
DBREACH: Database Reconnaissance and Exfiltration via Adaptive Compression Heuristics

Conference:  BlackHat USA 2021

2021-08-05

Summary

DBREACH is a compression side-channel attack on a real-world database system: an attacker who can insert rows and observe how much storage they consume extracts the plaintext of encrypted content inserted by another user. The attack exploits the combination of data-at-rest encryption and compression commonly used in databases. Compression runs before encryption, and encryption preserves length, so the size of the ciphertext still reflects how compressible the plaintext was.
  • Compression side-channel attacks recover information about encrypted data from its size: encryption hides the content, but the compressed length depends on the content, including on how well attacker-chosen data matches the secret it is compressed together with
  • DBREACH is the first compression side-channel attack demonstrated against a real-world database system
  • The attack relies on the combination of encryption and compression commonly used in databases
  • Possible mitigations include turning off compression, monitoring database usage for unusual activity patterns (the attack needs repeated inserts and size measurements), and compressing only within rows inserted by the same user or user group
DBREACH extends the techniques of the CRIME and BREACH attacks beyond the web security context into the database context. As in those attacks, the attacker places data of their own next to the victim's data inside one compression context; the compressed size then reveals whether the attacker's guess matched part of the victim's plaintext, and repeating this guess by guess extracts the sensitive value. This highlights the danger of combining encryption and compression in databases and the need for effective mitigations.
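The following Python is an added example, not the DBREACH authors' code, and it does not reproduce the talk's adaptive heuristics. It models a row store that DEFLATE-compresses a page of rows and then encrypts it with a length-preserving cipher, and runs a CRIME/BREACH-style byte-at-a-time guessing attack against it. The victim row, the known column name `api_token=`, the hex alphabet and the key are constructed assumptions. The `per_user` switch implements the last mitigation listed above (each user's rows compressed in their own stream) so the same attack can be run against both configurations. Because the attacker only sees a byte count while DEFLATE works in bits, the example recovers the exact bit length by appending incompressible nine-bit literals until the output grows by an extra byte; that sweep is this example's own handling of the Huffman-boundary problem, not something the page describes.

```python
"""Toy compress-then-encrypt row store and a CRIME/BREACH-style attack on it.
Added example; the victim row, column name, alphabet and key are constructed."""
import hashlib
import zlib

VICTIM_ROW = b"user=victim;api_token=8f3a2c9e;"   # constructed row inserted by another user
KNOWN_PREFIX = b"api_token="                       # attacker knows the schema, not the value
ALPHABET = b"0123456789abcdef"                     # assumed token alphabet
KEY = bytes(32)                                    # constructed key; the attack never touches it

# Bytes 0x90..0x97 never occur in the ASCII rows, so DEFLATE must emit each one as a
# literal, and in the static Huffman table zlib picks for short inputs a literal >= 144
# costs exactly 9 bits. That makes them calibrated, incompressible padding.
PAD = bytes(range(0x90, 0x98))


def stream_encrypt(data: bytes, key: bytes = KEY) -> bytes:
    """Length-preserving stand-in for CTR mode: XOR with a hash-derived keystream.
    Any real stream or CTR cipher leaks the length of its input in the same way."""
    keystream = b"".join(
        hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        for i in range(len(data) // 32 + 1)
    )
    return bytes(a ^ b for a, b in zip(data, keystream))


def stored_page(victim_row: bytes, attacker_row: bytes, per_user: bool) -> bytes:
    """The database page: compress, then encrypt.
    per_user=False: one DEFLATE stream spans both users' rows (vulnerable).
    per_user=True:  each user's rows get their own stream (mitigation from the talk)."""
    if per_user:
        return (stream_encrypt(zlib.compress(victim_row, 9))
                + stream_encrypt(zlib.compress(attacker_row, 9)))
    return stream_encrypt(zlib.compress(victim_row + attacker_row, 9))


def page_size(attacker_row: bytes, per_user: bool) -> int:
    """Everything the attacker observes: the size of the page after their own insert."""
    return len(stored_page(VICTIM_ROW, attacker_row, per_user))


def stream_bits(attacker_row: bytes, per_user: bool) -> int:
    """Turn byte-granular sizes into the exact DEFLATE bit count (plus constant framing).
    Appending k nine-bit pad literals adds 9k bits: k whole bytes, plus one extra byte as
    soon as the spare bits in the last byte are used up. The smallest k that produces the
    extra byte reveals how many bits of the final byte were padding."""
    base = page_size(attacker_row, per_user)
    for k in range(1, 9):
        if page_size(attacker_row + PAD[:k], per_user) - base > k:
            return 8 * base - (k - 1)
    raise RuntimeError("compressor did not behave as modelled (not a static-Huffman block?)")


def recover_secret(length: int, per_user: bool = False) -> bytes:
    """Byte-at-a-time recovery. The guess that extends the LZ77 match against the victim's
    row is encoded as part of the match instead of as a fresh literal, so it yields the
    shortest stream; every wrong guess costs one extra literal."""
    recovered = b""
    for _ in range(length):
        scores = {bytes([c]): stream_bits(KNOWN_PREFIX + recovered + bytes([c]), per_user)
                  for c in ALPHABET}
        recovered += min(scores, key=scores.get)   # ties resolve to the first alphabet symbol
    return recovered


if __name__ == "__main__":
    print("shared compression:  ", recover_secret(8, per_user=False))   # b'8f3a2c9e'
    print("per-user compression:", recover_secret(8, per_user=True))    # not the token
```

With shared compression the loop recovers the full token because the victim's row and the attacker's probe sit in one LZ77 window; with per-user compression every guess costs the same and the output is unrelated to the secret, which is exactly why the "compress only within one user's rows" mitigation works. Real database engines compress at page or row level with their own algorithms and add noise that this toy lacks; the talk's adaptive heuristics exist to cope with that, and nothing here should be read as the DBREACH procedure itself.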

Abstract

Databases often store sensitive data such as personally identifiable information. For this reason, databases often provide a data-at-rest encryption feature. Large databases may also attempt to compress data to save storage space. However, combining encryption and compression can be dangerous and potentially leak the underlying plaintext. This class of vulnerabilities is known as a compression side-channel. Compression side-channel attacks were most notably demonstrated during the CRIME (2012) and BREACH (2013) attacks to break SSL. In practice, compression side-channel attacks have so far been limited to a web security context. In this presentation, we demonstrate the first compression side-channel attacks on a real-world database. We show how an attacker is able to extract encrypted content that was inserted by another user. We list the necessary preconditions for such an attack to take place, reveal the inner workings of the attack, and discuss possible mitigations.
