Improved Leakage Abuse Attacks in Searchable Symmetric Encryption with eBPF Monitoring
Chinecherem Dimobi

TL;DR
This paper demonstrates how system-level monitoring with eBPF can reveal new leakage patterns in Searchable Symmetric Encryption, exposing practical vulnerabilities beyond traditional threat models.
Contribution
It introduces a novel approach using eBPF to uncover system-level leakages in SSE, enhancing understanding of real-world attack vectors.
Findings
eBPF can monitor low-level system behavior during searches
New leakage patterns are identified that improve attack effectiveness
System-level leakages pose practical threats to SSE security
Abstract
Searchable Symmetric Encryption (SSE) allows users to search over encrypted data stored on untrusted servers, like cloud providers. While SSE hides the content of queries and documents, it still leaks patterns, such as how often a query is made. These leakages have been shown to enable leakage abuse attacks, but recent defenses have made such attacks harder to carry out. In this work, we explore how system-level monitoring using eBPF (Extended Berkeley Packet Filter) can be used to uncover new forms of leakage that go beyond what is typically captured in SSE threat models. By observing low-level system behavior during search operations, we show that an attacker can gain additional insights into query behavior, document access, and processing flow. We define a new leakage pattern based on these observations and demonstrate how they can strengthen existing attacks. Our findings suggest…
Taxonomy
Topics: Cryptography and Data Security · Internet Traffic Analysis and Secure E-voting · Cryptographic Implementations and Security
