Side-Channel Attacks on Query-Based Data Anonymization
Abstract (englisch):
A longstanding problem in computer privacy is that of data anonymization. One common approach is to present a query interface to analysts, and anonymize on a query-by-query basis. In practice, this approach often uses a standard database back end, and presents the query semantics of the database to the analyst.
This paper presents a class of novel side-channel attacks that work against any query-based anonymization system that uses a standard database back end. The attacks exploit the implicit conditional logic of database runtime optimizations. They manipulate this logic to trigger timing and exception-throwing side-channels based on the contents of the data.
We demonstrate the attacks on the implementation of the CHORUS Differential Privacy system released by Uber as an open source project. We obtain perfect reconstruction of millions of data values even with a Differential Privacy budget smaller than epsilon = 1.0 and no prior knowledge.
The paper also presents the design of a general defense to the runtime-optimization attacks, and a concrete implementation of the defense in the latest version of Diffix. The defense works without modifications to the back end database, and operates by modifying SQL to eliminate the runtime optimization or disable the side-channels.
... mehr
This paper presents a class of novel side-channel attacks that work against any query-based anonymization system that uses a standard database back end. The attacks exploit the implicit conditional logic of database runtime optimizations. They manipulate this logic to trigger timing and exception-throwing side-channels based on the contents of the data.
We demonstrate the attacks on the implementation of the CHORUS Differential Privacy system released by Uber as an open source project. We obtain perfect reconstruction of millions of data values even with a Differential Privacy budget smaller than epsilon = 1.0 and no prior knowledge.
The paper also presents the design of a general defense to the runtime-optimization attacks, and a concrete implementation of the defense in the latest version of Diffix. The defense works without modifications to the back end database, and operates by modifying SQL to eliminate the runtime optimization or disable the side-channels.
... mehr
| Zugehörige Institution(en) am KIT | Institut für Telematik (TM) Kompetenzzentrum für angewandte Sicherheitstechnologie (KASTEL) |
| Publikationstyp | Proceedingsbeitrag |
| Publikationsdatum | 12.11.2021 |
| Sprache | Englisch |
| Identifikator | ISBN: 978-1-4503-8454-4 KITopen-ID: 1000140317 |
| HGF-Programm | 46.23.01 (POF IV, LK 01) Methods for Engineering Secure Systems |
| Erschienen in | CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, November 2021 |
| Veranstaltung | ACM SIGSAC Conference on Computer and Communications Security (CCS 2021), Online, 15.11.2021 – 19.11.2021 |
| Verlag | Association for Computing Machinery (ACM) |
| Seiten | 1254–1265 |
| Schlagwörter | data management systems, query optimization, privacy-preserving protocols, untraceability, pseudonymity |
| Nachgewiesen in | Scopus Dimensions OpenAlex |
| Globale Ziele für nachhaltige Entwicklung |