CounterSEVeillance: Performance-Counter Attacks on AMD SEV-SNP

Stefan Gast; Hannes Weissteiner; Robin Leander Schröder; Daniel Gruss

CounterSEVeillance: Performance-Counter Attacks on AMD SEV-SNP

Stefan Gast^*, Hannes Weissteiner, Robin Leander Schröder, Daniel Gruss

^*Corresponding author for this work

Institute of Information Security (7050)

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

Confidential virtual machines (VMs) promise higher security by running the VM inside a trusted execution environment (TEE). Recent AMD server processors support confidential VMs with the SEV-SNP processor extension. SEV-SNP provides guarantees for integrity and confidentiality for confidential VMs despite running them in a shared hosting environment.

In this paper, we introduce CounterSEVeillance, a new side-channel attack leaking secret-dependent control flow and operand properties from performance counter data. Our attack is the first to exploit performance counter side-channel leakage with single-instruction resolution from SEV-SNP VMs and works on fully patched systems. We systematically analyze performance counter events in SEV-SNP VMs and find that 228 are exposed to a potentially malicious hypervisor. CounterSEVeillance builds on this analysis and records performance counter traces with an instruction-level resolution by single-stepping the victim VM using APIC interrupts in combination with page faults. We match CounterSEVeillance traces against binaries, precisely recovering the outcome of any secret-dependent conditional branch and inferring operand properties. We present four attack case studies, in which we exemplarily showcase concrete exploitable leakage with 6 of the exposed performance counters. First, we use CounterSEVeillance to extract a full RSA-4096 key from a single Mbed TLS signature process in less than 8 minutes. Second, we present the first side-channel attack on TOTP verification running in an AMD SEV-SNP VM, recovering a 6-digit TOTP with only 31.1 guesses on average. Third, we show that CounterSEVeillance can leak the secret key from which the TOTPs are derived from the underlying base32 decoder. Fourth and finally, we show that CounterSEVeillance can also be used to construct a plaintext-checking oracle in a divide-and-surrender-style attack. We conclude that moving an entire VM into a setting with a privileged adversary increases the attack surface, given the vast amounts of code not vetted for this specific security setting.

Original language	English
Title of host publication	Network and Distributed System Security (NDSS) Symposium 2025
Number of pages	16
Publication status	Accepted/In press - Feb 2025
Event	Network and Distributed System Security Symposium 2025: NDSS 2025 - San Diego, United States Duration: 23 Feb 2025 → 28 Feb 2025 https://www.ndss-symposium.org/ndss2025/

Conference

Conference	Network and Distributed System Security Symposium 2025
Abbreviated title	NDSS 2025
Country/Territory	United States
City	San Diego
Period	23/02/25 → 28/02/25
Internet address	https://www.ndss-symposium.org/ndss2025/

Keywords

Performance Counter
Confidential Virtual Machines
AMD SEV

ASJC Scopus subject areas

Computer Science (miscellaneous)

Fields of Expertise

Information, Communication & Computing

Access to Document

counterseveillanceAccepted author manuscript, 331 KBLicence: Unspecified

https://stefangast.eu/papers/counterseveillance.pdfLicence: Unspecified

EU - FSSec - Foundations for Sustainable Security
Gruss, D. (Co-Investigator (CoI))
1/03/23 → 29/02/28
Project: Research project
Special Research Area (SFB) F85 Semantic and Cryptographic Foundations of Security and Privacy by Compositional Design
Mangard, S. (Co-Investigator (CoI))
1/01/23 → 31/12/26
Project: Research project

1 Invited talk
1 Talk at conference or symposium

CounterSEVeillance: Performance-Counter Attacks on AMD SEV-SNP
Gast, S. (Speaker)
26 Feb 2025
Activity: Talk or presentation › Talk at conference or symposium › Science to science
CounterSEVeillance: Performance-Counter Attacks on AMD SEV-SNP
Gast, S. (Speaker)
28 Feb 2025
Activity: Talk or presentation › Invited talk › Science to public

