

# Side-Channel Security

# Chapter 3: Trusted Execution Environments and Confidential Computing

Sudheendra Neela

March 13, 2025

Graz University of Technology

• Systems run software from various sources





- Systems run software from various sources
- Protect computation against compromised OS



- Systems run software from various sources
- Protect computation against compromised OS
- Protect system against malicious software



- Systems run software from various sources
- Protect computation against compromised OS
- Protect system against malicious software
- Cloud servers: must run any untrusted virtual machines



- Systems run software from various sources
- Protect computation against compromised OS
- Protect system against malicious software
- Cloud servers: must run any untrusted virtual machines
- Cloud VMs: may run in compromised or hostile enviroments



- Systems run software from various sources
- Protect computation against compromised OS
- Protect system against malicious software
- Cloud servers: must run any untrusted virtual machines
- Cloud VMs: may run in compromised or hostile enviroments
- CPU providers: tamper-resistant mechanism



- Systems run software from various sources
- Protect computation against compromised OS
- Protect system against malicious software
- Cloud servers: must run any untrusted virtual machines
- Cloud VMs: may run in compromised or hostile enviroments
- CPU providers: tamper-resistant mechanism
- Key enabler of confidential computing



• Hypervisor: manages virtual machines (VMs)



- Hypervisor: manages virtual machines (VMs)
- Traditional virtualization: Hypervisor has total control



- Hypervisor: manages virtual machines (VMs)
- Traditional virtualization: Hypervisor has total control
- All VMs share components



- Hypervisor: manages virtual machines (VMs)
- Traditional virtualization: Hypervisor has total control
- All VMs share components
- Check out Cloud Operating Systems!



- Hypervisor: manages virtual machines (VMs)
- Traditional virtualization: Hypervisor has total control
- All VMs share components
- Check out Cloud Operating Systems!
- Confidential Computing (CoCo): hardware guarantees for secure VM operation

• VMEXIT: VM hands control back to the hypervisor with a reason

- VMEXIT: VM hands control back to the hypervisor with a reason:
  - RDMSR

- VMEXIT: VM hands control back to the hypervisor with a reason:
  - RDMSR, WRMSR

- VMEXIT: VM hands control back to the hypervisor with a reason:
  - RDMSR, WRMSR, CPUID

- VMEXIT: VM hands control back to the hypervisor with a reason:
  - RDMSR, WRMSR, CPUID, Access Control Registers

- VMEXIT: VM hands control back to the hypervisor with a reason:
  - RDMSR, WRMSR, CPUID, Access Control Registers, Debug Registers

- VMEXIT: VM hands control back to the hypervisor with a reason:
  - RDMSR, WRMSR, CPUID, Access Control Registers, Debug Registers
- Number of VMEXITs and reasons leak information

- VMEXIT: VM hands control back to the hypervisor with a reason:
  - RDMSR, WRMSR, CPUID, Access Control Registers, Debug Registers
- Number of VMEXITs and reasons leak information
- Infer what applications are running (Bootup, SSH, Apache, StartX)

- VMEXIT: VM hands control back to the hypervisor with a reason:
  - RDMSR, WRMSR, CPUID, Access Control Registers, Debug Registers
- Number of VMEXITs and reasons leak information
- Infer what applications are running (Bootup, SSH, Apache, StartX)



• ARM TrustZone — 2009 [2]



- ARM TrustZone 2009 [2]
  - Samsung Knox



- ARM TrustZone 2009 [2]
  - Samsung Knox
- Intel Software Guard Extensions (SGX) 2015 [5]



- ARM TrustZone 2009 [2]
  - Samsung Knox
- Intel Software Guard Extensions (SGX) 2015 [5]
- AMD Secure Encrypted Virtualization (SEV) 2016 [11]



- ARM TrustZone 2009 [2]
  - Samsung Knox
- Intel Software Guard Extensions (SGX) 2015 [5]
- AMD Secure Encrypted Virtualization (SEV) 2016 [11]
- AMD SEV with Encrypted State (SEV-ES) 2017 [10]



- ARM TrustZone 2009 [2]
  - Samsung Knox
- Intel Software Guard Extensions (SGX) 2015 [5]
- AMD Secure Encrypted Virtualization (SEV) 2016 [11]
- AMD SEV with Encrypted State (SEV-ES) 2017 [10]
- AMD SEV Secure Nested Paging (SEV-SNP) 2020 [1]



- ARM TrustZone 2009 [2]
  - Samsung Knox
- Intel Software Guard Extensions (SGX) 2015 [5]
- AMD Secure Encrypted Virtualization (SEV) 2016 [11]
- AMD SEV with Encrypted State (SEV-ES) 2017 [10]
- AMD SEV Secure Nested Paging (SEV-SNP) 2020 [1]
- Intel Trusted Domain Extensions (TDX) 2021 [8]



- ARM TrustZone 2009 [2]
  - Samsung Knox
- Intel Software Guard Extensions (SGX) 2015 [5]
- AMD Secure Encrypted Virtualization (SEV) 2016 [11]
- AMD SEV with Encrypted State (SEV-ES) 2017 [10]
- AMD SEV Secure Nested Paging (SEV-SNP) 2020 [1]
- Intel Trusted Domain Extensions (TDX) 2021 [8]
- ARM Confidential Computing Architecture (CCA) 2021 [3]



# Intel Software Guard Extension (SGX)



• x86 instruction-set extension



- x86 instruction-set extension
- Isolate trusted code from untrusted applications



- x86 instruction-set extension
- Isolate trusted code from untrusted applications
- The OS cannot access enclave memory



- x86 instruction-set extension
- Isolate trusted code from untrusted applications
- The OS cannot access enclave memory
- Enclave memory is encrypted and integrity protected



- x86 instruction-set extension
- Isolate trusted code from untrusted applications
- The OS cannot access enclave memory
- Enclave memory is encrypted and integrity protected
- Enclave has full access to virtual memory of host application

#### Application

| Untrusted part |
|----------------|
|                |
|                |
|                |
|                |
|                |
|                |
|                |
|                |
|                |
|                |
|                |
|                |
|                |
|                |
|                |
|                |
|                |

**Operating System** 

#### Application



**Operating System** 

#### Application



**Operating System** 

#### Application



**Operating System** 



#### **Operating System**



#### **Operating System**



#### Application

#### **Operating System**



#### **Operating System**



#### Application

#### **Operating System**





• Attacking the enclave: malicious OS



- Attacking the enclave: malicious OS
- Attacking the OS: malicious enclave



- Attacking the enclave: malicious OS
- Attacking the OS: malicious enclave
- Side-Channel Attacks are out of scope



