- A $50 interposer can replay encrypted traffic and undermine enclave memory, experts claim
- Intel SGX and AMD SEV-SNP both fall to replay manipulation
- Hardware-level trade-offs favored scalability, leaving freshness and integrity unprotected
Academics from KU Leuven and the University of Birmingham have shown how a simple interposer can undermine the hardware protections of both Intel and AMD processors.
The teams built and tested a cheap interposer for under $50 that sits physically between a CPU and DDR4 memory modules.
They showed that with these inexpensive components, an attacker can observe, alias, and replay encrypted memory traffic to undermine trusted enclaves designed to protect sensitive data in the cloud.
Breaking deterministic encryption
The interposer is a small circuit placed on the memory signal path which contains analog switches controlled by a microcontroller.
By flipping those switches, the device can selectively reroute or ground address and command lines so two distinct physical addresses point to the same DRAM cells.
Because both SGX and SEV-SNP use deterministic memory encryption that depends on plaintext and address inputs, the same plaintext at the same address always produces the same ciphertext.
The attacker therefore captures the ciphertext at one observed address, and later forces the processor to read from an aliased address.
This causes the deterministic encryption to yield a valid decrypted plaintext that is stale or attacker-chosen.
This replay method enables arbitrary reads and writes into otherwise protected enclave memory on systems where the encryption key and address semantics permit such operations.
The researchers revealed two separate techniques, Battering RAM and Wiretap, which both exploit deterministic encryption used in trusted execution environments.
In the case of Battering RAM, the method works against both Intel and AMD processor protections.
The researchers say it, “exposes the fundamental limits of the scalable memory encryption designs currently used by Intel and AMD.”
“Battering RAM […] is capable of introducing memory aliases dynamically at runtime. As a result, Battering RAM can circumvent Intel’s and AMD’s boot-time alias checks.”
The related Wiretap technique takes a mapping approach that pairs observed ciphertext blocks to likely plaintext values, allowing for partial reconstruction of secrets used during cryptographic operations and eventual recovery of attestation keys.
Wiretap relies on building a ciphertext-to-known-plaintext dictionary for commonly occurring values inside algorithms such as ECDSA.
It then matches encrypted sequences against that dictionary until enough values are recovered to reconstruct keys.
While Wiretap is more equipment-intensive than the Battering RAM prototype, it demonstrates passive decryption threats that do not require active tampering.
Because both attacks target DDR4 signaling and rely on deterministic encryption, systems using DDR5 or TDX that avoid deterministic schemes are less vulnerable to these exact methods.
The researchers stressed the vulnerability stems from a deliberate engineering choice where determinism and scalability were prioritized over freshness and integrity.
Both Intel and AMD maintain their trusted enclaves are not designed to resist physical attacks, emphasizing their protections focus on software-level compromises, not on scenarios where attackers install hardware between the CPU and the memory.
However, the fact such attacks require only a cheap processor interposer raises questions about the practicality of excluding them from the threat model.
Fixing the issue likely requires hardware changes, such as adopting probabilistic encryption or adding integrity and freshness checks to memory encryption.
These approaches are harder to scale across large memory spaces, which explains why deterministic designs were chosen.
Until more resilient designs arrive, organizations using enclaves for sensitive tasks must recognize that their strongest defenses may fail against attackers with modest resources and physical access.
Via ArsTechnica
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
You may also like
- Take a look at our guide to the best VPN with antivirus
- These are the best zero-trust network access solutions
- We’ve rounded up the best password managers
