Researchers Unveil TEE.Fail: A New Side-Channel Attack on Trusted Execution Environments
Introduction to TEE.Fail
A collaboration between academic researchers from Georgia Tech, Purdue University, and Synkhronix has produced a new side-channel attack, named TEE.Fail, that exposes weaknesses in the trusted execution environments (TEEs) of mainstream processors. Specifically, it targets Intel’s Software Guard eXtensions (SGX) and Trust Domain Extensions (TDX), along with AMD’s Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) and its Ciphertext Hiding feature.
How TEE.Fail Works
At the heart of TEE.Fail is an interposition device built from readily available electronic components for under $1,000. Placed on the memory bus, it lets an attacker with physical access observe all memory traffic in a DDR5 server. The researchers reported that this is enough to extract cryptographic keys from Intel’s TDX and AMD’s SEV-SNP, including secret attestation keys from fully updated systems that are otherwise recognized as “trusted.”
Implications for Hardware Security
The researchers behind TEE.Fail emphasized that the attack not only compromises CPU-based TEEs but also poses risks to Nvidia’s GPU Confidential Computing, since it lets an attacker run AI workloads outside the protections that TEEs are meant to guarantee while still appearing trustworthy. The study highlights this as particularly concerning, given the increasing reliance on confidential computing for sensitive workloads.
Comparison with Previous Attacks
TEE.Fail is a timely addition to the ongoing conversation about the security of TEEs, emerging shortly after the introduction of other attacks like Battering RAM and WireTap. Unlike these previous methods, which primarily targeted systems utilizing DDR4 memory, TEE.Fail stands out as the first method to successfully breach DDR5 security measures. Its ability to undermine the latest hardware protections from both Intel and AMD marks a critical evolution in the landscape of cybersecurity threats.
Deterministic Encryption and Vulnerabilities
One of the critical findings of the study is that the AES-XTS memory encryption mode used by both Intel and AMD is deterministic: the same plaintext written to the same physical address always produces the same ciphertext, because no nonce or counter enters the computation. This is why the mode does not stop physical memory interposition attacks. In the attack scenario, an adversary uses custom equipment to log memory traffic between the central processing unit (CPU) and dynamic random-access memory (DRAM), observing the ciphertext of each read and write; repeated ciphertexts then reveal when protected values repeat, which is the foundation of the side-channel attack.
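To make the deterministic property concrete, here is an added example written for this page (not the researchers' code, and not how any vendor's memory controller is implemented): a single-block AES-128-XTS encryption in Go using only the standard library, following the IEEE 1619 tweak derivation with the data-unit number standing in for a physical address. The key, the 16-byte value, the addresses, and the function names XTSEncryptBlock and Demo are all constructed for the demonstration; whether a real controller maps addresses to tweaks exactly this way is not stated on the page, but the observation holds for any nonce-free XTS: writing the same value to the same location twice puts identical ciphertext on the bus, while another location yields unrelated ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// XTSEncryptBlock encrypts one 16-byte block at address (unit, j) under a 32-byte AES-128-XTS key:
// T = AES_K2(unit) * alpha^j in GF(2^128), C = AES_K1(P xor T) xor T. Nothing random enters.
func XTSEncryptBlock(key []byte, unit uint64, j int, p []byte) ([]byte, error) {
	if len(key) != 32 || len(p) != 16 {
		return nil, fmt.Errorf("need a 32-byte key and a 16-byte block")
	}
	k1, _ := aes.NewCipher(key[:16]) // lengths validated above, so no error here
	k2, _ := aes.NewCipher(key[16:])
	t := make([]byte, 16)
	binary.LittleEndian.PutUint64(t, unit)
	k2.Encrypt(t, t)
	for ; j > 0; j-- { // times alpha: shift left, reduce by x^128+x^7+x^2+x+1
		var carry byte
		for i := 0; i < 16; i++ {
			carry, t[i] = t[i]>>7, t[i]<<1|carry
		}
		if carry != 0 {
			t[0] ^= 0x87
		}
	}
	c := make([]byte, 16)
	for i := range c {
		c[i] = p[i] ^ t[i]
	}
	k1.Encrypt(c, c)
	for i := range c {
		c[i] ^= t[i]
	}
	return c, nil
}

// Demo models what a bus observer sees: one value written twice to one address and once to another.
func Demo() (sameAddrRepeats, otherAddrRepeats bool) {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, not a real one
	p := []byte("secret-bit-is-1!")       // constructed 16-byte value
	a, _ := XTSEncryptBlock(key, 0x1000, 0, p)
	b, _ := XTSEncryptBlock(key, 0x1000, 0, p)
	c, _ := XTSEncryptBlock(key, 0x1001, 0, p)
	return bytes.Equal(a, b), bytes.Equal(a, c)
}
func main() { fmt.Println(Demo()) } // true false
```

The first result is the leak: an observer who never learns the key can still tell that the enclave wrote the same value again, which is exactly what a randomized (nonce-carrying) mode would hide.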
Potential Data Extraction
Through TEE.Fail, attackers could extract sensitive data from confidential virtual machines (CVMs), including ECDSA attestation keys from Intel’s Provisioning Certification Enclave (PCE). Those keys are what SGX and TDX attestation ultimately rest on. The research team noted that attestation is how a relying party confirms that its data and code are executing inside a genuine CVM. With the keys compromised, attackers can fake a CVM, producing forged attestations that pass verification while the workload runs without any TEE protection, which leads to unauthorized data access and misleading outputs.
Limitations of Current Security Features
The study critically assesses the efficacy of SEV-SNP with Ciphertext Hiding, noting that it neither removes the determinism of the memory encryption nor prevents physical bus interposition. As a result, the researchers were able to extract private signing keys from OpenSSL’s ECDSA implementation running inside a protected VM, further diminishing confidence in current protections.
Even though OpenSSL’s ECDSA code is written to run in constant time, and Ciphertext Hiding was enabled on the test system, the researchers found that these measures are insufficient against a bus interposition attack: constant-time code defends against timing leaks, not against an observer who can see which ciphertexts recur on the memory bus.
Mitigation Recommendations and Industry Response
While there are no confirmed instances of TEE.Fail being used in real-world attacks, the researchers advise software countermeasures that address the risks of deterministic encryption, although implementing them could carry significant cost. In light of the findings, AMD has stated that it will not provide mitigations, since physical attack vectors are outside the threat model of AMD SEV-SNP. Intel similarly noted that TEE.Fail falls within the limitations it has previously documented for physical attacks, reaffirming its existing position.
Final Thoughts
The emergence of TEE.Fail marks an important chapter in cybersecurity, highlighting the continual evolution of threats against trusted execution environments. As researchers and organizations alike grapple with these vulnerabilities, it remains clear that the cybersecurity landscape is as dynamic as ever, calling for ongoing vigilance and adaptive security measures.