- Attacking the enclave: malicious OS
- Attacking the OS: malicious enclave
- Side-Channel Attacks are out of scope
- Only CPU is trusted









Page Table













**CPU** Ports





CPU Ports

Power

|           | Ħ          |          |         |            | <b>i</b>  |
|-----------|------------|----------|---------|------------|-----------|
| Cache     | Page Table | DRAM     | Network | Predictors | Interrupt |
| CPU Ports | Power      | Counters |         |            |           |







Read "SoK: SGX.Fail: How Stuff Gets eXposed" [20]

# Side-Channel Attacks on Intel SGX



• Target mechanism which translates virtual to physical addresses



- Target mechanism which translates virtual to physical addresses
- Enclave memory is set up by OS



- Target mechanism which translates virtual to physical addresses
- Enclave memory is set up by OS
- Consequence: OS can unmap page, observe page fault



- Target mechanism which translates virtual to physical addresses
- Enclave memory is set up by OS
- Consequence: OS can unmap page, observe page fault
- Granularity: 1 page (4kB)

# Stealthier Controlled-Channel Attacks [19, 21]



# Stealthier Controlled-Channel Attacks [19, 21]



# Stealthier Controlled-Channel Attacks [19, 21]





• Enclaves share same physical range of memory

#### DRAM Attacks [21]

|    | : | : [ | ור       | 1 |
|----|---|-----|----------|---|
| ست | ù |     | <u>.</u> | г |

- Enclaves share same physical range of memory
- DRAM contains row buffers

#### DRAM Attacks [21]

|       | : 0 1 1 |
|-------|---------|
| لسمسا | ٦نىت    |

- Enclaves share same physical range of memory
- DRAM contains row buffers
- Use row conflicts to spy on victim

#### **DRAM Attacks** [21]

|      |    | - | _ |   |
|------|----|---|---|---|
|      | :0 | : | I | ] |
| مىيا | Ē  | i | i | Г |

- Enclaves share same physical range of memory
- DRAM contains row buffers
- Use row conflicts to spy on victim
- Granularity: 512B to 8KB

#### Cache Attacks



• Flush+Reload not possible



• Flush+Reload not possible, Prime+Probe is possible



- Flush+Reload not possible, Prime+Probe is possible
- Physical address determines cache set



- Flush+Reload not possible, Prime+Probe is possible
- Physical address determines cache set
- Easy to prime cache set as OS



- Flush+Reload not possible, Prime+Probe is possible
- Physical address determines cache set
- Easy to prime cache set as OS
- Examples: [15], [21], [4], [14]

• SGX Bomb [9]: Rowhammer within enclave



• SGX Bomb [9]: Rowhammer within enclave, cause bit flips



• SGX Bomb [9]: Rowhammer within enclave, cause bit flips, integrity check fail



• SGX Bomb [9]: Rowhammer within enclave, cause bit flips, integrity check fail, system lock



 SGX Bomb [9]: Rowhammer within enclave, cause bit flips, integrity check fail, system lock ⇒ Denial of Service



- SGX Bomb [9]: Rowhammer within enclave, cause bit flips, integrity check fail, system lock ⇒ Denial of Service
- Another Flip in the Wall of Rowhammer Defenses [7]:



- SGX Bomb [9]: Rowhammer within enclave, cause bit flips, integrity check fail, system lock ⇒ Denial of Service
- Another Flip in the Wall of Rowhammer Defenses [7]:
  - A new hammering technique bypasses all rowhammer defenses



<u>م</u>

- SGX Bomb [9]: Rowhammer within enclave, cause bit flips, integrity check fail, system lock ⇒ Denial of Service
- Another Flip in the Wall of Rowhammer Defenses [7]:
  - A new hammering technique bypasses all rowhammer defenses
  - Leverages SGX to be stealthy

\* \* \* \* \*

- SGX Bomb [9]: Rowhammer within enclave, cause bit flips, integrity check fail, system lock ⇒ Denial of Service
- Another Flip in the Wall of Rowhammer Defenses [7]:
  - A new hammering technique bypasses all rowhammer defenses
  - Leverages SGX to be stealthy
  - SGX prevents inspection of enclave memory

\* \* \* \* \*

- SGX Bomb [9]: Rowhammer within enclave, cause bit flips, integrity check fail, system lock ⇒ Denial of Service
- Another Flip in the Wall of Rowhammer Defenses [7]:
  - A new hammering technique bypasses all rowhammer defenses
  - Leverages SGX to be stealthy
  - SGX prevents inspection of enclave memory
  - SGX makes it hard for host OS to detect enclave's behavior by excluding CPU perfomance counter tracking

\* \* \* \* \*

- SGX Bomb [9]: Rowhammer within enclave, cause bit flips, integrity check fail, system lock ⇒ Denial of Service
- Another Flip in the Wall of Rowhammer Defenses [7]:
  - A new hammering technique bypasses all rowhammer defenses
  - Leverages SGX to be stealthy
  - SGX prevents inspection of enclave memory
  - SGX makes it hard for host OS to detect enclave's behavior by excluding CPU perfomance counter tracking
     ⇒ perfect way to be stealthy
- ...bizarre threat model: Why would an enclave be malicious?

• From enclave: host application's memory is accessible, but only if mapped



- From enclave: host application's memory is accessible, but only if mapped
- If enclave reads unmapped host memory



- From enclave: host application's memory is accessible, but only if mapped
- If enclave reads unmapped host memory  $\Rightarrow$  terminated



- From enclave: host application's memory is accessible, but only if mapped
- If enclave reads unmapped host memory  $\Rightarrow$  terminated
- Transactional Synchronization Extensions (TSX): hardware support for transactional memory

- From enclave: host application's memory is accessible, but only if mapped
- If enclave reads unmapped host memory  $\Rightarrow$  terminated
- Transactional Synchronization Extensions (TSX): hardware support for transactional memory
- Enclave wraps memory access inside a TSX transaction

- From enclave: host application's memory is accessible, but only if mapped
- If enclave reads unmapped host memory  $\Rightarrow$  terminated
- Transactional Synchronization Extensions (TSX): hardware support for transactional memory
- Enclave wraps memory access inside a TSX transaction
- If accessible: transaction completes successfully

- From enclave: host application's memory is accessible, but only if mapped
- If enclave reads unmapped host memory  $\Rightarrow$  terminated
- Transactional Synchronization Extensions (TSX): hardware support for transactional memory
- Enclave wraps memory access inside a TSX transaction
- If accessible: transaction completes successfully
- If inaccessible: TSX aborts the transaction and supresses enclave termination

