Cyber Security News

New TEE.fail Attack Breaks Trusted Environments to Exfiltrate Secrets from Intel and AMD DDR5 Environments

A newly disclosed attack undermines the confidentiality guarantees of trusted execution environments on current Intel and AMD server platforms.

Researchers from Georgia Tech, Purdue University, and van Schaik LLC have unveiled TEE.fail, a sophisticated attack methodology that exploits weaknesses in DDR5 memory bus interposition to extract sensitive cryptographic keys from supposedly secure environments.

This discovery represents the first successful demonstration of memory bus interposition attacks on DDR5-based systems, affecting Intel SGX, TDX, and AMD SEV-SNP implementations running on the latest server hardware.

The attack leverages a shift in trusted execution environment design: manufacturers moved from client-oriented hardware whose memory encryption also provided integrity and replay protection to server-grade implementations that protect memory with deterministic AES-XTS encryption alone.

Unlike earlier SGX implementations, which maintained a Merkle tree over enclave memory to detect modification and replay, current server TEEs drop that machinery and prioritize performance and scalability over those guarantees.

This trade-off supports terabytes of protected memory at lower latency, but it also means the ciphertext on the memory bus is a fixed function of the plaintext and the location it is stored at, which is exactly what TEE.fail observes through physical memory bus monitoring.
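To make the trade-off concrete, the following is an added example written for this article, not code from the TEE.fail researchers, Intel or AMD. It models a memory encryption engine as AES-XTS keyed on the physical address, using Go's standard-library AES, and shows two consequences: the same plaintext at the same address always puts the same ciphertext on the bus (the write 0x00 / 0xFF / 0x00 sequence of the enclave experiment shown further down this page), and an observer who can make the enclave write known values to a location can build a codebook and read later secret writes off the bus without ever learning the key. The type and function names, the 16-byte data unit, the use of the raw physical address as the tweak and the fixed keys are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// MemEngine is a toy model of a deterministic AES-XTS memory encryption
// engine built on the standard library's AES block cipher. Assumptions not
// taken from the article: a 16-byte data unit, the physical address written
// directly into the XTS tweak, and a hard-coded key pair. Real engines differ
// in unit size and tweak derivation; the property shown (one ciphertext per
// (address, plaintext) pair, with no integrity or freshness check) does not.
type MemEngine struct {
	k1, k2 [16]byte // k1 encrypts data, k2 encrypts the tweak (IEEE 1619)
}

// NewMemEngine uses fixed demo keys; a real engine draws fresh keys at boot.
func NewMemEngine() MemEngine {
	var e MemEngine
	for i := range e.k1 {
		e.k1[i], e.k2[i] = byte(i), byte(0xA0+i)
	}
	return e
}

// tweak computes T = AES_k2(addr): the same plaintext encrypts differently at
// different addresses, but identically every time at the same address.
func (e MemEngine) tweak(addr uint64) [16]byte {
	var t [16]byte
	binary.LittleEndian.PutUint64(t[:8], addr)
	c, _ := aes.NewCipher(e.k2[:])
	c.Encrypt(t[:], t[:])
	return t
}

// xex applies the XTS transform to one unit: out = E(in xor T) xor T, with E
// being AES_k1 encryption or decryption. No nonce, counter or MAC is involved,
// so any 16 bytes "decrypt" without error.
func (e MemEngine) xex(addr uint64, in [16]byte, decrypt bool) [16]byte {
	t := e.tweak(addr)
	c, _ := aes.NewCipher(e.k1[:])
	var x [16]byte
	for i := range x {
		x[i] = in[i] ^ t[i]
	}
	if decrypt {
		c.Decrypt(x[:], x[:])
	} else {
		c.Encrypt(x[:], x[:])
	}
	for i := range x {
		x[i] ^= t[i]
	}
	return x
}

func (e MemEngine) Encrypt(addr uint64, p [16]byte) [16]byte  { return e.xex(addr, p, false) }
func (e MemEngine) Decrypt(addr uint64, ct [16]byte) [16]byte { return e.xex(addr, ct, true) }

func fill(b byte) (p [16]byte) {
	for i := range p {
		p[i] = b
	}
	return p
}

// IsDeterministic mirrors the enclave experiment on this page: write 0x00,
// 0xFF, 0x00 to one address and compare the three ciphertexts seen on the bus.
func IsDeterministic(e MemEngine, addr uint64) bool {
	c1, c2, c3 := e.Encrypt(addr, fill(0x00)), e.Encrypt(addr, fill(0xFF)), e.Encrypt(addr, fill(0x00))
	return c1 == c3 && c1 != c2
}

// RecoverByte turns determinism into a codebook without knowing the key: if
// the attacker can make the enclave write each candidate value to addr (the
// controlled-channel step), it records the bus ciphertext for each one, and a
// later write of an unknown byte there is read off by lookup. Returns -1 if
// the observed ciphertext is not in the codebook (e.g. a different address).
func RecoverByte(e MemEngine, addr uint64, observed [16]byte) int {
	codebook := make(map[[16]byte]int, 256)
	for v := 0; v < 256; v++ {
		var p [16]byte
		p[0] = byte(v) // one secret byte; the remaining bytes are known to be zero
		codebook[e.Encrypt(addr, p)] = v
	}
	if v, ok := codebook[observed]; ok {
		return v
	}
	return -1
}

func main() {
	e := NewMemEngine()
	var secret [16]byte
	secret[0] = 0x42 // the value the enclave writes; the observer only sees its ciphertext
	fmt.Println(IsDeterministic(e, 0x1000), RecoverByte(e, 0x1000, e.Encrypt(0x1000, secret)))
}
```

Run it with `go run`. The codebook lookup returns -1 when the ciphertext came from a different address, which is why the attack has to pin the victim data to a known location and why the controlled-channel step matters. Nothing in this model rejects a forged or stale ciphertext either: Decrypt accepts any 16 bytes, which is the integrity and replay gap that the Merkle tree in client SGX closed.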

TEE.fail researchers noted that the attack can be executed for under $1,000 using readily available hobbyist equipment from secondhand markets.

The research team demonstrated successful key extraction from machines whose Intel attestation reported the fully trusted “UpToDate” TCB status, highlighting that a clean attestation status offers no protection against this physical attack vector.

Probe isolation networks, DDR5 RDIMM interposer and logic analyzer connecting pods (Source: TEE.fail)

The implications extend beyond theoretical vulnerabilities, as the researchers successfully extracted provisioning certification keys (PCK) from production systems and used them to forge arbitrary SGX and TDX attestations.

Memory Bus Interposition Technique

The attack methodology centers on constructing a DDR5 memory interposition probe using components sourced from electronic equipment resellers.

The researchers developed a custom interposer by modifying DDR5 RDIMM riser boards and incorporating probe isolation networks salvaged from decommissioned Keysight test equipment.

The isolation network, consisting of carefully matched resistors, capacitors, and inductors, prevents electrical interference with the target system while enabling memory bus traffic observation.

// Example of deterministic encryption verification. The same plaintext
// stored at the same address must produce the same ciphertext on the bus,
// so the first and third bursts captured by the logic analyzer are expected
// to be identical and the second to differ. global_memory, burst_size,
// uncached_read() and wait_for_logic_analyzer_collection() are enclave-side
// helpers that the article does not show.
#include <string.h>

void ecall_experiment() {
    memset(global_memory, 0x00, burst_size);  // plaintext A
    uncached_read(global_memory);             // force the burst onto the memory bus
    wait_for_logic_analyzer_collection();     // capture the ciphertext of A

    memset(global_memory, 0xFF, burst_size);  // plaintext B
    uncached_read(global_memory);
    wait_for_logic_analyzer_collection();     // capture the ciphertext of B

    memset(global_memory, 0x00, burst_size);  // plaintext A again
    uncached_read(global_memory);
    wait_for_logic_analyzer_collection();     // expect the ciphertext of A again
}

The attack exploits Intel’s use of deterministic AES-XTS encryption combined with precise control over enclave execution timing.

By implementing controlled-channel attacks to pause enclave execution at specific points and utilizing cache thrashing techniques to force memory accesses, researchers achieved synchronized data collection with their logic analyzer setup.

Because the encryption is deterministic, a ciphertext observed on the bus can be matched against the ciphertexts of known plaintext values at the same location. The researchers used this correlation to extract the ECDSA nonce used by Intel’s Provisioning Certification Enclave during signing, and a single leaked nonce is enough to recover the signing key from one signature.
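What an extracted nonce buys the attacker is ordinary ECDSA algebra, shown here as an added example in Go; it is not the researchers' code and does not model how the nonce is read from the bus, only what one leaked nonce gives away. The private key and nonce are constructed from fixed strings so the run is reproducible; they stand in for the PCK and for the per-signature nonce and have nothing to do with real Intel keys. The function names, the message and the use of SHA-256 are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Textbook ECDSA over P-256 with an externally supplied nonce, followed by
// the algebra an attacker applies once that nonce has leaked.
var curve = elliptic.P256()
var order = curve.Params().N

// scalarFromLabel derives a deterministic scalar in [1, n-1] from a label.
// Constructed demo values only; a real key or nonce comes from a CSPRNG.
func scalarFromLabel(label string) *big.Int {
	h := sha256.Sum256([]byte(label))
	v := new(big.Int).SetBytes(h[:])
	v.Mod(v, new(big.Int).Sub(order, big.NewInt(1)))
	return v.Add(v, big.NewInt(1))
}

// hashToInt maps a message to z, the integer that ECDSA actually signs.
func hashToInt(msg []byte) *big.Int {
	h := sha256.Sum256(msg)
	return new(big.Int).SetBytes(h[:])
}

// SignWithNonce computes r = (k*G).x mod n and s = k^-1 (z + r*d) mod n.
// Everything that keeps d secret rests on k never being observable.
func SignWithNonce(d, k, z *big.Int) (r, s *big.Int) {
	x, _ := curve.ScalarBaseMult(k.Bytes())
	r = new(big.Int).Mod(x, order)
	s = new(big.Int).Mul(r, d)
	s.Add(s, z)
	s.Mul(s, new(big.Int).ModInverse(k, order))
	s.Mod(s, order)
	return r, s
}

// RecoverPrivateKey solves the signing equation for d once k is known:
// d = (s*k - z) * r^-1 mod n. One signature with a leaked nonce suffices.
func RecoverPrivateKey(r, s, k, z *big.Int) *big.Int {
	d := new(big.Int).Mul(s, k)
	d.Sub(d, z)
	d.Mul(d, new(big.Int).ModInverse(r, order))
	return d.Mod(d, order)
}

// DemoNonceLeak runs the whole chain: sign with d and k, confirm the
// signature verifies under the genuine public key using crypto/ecdsa, then
// recover d from (r, s, k, z) alone.
func DemoNonceLeak() (sigValid bool, keyRecovered bool) {
	d := scalarFromLabel("constructed demo signing key (stands in for a PCK)")
	k := scalarFromLabel("constructed demo nonce observed on the memory bus")
	msg := []byte("constructed attestation payload")
	z := hashToInt(msg)

	r, s := SignWithNonce(d, k, z)

	qx, qy := curve.ScalarBaseMult(d.Bytes())
	pub := ecdsa.PublicKey{Curve: curve, X: qx, Y: qy}
	digest := sha256.Sum256(msg)
	sigValid = ecdsa.Verify(&pub, digest[:], r, s)

	keyRecovered = RecoverPrivateKey(r, s, k, z).Cmp(d) == 0
	return sigValid, keyRecovered
}

func main() {
	v, rec := DemoNonceLeak()
	fmt.Println("signature verifies:", v, " private key recovered:", rec)
}
```

Verification goes through crypto/ecdsa against the genuine public key, so the signature is a normal P-256 signature; recovery needs only r, s, the message hash and k. This is how a recovered PCK turns into the forged SGX and TDX attestations described earlier on this page.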


Tushar Subhra Dutta

