New TEE.Fail Attack Compromises Intel and AMD Secure Enclaves, Threatens AI GPU Security

Unveiling TEE.Fail: A New Side-Channel Attack Compromising Intel and AMD Secure Enclaves

In a significant development in cybersecurity, researchers from Georgia Tech, Purdue University, and Synkhronix have unveiled a novel side-channel attack named TEE.Fail. This attack targets the Trusted Execution Environments (TEEs) of modern processors, specifically Intel’s Software Guard Extensions (SGX) and Trust Domain Extensions (TDX), as well as AMD’s Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) and Ciphertext Hiding.

Understanding the TEE.Fail Attack

TEE.Fail leverages an interposition device constructed from readily available electronic components costing under $1,000. This device enables attackers to physically monitor all memory traffic within a DDR5 server. By doing so, it becomes possible to extract cryptographic keys from Intel’s TDX and AMD’s SEV-SNP with Ciphertext Hiding. In certain scenarios, even secret attestation keys from fully updated machines in a trusted state can be compromised.

The implications of this attack are profound. Beyond breaching CPU-based TEEs, the extracted attestation keys can be utilized to undermine Nvidia’s GPU Confidential Computing. This vulnerability allows malicious actors to execute AI workloads devoid of any TEE protections, thereby exposing sensitive data and processes to potential exploitation.

Technical Insights into the Vulnerability

TEE.Fail distinguishes itself from previous attacks like Battering RAM and WireTap, which targeted DDR4 memory systems. This new attack is the first to be demonstrated against DDR5 memory, effectively compromising the latest hardware security measures implemented by Intel and AMD.

A critical aspect of the vulnerability lies in the AES-XTS encryption mode employed by both Intel and AMD. This mode is deterministic, rendering it insufficient to thwart physical memory interposition attacks. In a potential attack scenario, an adversary could use custom equipment to record memory traffic between the computer and DRAM. By observing memory contents during read and write operations, the attacker can execute a side-channel attack to extract data from confidential virtual machines (CVMs).

One particularly alarming consequence is the extraction of ECDSA attestation keys from Intel’s Provisioning Certification Enclave (PCE). With these keys in hand, an attacker can break the SGX and TDX attestation processes. Attestation serves as the mechanism to verify that data and code are executed within a CVM. Compromising this process means an attacker can deceive users into believing their data and code are securely running inside a CVM, while in reality they are exposed. This deception allows attackers to read data and provide incorrect outputs, all while falsifying a successful attestation process.

Furthermore, the study highlights that SEV-SNP with Ciphertext Hiding does not address issues related to deterministic encryption nor prevent physical bus interposition. Consequently, the attack facilitates the extraction of private signing keys from OpenSSL’s ECDSA implementation. Notably, this extraction occurs despite OpenSSL’s cryptographic code being fully constant-time and the machine having Ciphertext Hiding enabled, demonstrating that these features alone are insufficient to mitigate bus interposition attacks.
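The two preceding paragraphs both turn on one property: AES-XTS is deterministic, so an observer on the memory bus who sees the same ciphertext written twice to the same address learns that the same plaintext was stored twice, even with Ciphertext Hiding and fully constant-time code. The Python model below is an added illustration, not code from the TEE.Fail paper, Intel or AMD. It assumes a small HMAC-based Feistel cipher standing in for AES-XTS (the real engine is AES), models the physical address as the XTS tweak, and shows an illustrative per-write blinding countermeasure of the kind the researchers describe only in general terms; the blinding scheme, the `EncryptedDram` class and the interposer view are all constructed for this example.

```python
"""Model of why a deterministic memory cipher (AES-XTS style) acts as an
equality oracle for a passive bus interposer, and of a per-write blinding
countermeasure. Toy Feistel cipher stands in for AES-XTS (assumption)."""
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit blocks, as in AES-XTS


def _round_fn(key: bytes, tweak: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed, tweaked PRF for one Feistel round (HMAC-SHA256, truncated).
    return hmac.new(key, tweak + bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def toy_xts_encrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """Deterministic tweakable block cipher: the same (key, tweak, plaintext)
    always gives the same ciphertext, the property the article describes."""
    assert len(block) == BLOCK
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round_fn(key, tweak, rnd, r)))
    return l + r


def toy_xts_decrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _round_fn(key, tweak, rnd, l))), l
    return l + r


class EncryptedDram:
    """Memory encryption engine. The physical address is used as the XTS
    tweak (modeling assumption), so every line is encrypted independently."""

    def __init__(self) -> None:
        self.key = os.urandom(32)
        self.cells: dict[int, bytes] = {}
        self.bus_log: list[tuple[str, int, bytes]] = []  # what an interposer sees

    def write(self, addr: int, plaintext: bytes) -> None:
        ct = toy_xts_encrypt(self.key, addr.to_bytes(8, "little"), plaintext)
        self.cells[addr] = ct
        self.bus_log.append(("W", addr, ct))

    def read(self, addr: int) -> bytes:
        ct = self.cells[addr]
        self.bus_log.append(("R", addr, ct))
        return toy_xts_decrypt(self.key, addr.to_bytes(8, "little"), ct)


def interposer_repeat_addresses(bus_log) -> set[int]:
    """What a passive observer learns WITHOUT the key: addresses where the
    same ciphertext was written more than once, i.e. the same plaintext was
    stored there twice. Constant-time code does not change this."""
    seen: dict[tuple[int, bytes], int] = {}
    repeats: set[int] = set()
    for op, addr, ct in bus_log:
        if op != "W":
            continue
        seen[(addr, ct)] = seen.get((addr, ct), 0) + 1
        if seen[(addr, ct)] > 1:
            repeats.add(addr)
    return repeats


def store_secret_plain(mem: EncryptedDram, addr: int, secret_bit: int) -> None:
    # Secret-dependent value stored as-is; the engine encrypts it deterministically.
    mem.write(addr, bytes([secret_bit]) + b"\x00" * (BLOCK - 1))


def store_secret_blinded(mem: EncryptedDram, addr: int, secret_bit: int) -> None:
    """Illustrative software countermeasure (an assumption, not the paper's
    specific scheme): XOR each write with a fresh random pad kept at a second
    address, so identical secrets never yield identical ciphertext."""
    pad = os.urandom(BLOCK)
    value = bytes([secret_bit]) + b"\x00" * (BLOCK - 1)
    mem.write(addr + BLOCK, pad)
    mem.write(addr, bytes(a ^ b for a, b in zip(value, pad)))


def load_secret_blinded(mem: EncryptedDram, addr: int) -> int:
    pad = mem.read(addr + BLOCK)
    return mem.read(addr)[0] ^ pad[0]


def demo() -> tuple[bool, bool]:
    """Returns (plain_store_leaks, blinded_store_leaks)."""
    leaky = EncryptedDram()
    for bit in (1, 1, 0, 1):  # constructed secret-dependent writes
        store_secret_plain(leaky, 0x1000, bit)
    plain_leaks = 0x1000 in interposer_repeat_addresses(leaky.bus_log)

    safe = EncryptedDram()
    for bit in (1, 1, 0, 1):
        store_secret_blinded(safe, 0x2000, bit)
        assert load_secret_blinded(safe, 0x2000) == bit  # still decrypts correctly
    blinded_leaks = bool(interposer_repeat_addresses(safe.bus_log))
    return plain_leaks, blinded_leaks


if __name__ == "__main__":
    print("plain store leaks equality:", demo()[0], "| blinded store leaks:", demo()[1])
```

The interposer function never touches the key: it only compares ciphertexts, which is exactly the advantage a physical bus tap has against a deterministic mode. The blinding helper costs an extra line write and a fresh random value per store, which is the kind of performance overhead the article attributes to software countermeasures.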

Industry Response and Mitigation Strategies

As of now, there is no evidence to suggest that TEE.Fail has been exploited in real-world scenarios. However, the potential risks it poses are significant. The researchers recommend implementing software countermeasures to mitigate the threats arising from deterministic encryption. It’s important to note that these countermeasures may be resource-intensive and could impact system performance.

In response to the disclosure, AMD has stated that it has no plans to provide mitigations, as physical vector attacks are considered out of scope for AMD SEV-SNP. Similarly, Intel has indicated that TEE.Fail does not alter the company’s previous stance regarding these types of physical attacks.

Conclusion

The revelation of TEE.Fail underscores the evolving landscape of cybersecurity threats, particularly those targeting hardware vulnerabilities. As attackers develop more sophisticated methods to exploit trusted execution environments, it becomes imperative for the industry to reassess and fortify existing security measures. While TEE.Fail has not been observed in the wild, its potential impact serves as a stark reminder of the need for continuous vigilance and proactive defense strategies in the realm of hardware security.