- From enclave: host application's memory is accessible, but only if mapped
- If enclave reads unmapped host memory  $\Rightarrow$  terminated
- Transactional Synchronization Extensions (TSX): hardware support for transactional memory
- Enclave wraps memory access inside a TSX transaction
- If accessible: transaction completes successfully
- If inaccessible: TSX aborts the transaction and supresses enclave termination
- Search for ROP Gadgets

- From enclave: host application's memory is accessible, but only if mapped
- If enclave reads unmapped host memory  $\Rightarrow$  terminated
- Transactional Synchronization Extensions (TSX): hardware support for transactional memory
- Enclave wraps memory access inside a TSX transaction
- If accessible: transaction completes successfully
- If inaccessible: TSX aborts the transaction and supresses enclave termination
- Search for ROP Gadgets, manipulate the stack

- From enclave: host application's memory is accessible, but only if mapped
- If enclave reads unmapped host memory  $\Rightarrow$  terminated
- Transactional Synchronization Extensions (TSX): hardware support for transactional memory
- Enclave wraps memory access inside a TSX transaction
- If accessible: transaction completes successfully
- If inaccessible: TSX aborts the transaction and supresses enclave termination
- Search for ROP Gadgets, manipulate the stack, execute the attack

- From enclave: host application's memory is accessible, but only if mapped
- If enclave reads unmapped host memory  $\Rightarrow$  terminated
- Transactional Synchronization Extensions (TSX): hardware support for transactional memory
- Enclave wraps memory access inside a TSX transaction
- If accessible: transaction completes successfully
- If inaccessible: TSX aborts the transaction and supresses enclave termination
- Search for ROP Gadgets, manipulate the stack, execute the attack, come back to the enclave!

- From enclave: host application's memory is accessible, but only if mapped
- If enclave reads unmapped host memory  $\Rightarrow$  terminated
- Transactional Synchronization Extensions (TSX): hardware support for transactional memory
- Enclave wraps memory access inside a TSX transaction
- If accessible: transaction completes successfully
- If inaccessible: TSX aborts the transaction and supresses enclave termination
- Search for ROP Gadgets, manipulate the stack, execute the attack, come back to the enclave! Read the paper!

# Confidential Computing (CoCo)



• x86 instruction-set extension



- x86 instruction-set extension
- Little reliance on the hypervisor: emulation, timekeeping, interrupts, faults, privileged operations



- x86 instruction-set extension
- Little reliance on the hypervisor: emulation, timekeeping, interrupts, faults, privileged operations
- Confidential VMs (CVMs) and hypervisor are isolated



- x86 instruction-set extension
- Little reliance on the hypervisor: emulation, timekeeping, interrupts, faults, privileged operations
- Confidential VMs (CVMs) and hypervisor are isolated
- CVM memory is encrypted, possibly integrity protected

### Confidential Computing (CoCo) Overview



- x86 instruction-set extension
- Little reliance on the hypervisor: emulation, timekeeping, interrupts, faults, privileged operations
- Confidential VMs (CVMs) and hypervisor are isolated
- CVM memory is encrypted, possibly integrity protected
- CVMs cannot access hypervisor memory (unlike SGX)

## Confidential Computing (CoCo) Overview



- x86 instruction-set extension
- Little reliance on the hypervisor: emulation, timekeeping, interrupts, faults, privileged operations
- Confidential VMs (CVMs) and hypervisor are isolated
- CVM memory is encrypted, possibly integrity protected
- CVMs cannot access hypervisor memory (unlike SGX)
- Available in server CPUs (Intel Xeon, AMD EPYC)

Once again, what are some components of a system?

Once again, what are some components of a system?





• Attacking the CVM: malicious hypervisor



- Attacking the CVM: malicious hypervisor
- Attacking the hypervisor: malicious CVM



- Attacking the CVM: malicious hypervisor
- Attacking the hypervisor: malicious CVM
- Malicious CVM attacks another CVM



- Attacking the CVM: malicious hypervisor
- Attacking the hypervisor: malicious CVM
- Malicious CVM attacks another CVM
- Side-Channel Attacks are out of scope



- Attacking the CVM: malicious hypervisor
- Attacking the hypervisor: malicious CVM
- Malicious CVM attacks another CVM
- Side-Channel Attacks are out of scope
- Only CPU is trusted

# Side-Channel Attacks on CoCo

• Recall: VMEXIT is an event where VM hands control back to the hypervisor



- Recall: VMEXIT is an event where VM hands control back to the hypervisor
- AMD SEV left CVM's registers exposed after switching to hypervisor



- Recall: VMEXIT is an event where VM hands control back to the hypervisor
- AMD SEV left CVM's registers exposed after switching to hypervisor
- Hypervisor can infer the CVM's computation just by inspecting the registers



- Recall: VMEXIT is an event where VM hands control back to the hypervisor
- AMD SEV left CVM's registers exposed after switching to hypervisor
- Hypervisor can infer the CVM's computation just by inspecting the registers
- With AMD SEV-ES: registers are encrypted and integrity protected



- Recall: VMEXIT is an event where VM hands control back to the hypervisor
- AMD SEV left CVM's registers exposed after switching to hypervisor
- Hypervisor can infer the CVM's computation just by inspecting the registers
- With AMD SEV-ES: registers are encrypted and integrity protected
- :)



VM Save Area

• With AMD SEV-ES: registers are encrypted and integrity protected

| Offset | Size     | Content      |  |
|--------|----------|--------------|--|
| 0×150  | 16 bytes | CR3 & CR0    |  |
| 0×170  | 16 bytes | RFLAGS & RIP |  |
| 0×1D8  | 8 bytes  | RSP          |  |
| 0×1F8  | 8 bytes  | RAX          |  |
| 0×240  | 8 bytes  | CR2          |  |
| 0×308  | 8 bytes  | RCX          |  |
| 0×310  | 16 bytes | RDX & RBX    |  |

VM Save Area

| Offset | Size     | Content      |  |
|--------|----------|--------------|--|
| 0×150  | 16 bytes | CR3 & CR0    |  |
| 0×170  | 16 bytes | RFLAGS & RIP |  |
| 0×1D8  | 8 bytes  | RSP          |  |
| 0×1F8  | 8 bytes  | RAX          |  |
| 0×240  | 8 bytes  | CR2          |  |
| 0×308  | 8 bytes  | RCX          |  |
| 0×310  | 16 bytes | RDX & RBX    |  |

. . .

