Welcome to the resource topic for 2015/082
Title:
On the Difficulty of Securing Web Applications using CryptDB
Authors: İhsan Haluk AKIN, Berk Sunar
Abstract:CryptDB has been proposed as a practical and secure middleware to protect databases deployed on semi-honest cloud servers. While CryptDB provides sufficient protection under Threat-1, here we demonstrate that when CryptDB is deployed to secure the cloud hosted database of a realistic web application, an attacker to database or a Malicious Database Administrator (mDBA) can easily steal information, and even escalate his privilege to become the administrator of the web application. Our attacks, fall under a restricted form of Threat-2 where we only assume that the attackers or the mDBA tampers with the CryptDB protected database and is opens an ordinary user account through the web application. Our attacks, are carried out assuming perfectly secure proxy and application servers. Therefore, the attacks work without recovering the master key residing on the proxy server. At the root of the attack lies the lack of any integrity checks for the data in the CryptDB database. We propose a number of practical countermeasures to mitigate attacks targeting the integrity of the CryptDB database. We also demonstrate that the data integrity is not sufficient to protect the databases, when query integrity and frequency attacks are considered.
ePrint: https://eprint.iacr.org/2015/082
See all topics related to this paper.
Feel free to post resources that are related to this paper below.
Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.
For more information, see the rules for Resource Topics .