A team of academic researchers from Georgia Tech, Purdue University, and Synkhronix has developed TEE.Fail, a practical side-channel method that can extract secrets from processor-based trusted execution environments, including Intel SGX, Intel TDX, AMD SEV-SNP, and Ciphertext Hiding. The technique uses inexpensive, off-the-shelf electronics to inspect DDR5 memory traffic, exposing weaknesses in current CPU TEE protections.
How the attack works
The researchers built a physical interposition device, costing under $1,000, that sits on the server memory bus and records DDR5 traffic. By observing reads and writes between the processor and DRAM, the device creates a side channel that leaks sensitive information. The study shows this is possible despite modern protections, because the AES-XTS encryption mode used by Intel and AMD is deterministic, and therefore insufficient to prevent physical memory interposition attacks.
What the researchers demonstrated
- Extraction of cryptographic keys from Intel TDX and AMD SEV-SNP with Ciphertext Hiding, including some attestation keys from patched, trusted machines.
- Recovery of ECDSA attestation keys from Intel’s Provisioning Certification Enclave, keys that are used to prove code or data is running inside a confidential virtual machine, CVM. If those keys are obtained, an attacker can fake attestation, read confidential data, and return forged outputs while appearing legitimate.
- Compromise of Nvidia GPU confidential computing, by using extracted attestation keys to run AI workloads without TEE protections.
- Extraction of private signing keys from OpenSSL’s ECDSA implementation, even when the code is constant-time and Ciphertext Hiding is enabled, demonstrating those measures do not prevent bus interposition attacks.
Why DDR5 matters, context
TEE.Fail is notable because it targets DDR5 memory, making it the first demonstrated physical bus interposition attack against systems using DDR5. Previous public attacks, such as Battering RAM and WireTap, focused on DDR4. The shift to DDR5 does not eliminate the physical threat, and deterministic encryption modes leave systems vulnerable.
Impact and implications
If exploited, TEE.Fail can undermine the core security guarantees of CPU TEEs, allowing attackers to pretend code and data are inside a CVM when they are not, read protected data, and manipulate outputs while still passing attestation. This affects cloud confidentiality models, AI workloads that rely on GPU confidentiality, and any system relying on attested TEEs for secrecy.
Mitigations and vendor response
Researchers recommend software-level countermeasures to avoid deterministic encryption patterns, however these changes may be costly to implement. Both AMD and Intel reiterated that physical, direct memory bus attacks are out of scope for their threat models, and neither announced immediate hardware mitigations.
