Skip to content

Protect measureConversion algorithm from timing-based side channels #188

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Protect measureConversion algorithm from timing-based side channels #188

wants to merge 1 commit into from

Conversation

apasel422
Copy link
Collaborator

@apasel422 apasel422 commented May 29, 2025
edited by pr-preview bot
Loading

@apasel422 apasel422 marked this pull request as ready for review May 29, 2025 15:00
@apasel422 apasel422 force-pushed the side branch 3 times, most recently from 177eaae to 7238fac Compare May 30, 2025 11:57
@apasel422
Copy link
Collaborator Author

Thinking about this further, I'm not sure that the current PR is correct with respect to atomicity: Presumably we want to avoid committing any changes to persistent storage if the timeout is reached, which will involve restructuring the algorithms to avoid iterative writes.

Thoughts, @csharrison and @martinthomson?

@csharrison
Copy link
Collaborator

Good point. Even if we structure the storage to only do a single write, we need to be careful since that write could leak information, and e.g. we need a way method of canceling it / rolling back if the timeout occurs during the write. Alternatively, we could try to ensure the write time is always fast regardless of existing db contents by having some staging buffer table that has no indices, etc, which we process async. Then maybe we'd be OK hoisting the write out of the timeout-scoped block.

@martinthomson
Copy link
Member

Hmm, if we're going to do that, we could split the attribution logic into two parts. The first will select candidate impressions and write to persistent storage (which I assume is just the various privacy budget store buckets that are touched). I think that the privacy budget store update always happens; it can't be cancelled. Then there will be a process of generating an answer, which could be cancelled.

It's possible that we only need to identify candidate epochs in that first pass, which would be fast and maybe even constant time. Not perfectly, but close. An impression store can't be split by epoch, because that's a conversion-site thing. It could have a bitmap for where impressions are by time, which would be a constant-time scan. That would result in some imprecision if you wanted true constant time: say you had a resolution of 10 minutes and aligned epochs on that boundary, you would have 1k bits per epoch per impression site of overhead.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@martinthomson martinthomson Awaiting requested review from martinthomson

@csharrison csharrison Awaiting requested review from csharrison

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Side channels for measureConversion operation
3 participants
@apasel422 @csharrison @martinthomson