- With AMD SEV-ES: registers are encrypted and integrity protected
- 16-byte blocks are encrypted independently using AES XEX (XOR-Encrypt-XOR)

VM Save Area

| Offset | Size     | Content      |  |
|--------|----------|--------------|--|
| 0×150  | 16 bytes | CR3 & CR0    |  |
| 0×170  | 16 bytes | RFLAGS & RIP |  |
| 0×1D8  | 8 bytes  | RSP          |  |
| 0×1F8  | 8 bytes  | RAX          |  |
| 0×240  | 8 bytes  | CR2          |  |
| 0×308  | 8 bytes  | RCX          |  |
| 0×310  | 16 bytes | RDX & RBX    |  |

. . .

- With AMD SEV-ES: registers are encrypted and integrity protected
- 16-byte blocks are encrypted independently using AES XEX (XOR-Encrypt-XOR)
- The same plaintext always has the same ciphertext

#### VM Save Area

| Offset | Size     | Content      |  |
|--------|----------|--------------|--|
| 0×150  | 16 bytes | CR3 & CR0    |  |
| 0×170  | 16 bytes | RFLAGS & RIP |  |
| 0×1D8  | 8 bytes  | RSP          |  |
| 0×1F8  | 8 bytes  | RAX          |  |
| 0×240  | 8 bytes  | CR2          |  |
| 0×308  | 8 bytes  | RCX          |  |
| 0×310  | 16 bytes | RDX & RBX    |  |

. . .

- With AMD SEV-ES: registers are encrypted and integrity protected
- 16-byte blocks are encrypted independently using AES XEX (XOR-Encrypt-XOR)
- The same plaintext always has the same ciphertext
- Change in the CVM's ciphertext: malicious hypervisor can infer the changes of the corresponding plaintext

#### VM Save Area

| Offset | Size     | Content      |  |
|--------|----------|--------------|--|
| 0×150  | 16 bytes | CR3 & CR0    |  |
| 0×170  | 16 bytes | RFLAGS & RIP |  |
| 0x1D8  | 8 bytes  | RSP          |  |
| 0×1F8  | 8 bytes  | RAX          |  |
| 0×240  | 8 bytes  | CR2          |  |
| 0×308  | 8 bytes  | RCX          |  |
| 0×310  | 16 bytes | RDX & RBX    |  |
|        |          |              |  |

. . .

- With AMD SEV-ES: registers are encrypted and integrity protected
- 16-byte blocks are encrypted independently using AES XEX (XOR-Encrypt-XOR)
- The same plaintext always has the same ciphertext
- Change in the CVM's ciphertext: malicious hypervisor can infer the changes of the corresponding plaintext
- Build a dictionary of plaintext-ciphertext pairs for targeted registers



• INVD



- INVD: Invalidates all levels of cache
- INVD



- INVD: Invalidates all levels of cache
- INVD: No data is written back to main memory



- INVD: Invalidates all levels of cache
- INVD: No data is written back to main memory
- WBINVD



- INVD: Invalidates all levels of cache
- INVD: No data is written back to main memory
- WBINVD: data is written back to main memory and invalidates cache



- INVD: Invalidates all levels of cache
- INVD: No data is written back to main memory
- WBINVD: data is written back to main memory and invalidates cache
- Intel SGX & TDX: disable INVD



- INVD: Invalidates all levels of cache
- INVD: No data is written back to main memory
- WBINVD: data is written back to main memory and invalidates cache
- Intel SGX & TDX: disable INVD
- AMD SEV, SEV-ES, SEV-SNP: INVD works



- INVD: Invalidates all levels of cache
- INVD: No data is written back to main memory
- WBINVD: data is written back to main memory and invalidates cache
- Intel SGX & TDX: disable INVD
- AMD SEV, SEV-ES, SEV-SNP: INVD works
- How can a malicious hypervisor exploit this?

```
1 int ret1() {
    return 1;
2
3 }
4 int ret0() {
    return 0;
5
6 }
7 int main() {
    while(1) {
8
      if (ret1() == 0) {
9
         printf("Win!");
10
       }
11
       ret0();
12
13
14
  Sudheendra Neela
```

```
int ret1() {
    return 1;
2
3 }
4 int ret0() {
    return 0;
5
6
7 int main() {
    while(1) {
8
      if (ret1() == 0) {
9
         printf("Win!");
10
11
      ret0();
12
13
14 }
```

#### 1 main:

9

- 2 push %rbp
- 3 mov %rsp,%rbp
- 4 mov \$0x0,%eax
- 5 call <ret1>
- 6 test %eax,%eax
- 7 jne 118c <main+0x25>
- 8 lea 0xe80(%rip),%rax
  - mov %rax,%rdi
- 10 call <printf@plt>
- 11 mov \$0x0,%eax
- 12 **call** 1158 <ret0>
- 13 jmp 116f <main+0x8>

```
int ret1() {
    return 1;
2
3 }
4 int ret0() {
    return 0;
5
6
7 int main() {
    while(1) {
8
       if (ret1() == 0) {
9
         printf("Win!");
10
11
      ret0();
12
13
14 }
```

#### 1 main:

4

6

7

8

9

- 2 push %rbp
- 3 mov %rsp,%rbp
  - mov \$0x0,%eax
- 5 <u>call <ret1></u>
  - test %eax,%eax
  - jne 118c <main+0x25>
  - lea 0xe80(%rip),%rax
  - mov %rax,%rdi
- 10 call <printf@plt>
- 11 mov \$0x0,%eax
- 12 **call** 1158 <ret0>
- 13 jmp 116f <main+0x8>

#### Cache: main:6

```
int ret1() {
    return 1;
2
3 }
4 int ret0() {
    return 0;
5
6
7 int main() {
    while(1) {
8
       if (ret1() == 0) {
9
         printf("Win!");
10
11
      ret0();
12
13
14 }
```

#### 1 main:

4

5

6

7

8

9

- 2 push %rbp
- 3 mov %rsp,%rbp
  - mov \$0x0,%eax
  - <u>call <ret1></u>
  - test %eax,%eax
  - jne 118c <main+0x25>
  - lea 0xe80(%rip),%rax
  - mov %rax,%rdi
- 10 call <printf@plt>
- 11 mov \$0x0,%eax
- 12 **call** 1158 <ret0>
- 13 jmp 116f <main+0x8>

#### WBINVD

Cache: main:6

```
int ret1() {
    return 1;
2
3 }
4 int ret0() {
    return 0;
5
6
7 int main() {
    while(1) {
8
       if (ret1() == 0) {
9
         printf("Win!");
10
11
      ret0();
12
13
14 }
```

#### 1 main: push %rbp 2 WBINVD mov %rsp,%rbp 3 mov \$0x0,%eax 4 Cache: call <ret1> 5 main:6 test %eax,%eax 6 ine 118c <main+0x25> 7 Memory: lea 0xe80(%rip),%rax 8 main:6 mov %rax,%rdi 9 call <printf@plt> 10 mov \$0x0,%eax 11 call 1158 <ret0> 12 imp 116f <main+0x8> 13

