A group of researchers has presented TEE.fail, an attack that extracts keys and other secrets from the protected memory regions of Intel (SGX, TDX) and AMD (SEV-SNP) processors. These regions, known as Trusted Execution Environments (TEEs), are isolated from the operating system and hypervisor and are meant for running sensitive code and holding cryptographic keys.
Researchers from the Georgia Institute of Technology and Purdue University have demonstrated that modern TEE implementations are not as robust as their vendors promise. The root of the problem is the move to server-grade hardware with DDR5 memory: on those parts, memory integrity protection and anti-replay mechanisms were dropped for the sake of performance, leaving only AES-XTS encryption.
Carrying out TEE.fail requires physical access to the target machine, plus root privileges on the host so that a modified kernel driver can be loaded.
Overall, TEE.fail resembles the recently disclosed WireTap and Battering RAM attacks, which also place a hardware interposer on the memory bus to get at data in memory. However, WireTap and Battering RAM only worked against DDR4 memory, whereas TEE.fail targets DDR5.
In practice, the attack amounts to eavesdropping on the DDR5 memory bus. For the experiment, the researchers built an interposer costing less than a thousand US dollars, placed it between the memory module and the motherboard, and fed its signals to their own logic analyzer. By lowering the memory frequency to 3200 MT/s, a rate the analyzer could sample, they were able to read the encrypted blocks the TEE wrote to and read from memory.
The researchers also modified the Linux kernel's SGX driver to learn the mapping from virtual to physical addresses, and forced the enclave to write to the same memory location over and over. This confirmed that the AES-XTS memory encryption is deterministic: with no freshness or integrity information mixed in, the same plaintext at the same physical address always produces the same ciphertext, and the ciphertext changes only when the plaintext does. That turns the encrypted bus traffic into a side channel. By building a lookup table of the ciphertexts observed for known values at a given address, an attacker can read secret values written to that address later, which is how the researchers extracted cryptographic keys.
In the end, the researchers used a leaked ECDSA nonce together with the corresponding public signature to reconstruct the private signing key, which let them forge SGX and TDX attestations and impersonate genuine TEEs. The same approach recovered signing keys from OpenSSL running inside a virtual machine protected by AMD SEV-SNP, even with Ciphertext Hiding enabled: that feature stops the hypervisor from reading guest ciphertext through software, but an interposer reads it straight off the bus.
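To make concrete why a single leaked nonce is fatal, here is an added example, written for this page and not code from the TEE.fail researchers, that signs a message with ECDSA over P-256 using a known nonce and then solves for the private key from the signature and that nonce. The curve constants are the standard NIST P-256 parameters; the private key, message and nonce are constructed for the demonstration, and the pure-Python point arithmetic is kept simple rather than constant-time.

```python
"""Added example: ECDSA private-key recovery from a leaked nonce.

Pure-Python P-256 arithmetic with no third-party dependencies. The private
key, message and nonce below are constructed for the demonstration.
"""
import hashlib

# NIST P-256 (secp256r1) domain parameters: field prime, curve coefficient a,
# group order and base point (b is not needed for the arithmetic below).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (
    0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
    0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5,
)


def _add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return x3, y3


def _mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, point)
        point = _add(point, point)
        k >>= 1
    return acc


def _hash_to_int(msg):
    """SHA-256 of the message as an integer mod N (the z in the ECDSA equations)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def ecdsa_sign(d, msg, k):
    """Sign msg under private key d with the caller-supplied nonce k.

    A real signer draws k freshly at random per signature; taking it as a
    parameter lets the recovery below be checked against a known value.
    """
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (_hash_to_int(msg) + r * d) % N
    return r, s


def ecdsa_verify(pub, msg, sig):
    """Standard ECDSA verification: x(u1*G + u2*Q) mod N must equal r."""
    r, s = sig
    w = pow(s, -1, N)
    z = _hash_to_int(msg)
    point = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return point is not None and point[0] % N == r


def recover_private_key(msg, sig, k):
    """Solve the signing equation s = k^-1 (z + r*d) mod N for d.

    Rearranged: d = (s*k - z) * r^-1 mod N. One signature plus its nonce is
    enough; this is the step that turns a leaked nonce into the signing key.
    """
    r, s = sig
    z = _hash_to_int(msg)
    return (s * k - z) * pow(r, -1, N) % N


def demo():
    """Sign with a constructed key and nonce, then recover the key."""
    # Constructed demo secrets, derived from fixed strings so the run repeats.
    d = int.from_bytes(hashlib.sha256(b"constructed demo private key").digest(), "big") % N
    k = int.from_bytes(hashlib.sha256(b"constructed leaked nonce").digest(), "big") % N
    msg = b"constructed attestation report body"
    pub = _mul(d, G)
    sig = ecdsa_sign(d, msg, k)
    assert ecdsa_verify(pub, msg, sig)
    return d, recover_private_key(msg, sig, k)


if __name__ == "__main__":
    d, recovered = demo()
    print("private key recovered:", d == recovered)
```

The recovery needs no curve operations at all, only modular arithmetic on the signature values, which is why the attacker does not have to understand the enclave's signing code: observing the nonce as it passes through memory is sufficient, and every future signature by that key, including attestation quotes, can then be forged offline.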
In addition, during their tests the researchers were able to:
- forge TDX attestation in Ethereum BuilderNet and gain access to confidential data and transaction keys;
- forge Intel and Nvidia attestation so that code running outside the TEE still appears legitimate;
- extract ECDH private keys directly from enclaves, recover the network master key, and completely break confidentiality.
They also attacked a Xeon-based server and obtained its Provisioning Certification Key (PCK), the Intel-certified key that signs the platform's attestation key and so anchors the trust in every quote the machine produces.
The researchers notified Intel of the issues in April, Nvidia in June, and AMD in August. All three companies acknowledged the vulnerabilities and stated that they are working on mitigations. AMD later published a separate bulletin saying it does not plan to release patches, because attacks that require physical access fall outside the threat model for its products.