Intel’s Trust Domain Extensions (TDX) is a Confidential Virtual Machine (CVM) technology designed to enhance security through Trusted Execution Environments (TEEs). Although TDX effectively mitigates interrupt-based stepping attacks, it remains vulnerable to controlled-channel attacks, which exploit page-level memory access patterns to infer secret-dependent control flows. Current defenses confine sensitive execution within single memory pages to reduce observable access patterns. We challenge this strategy by introducing T-Time, a fine-grained timing-based controlled-channel attack targeting Intel TDX. T-Time precisely measures dwell time—the interval between consecutive page faults—to uncover previously hidden sensitive control flows. We further enhance T-Time’s precision through a cache-based amplification technique. We validate T-Time in two practical scenarios: extracting a 4096-bit RSA private key from MbedTLS, and reconstructing a WebP image through timing analysis during decoding. Our findings demonstrate that existing page-level defenses are inadequate against fine-grained timing attacks.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

T-Time: A Fine-Grained Timing-Based Controlled-Channel Attack Against Intel TDX

  • Woomin Lee,
  • Taehun Kim,
  • Seunghee Shin,
  • Junbeom Hur,
  • Youngjoo Shin

摘要

Intel’s Trust Domain Extensions (TDX) is a Confidential Virtual Machine (CVM) technology designed to enhance security through Trusted Execution Environments (TEEs). Although TDX effectively mitigates interrupt-based stepping attacks, it remains vulnerable to controlled-channel attacks, which exploit page-level memory access patterns to infer secret-dependent control flows. Current defenses confine sensitive execution within single memory pages to reduce observable access patterns. We challenge this strategy by introducing T-Time, a fine-grained timing-based controlled-channel attack targeting Intel TDX. T-Time precisely measures dwell time—the interval between consecutive page faults—to uncover previously hidden sensitive control flows. We further enhance T-Time’s precision through a cache-based amplification technique. We validate T-Time in two practical scenarios: extracting a 4096-bit RSA private key from MbedTLS, and reconstructing a WebP image through timing analysis during decoding. Our findings demonstrate that existing page-level defenses are inadequate against fine-grained timing attacks.