A group of academic researchers from Georgia Tech, Purdue University, and Synkhronix have developed a side-channel attack called TEE.Fail that allows for the extraction of secrets from the trusted execution environment (TEE) in a computer's main processor, including Intel's Software Guard eXtensions (SGX) and Trust Domain Extensions (TDX) and AMD's Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) and Ciphertext Hiding.
The attack, at its core, involves the use of an interposition device built using off-the-shelf electronic equipment that costs under $1,000 and makes it possible to physically inspect all memory traffic inside a DDR5 server.
"This allows us for the first time to extract cryptographic keys from Intel TDX and AMD SEV-SNP with Ciphertext Hiding, including in some cases secret attestation keys from fully updated machines in trusted status," the researchers noted on an informational site.
"Beyond breaking CPU-based TEEs, we also show how extracted attestation keys can be used to compromise Nvidia's GPU Confidential Computing, allowing attackers to run AI workloads without any TEE protections."
The findings come weeks after the release of two other attacks aimed at TEEs, such as Battering RAM and WireTap. Unlike these techniques that target systems using DDR4 memory, TEE.Fail is the first attack to be demonstrated against DDR5, meaning they can be used to undermine the latest hardware security protections from Intel and AMD.
The latest study has found that the AES-XTS encryption mode used by Intel and AMD is deterministic and, therefore, not sufficient to prevent physical memory interposition attacks. In a hypothetical attack scenario, a bad actor could leverage the custom equipment to record the memory traffic flowing between the computer and DRAM, and observe the memory contents during read and write operations, thereby opening the door to a side-channel attack.
This could be ultimately exploited to extract data from confidential virtual machines (CVMs), including ECDSA attestation keys from Intel's Provisioning Certification Enclave (PCE), necessary in order to break SGX and TDX attestation.
"As attestation is the mechanism used to prove that data and code are actually executed in a CVM, this means that we can pretend that your data and code is running inside a CVM when in reality it is not," the researchers said. "We can read your data and even provide you with incorrect output, while still faking a successfully completed attestation process."
The study also pointed out that SEV-SNP with Ciphertext Hiding neither addresses issues with deterministic encryption nor prevents physical bus interposition. As a result, the attack facilitates the extraction of private signing keys from OpenSSL's ECDSA implementation.
"Importantly, OpenSSL's cryptographic code is fully constant-time and our machine had Ciphertext Hiding enabled, thus showing these features are not sufficient to mitigate bus interposition attacks," they added.
While there is no evidence that the attack has been put to use in the wild, the researchers recommend using software countermeasures to mitigate the risks arising as a result of deterministic encryption. However, they are likely to be expensive.
In response to the disclosure, AMD said it has no plans to provide mitigations since physical vector attacks are out of scope for AMD SEV-SNP. Intel, in a similar alert, noted that TEE.fail does not change the company's previous out-of-scope statement for these types of physical attacks.
