Improved Leakage Abuse Attacks in Searchable Symmetric Encryption with eBPF Monitoring
This work identifies a practical threat for users and developers of SSE by demonstrating that system-level leakages, not typically covered in SSE threat models, can be exploited to enhance existing attacks.
This paper explores how eBPF monitoring can expose new system-level leakages in Searchable Symmetric Encryption (SSE) deployments. By observing low-level system behavior, attackers can gain additional insights into query behavior, document access, and processing flow, which can strengthen existing leakage abuse attacks.
Searchable Symmetric Encryption (SSE) allows users to search over encrypted data stored on untrusted servers, such as cloud providers. While SSE hides the content of queries and documents, it still leaks patterns, such as how often a query is made. These leakages have been shown to enable leakage abuse attacks, but recent defenses have made such attacks harder to carry out. In this work, we explore how system-level monitoring using eBPF (Extended Berkeley Packet Filter) can be used to uncover new forms of leakage that go beyond what is typically captured in SSE threat models. By observing low-level system behavior during search operations, we show that an attacker can gain additional insights into query behavior, document access, and processing flow. We define a new leakage pattern based on these observations and demonstrate how it can strengthen existing attacks. Our findings suggest that system-level leakages present a practical threat to SSE deployments and must be considered when designing defenses. This work serves as a step toward bridging the gap between theoretical SSE security and the realities of system-level exposure.