In a study titled “TEE.fail: Breaking Trusted Execution Environments via DDR5 Memory Bus Interposition,” researchers from Georgia Tech and Purdue University have demonstrated that even the latest Intel and AMD server-grade Trusted Execution Environments (TEEs)—including Intel’s SGX, TDX, and AMD’s SEV-SNP—can be compromised using low-cost hardware tools.
The researchers write, “We show that, contrary to popular belief, bus interposition attacks on DDR5 server memory can be constructed cheaply by hobbyists, using parts easily obtained on e-commerce websites.”
Their experiments showed that confidential virtual machines running on 5th-generation Intel Xeon and AMD Zen 5 processors are vulnerable to physical side-channel attacks on the memory bus that exfiltrate cryptographic material, including attestation keys, from servers whose attestation status reports them as fully trusted.
Earlier, client-oriented generations of Intel SGX protected enclave memory with Merkle-tree-based integrity and replay checks. Server-grade TEEs instead rely on deterministic AES-XTS memory encryption alone, a trade-off made to support large confidential VMs and reduce latency.
This design change, the authors argue, weakens the overall protection model. “Unlike client-based SGX, server TEEs use deterministic AES-XTS for memory encryption, and do not offer Merkle tree-based integrity or replay protections… This degraded protection in turn comes with usability and performance benefits.”
With a custom-built interposer assembled from secondhand components for less than $1,000, the team captured and manipulated DDR5 memory transactions. Because the encryption is deterministic, identical plaintext written to the same physical address always produces the same ciphertext, so an observer on the bus can tell when and where a value changes without knowing the key; and because there is no integrity or replay protection, a previously captured ciphertext can be written back to memory without the CPU detecting it.
“We build a low budget DDR5 interposition setup capable of observing DRAM bus transactions,” the paper states. “Our attack can be done in under $1000 by computer hobbyists using equipment readily available on the secondhand market.”
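To make the two properties concrete, the following is an added example (not code from the paper or from any vendor): a textbook IEEE P1619 AES-XTS implementation over 64-byte lines, with the physical address used as the tweak input. That tweak derivation, the 16-byte keys and the line contents are assumptions for illustration; the real memory encryption engine's key and tweak handling is not described on this page. `Observe` plays the interposer: it never sees a key, yet it can tell identical rewrites from changes, and a replayed stale line decrypts cleanly.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// tweakFor derives the XTS tweak block T = AES_K2(addr) as in IEEE P1619, with the
// 64-bit physical address standing in for the "data unit number" (assumption).
func tweakFor(key2 []byte, addr uint64) [16]byte {
	var unit, t [16]byte
	binary.LittleEndian.PutUint64(unit[:8], addr)
	c, err := aes.NewCipher(key2)
	if err != nil {
		panic(err)
	}
	c.Encrypt(t[:], unit[:])
	return t
}

// mulAlpha multiplies the tweak by x in GF(2^128) (P1619 little-endian convention),
// so consecutive 16-byte blocks of one line get distinct tweaks.
func mulAlpha(t *[16]byte) {
	var carry byte
	for i := range t {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// xts encrypts or decrypts a whole number of 16-byte blocks (a 64-byte cache line
// here); ciphertext stealing for partial blocks is omitted. No MAC, no version tag.
func xts(key1, key2 []byte, addr uint64, in []byte, encrypt bool) []byte {
	if len(in)%aes.BlockSize != 0 {
		panic("xts: input must be a multiple of 16 bytes")
	}
	c, err := aes.NewCipher(key1)
	if err != nil {
		panic(err)
	}
	t := tweakFor(key2, addr)
	out := make([]byte, len(in))
	var blk [16]byte
	for off := 0; off < len(in); off += aes.BlockSize {
		for i := range blk {
			blk[i] = in[off+i] ^ t[i]
		}
		if encrypt {
			c.Encrypt(blk[:], blk[:])
		} else {
			c.Decrypt(blk[:], blk[:])
		}
		for i := range blk {
			out[off+i] = blk[i] ^ t[i]
		}
		mulAlpha(&t)
	}
	return out
}

func XTSEncrypt(key1, key2 []byte, addr uint64, plain []byte) []byte {
	return xts(key1, key2, addr, plain, true)
}

func XTSDecrypt(key1, key2 []byte, addr uint64, ct []byte) []byte {
	return xts(key1, key2, addr, ct, false)
}

// Observations is what a bus interposer learns or achieves without any key.
type Observations struct {
	SameAddrSameCT bool   // rewriting identical plaintext to a line gives identical ciphertext
	DiffAddrDiffCT bool   // the same plaintext at another line looks unrelated (tweak = address)
	ChangeVisible  bool   // a secret-dependent overwrite shows up as a ciphertext change
	ReplayedPlain  []byte // what the CPU reads after a stale ciphertext is written back
}

// Observe runs the experiments over constructed sample lines and a map standing in for DRAM.
func Observe(key1, key2 []byte) Observations {
	const lineA, lineB = uint64(0x1000), uint64(0x1040)
	oldVal := bytes.Repeat([]byte{0x11}, 64) // constructed line contents
	newVal := bytes.Repeat([]byte{0x22}, 64)

	dram := map[uint64][]byte{} // the interposer sees and can rewrite every entry
	ct1 := XTSEncrypt(key1, key2, lineA, oldVal)
	dram[lineA] = ct1 // recorded by the interposer
	ct2 := XTSEncrypt(key1, key2, lineA, oldVal)
	ct3 := XTSEncrypt(key1, key2, lineB, oldVal)
	dram[lineA] = XTSEncrypt(key1, key2, lineA, newVal) // the VM updates the line
	changed := !bytes.Equal(dram[lineA], ct1)

	dram[lineA] = ct1 // replay: no integrity tree, so the stale line is accepted as-is
	return Observations{
		SameAddrSameCT: bytes.Equal(ct1, ct2),
		DiffAddrDiffCT: !bytes.Equal(ct1, ct3),
		ChangeVisible:  changed,
		ReplayedPlain:  XTSDecrypt(key1, key2, lineA, dram[lineA]),
	}
}

func main() {
	fmt.Printf("%+v\n", Observe([]byte("0123456789abcdef"), []byte("fedcba9876543210")))
}
```

The first three flags are the leak the paper's side channel builds on: an attacker who can watch a line flip between two ciphertexts learns when a secret-dependent write happened, even though each ciphertext is opaque. The replayed line is the manipulation half: the CPU decrypts the old value with no error, which a Merkle-tree-protected design would have refused.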
Using their custom DDR5 snooping device, the researchers extracted an Intel Provisioning Certification Key (PCK): the per-platform key, certified by Intel, that endorses the attestation keys used to sign SGX and TDX quotes. Once extracted, the PCK allowed them to forge fully valid attestation reports, effectively impersonating trusted hardware to remote services.
The paper notes: “We breach TDX’s and SGX’s security guarantees by extracting a Provisioning Certification Key (PCK) from a Xeon server in a fully trusted status… Using our PCK we breach BUILDERNET’s use of TDX, violating its confidentiality and integrity.”
This means a malicious operator could create fake attested environments that appear cryptographically genuine to cloud providers and partners.
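Why possession of the PCK is enough: a relying party verifies a quote by walking a signature chain from the report body up to Intel's root, and nothing in that chain distinguishes a quoting enclave from anyone else who holds the PCK and its certificate. The following is an added example, not code from the paper or from Intel's DCAP libraries: a deliberately simplified model of the ECDSA quote chain (three ECDSA P-256 signatures in place of the real X.509 certificates, TCB levels and quote wire format, which are assumptions here). `BuildQuote` is the same code whether run by genuine hardware or by an attacker with the leaked key; `VerifyQuote` accepts both until the PCK is revoked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// Quote is a simplified model of a DCAP ECDSA quote (assumption: real quotes carry
// X.509 certificate chains, TCB info and many more fields; only the trust chain is kept).
type Quote struct {
	ReportBody []byte           // measurements the relying party decides on (MRTD, MRENCLAVE, ...)
	QuoteSig   []byte           // signed by the attestation key (AK)
	AKPub      *ecdsa.PublicKey
	QESig      []byte           // AK public key endorsed by the platform's PCK
	PCKPub     *ecdsa.PublicKey
	PCKCertSig []byte           // PCK public key endorsed by Intel (stands in for the PCK cert chain)
}

func sign(k *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, k, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func marshal(pub *ecdsa.PublicKey) []byte {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	return der
}

// PCKID is the identifier a verifier looks up in revocation data (hypothetical scheme).
func PCKID(pub *ecdsa.PublicKey) string {
	s := sha256.Sum256(marshal(pub))
	return hex.EncodeToString(s[:8])
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// IssuePCKCert models Intel's provisioning step: it endorses a platform's PCK once.
func IssuePCKCert(intelRoot, pck *ecdsa.PrivateKey) []byte {
	return sign(intelRoot, marshal(&pck.PublicKey))
}

// BuildQuote is what a quoting enclave does with its PCK. Anyone holding the PCK and
// its certificate can run exactly this for any report body they like.
func BuildQuote(pck *ecdsa.PrivateKey, pckCert []byte, report []byte) Quote {
	ak := newKey()
	return Quote{
		ReportBody: report,
		QuoteSig:   sign(ak, report),
		AKPub:      &ak.PublicKey,
		QESig:      sign(pck, marshal(&ak.PublicKey)),
		PCKPub:     &pck.PublicKey,
		PCKCertSig: pckCert,
	}
}

// VerifyQuote is the relying party. It can check signatures and revocation only;
// nothing in the chain proves the PCK signature was produced inside genuine hardware.
func VerifyQuote(intelRoot *ecdsa.PublicKey, q Quote, revoked map[string]bool) bool {
	if revoked[PCKID(q.PCKPub)] {
		return false
	}
	return verify(intelRoot, marshal(q.PCKPub), q.PCKCertSig) &&
		verify(q.PCKPub, marshal(q.AKPub), q.QESig) &&
		verify(q.AKPub, q.ReportBody, q.QuoteSig)
}

func main() {
	intel, pck := newKey(), newKey()
	cert := IssuePCKCert(intel, pck)
	genuine := BuildQuote(pck, cert, []byte("MRTD=<measured workload>"))
	forged := BuildQuote(pck, cert, []byte("MRTD=<whatever the attacker claims>")) // pck leaked off the bus
	fmt.Println("genuine accepted:", VerifyQuote(&intel.PublicKey, genuine, nil))
	fmt.Println("forged accepted: ", VerifyQuote(&intel.PublicKey, forged, nil))
	revoked := map[string]bool{PCKID(&pck.PublicKey): true}
	fmt.Println("after revocation:", VerifyQuote(&intel.PublicKey, forged, revoked))
}
```

The practical consequence for a relying party is that signature validity alone says nothing once a PCK has left the platform; the only lever on the verifier side is revocation and TCB status data fetched from the vendor, so verifiers should refresh that data rather than cache it indefinitely.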
The researchers also demonstrated successful attacks against AMD’s SEV-SNP technology—despite its Ciphertext Hiding feature—and against NVIDIA Confidential Computing environments tied to Intel’s TDX ecosystem.
Their attack on AMD systems recovered ECDSA signing keys from OpenSSL running inside SEV-SNP-protected virtual machines. The authors emphasize that “our results impact nearly all server-based TEE implementations with commercially-available hardware at the time of writing.”
The study further illustrates how forged attestation chains could compromise real-world applications such as BuilderNet, Phala Network’s DSTACK SDK, and SECRET Network—all of which rely on TEEs to secure blockchain or AI operations.
By bypassing attestation, attackers could intercept confidential transactions, extract private cryptographic keys, or even host unprotected LLM workloads while falsely claiming NVIDIA Confidential GPU certification.
Following responsible disclosure guidelines, the authors notified Intel (April 2025), NVIDIA (June 2025), and AMD (August 2025) before publishing the paper. The vendors have acknowledged the findings and are “considering releasing statements simultaneously with the public release of this paper.”