New TEE.Fail Attack: Exploiting Intel and AMD Security Enclaves Through DDR5 Memory Vulnerabilities

New TEE.Fail Side-Channel Attack Compromises Intel and AMD's Most Advanced Security Enclaves
Researchers have demonstrated a new physical side-channel attack, TEE.Fail, that extracts secrets from the trusted execution environments (TEEs) of current Intel and AMD processors fitted with DDR5 memory, undermining a core assumption of hardware-based confidential computing.
The attack, built by researchers from Georgia Tech, Purdue University, and Synkhronix, defeats the protections of Intel's Software Guard eXtensions (SGX) and Trust Domain Extensions (TDX) as well as AMD's Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP). It is the first demonstrated memory-bus interposition attack against TEEs backed by DDR5, which had been assumed to be considerably harder to intercept than DDR4.
How the attack works
TEE.Fail uses a custom interposer built from off-the-shelf electronic components for under $1,000. Placed between the CPU and a DIMM, it passively records every transfer on the memory bus. The attacker sees only ciphertext, because both vendors encrypt enclave and confidential-VM memory, but the ciphertext alone turns out to leak enough.
The researchers found that both Intel's and AMD's DDR5 memory encryption uses AES-XTS, a deterministic mode: the same plaintext written to the same physical address always produces the same ciphertext, and nothing binds a write to a counter or timestamp. An observer on the bus cannot read values directly, but it can tell when a location takes a value it has held before. That equality oracle is enough to recover secrets from code whose memory writes depend on them, including the signing keys used for attestation, the mechanism that proves code and data are executing inside a genuine enclave or confidential VM.
"As attestation is the mechanism used to prove that data and code are actually executed in a CVM (Confidential Virtual Machine), this means that we can pretend that your data and code is running inside a CVM when in reality it is not," the researchers explained. "We can read your data and even provide you with incorrect output, while still faking a successfully completed attestation process."
The attack works against fully patched systems in their shipped configuration. Among other things the team extracted the attestation signing keys of Intel's Provisioning Certification Enclave (PCE), the enclave that certifies the keys used to sign SGX and TDX attestation quotes. With those keys an attacker can produce attestation evidence for code that never ran inside an enclave, and verifiers have no way to tell the difference.
The same forged host attestation reaches Nvidia's GPU Confidential Computing, whose deployment model depends on a trustworthy confidential VM on the host: an attacker can run an AI workload with no TEE protection at all while presenting it as a confidential workload. Given how much of the confidential-computing roadmap is built around AI, this is a serious escalation in the contest between attackers and the vendors and researchers defending these environments.
Technical aspects of the exploit
TEE.Fail targets the memory bus between the processor and the DRAM modules rather than any software interface, so it sits beneath the operating system, the hypervisor, and the enclave or CVM boundary itself; no software security control on the machine can see it.
The interposer does not break the encryption and does not rely on timing or power measurement. It records ciphertext. Because the encryption is deterministic, the sequence of ciphertexts written to a given address reveals exactly when the plaintext there changes and when it returns to an earlier value. Cryptographic code that writes secret-dependent intermediate values to memory leaks through that pattern even when its instruction timing is perfectly constant, and it is this ciphertext side channel that the researchers used to recover the attestation keys. Organizations deploying confidential computing need to treat this class of hardware-level leak as part of their threat model rather than assuming the processor's built-in countermeasures cover it.
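To make the deterministic-encryption point concrete, the following Go program is an added illustration written for this page; it is not code from the TEE.Fail researchers, Intel, or AMD. It models a memory encryption engine that encrypts 64-byte cache lines with AES-XTS, using the physical address as the tweak, and a passive bus observer that sees only ciphertext. The victim writes a secret-dependent value to one address, and the observer classifies every write by comparing it with the ciphertext of a single known write (the zero-initialization). A second function repeats the experiment under a scheme that folds a per-write counter into the nonce (AES-GCM here, standing in for the freshness-based mitigations discussed at the end of the article) to show why identical plaintexts then stop colliding on the bus. The keys, the line size, the address value, and the all-zero/all-ones encoding of the secret bit are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Illustration only: the 64-byte line size, the address-as-tweak layout and
// the random keys are assumptions, not the vendors' actual engine design.

// mulAlpha multiplies a 128-bit tweak by alpha in GF(2^128), the XTS tweak
// update applied between consecutive 16-byte blocks of one data unit.
func mulAlpha(t []byte) {
	var carry byte
	for i := 0; i < 16; i++ {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// xtsEncryptLine encrypts one cache line with AES-XTS, using the physical
// address as the tweak. There is no per-write freshness, so the same
// plaintext at the same address always yields the same ciphertext.
func xtsEncryptLine(k1, k2 cipher.Block, physAddr uint64, line []byte) []byte {
	tweak := make([]byte, 16)
	binary.LittleEndian.PutUint64(tweak, physAddr)
	k2.Encrypt(tweak, tweak) // T = AES_K2(address)
	out := make([]byte, len(line))
	for j := 0; j < len(line)/16; j++ {
		blk := out[j*16 : j*16+16]
		for b := range blk {
			blk[b] = line[j*16+b] ^ tweak[b]
		}
		k1.Encrypt(blk, blk) // C = AES_K1(P xor T) xor T
		for b := range blk {
			blk[b] ^= tweak[b]
		}
		mulAlpha(tweak)
	}
	return out
}

func newBlock() cipher.Block {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return c
}

// RecoverBitsFromBus plays the interposer. The victim writes an all-zero line
// for bit 0 and an all-ones line for bit 1 to a fixed address; the observer
// only ever sees ciphertext. One known write (the zero-initialization) is
// enough to label every later write, because encryption is deterministic.
func RecoverBitsFromBus(secret []int) []int {
	k1, k2 := newBlock(), newBlock()
	const addr = 0x7f3a_1000 // assumed physical address of the victim's variable
	zeroLine := make([]byte, 64)
	oneLine := bytes.Repeat([]byte{0xff}, 64)

	known := xtsEncryptLine(k1, k2, addr, zeroLine) // captured known-plaintext write
	recovered := make([]int, 0, len(secret))
	for _, bit := range secret {
		pt := zeroLine
		if bit == 1 {
			pt = oneLine
		}
		ct := xtsEncryptLine(k1, k2, addr, pt) // what the interposer captures
		if bytes.Equal(ct, known) {
			recovered = append(recovered, 0)
		} else {
			recovered = append(recovered, 1)
		}
	}
	return recovered
}

// DistinctCiphertextsWithFreshness writes the same plaintext to the same
// address `writes` times under a scheme whose nonce is address || write
// counter. Equality on the bus then tells the observer nothing.
func DistinctCiphertextsWithFreshness(writes int) int {
	gcm, err := cipher.NewGCM(newBlock())
	if err != nil {
		panic(err)
	}
	const addr = 0x7f3a_1000
	seen := map[string]bool{}
	for ctr := uint32(0); ctr < uint32(writes); ctr++ {
		nonce := make([]byte, gcm.NonceSize()) // 12 bytes: 8 of address, 4 of counter
		binary.LittleEndian.PutUint64(nonce, addr)
		binary.LittleEndian.PutUint32(nonce[8:], ctr)
		ct := gcm.Seal(nil, nonce, make([]byte, 64), nil)
		seen[string(ct)] = true
	}
	return len(seen)
}

func main() {
	secret := []int{1, 0, 1, 1, 0, 0, 1}
	fmt.Println("secret bits   :", secret)
	fmt.Println("recovered bits:", RecoverBitsFromBus(secret))
	fmt.Println("distinct ciphertexts for 8 identical fresh writes:",
		DistinctCiphertextsWithFreshness(8))
}
```

Run it with `go run`: the deterministic variant recovers every secret bit without the observer ever holding a key, while the freshness variant turns eight identical writes into eight different ciphertexts. The real attack is the same idea applied to the memory traffic of signing code, where the values that repeat or change are nonce- and key-dependent intermediates.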
Broader implications for secure computing
This development comes shortly after two other TEE attacks were disclosed—Battering RAM and WireTap—which targeted DDR4-based systems. TEE.Fail extends this threat to the latest hardware security implementations, suggesting that current approaches to hardware-based security need fundamental reassessment.
The researchers ran their experiments against OpenSSL's constant-time cryptographic code and with AMD's Ciphertext Hiding enabled. Ciphertext Hiding stops a hypervisor from reading guest ciphertext through ordinary software memory accesses; it does nothing against a probe sitting on the DRAM bus, and constant-time code controls instruction timing, not which values get written to memory. Defenses designed for a software-only adversary do not carry over to physical access.
"Importantly, OpenSSL's cryptographic code is fully constant-time and our machine had Ciphertext Hiding enabled, thus showing these features are not sufficient to mitigate bus interposition attacks," the researchers noted.
The implications are not confined to servers. Any TEE that relies on deterministic memory encryption without integrity or freshness, and whose DRAM bus is physically reachable, is exposed to an adapted version of this attack; how practical that is on mobile, IoT, and embedded devices depends largely on how their memory is packaged. Closing the physical access vector will require architectural changes rather than software patches.
Impact on confidential computing
The confidential computing market has been growing rapidly, with major cloud providers offering services built on these trusted execution technologies. The TEE.Fail attack raises serious questions about the security guarantees these services can realistically provide.
For organizations using cloud security solutions for sensitive data, this research highlights the importance of layered security approaches that don't rely exclusively on hardware-based protections. Confidential computing environments should be supplemented with additional security controls, including rigorous access management, network segmentation, and continuous monitoring for unusual activities.
Industry response
Both AMD and Intel have acknowledged the research but indicated they have no immediate plans to address it. Both companies maintain that attacks requiring physical access to the hardware fall outside the threat model of their trusted execution environments.
That position is consistent with the vendors' published security models, but it sits awkwardly with how these technologies are sold: confidential computing is marketed precisely for environments where the customer cannot vouch for physical security, such as a multi-tenant cloud facility.
Security experts from the SANS Institute have begun recommending organizations reassess their threat models if they rely heavily on TEE technologies for protecting highly sensitive operations, especially in scenarios where physical access cannot be completely restricted.
Practical applications for readers
For users and organizations relying on TEEs for sensitive operations, this research suggests several important actions:
- Reassess physical security measures for systems processing highly sensitive information, as physical access now presents a more significant threat
- Consider implementing additional software-based security layers to complement hardware protection, especially for cryptographic operations
- Evaluate cloud computing providers' physical security protocols if using confidential computing services
- Stay informed about potential firmware updates that might address some aspects of these vulnerabilities
Organizations should conduct a thorough risk assessment of their confidential computing deployments, focusing particularly on the physical security controls surrounding systems processing highly sensitive information.
Future of hardware security
The TEE.Fail research highlights a fundamental tension between performance and protection. Encryption with integrity and freshness costs memory bandwidth and capacity; earlier SGX implementations on client processors paid that cost with an integrity tree, and that protection was dropped on server parts to scale to large enclave and CVM memory. The researchers note that software-only countermeasures could mitigate some of the leakage but would likely carry significant performance penalties of their own.
This discovery might trigger a shift in how the industry approaches trusted execution environments, potentially pushing toward more sophisticated encryption schemes or even fundamentally different architectural approaches to securing sensitive computations.
As hardware-based security underpins everything from financial transactions to healthcare data protection, these findings are a sobering reminder that the guarantees it offers are narrower, and more fragile, than they were widely understood to be.
Potential future mitigations
Processor manufacturers could respond to these findings with several technical countermeasures:
- Memory encryption with per-write freshness (a counter folded into the tweak, or an authenticated mode with a per-write nonce), so that identical plaintext written to the same address does not repeat on the bus
- Physical tamper detection able to notice an interposer on the memory bus
- Memory access obfuscation (ORAM-style techniques) that masks which addresses are read and written
- Integrity and replay protection, such as a MAC or integrity tree over memory, so that manipulation and replay of lines are detected rather than silently accepted
Until such improvements are implemented, organizations should maintain a defense-in-depth approach that doesn't rely exclusively on hardware security features for their most sensitive operations.