TEE attacks categorisation

Attack Category

Simple Explanation

Technical Details

Defense Mechanisms

Speculative Execution

CPU guesses what code will run next and executes it early. If guess is wrong, results are thrown away. But secret data touched during wrong guess leaves traces in cache.

Modern CPUs use branch predictors (PHT, BTB) to guess conditional jumps. Speculatively executed instructions modify microarchitectural state (cache, TLB, BTB) before being squashed. Covert/Spectre-like attacks train predictor, cause victim speculation down wrong path, then observe cache state changes via timing. In SGX, this leaks enclave secrets across trust boundary.

Speculation barriers (LFENCE), microcode patches, Retpoline for indirect branches, IBRS/STIBP (Indirect Branch Restricted Speculation), disable SMT, constant-time programming

Cache Timing Side-Channels

Accessing data in cache (nanoseconds) is much faster than RAM (100+ ns). By measuring timing, attackers learn which memory locations victim accessed, revealing secrets.

CPU cache hierarchy (L1: 32-128KB, ~4 cycles; L2: 256KB-2MB, ~12 cycles; L3: 2-32MB, ~40 cycles; DRAM: GB+, ~200 cycles). Prime+Probe: attacker fills cache sets, victim runs, attacker times re-access. Eviction indicates victim used those sets. Flush+Reload: requires shared memory; attacker flushes line (clflush), victim accesses, attacker reloads and times. Fast = cache hit = victim accessed.

Cache partitioning (CAT - Cache Allocation Technology), cache coloring, randomized cache replacement, time-invariant implementations, masking/blinding, disable shared memory

Voltage Fault Injection

Temporarily lower CPU voltage below safe level. This makes transistors switch slower, causing timing errors that skip instructions or flip bits in registers.

DVolt/DVFS interfaces allow software voltage control (originally for power management). Plundervolt exploited this on SGX by inducing voltage drops during crypto operations. Faults occur when Vdd < Vmin causes setup/hold violations: data doesn't meet timing requirements at clock edge. Creates deterministic bit flips or instruction skips exploitable for key extraction.

BIOS voltage locks, disable DVFS interfaces, hardware voltage monitoring, redundant computation with comparison, temporal/spatial redundancy, ECC on critical data

Clock Glitching

Insert extra clock pulses or speed up clock. Circuits don't have time to stabilize before capturing data, causing incorrect values to be latched.

Clock glitching manipulates clock signal (CLK) to shorten period below tCLK-min or insert extra edges. Digital logic has propagation delay (tpd); if CLK period < tpd, output hasn't stabilized when sampled. This violates setup time (tsu: data must be stable tsu before CLK edge). Result: metastability, wrong values latched. Used to skip security checks or corrupt crypto state.

Clock monitoring circuits, frequency limit enforcement, clock jitter detection, dual-rail logic with delay insensitive encoding, watchdog timers, mesh shielding

Electromagnetic Fault Injection (EMFI)

Generate powerful electromagnetic pulse near chip with coil. Induced currents disrupt flip-flops and circuit timing, causing faults in specific chip regions.

EMFI uses ferrite core coil driven by high-voltage pulse generator. Electromagnetic pulse induces Eddy currents in chip substrate and interconnect. Two mechanisms: (1) Induced voltage delays signal propagation → timing violations; (2) EM field directly couples to flip-flop transistors → forces state changes. Spatial targeting via 3D probe positioning. Bypasses software/protocol security by direct hardware manipulation.

EM shielding (Faraday cage), power supply filtering, balanced/differential logic, random delays, loop sensors detecting EM pulses, tamper-evident packaging

Rowhammer DRAM Attack

Repeatedly access (hammer) one DRAM row. Electrical interference causes bit flips in neighboring rows due to charge leakage between nearby capacitors.

