TL;DR: Two independent teams of university researchers have unveiled separate methods for bypassing the protections that Intel and AMD promote as critical defenses for securing cloud workloads. Disclosed in peer-reviewed papers, the attacks exploit fundamental design decisions in how both companies encrypt data moving between a processor and its working memory.
Intel's Software Guard Extensions and AMD's Secure Encrypted Virtualization with Secure Nested Paging have long been marketed as "trusted execution environments" designed to isolate sensitive operations. These enclaves underpin confidential computing, forming the basis for security assurances in encrypted messaging applications and even blockchain platforms. Over the years, however, repeated academic studies have highlighted weaknesses in their guarantees.
The latest findings deepen those concerns. A team led by KU Leuven doctoral researcher Jesse De Meulemeester presented what they call Battering RAM, while a parallel group including Daniel Genkin, associate professor of computer science at the University of Michigan, detailed an attack named Wiretap. Developed independently, both sets of work expose the same underlying vulnerability: Intel and AMD's choice to adopt deterministic encryption for protecting memory contents.
Deterministic encryption produces the same ciphertext each time an identical piece of data is stored in memory. While this consistency makes large-scale memory encryption feasible, it removes protections against replay and correlation attacks.
"Intel and AMD opted for deterministic encryption without integrity or freshness to keep encryption scalable," De Meulemeester said. "That choice enables low-cost physical attacks like ours." Genkin agreed, describing the trade-off as one that improved performance as Intel expanded SGX from client processors to servers but that "came at the expense of security."
Both research teams demonstrated that adversaries who can place inexpensive hardware interposers between the CPU and memory could exploit deterministic encryption to bypass enclave protections.
Battering RAM relies on an interposer built with an analog switch costing less than $50. By manipulating how memory addresses are mapped, the device creates "aliasing" that allows attackers to capture encrypted data and replay it at will. Since SGX uses a single key for all protected RAM, an attacker can inject data of their choosing, extract secrets such as provisioning keys, and compromise the attestation process designed to prove an enclave's integrity to external parties.
In AMD's SEV-SNP, which employs per-VM keys, Battering RAM cannot directly replay ciphertext. Instead, the researchers showed that outdated attestation reports can be replayed, allowing manipulated virtual machines to be falsely certified as legitimate. In either case, the technique undermines a core assurance of both Intel and AMD designs, enabling data manipulation and integrity subversion.
The Wiretap attack, published by Genkin and his collaborators, is more expensive to execute but carries broader implications. Using an interposer costing between $500 and $1,000, the researchers demonstrated how to passively decrypt data inside SGX enclaves. They built dictionaries mapping common encrypted values used in the Elliptic Curve Digital Signature Algorithm to reconstruct protected keys.
Unlike Battering RAM, Wiretap enables long-term surveillance, allowing attackers to remain undetected while exfiltrating secrets.
Intel and AMD published advisories in response but did not provide substantive technical answers. AMD declined to comment further, while Intel did not respond to requests for additional details beyond its posted security note. Both companies have historically emphasized that their enclaves are not designed to withstand physical hardware attacks using interposers, even though cloud providers often market enclave-based protections as reliable safeguards against a wide range of threats.
De Meulemeester and Genkin acknowledge that physical access requirements and DDR4 memory limitations restrict the scope of these attacks, but they stress the urgency of the broader lesson. Both researchers argue that the only long-term solution is to move away from deterministic encryption and incorporate protections for data integrity and freshness. However, implementing such changes would require significant hardware redesign and present scaling challenges for systems that encrypt terabytes of memory.
Neither Battering RAM nor Wiretap affects newer DDR5 memory, which operates at higher speeds and uses different signaling. This means Intel's newer Trust Domain Extensions, which support only DDR5, remain unaffected. Still, for current deployments based on SGX and SEV-SNP, the research underscores how existing protections can be silently bypassed by a motivated adversary.
As Genkin summarized, "The papers are two sides of the same coin." Both studies demonstrate that the very design choices enabling confidential computing at scale also introduce fundamental weaknesses – weaknesses that service providers and the customers who depend on them must now confront.
Image credit: Ars Technica
Trusted enclaves from Intel and AMD shown vulnerable to physical attacks
