query Distribution. In Proc. IEEE Symp.on Security and Privacy 2020 (S&P 2020).Google ScholarCross Ref
- Marie-Sarah Lacharité , Brice Minaud, and Kenneth G Paterson. 2018. Improved reconstruction attacks on encrypted data using range query leakage. In Proc. IEEE Symp. on Security and Privacy 2018 (S&P 2018).Google ScholarCross Ref
- Evangelia Anna Markatou and Roberto Tamassia. 2019 a. Full Database Reconstruction with Access and Search Pattern Leakage. In Proc. Int. Conf on Information Security 2019 (ISC 2019).Google ScholarCross Ref
- Evangelia Anna Markatou and Roberto Tamassia. 2019 b. Mitigation Techniques for Attacks on 1-Dimensional Databases that Support Range Queries. In Proc. Int. Conf on Information Security 2019 (ISC 2019).Google ScholarCross Ref
- Evangelia Anna Markatou and Roberto Tamassia. 2020. Database Reconstruction Attacks in Two Dimensions. Cryptology ePrint Archive, Report 2020/284. (2020). https://eprint.iacr.org/2020/284.Google Scholar
- Charalampos Mavroforakis, Nathan Chenette, Adam O'Neill, George Kollios, and Ran Canetti. 2015. Modular Order-Preserving Encryption, Revisited. In Proceedings of the 2015 ACM SIGMOD International Conference on Management of Data (SIGMOD 2015).Google ScholarDigital Library
- Muhammad Naveed, Seny Kamara, and Charles V. Wright. 2015. Inference Attacks on Property-Preserving Encrypted Databases. In Proc. ACM Conf. on Computer and Communications Security 2015 (CCS 2015).Google Scholar
- Skyhigh Networks. 2020. Skyhigh Networks. (2020). https://www.skyhighnetworks.com accessed on May 3, 2020.Google Scholar
- Antonis Papadimitriou, Ranjita Bhagwan, Nishanth Chandran, Ramachandran Ramjee, Andreas Haeberlen, Harmeet Singh, Abhishek Modi, and Saikrishna Badrinarayanan. 2016. Big Data Analytics over Encrypted Datasets with Seabed. In 12th USENIX Symposium on Operating Systems Design and Implementation 2016 (OSDI 2016).Google Scholar
- Rishabh Poddar, Tobias Boelter, and Raluca Ada Popa. 2019. Arx: An Encrypted Database using Semantically Secure Encryption. Proc. VLDB Endow. , Vol. 12, 11 (August 2019), 1664--1678.Google ScholarDigital Library
- Raluca Ada Popa, Catherine M. S. Redfield, Nickolai Zeldovich, and Hari Balakrishnan. CryptDB: Protecting Confidentiality with Encrypted Query Processing. In Proc. of the Twenty-Third ACM Symposium on Operating Systems Principles 2011 (SOSP '11).Google Scholar
- Malte Spitz. 2011. CRAWDAD dataset spitz/cellular (v. 2011-05-04). Downloaded from https://crawdad.org/spitz/cellular/20110504. (May 2011).Google Scholar
- Boyang Wang, Yantian Hou, Ming Li, Haitao Wang, and Hui Li. 2014. Maple: Scalable Multi-Dimensional Range Search over Encrypted Cloud Data with Tree-Based Index. In Proc. of the 9th ACM Symposium on Information, Computer and Communications Security (ASIA CCS '14).Google ScholarDigital Library
Index Terms
- Full Database Reconstruction in Two Dimensions
Recommendations
Reconstructing with Less: Leakage Abuse Attacks in Two Dimensions
CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications SecurityAccess and search pattern leakage from range queries are detrimental to the security of encrypted databases, as evidenced by a large body of work on attacks that reconstruct one-dimensional databases. Recently, the first attack from 2D range queries ...
Prevention of SQL Injection Attacks to Login Page of a Website Application using Prepared Statement Technique
ICISS '19: Proceedings of the 2nd International Conference on Information Science and SystemsThe rise of digital transaction of different business and internet users for web service, mobile or desktop web application is increasing every day. Backend database is use to retrieved data for all web application and should be readily available for ...
A survey of detection methods for XSS attacks
AbstractCross-site scripting attack (abbreviated as XSS) is an unremitting problem for the Web applications since the early 2000s. It is a code injection attack on the client-side where an attacker injects malicious payload into a vulnerable ...
Comments