DRAM stores charge in capacitor + access transistor per cell. Capacitor ~30 fF, holds around 100K electrons. Repeatedly activating (ACTIVATE cmd) wordline to one row causes: (1) Capacitive coupling to adjacent wordlines via parasitic capacitance; (2) EM interference from switching currents; (3) Hot carrier injection into gate oxide. All three leak charge from victim cells. If charge drops below sensing threshold before REFRESH (32-64ms interval), bit flips. TRH (RowHammer threshold) decreased: DDR3=139K acts, DDR4=10K, DDR5~500. RowPress keeps row active (high tAggON) causing more leakage with fewer activations.

TRR (Target Row Refresh) - refresh neighbors of frequently accessed rows, PARA (Probabilistic Adjacent Row Activation), GRAPHENE, TWiCe, row activation counters, ECC DRAM, RowPress-resistant DRAM timings

Physical Memory Bus Interception

Place hardware between CPU and RAM modules to intercept encrypted memory traffic. Pattern analysis of encrypted data reveals secrets despite encryption.

DDR4/5 memory bus between CPU and DIMM carries encrypted data (SGX uses AES-XEX, SEV uses AES-CTR). WireTap uses FPGA-based interposer inserted between CPU socket and DIMM (requires physical access). Deterministic encryption (same plaintext → same ciphertext at same address) creates observable patterns. Statistical analysis of ciphertext across multiple accesses reveals secrets. Attack extracts attestation keys stored in SGX Scalable protected memory, bypassing memory encryption confidentiality.

Use probabilistic/randomized encryption (SGX v1 design), add per-page nonces, encrypt memory bus, physical tamper detection, use authenticated encryption (AE) preventing modification

Privilege Escalation

Exploit bugs to move from user-level code to kernel/TEE OS. Insufficient input validation or dangerous system calls allow attacker to gain full control.

TEE architecture: Normal World (REE) vs. Secure World (TEE OS + TAs). System Management Calls (SMC) provide interface. Privilege escalation exploits: (1) Buffer overflows in TA → shellcode execution; (2) Inadequate syscall input validation in TEE kernel → arbitrary memory access; (3) Type confusion or integer overflows → OOB writes. Successful escalation grants TEE kernel privilege: read/write all secure memory, access crypto keys, modify XPU (memory protection), blow fuses.

Input validation, reduce syscall attack surface (REZONE approach), principle of least privilege, capability-based security, CFI (Control-Flow Integrity), stack canaries, ASLR, W^X

Cryptographic Implementation Flaw

Implementation reuses encryption IVs, uses weak random numbers, or has logic errors. These fundamental crypto mistakes allow key recovery or security bypass.

Samsung Keymaster: AES-GCM encryption with static IV across multiple operations. In GCM, IV reuse allows: (1) XOR ciphertexts to reveal plaintext XOR; (2) Forgery via polynomial hash collision; (3) Full key recovery with ~2^32 repeated nonces. Downgrade attack: Key blobs versioned but no rollback protection (monotonic counter). Attacker with privileged access writes old blob format with known vulnerability. System accepts due to valid signature but outdated format has exploitable weakness (e.g., hardcoded key derivation).

Use cryptographically secure RNG (TRNG/DRNG), proper IV generation (random/counter-based, never reuse), regular security audits, use vetted crypto libraries (not custom), implement key rotation

Protocol Downgrade/Rollback

Force system to use older vulnerable software version. Without version enforcement, attacker downgrades to patched vulnerability and exploits it again.

Firmware/software updates signed with manufacturer key. Old versions also validly signed. Without anti-rollback: (1) Bootloader verifies signature but not version freshness; (2) Attacker with sufficient access replaces new firmware with old signed version; (3) System boots old version with known CVE; (4) Attacker exploits patched vulnerability. Mitigation requires monotonic counter (fuse-based or RPMB) incremented each update, bootloader rejects if version < stored counter.

Monotonic counter (fuse-based), secure version storage (RPMB), bootloader version check, signed version manifest, measured boot with attestation, hardware root of trust