A team of researchers from prestigious institutions, including Georgia Tech, Purdue University, and Synkhronix, has devised a novel side-channel attack, known as TEE.Failure, which enables the extraction of sensitive information from the Trusted Execution Environment (TEE) within a computer’s central processing unit. This attack targets the latest security features from prominent manufacturers, such as Intel’s Software Guard Extensions (SGX) and Trust Domain Extensions (TDX), as well as AMD’s Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) and Ciphertext Hiding.
The core concept of the attack is an interposition device built from readily available electronic components for less than $1,000. The device lets an attacker physically inspect all memory traffic in a DDR5 server and thereby intercept sensitive data as it crosses the memory bus.
The researchers highlighted that their approach enables the extraction of cryptographic keys from Intel TDX and AMD SEV-SNP with Ciphertext Hiding, including secret attestation keys from fully updated machines in a trusted state. This is achieved through the use of an interposition device that can monitor memory traffic, allowing attackers to compromise the security of the TEE.
Furthermore, the researchers demonstrated that the extracted attestation keys can be used to compromise Nvidia’s GPU Confidential Computing, allowing attackers to execute AI workloads without the protection of the TEE. This has significant implications for the security of sensitive data and applications.
These findings come on the heels of two other recent attacks targeting TEEs, namely Battering RAM and WireTap. In contrast to these attacks, which focus on systems using DDR4 memory, TEE.Failure is the first to be successfully demonstrated against DDR5, rendering it a more significant threat to the latest hardware security protections from Intel and AMD.
The study revealed that the AES-XTS encryption mode employed by Intel and AMD is deterministic, making it vulnerable to physical memory interposition attacks. In a hypothetical attack scenario, an adversary could leverage custom equipment to record memory traffic between the computer and DRAM, allowing them to observe memory contents during read and write operations and ultimately facilitating a side-channel attack.
This vulnerability can be exploited to extract data from confidential virtual machines (CVMs), including the ECDSA attestation keys of Intel’s Provisioning Certification Enclave (PCE), which are the keys needed to break SGX and TDX attestation. The researchers noted that this could allow attackers to pretend that data and code are being executed within a CVM when, in reality, they are not, letting them read sensitive data and return incorrect output while faking a successful attestation.
The study also emphasized that SEV-SNP with Ciphertext Hiding does not address the issues associated with deterministic encryption and does not prevent physical bus interposition. Consequently, the attack facilitates the extraction of private signing keys from OpenSSL’s ECDSA implementation, highlighting the inadequacy of current security measures.
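The property the two preceding paragraphs rely on, that AES-XTS is deterministic, is easy to see in code. The following Go program is an added example and is not code from the researchers or from Intel or AMD: it implements AES-XTS (IEEE 1619, whole blocks only) on top of the standard library's crypto/aes, uses a constructed key, and simplifies the tweak to the 64-bit line address (real memory controllers derive the tweak from the physical address in a vendor-specific way that this example does not reproduce). It then models what a passive bus observer sees: with no key at all, identical ciphertext on the same line reveals that the same plaintext was written there again, which is the equality leak that Ciphertext Hiding does not remove.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// mulAlpha multiplies the 128-bit tweak by x in GF(2^128) (IEEE 1619 byte order).
func mulAlpha(t *[16]byte) {
	var carry byte
	for i := 0; i < 16; i++ {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// xtsCrypt applies AES-XTS to a whole number of 16-byte blocks. Memory lines are
// block-aligned, so ciphertext stealing is not needed. key is key1||key2 and
// tweak is the data-unit number, here simplified to the line address.
func xtsCrypt(key []byte, tweak uint64, in []byte, decrypt bool) ([]byte, error) {
	if len(key) != 32 && len(key) != 64 {
		return nil, errors.New("XTS key must be 32 or 64 bytes (two AES keys)")
	}
	if len(in)%aes.BlockSize != 0 {
		return nil, errors.New("input must be a whole number of 16-byte blocks")
	}
	half := len(key) / 2
	data, err := aes.NewCipher(key[:half])
	if err != nil {
		return nil, err
	}
	tw, err := aes.NewCipher(key[half:])
	if err != nil {
		return nil, err
	}
	var t [16]byte
	binary.LittleEndian.PutUint64(t[:8], tweak)
	tw.Encrypt(t[:], t[:]) // T = E_K2(tweak): same address, same T, every time
	out := make([]byte, len(in))
	var x [16]byte
	for off := 0; off < len(in); off += aes.BlockSize {
		for i := range x {
			x[i] = in[off+i] ^ t[i]
		}
		if decrypt {
			data.Decrypt(x[:], x[:])
		} else {
			data.Encrypt(x[:], x[:])
		}
		for i := range x {
			out[off+i] = x[i] ^ t[i]
		}
		mulAlpha(&t) // block j uses T * alpha^j
	}
	return out, nil
}

// MemWrite is one write as a bus interposer sees it: the line address and the
// 64 bytes of ciphertext that actually crossed the DDR bus.
type MemWrite struct {
	Addr uint64
	Line []byte
}

// repeatedCiphertexts groups writes by (address, ciphertext) and keeps only the
// groups that repeat. No key is involved: this is exactly what determinism leaks.
func repeatedCiphertexts(trace []MemWrite) map[string][]int {
	groups := map[string][]int{}
	for i, w := range trace {
		k := fmt.Sprintf("%x:%s", w.Addr, hex.EncodeToString(w.Line))
		groups[k] = append(groups[k], i)
	}
	for k, idx := range groups {
		if len(idx) < 2 {
			delete(groups, k)
		}
	}
	return groups
}

// demoKey returns a constructed 32-byte AES-128-XTS key (not a real key).
func demoKey() []byte {
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i * 7)
	}
	return key
}

// constructedTrace builds a constructed sample trace: one fixed "secret" line is
// written to address 0x1000 three times, interleaved with a changing counter
// written to address 0x1040.
func constructedTrace(key []byte) ([]MemWrite, error) {
	secret := make([]byte, 64)
	copy(secret, "constructed secret line")
	var trace []MemWrite
	for i := 0; i < 3; i++ {
		c, err := xtsCrypt(key, 0x1000, secret, false)
		if err != nil {
			return nil, err
		}
		trace = append(trace, MemWrite{0x1000, c})
		counter := make([]byte, 64)
		binary.LittleEndian.PutUint64(counter, uint64(i))
		c2, err := xtsCrypt(key, 0x1040, counter, false)
		if err != nil {
			return nil, err
		}
		trace = append(trace, MemWrite{0x1040, c2})
	}
	return trace, nil
}

func main() {
	trace, err := constructedTrace(demoKey())
	if err != nil {
		panic(err)
	}
	for k, idx := range repeatedCiphertexts(trace) {
		fmt.Printf("writes %v carried identical ciphertext (%s...)\n", idx, k[:24])
	}
}
```

Running it reports that the three writes of the secret line are indistinguishable on the bus and identical to one another, while the counter writes all differ. The observer never decrypts anything; it only compares ciphertexts, which is why a cheap passive interposer is enough. Changing the tweak (a different address) or the key changes the ciphertext, but within one boot the same value at the same address always looks the same, and no software-level patch changes that: the mitigation is a different encryption design that adds freshness or integrity per line, which is the trade-off memory encryption has historically avoided for cost and latency reasons.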