ACM Transactions on Database Systems (TODS)
Proceedings of the 7th ACM conference on Computer and communications security
Database System Implementation
Database System Implementation
Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1
CRYPTO '98 Proceedings of the 18th Annual International Cryptology Conference on Advances in Cryptology
SQL Cookbook (Cookbooks (O'Reilly))
SQL Cookbook (Cookbooks (O'Reilly))
Exposing private information by timing web applications
Proceedings of the 16th international conference on World Wide Web
Remote timing attacks are practical
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
IFDB: decentralized information flow control for databases
Proceedings of the 8th ACM European Conference on Computer Systems
| Hi-index | 0.00 |
In this paper we present a new attack technique that allows extraction of selected database content relying merely on the attacker's ability to perform database transactions (INSERTs or UPDATEs) that are usually available to any anonymous database user. Our attack technique uses a side-channel timing attack in the realm of database indexing algorithms and data structures. We prove that by exploiting the inherent characteristics of the most commonly used indexing data structures and algorithms in today's commercial database management systems it is possible to extract privacy-sensitive data from a database. In particular we prove, both in theory and practice that it is feasible to do so if the B-tree data structure is used and the attacker is able to insert records with chosen data that is used as the search key of one of the table's indexes. We present experimental results of a successful attack implementation against MySQL and provide conclusions and ideas for further research.