Preface: The recent research, released in a paper titled “TEE.fail: Breaking Trusted Execution Environments via DDR5 Memory Bus Interposition”, does not change Intel’s earlier statement that physical attacks of this type are out of scope for SGX.
Background: Intel SGX protects memory by creating “enclaves,” isolated, private regions within an application’s address space. Enclave pages are stored in the Enclave Page Cache (EPC), which lies inside the processor’s reserved memory (PRM). The CPU’s access checks keep even privileged software such as the operating system or hypervisor out of enclave pages, and the CPU encrypts enclave data as it is written out to the EPC and decrypts it on the fly as it is read back from memory, so that data is only ever seen in ciphertext outside the CPU package.
When the CPU writes a block to memory, the memory encryption engine in the memory controller derives the ciphertext deterministically from the plaintext and the physical address: writing the same plaintext to the same address always produces the same ciphertext, and nothing on the bus ties a ciphertext to the time it was written. Aliasing a location on its own therefore does not let an attacker read the victim’s plaintext, because the ciphertext is still bound to its address and the key. However, a doctoral researcher at KU Leuven in Belgium reports that an attacker can capture a victim’s ciphertext and later write it back to the same physical address, where the CPU decrypts it into valid but stale plaintext, i.e. a replay.
Ref: ACPI Machine Language (AML) is the platform-independent byte code that ACPI firmware ships and the OS interprets. ACPI Source Language (ASL) is the human-readable source form that is compiled into AML.
For example, the OS has a driver for an Embedded Controller device, and AML can call into that OS driver. Conversely, ACPI can reserve certain hardware resources so that AML uses them directly and the OS knows it must not touch them.
Vulnerability details: Independent researchers have separately published methods to attack Intel® Software Guard Extensions (Intel® SGX) with a physical interposer device.
In the WireTap paper, researchers from Georgia Tech and Purdue University used a passive interposer to read ciphertext from memory holding low-entropy data and built a ciphertext-to-plaintext dictionary from it.
In the Battering RAM paper, researchers from KU Leuven and the University of Birmingham built a custom active interposer that aliases memory, gaining arbitrary read/write access to Intel SGX-protected memory.
Both research teams assume a physical adversary with direct access to the hardware and an interposer on the memory bus.
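The properties described above (deterministic, address-tweaked memory encryption with no freshness; a ciphertext-to-plaintext dictionary over low-entropy data; replay of captured ciphertext at the same address; and aliasing not exposing plaintext by itself) can be modelled in a few dozen lines. The following is an added illustration written for this note and is not code from Intel or from any of the cited papers. It assumes a 4-round Feistel cipher keyed with HMAC-SHA256 as a stand-in for the real AES-XTS engine, an in-memory dictionary standing in for DRAM, and, for the dictionary attack, that the attacker can first observe what each candidate low-entropy value encrypts to at the target address (the WireTap premise); the function and class names are this example's own.

```python
"""Toy model of a deterministic, address-tweaked memory encryption engine.
Added example for this note; not Intel's engine and not the papers' code.
Assumptions: an HMAC-SHA256 Feistel network stands in for AES-XTS, a dict
stands in for DRAM, and bus_snoop/bus_inject model a passive/active interposer.
"""
import hashlib
import hmac
import os

BLOCK = 16    # 128-bit encryption granule
ROUNDS = 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, tweak, r, half):
    # Keyed round function; the address tweak makes the permutation
    # depend on the physical address, like a tweakable block cipher.
    return hmac.new(key, tweak + bytes([r]) + half, hashlib.sha256).digest()[:8]


def encrypt_block(key, addr, pt):
    assert len(pt) == BLOCK
    tweak = addr.to_bytes(8, "little")
    l, r = pt[:8], pt[8:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, tweak, i, r))
    return l + r


def decrypt_block(key, addr, ct):
    assert len(ct) == BLOCK
    tweak = addr.to_bytes(8, "little")
    l, r = ct[:8], ct[8:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, tweak, i, l)), l
    return l + r


class MemoryController:
    """CPU side: plaintext in, ciphertext on the DRAM bus. No MAC, no counter."""

    def __init__(self, key=None):
        self.key = key or os.urandom(32)
        self.dram = {}                       # physical address -> ciphertext block

    def cpu_write(self, addr, pt):
        self.dram[addr] = encrypt_block(self.key, addr, pt)

    def cpu_read(self, addr):
        return decrypt_block(self.key, addr, self.dram[addr])

    # Interposer primitives (attacker side): observe and inject raw ciphertext.
    def bus_snoop(self, addr):
        return self.dram[addr]

    def bus_inject(self, addr, ct):
        self.dram[addr] = ct


def enc_value(v):
    """Encode a small integer as one block: a low-entropy secret."""
    return v.to_bytes(BLOCK, "little")


def determinism(mc, addr=0x1000):
    """Same plaintext, same address -> same ciphertext; other address -> different."""
    mc.cpu_write(addr, enc_value(7)); c1 = mc.bus_snoop(addr)
    mc.cpu_write(addr, enc_value(7)); c2 = mc.bus_snoop(addr)
    mc.cpu_write(addr + BLOCK, enc_value(7)); c3 = mc.bus_snoop(addr + BLOCK)
    return c1 == c2 and c1 != c3


def dictionary_attack(mc, addr, secret, candidates=range(256)):
    """WireTap-style: learn what each candidate encrypts to at addr (assumed
    observable), then recover an unknown write from its ciphertext alone."""
    table = {}
    for v in candidates:
        mc.cpu_write(addr, enc_value(v))
        table[mc.bus_snoop(addr)] = v
    mc.cpu_write(addr, enc_value(secret))        # victim writes its secret
    return table.get(mc.bus_snoop(addr))          # attacker looks the ciphertext up


def replay_attack(mc, addr):
    """Capture old ciphertext, let the victim advance, write the old block back:
    the CPU accepts it and decrypts it to valid but stale plaintext."""
    mc.cpu_write(addr, enc_value(1))
    stale = mc.bus_snoop(addr)
    mc.cpu_write(addr, enc_value(2))              # victim advances its state
    mc.bus_inject(addr, stale)                    # interposer rolls it back
    return int.from_bytes(mc.cpu_read(addr), "little")


def alias_read_works(mc, addr, alias):
    """Ciphertext moved to another address decrypts under a different tweak,
    so aliasing on its own does not reveal the plaintext."""
    mc.cpu_write(addr, enc_value(0x41))
    mc.bus_inject(alias, mc.bus_snoop(addr))
    return mc.cpu_read(alias) == enc_value(0x41)


if __name__ == "__main__":
    mc = MemoryController()
    print("deterministic:", determinism(mc))
    print("dictionary recovers secret:", dictionary_attack(mc, 0x2000, 123))
    print("value after replay:", replay_attack(mc, 0x3000))
    print("alias exposes plaintext:", alias_read_works(mc, 0x4000, 0x5000))
```

The point of the model is what it lacks: no per-write nonce or counter and no integrity tag, so the engine cannot tell a replayed block from a fresh one, and a fixed mapping from (address, plaintext) to ciphertext makes a small value space enumerable from the bus alone. Both are exactly the gaps the two papers exploit with a physical interposer.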
Official announcement: Please refer to the link for details – https://www.intel.com/content/www/us/en/security-center/announcement/intel-security-announcement-2025-10-28-001.html