Key-value stores typically leave access control to the systems for which they act as storage engines. Unfortunately, attackers may circumvent such read access controls via timing attacks on the key-value store, which use differences in query response times to glean information about stored data. To date, key-value store timing attacks have aimed to disclose stored values and have exploited external mechanisms that can be disabled for protection. In this paper, we point out that key disclosure is also a security threat -- and demonstrate key disclosure timing attacks that exploit mechanisms of the key-value store itself. We target LSM-tree based key-value stores utilizing range filters, which have been recently proposed to optimize LSM-tree range queries. We analyze the impact of the range filters SuRF and prefix Bloom filter on LSM-trees through a security lens, and show that they enable a key disclosure timing attack, which we call prefix siphoning. Prefix siphoning successfully leverages benign queries for non-present keys to identify prefixes of actual keys -- and in some cases, full keys -- in scenarios where brute force searching for keys (via exhaustive enumeration or random guesses) is infeasible.

翻译：键值存储通常将访问控制委托给其作为存储引擎的系统。不幸的是，攻击者可能通过针对键值存储的时序攻击绕过此类读访问控制——利用查询响应时间的差异来获取存储数据的相关信息。迄今为止，键值存储时序攻击旨在泄露存储的值，并利用可通过禁用进行保护的外部机制。本文指出，键泄露同样构成安全威胁——并展示了利用键值存储自身机制进行键泄露的时序攻击。我们以基于LSM-tree并采用范围过滤器的键值存储为靶标，此类范围过滤器近期被提出用于优化LSM-tree范围查询。我们通过安全视角分析范围过滤器SuRF和前缀布隆过滤器对LSM-tree的影响，并证明它们启用了一种称为前缀虹吸的键泄露时序攻击。在穷举枚举或随机猜测等暴力搜索键不可行的场景中，前缀虹吸成功利用针对不存在键的良性查询来识别真实键的前缀——在某些情况下可获取完整键。