Saved in:
Bibliographic Details
Main Authors: Pham, Hung, Vo, Viet, Dinh, Tien Tuan Anh, Tran, Duc, Zhang, Shuhao
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2510.12172
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866914093514883072
author Pham, Hung
Vo, Viet
Dinh, Tien Tuan Anh
Tran, Duc
Zhang, Shuhao
author_facet Pham, Hung
Vo, Viet
Dinh, Tien Tuan Anh
Tran, Duc
Zhang, Shuhao
contents Stream processing systems are important in modern applications in which data arrive continuously and need to be processed in real time. Because of their resource and scalability requirements, many of these systems run on the cloud, which is considered untrusted. Existing works on securing databases on the cloud focus on protecting the data, and most systems leverage trusted hardware for high performance. However, in stream processing systems, queries are as sensitive as the data because they contain the application logics. We demonstrate that it is practical to extract the queries from stream processing systems that use Intel SGX for securing the execution engine. The attack performed by a malicious cloud provider is based on timing side channels, and it works in two phases. In the offline phase, the attacker profiles the execution time of individual stream operators, based on synthetic data. This phase outputs a model that identifies individual stream operators. In the online phase, the attacker isolates the operators that make up the query, monitors its execution, and recovers the operators using the model in the previous phase. We implement the attack based on popular data stream benchmarks using SecureStream and NEXMark, and demonstrate attack success rates of up to 92%. We further discuss approaches that can harden streaming processing systems against our attacks without incurring high overhead.
format Preprint
id arxiv_https___arxiv_org_abs_2510_12172
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Leaking Queries On Secure Stream Processing Systems
Pham, Hung
Vo, Viet
Dinh, Tien Tuan Anh
Tran, Duc
Zhang, Shuhao
Cryptography and Security
Stream processing systems are important in modern applications in which data arrive continuously and need to be processed in real time. Because of their resource and scalability requirements, many of these systems run on the cloud, which is considered untrusted. Existing works on securing databases on the cloud focus on protecting the data, and most systems leverage trusted hardware for high performance. However, in stream processing systems, queries are as sensitive as the data because they contain the application logics. We demonstrate that it is practical to extract the queries from stream processing systems that use Intel SGX for securing the execution engine. The attack performed by a malicious cloud provider is based on timing side channels, and it works in two phases. In the offline phase, the attacker profiles the execution time of individual stream operators, based on synthetic data. This phase outputs a model that identifies individual stream operators. In the online phase, the attacker isolates the operators that make up the query, monitors its execution, and recovers the operators using the model in the previous phase. We implement the attack based on popular data stream benchmarks using SecureStream and NEXMark, and demonstrate attack success rates of up to 92%. We further discuss approaches that can harden streaming processing systems against our attacks without incurring high overhead.
title Leaking Queries On Secure Stream Processing Systems
topic Cryptography and Security
url https://arxiv.org/abs/2510.12172