#### 22 / 40

#### Sudheendra Neela

```
int ret1() {
    return 1;
2
3
4 int ret0() {
    return 0;
5
6
7 int main() {
    while(1) {
8
      if (ret1() == 0) {
9
         printf("Win!");
10
11
      ret0();
12
13
14 }
```

| 1  | main:                                     |         |
|----|-------------------------------------------|---------|
| 2  | push %rbp                                 |         |
| 3  | mov %rsp,%rbp                             |         |
| 4  | mov \$0x0,%eax                            | Cache:  |
| 5  | call <ret1></ret1>                        | main:6  |
| 6  | test %eax,%eax                            | Inain.0 |
| 7  | jne 118c <main+0x25></main+0x25>          | Memory: |
| 8  | <pre>lea 0xe80(%rip),%rax</pre>           |         |
| 9  | mov %rax,%rdi                             | main:6  |
| 10 | <pre>call <printf@plt></printf@plt></pre> |         |
| 11 | mov \$0x0,%eax                            |         |
| 12 | call 1158 <ret0></ret0>                   |         |
| 13 | jmp 116f <main+0x8></main+0x8>            |         |

```
int ret1() {
    return 1;
2
3
4 int ret0() {
    return 0;
5
6
7 int main() {
    while(1) {
8
      if (ret1() == 0) {
9
         printf("Win!");
10
11
      ret0();
12
13
14 }
```

| 1  | main:                                     |               |
|----|-------------------------------------------|---------------|
| 2  | push %rbp                                 |               |
| 3  | mov %rsp,%rbp                             |               |
| 4  | mov \$0x0,%eax                            | Cache:        |
| 5  | <pre>call <ret1></ret1></pre>             |               |
| 6  | test %eax,%eax                            | main:6        |
| -  |                                           |               |
| 7  | jne 118c <main+0x25></main+0x25>          | Memory:       |
| 8  | <pre>lea 0xe80(%rip),%rax</pre>           |               |
| 9  | mov %rax,%rdi                             | main:6        |
| 10 | <pre>call <printf@plt></printf@plt></pre> |               |
| 11 | mov \$0x0,%eax                            | Registers:    |
| 12 | call 1158 <ret0></ret0>                   | EAX: <b>1</b> |
| 13 | jmp 116f <main+0x8></main+0x8>            |               |

```
int ret1() {
    return 1;
2
3
4 int ret0() {
    return 0;
5
6
7 int main() {
    while(1) {
8
      if (ret1() == 0) {
9
         printf("Win!");
10
11
      ret0();
12
13
14 }
```

| 1  | main:                                     |     |
|----|-------------------------------------------|-----|
| 2  | push %rbp                                 |     |
| 3  | mov %rsp,%rbp                             |     |
| 4  | mov \$0x0,%eax                            | C   |
| 5  | <pre>call <ret1></ret1></pre>             | C   |
| 6  | test %eax,%eax                            |     |
| 7  | <u>jne 118c <main+0x25></main+0x25></u>   | Me  |
| 8  | <pre>lea 0xe80(%rip),%rax</pre>           |     |
| 9  | mov %rax,%rdi                             | m   |
| 10 | <pre>call <printf@plt></printf@plt></pre> |     |
| 11 | mov \$0x0,%eax                            | Reg |
| 12 | call 1158 <ret0></ret0>                   | EA  |
| 13 | jmp 116f <main+0x8></main+0x8>            |     |
|    |                                           |     |

Cache:

Memory: main:6

Registers: EAX: 1

```
int ret1() {
    return 1;
2
3
4 int ret0() {
    return 0;
5
6
7 int main() {
    while(1) {
8
      if (ret1() == 0) {
9
         printf("Win!");
10
11
      ret0();
12
13
14 }
```

| 1  | main:                                     |            |
|----|-------------------------------------------|------------|
| 2  | push %rbp                                 |            |
| 3  | mov %rsp,%rbp                             |            |
| 4  | mov \$0x0,%eax                            | Cache:     |
| 5  | call <ret1></ret1>                        | Cacile.    |
| 6  | test %eax,%eax                            |            |
| 7  | jne 118c <main+0x25></main+0x25>          | Memory:    |
| 8  | <pre>lea 0xe80(%rip),%rax</pre>           |            |
| 9  | mov %rax,%rdi                             | main:6     |
| 10 | <pre>call <printf@plt></printf@plt></pre> |            |
| 11 | mov \$0x0,%eax                            | Registers: |
| 12 | <u>call 1158 <ret0></ret0></u>            | EAX: 1     |
| 13 | jmp 116f <main+0x8></main+0x8>            |            |

22 / 40

```
int ret1() {
    return 1;
2
3 }
4 int ret0() {
    return 0;
5
6
7 int main() {
    while(1) {
8
      if (ret1() == 0) {
9
         printf("Win!");
10
11
       ret0();
12
13
14 }
```

#### 1 main: push %rbp 2 mov %rsp,%rbp 3 mov \$0x0,%eax 4 Cache: call <ret1> 5 main:13 test %eax,%eax 6 ine 118c <main+0x25> Memory: lea 0xe80(%rip),%rax 8 main:6 mov %rax,%rdi 9 call <printf@plt> 10 mov \$0x0,%eax Registers: 11 call 1158 <ret0> 12 EAX: 1imp 116f <main+0x8> 13

```
int ret1() {
    return 1;
2
3
4 int ret0() {
    return 0;
5
6
7 int main() {
    while(1) {
8
      if (ret1() == 0) {
9
         printf("Win!");
10
11
      ret0();
12
13
14 }
```

