Cloud Computing’s Blind Spot: Flaws in Trusted Execution Environments Exposed

The rise of cloud computing has brought about a new set of challenges for data privacy and trust, prompting the development of Trusted Execution Environments (TEEs). These secure environments within CPUs aim to safeguard sensitive data processing by isolating it from the rest of the system. However, as research reveals, even robust security mechanisms like Intel’s TDX can be vulnerable to sophisticated attacks, such as single-stepping attacks that exploit subtle differences in system behavior. This study highlights the importance of rigorous testing and validation in ensuring the long-term security and trustworthiness of cloud-based services, and proposes design changes to mitigate these threats.

Major vendors have touted the integration of Trusted Execution Environments (TEE) into CPUs as a solution to the data privacy and trust issues introduced by cloud computing. However, the security of TEEs is threatened by side-channel attacks, with single-stepping attacks being the most powerful ones. Single-stepping attacks allow attackers to execute the TEE one instruction at a time, enabling numerous controlled and side-channel based security issues.

In this context, Intel recently launched its second-generation TEE, Intel TDX, which protects whole virtual machines (VMs). To minimize the attack surface to side-channels, TDX comes with a dedicated single-stepping attack countermeasure. However, as we will see in the following sections, this countermeasure has significant design flaws that can be exploited by attackers.

Single-stepping attacks are a type of side-channel attack that allows attackers to execute the TEE one instruction at a time. This is made possible by the TEE attcker model, which enables single-stepping attacks. By executing the TEE one instruction at a time, attackers can gain control over the execution flow and exploit numerous security issues.

In the case of Intel TDX, the single-stepping attack countermeasure relies on a detection heuristic that uses elapsed processing time to detect potential attacks. However, as we will see in the following sections, this heuristic can be circumvented by deluding the TDX security monitor about the elapsed processing time used.

This design flaw allows attackers to leak the number of instructions executed by the TDX-protected VM, enabling a novel attack known as StumbleStepping. Both single-stepping and StumbleStepping attacks work on the most recent Intel TDX-enabled Xeon Scalable CPUs.

The implications of single-stepping and StumbleStepping attacks are significant, as they can be used to exploit numerous security issues in cloud computing. In particular, these attacks can be used to compromise the security of virtual machines (VMs) protected by Intel TDX.

Using StumbleStepping, we demonstrate a novel end-to-end attack against wolfSSL’s ECDSA implementation, exploiting a control flow side-channel in its truncation-based nonce generation algorithm. We also provide a systematic study of non-cetruncation implementations revealing similar leakages in OpenSSL, which we exploit with our single-stepping primitive.

To mitigate these attacks, design changes can be made to Intel TDX to prevent single-stepping and StumbleStepping attacks from occurring in the first place. In particular, the detection heuristic within the single-stepping countermeasure can be modified to use more robust methods of detecting potential threats.

Additionally, the prevention mechanism within the single-stepping countermeasure can be strengthened to prevent attackers from leaking the number of instructions executed by the TDX-protected VM. By making these design changes, Intel TDX can be made more secure and resistant to attacks.

In conclusion, single-stepping and StumbleStepping attacks are significant threats to the security of cloud computing, particularly in the context of Trusted Execution Environments (TEE). These attacks can be used to exploit numerous security issues and compromise the security of virtual machines (VMs) protected by Intel TDX.