Paper 2024/1312

Probabilistic Data Structures in the Wild: A Security Analysis of Redis

Mia Filić, ETH Zurich
Jonas Hofmann, ETH Zurich
Sam A. Markelon, University of Florida
Kenneth G. Paterson, ETH Zurich
Anupama Unnikrishnan, ETH Zurich
Abstract

Redis (Remote Dictionary Server) is a general purpose, in-memory database that supports a rich array of functionality, including various Probabilistic Data Structures (PDS), such as Bloom filters, Cuckoo filters, as well as cardinality and frequency estimators. These PDS typically perform well in the average case. However, given that Redis is intended to be used across a diverse array of applications, it is crucial to evaluate how these PDS perform under worst-case scenarios, i.e., when faced with adversarial inputs. We offer a comprehensive analysis to address this question. We begin by carefully documenting the different PDS implementations in Redis, explaining how they deviate from those PDS as described in the literature. Then we show that these deviations enable a total of 10 novel attacks that are more severe than the corresponding attacks for generic versions of the PDS. We highlight the critical role of Redis' decision to use non-cryptographic hash functions in the severity of these attacks. We conclude by discussing countermeasures to the attacks, or explaining why, in some cases, countermeasures are not possible.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
probabilistic data structuresCuckoo filtersBloom filtersCMSTopKRedisattacks
Contact author(s)
mia filic @ inf ethz ch
hofmannj @ student ethz ch
smarkelon @ ufl edu
kenny paterson @ inf ethz ch
aunnikris @ phys ethz ch
History
2024-08-23: approved
2024-08-22: received
See all versions
Short URL
https://ia.cr/2024/1312
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2024/1312,
      author = {Mia Filić and Jonas Hofmann and Sam A. Markelon and Kenneth G. Paterson and Anupama Unnikrishnan},
      title = {Probabilistic Data Structures in the Wild: A Security Analysis of Redis},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1312},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1312}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.