Ethical Hacking News
Two novel attacks have been discovered that can compromise the security of Intel's SGX and AMD's SEV-SNP. Battering RAM and Wiretap attacks exploit deterministic encryption, allowing attackers to capture sensitive data and decrypt it into valid plaintext. While these attacks are significant, they highlight the need for ongoing research and development in the field of trusted execution environments (TEEs).
The Battering RAM attack exploits DDR4 memory modules in SGX-protected systems to capture encrypted data. The Wiretap attack maps ciphertext to a list of known plaintext words, allowing attackers to extract the key. Battering RAM requires minimal equipment ($50), while Wiretap attacks require more resources and specialized equipment (over $500). The attacks demonstrate that deterministic encryption can be vulnerable to compromise under certain circumstances. Many cloud-based services are re-evaluating their use of SGX-protected systems and SEV-SNP in response to the discovery.
In a recent breakthrough, researchers have discovered two novel attacks, dubbed "Battering RAM" and "Wiretap," that can compromise the security of Intel's Software Guard Extensions (SGX) and AMD's Secure Enclave Virtualization (SEV-SNP). These attacks exploit deterministic encryption, which is used to protect sensitive data in these trusted execution environments (TEEs).
The Battering RAM attack exploits the use of DDR4 memory modules in SGX-protected systems. By installing a custom-built analog switch as an interposer between the processor and the memory chips, attackers can capture the encrypted data being written to protected memory regions. The attacker then creates memory aliases, where two different memory addresses point to the same location in the memory module. This allows the attacker to replay the captured ciphertext at a later time, decrypting it into valid plaintext.
The Wiretap attack, by contrast, maps observed ciphertext to a list of known plaintext words from which that ciphertext is derived. By building a dictionary that pairs common values occurring within the ECDSA algorithm with their corresponding ciphertext, attackers can recover these values as they appear, allowing them to extract the key. This attack relies on the use of deterministic encryption in SGX-protected systems.
The researchers behind the Wiretap attack used a custom-built interposer that connected to a logic analyzer, allowing them to capture and analyze the encrypted data being transmitted between the processor and memory chips. By analyzing this data, they were able to build a dictionary of known plaintext values and their corresponding ciphertext mappings.
Both Battering RAM and Wiretap attacks have significant implications for the security of SGX-protected systems and SEV-SNP. Battering RAM requires only equipment costing less than $50, making it potentially more accessible to attackers. In contrast, the Wiretap attack is more resource-intensive, requiring a logic analyzer and other specialized equipment that costs upwards of $500.
Despite these limitations, both attacks have demonstrated that deterministic encryption can be vulnerable to compromise under certain circumstances. This highlights the need for researchers and manufacturers to develop stronger forms of protection against such attacks.
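To make the role of determinism concrete, the following toy model is an added example, not code from the researchers, Intel or AMD. It assumes an HMAC-based pad in place of the hardware cipher and a hypothetical on-chip write counter (`fresh=True`) as one possible form of stronger protection; all names and sample values are constructed.

```python
import hashlib
import hmac
import os

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class EncryptedMemory:
    """Toy model of encrypted DRAM; an HMAC pad stands in for the hardware cipher.
    fresh=False: ciphertext depends only on (key, address, plaintext).
    fresh=True: a per-write counter kept on-chip is mixed into pad and MAC."""
    def __init__(self, fresh):
        self.fresh = fresh
        self.key, self.mac_key = os.urandom(32), os.urandom(32)
        self.dram, self.ctr = {}, {}  # dram: visible on the bus; ctr: trusted state

    def _prf(self, key, addr, extra=b""):
        msg = addr.to_bytes(8, "big") + self.ctr.get(addr, 0).to_bytes(8, "big")
        return hmac.new(key, msg + extra, hashlib.sha256).digest()

    def write(self, addr, pt):
        if self.fresh:
            self.ctr[addr] = self.ctr.get(addr, 0) + 1
        ct = _xor(pt, self._prf(self.key, addr))
        self.dram[addr] = (ct, self._prf(self.mac_key, addr, ct))
        return ct

    def read(self, addr):
        ct, tag = self.dram[addr]
        if not hmac.compare_digest(tag, self._prf(self.mac_key, addr, ct)):
            raise ValueError("stale or modified block rejected")
        return _xor(ct, self._prf(self.key, addr))

def repeats_visible(mem, addr=0x1000):
    """True if writing the same value twice yields the same ciphertext."""
    first = mem.write(addr, b"SAME-VALUE-00001")
    mem.write(addr, b"OTHER-VALUE-0002")
    return mem.write(addr, b"SAME-VALUE-00001") == first

def stale_block_accepted(mem, addr=0x2000):
    """Constructed scenario: an older DRAM block is put back, then read."""
    mem.write(addr, b"OLD-VALUE-000001")
    old = mem.dram[addr]
    mem.write(addr, b"NEW-VALUE-000002")
    mem.dram[addr] = old
    try:
        return mem.read(addr) == b"OLD-VALUE-000001"
    except ValueError:
        return False
```

With `fresh=False` both functions return `True` even though every block carries a MAC, because a MAC without a freshness counter still verifies on an old block; with `fresh=True` both return `False`.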
In response to these findings, many cloud-based services are re-evaluating their use of SGX-protected systems and SEV-SNP. Phala, a blockchain provider that uses SGX-protected enclaves, has stated that it is taking steps to mitigate the risks associated with these attacks. Other companies, such as Intel and AMD, have declined to comment on the record, but are reportedly working to develop stronger forms of protection against these types of attacks.
The discovery of Battering RAM and Wiretap attacks serves as a reminder of the importance of ongoing research and development in the field of trusted execution environments (TEEs). As TEEs continue to play an increasingly critical role in protecting sensitive data, it is essential that manufacturers and researchers remain vigilant and proactive in addressing emerging security vulnerabilities.
Related Information:
https://www.ethicalhackingnews.com/articles/Breaking-the-Code-The-Rise-of-Battering-RAM-and-Wiretap-Attacks-on-SGX-and-SEV-SNP-ehn.shtml
https://arstechnica.com/security/2025/09/intel-and-amd-trusted-enclaves-the-backbone-of-network-security-fall-to-physical-attacks/
Published: Tue Sep 30 17:21:10 2025 by llama3.2 3B Q4_K_M