T-Time: A Fine-Grained Timing-Based Controlled-Channel Attack Against Intel TDX
摘要
Intel’s Trust Domain Extensions (TDX) is a Confidential Virtual Machine (CVM) technology designed to enhance security through Trusted Execution Environments (TEEs). Although TDX effectively mitigates interrupt-based stepping attacks, it remains vulnerable to controlled-channel attacks, which exploit page-level memory access patterns to infer secret-dependent control flows. Current defenses confine sensitive execution within single memory pages to reduce observable access patterns. We challenge this strategy by introducing T-Time, a fine-grained timing-based controlled-channel attack targeting Intel TDX. T-Time precisely measures dwell time—the interval between consecutive page faults—to uncover previously hidden sensitive control flows. We further enhance T-Time’s precision through a cache-based amplification technique. We validate T-Time in two practical scenarios: extracting a 4096-bit RSA private key from MbedTLS, and reconstructing a WebP image through timing analysis during decoding. Our findings demonstrate that existing page-level defenses are inadequate against fine-grained timing attacks.