$1,000 Attack Breaks Trusted Execution on Intel and AMD Server Hardware

A low-cost physical side-channel attack defeats the memory encryption in modern Trusted Execution Environments (TEEs) from Intel and AMD, enabling full extraction of cryptographic keys and subversion of secure attestation mechanisms.

The attack exploits deterministic encryption and DDR5 bus interposition, threatening cloud-based confidential computing services widely deployed in data centers.

Dubbed TEE.fail, and developed by researchers at Georgia Tech, Purdue University, and Synkhronix, the attack can successfully bypass protections in Intel’s SGX and TDX, as well as AMD’s SEV-SNP, by eavesdropping on memory transactions using a homemade logic analyzer setup built for under $1,000. All materials used in the attack, including secondhand Keysight components and riser boards, are readily available to hobbyists.

The researchers demonstrated that while modern TEEs on server-grade hardware offer scalable confidential computing, their reliance on deterministic AES-XTS encryption without integrity or replay protection exposes them to physical attacks. By snooping DDR5 bus traffic and reversing address mappings, the researchers were able to extract enclave secrets and critical signing keys from machines in fully trusted “UpToDate” attestation states.

How TEE.fail works

The attack consists of multiple stages:

Memory Bus Interposition:
Using a DDR5 riser and probe isolation networks, the team captured DDR5 bus signals from one memory channel. Unlike DDR4, DDR5 modules offer dual channels, reducing probe complexity.

Physical Address Mapping:
Leveraging Intel’s ADXL (Address Translation Layer), researchers reverse-engineered how physical addresses map to DIMM locations to control where data appears in memory.

Forcing Target Execution:
Using OS kernel modifications, they pinned sensitive enclave data to observable addresses and used cache-thrashing to flush it from CPU caches, ensuring it reached the memory bus.

Key Extraction:
The core vulnerability stems from deterministic AES-XTS encryption: the same plaintext written to the same address produces the same ciphertext. This allowed the researchers to observe memory access patterns during elliptic-curve operations, recover ECDSA nonces, and ultimately derive the machine’s provisioning certification key (PCK).

Attestation Forgery:
With the extracted PCK, attackers could generate valid SGX/TDX attestation reports without using a real enclave or TEE-protected virtual machine, undermining the integrity of entire confidential computing stacks.

Impact

The attack was carried out against systems using Intel’s 5th-generation Xeon Scalable CPUs and AMD Zen 5 EPYC processors, both equipped with DDR5 RDIMMs. TEEs affected include:

• Intel SGX (Software Guard Extensions)
• Intel TDX (Trusted Domain Extensions)
• AMD SEV-SNP (Secure Encrypted Virtualization with Secure Nested Paging)

The team constructed a custom probe that connects to a DDR5 memory slot riser, isolating signals with recycled components from obsolete Keysight hardware. With physical access and root privileges, they forced sensitive enclave data to flow through the observable DIMM channel and used cache flushing and controlled-channel techniques to synchronize data acquisition.

Real-world systems relying on TEEs for secure workloads were shown to be vulnerable, including:

1. BUILDERNET, a blockchain infrastructure that uses TDX to ensure fairness and secrecy in Ethereum block building. Researchers extracted Ethereum keys and transaction data, enabling profitable frontrunning while passing all attestation checks.
2. Phala Network’s DSTACK, a confidential computing SDK for containerized applications. The researchers bypassed TDX and NVIDIA Confidential Computing protections to impersonate attested GPUs and leak plaintext user data from tools like Jupyter notebooks and LLM frontends.
3. SECRET Network, a privacy-focused blockchain platform using SGX enclaves to protect smart contract data. The team directly extracted elliptic-curve keys from enclave memory during execution, allowing them to decrypt all private contract communications without forging any attestation.

The researchers followed responsible disclosure practices. Intel, AMD, and NVIDIA were notified between April and August 2025, along with operators of the affected services. All vendors acknowledged the findings and are reportedly evaluating mitigations and threat model updates.

For regular users, the threat isn’t direct, yet it’s still significant. If an attacker gains physical access to the server, such as a rogue insider at a data center, they could potentially extract private information from secure applications, even if the services appear fully trusted and verified. This undermines the assurances behind confidential computing, meaning user data in services like blockchain wallets, AI tools, or secure messaging apps could be exposed without any visible compromise.