| main:                                     |                                                                                                                                                                                                                                                                       |
|-------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| push %rbp                                 |                                                                                                                                                                                                                                                                       |
| mov %rsp,%rbp                             |                                                                                                                                                                                                                                                                       |
| mov \$0x0,%eax                            | Cache:                                                                                                                                                                                                                                                                |
| <pre>call <ret1></ret1></pre>             |                                                                                                                                                                                                                                                                       |
| test %eax.%eax                            | main:13                                                                                                                                                                                                                                                               |
|                                           |                                                                                                                                                                                                                                                                       |
| jne 118c <main+0x25></main+0x25>          | Memory:                                                                                                                                                                                                                                                               |
| lea Oxe80(%rip),%rax                      |                                                                                                                                                                                                                                                                       |
| -                                         | main:6                                                                                                                                                                                                                                                                |
| mov %rax,%rdl                             |                                                                                                                                                                                                                                                                       |
| <pre>call <printf@plt></printf@plt></pre> |                                                                                                                                                                                                                                                                       |
| mov \$0x0,%eax                            | Registers:                                                                                                                                                                                                                                                            |
| call 1158 <ret0></ret0>                   | EAX: <b>1</b>                                                                                                                                                                                                                                                         |
| jmp 116f <main+0x8></main+0x8>            |                                                                                                                                                                                                                                                                       |
|                                           | <pre>push %rbp<br/>mov %rsp,%rbp<br/>mov \$0x0,%eax<br/>call <ret1><br/>test %eax,%eax<br/>jne 118c <main+0x25><br/>lea 0xe80(%rip),%rax<br/>mov %rax,%rdi<br/>call <printf@plt><br/>mov \$0x0,%eax<br/>call 1158 <ret0></ret0></printf@plt></main+0x25></ret1></pre> |

```
int ret1() {
    return 1;
2
3
4 int ret0() {
    return 0;
5
6
7 int main() {
    while(1) {
8
      if (ret1() == 0) {
9
         printf("Win!");
10
11
      ret0();
12
13
14 }
```

| 1  | main:                                     |               |
|----|-------------------------------------------|---------------|
| 2  | push %rbp                                 |               |
| 3  | mov %rsp,%rbp                             | INVD          |
| 4  | mov \$0x0,%eax                            | Cache:        |
| 5  | call <ret1></ret1>                        | main:13       |
| 6  | test %eax,%eax                            | Inalii.15     |
| 7  | jne 118c <main+0x25></main+0x25>          | Memory:       |
| 8  | <pre>lea 0xe80(%rip),%rax</pre>           |               |
| 9  | mov %rax,%rdi                             | main:6        |
| 10 | <pre>call <printf@plt></printf@plt></pre> |               |
| 11 | mov \$0x0,%eax                            | Registers:    |
| 12 | call 1158 <ret0></ret0>                   | EAX: <b>1</b> |
| 13 | jmp 116f <main+0x8></main+0x8>            |               |
|    |                                           |               |

```
int ret1() {
    return 1;
2
3
4 int ret0() {
    return 0;
5
6
7 int main() {
    while(1) {
8
      if (ret1() == 0) {
9
         printf("Win!");
10
11
      ret0();
12
13
14 }
```

| 1  | main:                                     |               |
|----|-------------------------------------------|---------------|
| 2  | push %rbp                                 |               |
| 3  | mov %rsp,%rbp                             | INVD          |
| 4  | mov \$0x0,%eax                            | Cache:        |
| 5  | <pre>call <ret1></ret1></pre>             | Cacile.       |
| 6  | test %eax,%eax                            |               |
| 7  | jne 118c <main+0x25></main+0x25>          | Memory:       |
| 8  | <pre>lea 0xe80(%rip),%rax</pre>           | · ·           |
| 9  | mov %rax,%rdi                             | main:6        |
| 10 | <pre>call <printf@plt></printf@plt></pre> |               |
| 11 | mov \$0x0,%eax                            | Registers:    |
| 12 | call 1158 <ret0></ret0>                   | EAX: <b>1</b> |
| 13 | jmp 116f <main+0x8></main+0x8>            |               |
|    |                                           |               |

```
int ret1() {
    return 1;
2
3
4 int ret0() {
    return 0;
5
6
7 int main() {
    while(1) {
8
      if (ret1() == 0) {
9
         printf("Win!");
10
11
      ret0();
12
13
14 }
```

| 1  | main:                                     |         |
|----|-------------------------------------------|---------|
| 2  | push %rbp                                 |         |
| 3  | mov %rsp,%rbp                             |         |
| 4  | mov \$0x0,%eax                            | Cache   |
| 5  | <pre>call <ret1></ret1></pre>             | Cache   |
| 6  | test %eax,%eax                            |         |
| 7  | jne 118c <main+0x25></main+0x25>          | Memor   |
| 8  | <pre>lea 0xe80(%rip),%rax</pre>           |         |
| 9  | mov %rax,%rdi                             | main:   |
| 10 | <pre>call <printf@plt></printf@plt></pre> |         |
| 11 | mov \$0x0,%eax                            | Registe |
| 12 | <pre>call 1158 <ret0></ret0></pre>        | EAX:    |
| 13 | jmp 116f <main+0x8></main+0x8>            |         |
|    |                                           |         |

ry: :6

ers: 0

```
int ret1() {
    return 1;
2
3
4 int ret0() {
    return 0;
5
6
7 int main() {
    while(1) {
8
      if (ret1() == 0) {
9
         printf("Win!");
10
11
      ret0();
12
13
14 }
```

| 1  | main:                                     |         |
|----|-------------------------------------------|---------|
| 2  | push %rbp                                 |         |
| 3  | mov %rsp,%rbp                             |         |
| 4  | mov \$0x0,%eax                            | Cache   |
| 5  | <pre>call <ret1></ret1></pre>             |         |
| 6  | test %eax,%eax                            | main:   |
| 7  | jne 118c <main+0x25></main+0x25>          | Memo    |
| 8  | <pre>lea 0xe80(%rip),%rax</pre>           |         |
| 9  | mov %rax,%rdi                             | main:   |
| 10 | <pre>call <printf@plt></printf@plt></pre> |         |
| 11 | mov \$0x0,%eax                            | Registe |
| 12 | call 1158 <ret0></ret0>                   | EAX:    |
| 13 | jmp 116f <main+0x8></main+0x8>            |         |
|    |                                           |         |

ie: :6 ory: :6

ers: 0

```
int ret1() {
    return 1;
2
3 }
4 int ret0() {
    return 0;
5
6
7 int main() {
    while(1) {
8
      if (ret1() == 0) {
9
         printf("Win!");
10
11
      ret0();
12
13
14 }
```

#### 1 main: push %rbp 2 mov %rsp,%rbp 3 mov \$0x0,%eax 4 call <ret1> 5 test %eax,%eax 6 ine 118c <main+0x25> 7 lea 0xe80(%rip),%rax 8 mov %rax,%rdi 9 call <printf@plt> 10 mov \$0x0,%eax 11 call 1158 <ret0> 12 imp 116f <main+0x8> 13

