Key-value stores typically leave access control to the systems for which they act as storage engines. Unfortunately, attackers may circumvent such read access controls via timing attacks on the key-value store, which use differences in query response times to glean information about stored data. To date, key-value store timing attacks have aimed to disclose stored values and have exploited external mechanisms that can be disabled for protection. In this paper, we point out that key disclosure is also a security threat -- and demonstrate key disclosure timing attacks that exploit mechanisms of the key-value store itself. We target LSM-tree based key-value stores utilizing range filters, which have been recently proposed to optimize LSM-tree range queries. We analyze the impact of the range filters SuRF and prefix Bloom filter on LSM-trees through a security lens, and show that they enable a key disclosure timing attack, which we call prefix siphoning. Prefix siphoning successfully leverages benign queries for non-present keys to identify prefixes of actual keys -- and in some cases, full keys -- in scenarios where brute force searching for keys (via exhaustive enumeration or random guesses) is infeasible.
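As an added illustration (not code from the paper or from any key-value store it analyzes), the toy Python model below shows where the response-time difference described above comes from in an LSM-tree level guarded by a prefix Bloom filter: a lookup for an absent key whose prefix matches a stored key passes the filter and still costs a simulated disk read, while a key with an unseen prefix is rejected by the filter alone. The class and function names (`PrefixBloomLevel`, `lookup`, `work_profile`), the filter parameters and the sample keys are constructed assumptions.

```python
import hashlib

# Constructed toy model of one LSM-tree level guarded by a prefix Bloom filter
# (hypothetical names; not code from the paper). Keys are bytes; the filter is
# built over a fixed-length prefix of each stored key.

PREFIX_LEN = 4
FILTER_BITS = 1024
HASH_COUNT = 3

def _positions(prefix: bytes):
    """Derive HASH_COUNT bit positions for a prefix (double hashing of sha256)."""
    digest = hashlib.sha256(prefix).digest()
    h1 = int.from_bytes(digest[:8], "big")
    h2 = int.from_bytes(digest[8:16], "big") | 1
    return [(h1 + i * h2) % FILTER_BITS for i in range(HASH_COUNT)]

class PrefixBloomLevel:
    def __init__(self, keys):
        self.keys = set(keys)                    # stands in for the on-disk SSTable
        self.bits = [False] * FILTER_BITS
        for k in self.keys:
            for p in _positions(k[:PREFIX_LEN]):
                self.bits[p] = True

    def filter_may_contain(self, key: bytes) -> bool:
        return all(self.bits[p] for p in _positions(key[:PREFIX_LEN]))

    def lookup(self, key: bytes):
        """Return (found, disk_reads). The filter short-circuits only when the
        key's prefix was never inserted, so a miss on a present prefix still
        costs a disk read; that cost difference is the prefix oracle."""
        if not self.filter_may_contain(key):
            return False, 0
        return key in self.keys, 1

def work_profile(level, probes):
    """Map each probe key to its simulated disk-read count."""
    return {k: level.lookup(k)[1] for k in probes}

# Constructed sample: two stored keys share the prefix b"acct", one has b"sess".
STORE = PrefixBloomLevel([b"acct0001", b"acct0002", b"sess9f3a"])
PROBES = [b"acct9999", b"sess0000", b"zzzz0000"]

if __name__ == "__main__":
    for k, reads in work_profile(STORE, PROBES).items():
        found = STORE.lookup(k)[0]
        print(k, "present" if found else "absent", "disk_reads =", reads)
```

All three probe keys are absent, yet the two whose prefixes exist in the store incur a disk read and the third normally does not (barring a Bloom false positive), which is the observable difference the abstract's attack relies on.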