Searchable Symmetric Encryption (SSE) allows users to search over encrypted data stored on untrusted servers, like cloud providers. While SSE hides the content of queries and documents, it still leaks patterns, such as how often a query is made. These leakages have been shown to enable leakage abuse attacks, but recent defenses have made such attacks harder to carry out. In this work, we explore how system-level monitoring using eBPF (Extended Berkeley Packet Filter) can be used to uncover new forms of leakage that go beyond what is typically captured in SSE threat models. By observing low-level system behavior during search operations, we show that an attacker can gain additional insights into query behavior, document access, and processing flow. We define a new leakage pattern based on these observations and demonstrate how they can strengthen existing attacks. Our findings suggest that system-level leakages present a practical threat to SSE deployments and must be considered when designing defenses. This work serves as a step toward bridging the gap between theoretical SSE security and the realities of system-level exposure.