Cache: main:6 Memory: main:6

Registers: EAX: 0

```
int ret1() {
    return 1;
2
3
4 int ret0() {
    return 0;
5
6
7 int main() {
    while(1) {
8
      if (ret1() == 0) {
9
         printf("Win!");
10
11
      ret0();
12
13
14 }
```

| 1  | main:                            |         |
|----|----------------------------------|---------|
| 2  | push %rbp                        |         |
| 3  | mov %rsp,%rbp                    |         |
| 4  | mov \$0x0,%eax                   | Cache   |
| 5  | <pre>call <ret1></ret1></pre>    | Cacile  |
| 6  | test %eax,%eax                   |         |
| 7  | jne 118c <main+0x25></main+0x25> | Memor   |
| 8  | <pre>lea 0xe80(%rip),%rax</pre>  |         |
| 9  | mov %rax,%rdi                    | main:   |
| 10 | call <printf@plt></printf@plt>   |         |
| 11 | mov \$0x0,%eax                   | Registe |
| 12 | call 1158 <ret0></ret0>          | EAX:    |
| 13 | jmp 116f <main+0x8></main+0x8>   |         |
|    |                                  |         |

ry: 6

ers: 0



• Bypass OpenSSH authentication: sys\_auth\_passwd



- Bypass OpenSSH authentication: sys\_auth\_passwd
- Break RSA-CRT: Drop write using INVD, generate faulty signature



- Bypass OpenSSH authentication: sys\_auth\_passwd
- Break RSA-CRT: Drop write using INVD, generate faulty signature
- Bypass sudo authentication:



- Bypass OpenSSH authentication: sys\_auth\_passwd
- Break RSA-CRT: Drop write using INVD, generate faulty signature
- Bypass sudo authentication:
  - Normal user: UID >0



- Bypass OpenSSH authentication: sys\_auth\_passwd
- Break RSA-CRT: Drop write using INVD, generate faulty signature
- Bypass sudo authentication:
  - Normal user: UID  $>0 \Rightarrow$  sudo fails



- Bypass OpenSSH authentication: sys\_auth\_passwd
- Break RSA-CRT: Drop write using INVD, generate faulty signature
- Bypass sudo authentication:
  - Normal user: UID  $>0 \Rightarrow$  sudo fails
  - Drop write when sudo checks UID (GUID, RUID, EUID)



- Bypass OpenSSH authentication: sys\_auth\_passwd
- Break RSA-CRT: Drop write using INVD, generate faulty signature
- Bypass sudo authentication:
  - Normal user: UID  $>0 \Rightarrow$  sudo fails
  - Drop write when sudo checks UID (GUID, RUID, EUID)
  - UID 0: root

• CPU provides hardware performance counters:



- CPU provides hardware performance counters:
  - Retired Instructions



- CPU provides hardware performance counters:
  - Retired Instructions
  - Retired Branch Instructions



- CPU provides hardware performance counters:
  - Retired Instructions
  - Retired Branch Instructions
  - Retired Taken Branch Instructions



- CPU provides hardware performance counters:
  - Retired Instructions
  - Retired Branch Instructions
  - Retired Taken Branch Instructions
- AMD: Report accurate values when SEV, SEV-ES, SEV-SNP CVMs run



- CPU provides hardware performance counters:
  - Retired Instructions
  - Retired Branch Instructions
  - Retired Taken Branch Instructions
- AMD: Report accurate values when SEV, SEV-ES, SEV-SNP CVMs run
- Intel: Disabled hardware performance counters when SGX enclaves, TDX CVMs run



- CPU provides hardware performance counters:
  - Retired Instructions
  - Retired Branch Instructions
  - Retired Taken Branch Instructions
- AMD: Report accurate values when SEV, SEV-ES, SEV-SNP CVMs run
- Intel: Disabled hardware performance counters when SGX enclaves, TDX CVMs run
- Leak whether branches (if) were taken



- CPU provides hardware performance counters:
  - Retired Instructions
  - Retired Branch Instructions
  - Retired Taken Branch Instructions
- AMD: Report accurate values when SEV, SEV-ES, SEV-SNP CVMs run
- Intel: Disabled hardware performance counters when SGX enclaves, TDX CVMs run
- Leak whether branches (if) were taken



```
char time_str[data->digits+1];
memset(time_str, 0, data->digits+1);
for (size_t i=0; i<data->digits; i++) {
    if (key[i] != time_str[i])
       return OTP_ERROR;
}
return OTP_OK;
```



# **Limitations & Solutions**



• No shared memory



- No shared memory
- No physical addresses



- No shared memory
- No physical addresses
- No access to high-precision timer: rdtsc<sup>a</sup>



- No shared memory
- No physical addresses
- No access to high-precision timer: rdtsc<sup>a</sup>
- No syscalls (SGX)

<sup>a</sup>AMD SEV-SNP and Intel TDX now have secure timers





• We can build our own timer [13, 15]



- We can build our own timer [13, 15]
- Start a thread that continuously increments a global variable



- We can build our own timer [13, 15]
- Start a thread that continuously increments a global variable
- The global variable is our timestamp





CPU cycles one increment takes

timestamp = rdtsc();



# while(1) { timestamp++; }



while(1) {
 timestamp++;
}

Sudheendra Neela



while(1) {
 timestamp++;
}

Sudheendra Neela



mov &timestamp , %rcx
1: incl (%rcx)
jmp 1b



mov &timestamp, %rcx
1: incl (%rcx)
jmp 1b



mov &timestamp, %rcx
1: incl (%rcx)
jmp 1b



mov &timestamp, %rcx
1: inc %rax
mov %rax, (%rcx)
jmp 1b



mov &timestamp, %rcx
1: inc %rax
mov %rax, (%rcx)
jmp 1b

#### Combining Everything: Malware Guard Extensions (on SGX) [15]



1. Use the counting primitive to measure DRAM accesses

#### Combining Everything: Malware Guard Extensions (on SGX) [15]



- 1. Use the counting primitive to measure DRAM accesses
- 2. Use DRAM side-channel to build eviction set



- 1. Use the counting primitive to measure DRAM accesses
- 2. Use DRAM side-channel to build eviction set
- 3. Mount Prime+Probe on the buffer containing the multiplier

Raw Prime+Probe trace...



...processed with a simple moving average...



