© 2024 All Rights Reserved | Powered by Insighthub News

New TEE.Fail side-channel attack extracts secrets from Intel and AMD DDR5 secure enclaves

October 28, 2025 4 Min Read

A group of academic researchers from Georgia Tech, Purdue University, and Synkhronix has developed a side-channel attack called TEE.Fail that allows secrets to be extracted from the trusted execution environment (TEE) of a computer’s main processor, including Intel’s Software Guard eXtensions (SGX) and Trust Domain Extensions (TDX), and AMD’s Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) and Ciphertext Hiding.

At its core, the attack relies on an interposition device built from off-the-shelf electronics that costs less than $1,000 and allows physical inspection of all memory traffic within a DDR5 server.

“This makes it possible for the first time to extract cryptographic keys from Intel TDX and AMD SEV-SNP with ciphertext hiding capabilities, including in some cases secret authentication keys from fully updated machines in a trusted state,” the researchers wrote on an informational site.

“In addition to subverting CPU-based TEEs, we also show how extracted authentication keys can be used to compromise Nvidia’s GPU Confidential Computing, allowing attackers to run AI workloads without TEE protection.”

This finding comes weeks after the disclosure of two other TEE attacks, Battering RAM and WireTap. Unlike those techniques, which target systems using DDR4 memory, TEE.Fail is the first attack demonstrated against DDR5, meaning it can be used to undermine the latest hardware security protections from Intel and AMD.

The study found that the AES-XTS encryption mode used by Intel and AMD is not sufficient to prevent physical memory interposition attacks because it is deterministic. In a hypothetical attack scenario, an attacker could use custom equipment to record the memory traffic flowing between the computer and DRAM, opening the door to side-channel attacks based on observing memory contents during read and write operations.
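To make the determinism problem concrete, the following Python sketch is an added example, not code from the researchers or the vendors. It assumes the `cryptography` package; the key, address, sample values and the `version` freshness counter are constructed for illustration and do not describe any vendor's actual design.

```python
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

KEY = bytes(range(64))  # constructed AES-256-XTS key (two distinct 256-bit halves)


def xts_encrypt(addr: int, block: bytes, version: int = 0) -> bytes:
    """Encrypt one 16-byte memory block with a tweak derived from its address.

    `version` models a hypothetical per-write freshness counter. With the
    default of 0 the tweak depends on the address only, which is the
    deterministic behaviour the article describes.
    """
    tweak = addr.to_bytes(8, "little") + version.to_bytes(8, "little")
    enc = Cipher(algorithms.AES(KEY), modes.XTS(tweak)).encryptor()
    return enc.update(block) + enc.finalize()


def repeated_writes(trace):
    """Return indices of writes whose (address, ciphertext) pair was seen before.

    Each hit means the location holds the same plaintext again; that equality
    is visible on the bus without any knowledge of the key.
    """
    seen, repeats = set(), []
    for i, (addr, ct) in enumerate(trace):
        if (addr, ct) in seen:
            repeats.append(i)
        seen.add((addr, ct))
    return repeats


def simulate(values, addr=0x1000, fresh=False):
    """Write `values` in order to one address and return the bus-visible trace."""
    return [(addr, xts_encrypt(addr, v, version=i if fresh else 0))
            for i, v in enumerate(values)]


# Constructed sample: one location alternating between two secret-dependent values.
A, B = b"A" * 16, b"B" * 16
WRITES = [A, B, A, A, B]

if __name__ == "__main__":
    print("address-only tweak:", repeated_writes(simulate(WRITES)))
    print("with write counter:", repeated_writes(simulate(WRITES, fresh=True)))
```

With an address-only tweak, every recurrence of a value at the same location is visible as a repeated ciphertext; once the tweak changes on each write, the repeats disappear.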

This could ultimately be exploited to extract data from confidential virtual machines (CVMs), including ECDSA attestation keys from Intel’s Provisioning Certification Enclave (PCE), which are needed to break SGX and TDX attestation.


“Attestation is a mechanism used to prove that data and code are actually running inside a CVM, and therefore means that data and code can pretend to be running inside a CVM when in fact they are not,” the researchers said. “They can even read data and provide false output while faking a successfully completed authentication process.”

The study also pointed out that SEV-SNP with ciphertext hiding neither addresses the problem of deterministic encryption nor prevents physical bus interposition. As a result, the attack makes it possible to extract private signing keys from OpenSSL’s ECDSA implementation.

“Importantly, OpenSSL’s encryption code is fully punctual and ciphertext hiding was enabled on our machine, indicating that these features are not sufficient to mitigate bus intervention attacks,” they added.

Although there is no evidence that this attack has been used in the wild, the researchers recommend software countermeasures to reduce the risks arising from deterministic encryption. However, these can be expensive.

Following this disclosure, AMD stated that it has no plans to provide mitigations because physical vector attacks are out of scope for AMD SEV-SNP. Intel noted in a similar alert that TEE.fail does not change the company’s previous out-of-scope statement for this type of physical attack.
