A group of researchers has detailed a new type of attack against databases at the Black Hat US 2021 hybrid event. This attack—Database Reconnaissance and Exfiltration via Adaptive Compression Heuristics (DBREACH)—could result in information disclosure and loss.

About the attack

DBREACH is considered to be the first compression side-channel attack on a database system. Using the DBREACH attack technique, an attacker can recover users’ encrypted data.
  • DBREACH uses techniques similar to the Compression Ratio Info-leak Made Easy (CRIME) attack. This attack, revealed in 2013, targets Transport Layer Security (TLS).
  • Researchers claimed that several modern databases have data compression and encryption methods paired together to reduce costs. But this may expose the data for a new class of vulnerabilities known as side-channel attacks.
  • During their research, the experts analyzed and applied their theory on the MariaDB open-source databases running with the InnoDB storage engine. According to them, the same techniques work on other databases as well.

Attack methodology

For a DBREACH attack to be successful, an attacker requires the ability to insert/update a database table and estimate the size of a compressed table.
  • The database table can be either updated or inserted using a web interface. In addition, the attacker can obtain the required permissions with only a partial-select ability.
  • Even without update permissions, the attacker can still force an update by rolling back the table file and performing an insert operation.
  • Moreover, the size of the compressed table can be achieved by obtaining read access to the filesystem. With this, the attacker could read the size of the table.

Cautionary note

Researchers claim that this threat model can result in real-world attacks. In order to mitigate the potential risks of the DBREACH attack, it is advisable for database administrators to avoid using column-level permission. Moreover, they can monitor the database usage patterns, such as DoS detection, and look for a single user with a sudden high number of updates.

Cyware Publisher