Sudheendra Neela

#### ...allows to clearly see the bits of the exponent





• CVM / Enclave: executes many instructions until support from the hypervisor / host is required



- CVM / Enclave: executes many instructions until support from the hypervisor / host is required
- Single Step: CVM / Enclave executes only one instruction at a time

| F |  |
|---|--|
|   |  |
| E |  |
| F |  |
|   |  |

- CVM / Enclave: executes many instructions until support from the hypervisor / host is required
- Single Step: CVM / Enclave executes only one instruction at a time
- local Advanced Programmable Interrupt Controller (APIC)

| FI |  |
|----|--|
|    |  |
| ΕI |  |
| E  |  |

- CVM / Enclave: executes many instructions until support from the hypervisor / host is required
- Single Step: CVM / Enclave executes only one instruction at a time
- local Advanced Programmable Interrupt Controller (APIC)
- Timer: 3 modes



- CVM / Enclave: executes many instructions until support from the hypervisor / host is required
- Single Step: CVM / Enclave executes only one instruction at a time
- local Advanced Programmable Interrupt Controller (APIC)
- Timer: 3 modes
  - One-shot



- CVM / Enclave: executes many instructions until support from the hypervisor / host is required
- Single Step: CVM / Enclave executes only one instruction at a time
- local Advanced Programmable Interrupt Controller (APIC)
- Timer: 3 modes
  - One-shot
  - Periodic



- CVM / Enclave: executes many instructions until support from the hypervisor / host is required
- Single Step: CVM / Enclave executes only one instruction at a time
- local Advanced Programmable Interrupt Controller (APIC)
- Timer: 3 modes
  - One-shot
  - Periodic
  - TSC-deadline

Lastly, there are certain classes of attacks that are not in scope for any of these three features. Architectural side channel attacks on CPU data structures are not specifically prevented by any hardware means. As with standard software security practices, code which is sensitive to such side channel attacks (e.g., cryptographic libraries) should be written in a way which helps prevent such attacks. Fingerprinting attack protection is also not supported in the current generation of these



• TEEs / CVMs developed to protect sensitive information/critical code execution

Lastly, there are certain classes of attacks that are not in scope for any of these three features. Architectural side channel attacks on CPU data structures are not specifically prevented by any hardware means. As with standard software security practices, code which is sensitive to such side channel attacks (e.g., cryptographic libraries) should be written in a way which helps prevent such attacks. Fingerprinting attack protection is also not supported in the current generation of these



- TEEs / CVMs developed to protect sensitive information/critical code execution
- Allow for a very powerful threat model: Malicious hypervisor

Lastly, there are certain classes of attacks that are not in scope for any of these three features. Architectural side channel attacks on CPU data structures are not specifically prevented by any hardware means. As with standard software security practices, code which is sensitive to such side channel attacks (e.g., cryptographic libraries) should be written in a way which helps prevent such attacks. Fingerprinting attack protection is also not supported in the current generation of these

| $\underline{\mathbb{N}}$ | $\sim$ |
|--------------------------|--------|

- TEEs / CVMs developed to protect sensitive information/critical code execution
- Allow for a very powerful threat model: Malicious hypervisor
- SCAs often not "out of scope"



## Side-Channel Security

## Chapter 3: Trusted Execution Environments and Confidential Computing

Sudheendra Neela

March 13, 2025

Graz University of Technology

#### References

- AMD (2020). AMD SEV-SNP: Strengthening VM Isolation with Integrity Protection and More.
- [2] ARM (2009). Building a Secure System using TrustZone Technology.
- [3] ARM (2021). Arm CCA Security Model 1.0.
- [4] Brasser, F., Müller, U., Dmitrienko, A., Kostiainen, K., Capkun, S., and Sadeghi, A.-R. (2017). Software Grand Exposure: SGX Cache Attacks Are Practical. In WOOT.
- [5] Costan, V. and Devadas, S. (2016). Intel SGX Explained.

- [6] Gast, S., Weissteiner, H., Schröder, R. L., and Gruss, D. (2025). CounterSEVeillance: Performance-Counter Attacks on AMD SEV-SNP. In NDSS.
- [7] Gruss, D., Lipp, M., Schwarz, M., Genkin, D., Juffinger, J., O'Connell, S., Schoechl, W., and Yarom, Y. (2018). Another Flip in the Wall of Rowhammer Defenses. In S&P.
- [8] Intel (2024). Intel Trust Domain Extensions Module Base Architecture Specification.
- [9] Jang, Y., Lee, J., Lee, S., and Kim, T. (2017). SGX-Bomb: Locking Down the Processor via Rowhammer Attack. In *SysTEX*.
- [10] Kaplan, D. (2017). Protecting VM register state with SEV-ES.
- [11] Kaplan, D., Powell, J., and Woller, T. (2016). AMD Memory Encryption.

- [12] Li, M., Zhang, Y., Wang, H., Li, K., and Cheng, Y. (2021). CIPHERLEAKS: Breaking Constant-time Cryptography on AMD SEV via the Ciphertext Side Channel. In USENIX Security.
- [13] Lipp, M., Gruss, D., Spreitzer, R., Maurice, C., and Mangard, S. (2016). ARMageddon: Cache Attacks on Mobile Devices. In USENIX Security Symposium.
- [14] Moghimi, A., Irazoqui, G., and Eisenbarth, T. (2017). CacheZoom: How SGX amplifies the power of cache attacks. In *CHES*.
- [15] Schwarz, M., Gruss, D., Weiser, S., Maurice, C., and Mangard, S. (2017). Malware Guard Extension: Using SGX to Conceal Cache Attacks. In *DIMVA*.
  [16] Schwarz, M., Weiser, S., and Gruss, D. (2019). Practical Enclave Malware with Intel SGX. In *DIMVA*.

- [17] Szefer, J., Keller, E., Lee, R. B., and Rexford, J. (2011). Eliminating the hypervisor attack surface for a more secure cloud. In *CCS*.
- [18] Van Bulck, J., Piessens, F., and Strackx, R. (2017a). SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control. In SysTEX.
- [19] Van Bulck, J., Weichbrodt, N., Kapitza, R., Piessens, F., and Strackx, R.
   (2017b). Telling Your Secrets Without Page Faults: Stealthy Page Table-Based Attacks on Enclaved Execution. In USENIX Security.
- [20] Van Schaik, S., Seto, A., Yurek, T., Batori, A., AlBassam, B., Genkin, D., Miller, A., Ronen, E., Yarom, Y., and Garman, C. (2024). SoK: SGX.Fail: How Stuff Gets eXposed. In S&P.
- [21] Wang, W., Chen, G., Pan, X., Zhang, Y., Wang, X., Bindschaedler, V., Tang, H., and Gunter, C. A. (2017). Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX. In CCS.

- [22] Werner, J., Mason, J., Antonakakis, M., Polychronakis, M., and Monrose, F. (2019). The SEVerESt Of Them All: Inference Attacks Against Secure Virtual Enclaves. In AsiaCCS.
- [23] Wilke, L., Wichelmann, J., Rabich, A., and Eisenbarth, T. (2023). SEV-Step A Single-Stepping Framework for AMD-SEV. *CHES*.
- [24] Xu, Y., Cui, W., and Peinado, M. (2015). Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems. In *S&P*.
- [25] Zhang, R., Center, C. H., Gerlach, L., Weber, D., Hetterich, L., Lü, Y., Kogler, A., and Schwarz, M. (2024). CacheWarp: Software-based Fault Injection using Selective State Reset. In USENIX Security.