New TEE. Fail Side-Channel Attack Extracts Secrets from Intel and AMD DDR5 Secure Enclaves

A new side-channel attack named TEE.Fail has been developed by researchers from Georgia Tech, Purdue University, and Synkhronix. This attack targets trusted execution environments (TEEs) in modern processors, specifically cracking Intel's SGX and TDX, and AMD's SEV-SNP with Ciphertext Hiding. The core innovation lies in using a custom-built interposition device, made from off-the-shelf electronics costing less than $1,000, that physically taps into DDR5 memory traffic on servers. This unprecedented access allows attackers to inspect all data flowing through the DDR5 bus, undermining the security assumptions of these advanced TEEs. Unlike previous attacks focusing on DDR4 memory, such as Battering RAM and WireTap, TEE.Fail is the first demonstrated practical attack on DDR5-based systems. This is a big deal because DDR5 includes newer hardware protections designed to fend off physical memory snooping. The researchers discovered that both Intel and AMD use AES-XTS encryption in a deterministic manner on memory traffic, which unfortunately doesn’t stop this kind of physical interposition attack. By recording and analyzing the memory reads and writes, attackers can extract sensitive keys, including ECDSA attestation keys, from confidential virtual machines running on updated hardware. These attestation keys are critical because they verify that data and code are properly executing within a trusted environment. With these keys leaked, it becomes possible to fake the attestation process, tricking systems into believing malicious code runs securely inside a TEE while actually reading or tampering with data undetected. The implications are broad, as this attack not only breaks CPU TEEs but also compromises Nvidia’s GPU Confidential Computing, allowing attackers to run AI workloads without TEE protections. The researchers also highlighted that even AMD’s SEV-SNP with Ciphertext Hiding can’t fully protect against this threat. Despite OpenSSL’s cryptographic implementations being constant-time and the presence of ciphertext hiding, private signing keys were still extracted through the attack. This shows that current hardware and software countermeasures aren’t enough against this physical side-channel threat. While no evidence suggests that this attack is actively used in the wild, the academic team recommends implementing software-based mitigations against deterministic encryption, though these could be costly and complex. In response, AMD stated that physical vector attacks like TEE.Fail are out of scope for their SEV-SNP security guarantees and they do not plan to offer mitigations. Intel echoed a similar stance, reaffirming that these types of physical attacks remain outside the scope of their threat model. This leaves a concerning gap where critical secure enclave technologies remain vulnerable to relatively low-cost physical attacks, exposing enterprises and cloud providers relying on hardware-based security assurances to potential data leaks and system compromises.