Cite this

@inproceedings{446654a5b62042d18da86bce270a8181,

title = "CounterSEVeillance: Performance-Counter Attacks on AMD SEV-SNP",

abstract = "Confidential virtual machines (VMs) promise higher security by running the VM inside a trusted execution environment (TEE). Recent AMD server processors support confidential VMs with the SEV-SNP processor extension. SEV-SNP provides guarantees for integrity and confidentiality for confidential VMs despite running them in a shared hosting environment.In this paper, we introduce CounterSEVeillance, a new side-channel attack leaking secret-dependent control flow and operand properties from performance counter data. Our attack is the first to exploit performance counter side-channel leakage with single-instruction resolution from SEV-SNP VMs and works on fully patched systems. We systematically analyze performance counter events in SEV-SNP VMs and find that 228 are exposed to a potentially malicious hypervisor. CounterSEVeillance builds on this analysis and records performance counter traces with an instruction-level resolution by single-stepping the victim VM using APIC interrupts in combination with page faults. We match CounterSEVeillance traces against binaries, precisely recovering the outcome of any secret-dependent conditional branch and inferring operand properties. We present four attack case studies, in which we exemplarily showcase concrete exploitable leakage with 6 of the exposed performance counters. First, we use CounterSEVeillance to extract a full RSA-4096 key from a single Mbed TLS signature process in less than 8 minutes. Second, we present the first side-channel attack on TOTP verification running in an AMD SEV-SNP VM, recovering a 6-digit TOTP with only 31.1 guesses on average. Third, we show that CounterSEVeillance can leak the secret key from which the TOTPs are derived from the underlying base32 decoder. Fourth and finally, we show that CounterSEVeillance can also be used to construct a plaintext-checking oracle in a divide-and-surrender-style attack. We conclude that moving an entire VM into a setting with a privileged adversary increases the attack surface, given the vast amounts of code not vetted for this specific security setting.",

keywords = "Performance Counter, Confidential Virtual Machines, AMD SEV",

author = "Stefan Gast and Hannes Weissteiner and Schr{\"o}der, {Robin Leander} and Daniel Gruss",

year = "2025",

month = feb,

language = "English",

booktitle = "Network and Distributed System Security (NDSS) Symposium 2025",

note = "Network and Distributed System Security Symposium 2025 : NDSS 2025, NDSS 2025 ; Conference date: 23-02-2025 Through 28-02-2025",

url = "https://www.ndss-symposium.org/ndss2025/",

}

TY - GEN

T1 - CounterSEVeillance: Performance-Counter Attacks on AMD SEV-SNP

AU - Gast, Stefan

AU - Weissteiner, Hannes

AU - Schröder, Robin Leander

AU - Gruss, Daniel

PY - 2025/2

Y1 - 2025/2

N2 - Confidential virtual machines (VMs) promise higher security by running the VM inside a trusted execution environment (TEE). Recent AMD server processors support confidential VMs with the SEV-SNP processor extension. SEV-SNP provides guarantees for integrity and confidentiality for confidential VMs despite running them in a shared hosting environment.In this paper, we introduce CounterSEVeillance, a new side-channel attack leaking secret-dependent control flow and operand properties from performance counter data. Our attack is the first to exploit performance counter side-channel leakage with single-instruction resolution from SEV-SNP VMs and works on fully patched systems. We systematically analyze performance counter events in SEV-SNP VMs and find that 228 are exposed to a potentially malicious hypervisor. CounterSEVeillance builds on this analysis and records performance counter traces with an instruction-level resolution by single-stepping the victim VM using APIC interrupts in combination with page faults. We match CounterSEVeillance traces against binaries, precisely recovering the outcome of any secret-dependent conditional branch and inferring operand properties. We present four attack case studies, in which we exemplarily showcase concrete exploitable leakage with 6 of the exposed performance counters. First, we use CounterSEVeillance to extract a full RSA-4096 key from a single Mbed TLS signature process in less than 8 minutes. Second, we present the first side-channel attack on TOTP verification running in an AMD SEV-SNP VM, recovering a 6-digit TOTP with only 31.1 guesses on average. Third, we show that CounterSEVeillance can leak the secret key from which the TOTPs are derived from the underlying base32 decoder. Fourth and finally, we show that CounterSEVeillance can also be used to construct a plaintext-checking oracle in a divide-and-surrender-style attack. We conclude that moving an entire VM into a setting with a privileged adversary increases the attack surface, given the vast amounts of code not vetted for this specific security setting.

AB - Confidential virtual machines (VMs) promise higher security by running the VM inside a trusted execution environment (TEE). Recent AMD server processors support confidential VMs with the SEV-SNP processor extension. SEV-SNP provides guarantees for integrity and confidentiality for confidential VMs despite running them in a shared hosting environment.In this paper, we introduce CounterSEVeillance, a new side-channel attack leaking secret-dependent control flow and operand properties from performance counter data. Our attack is the first to exploit performance counter side-channel leakage with single-instruction resolution from SEV-SNP VMs and works on fully patched systems. We systematically analyze performance counter events in SEV-SNP VMs and find that 228 are exposed to a potentially malicious hypervisor. CounterSEVeillance builds on this analysis and records performance counter traces with an instruction-level resolution by single-stepping the victim VM using APIC interrupts in combination with page faults. We match CounterSEVeillance traces against binaries, precisely recovering the outcome of any secret-dependent conditional branch and inferring operand properties. We present four attack case studies, in which we exemplarily showcase concrete exploitable leakage with 6 of the exposed performance counters. First, we use CounterSEVeillance to extract a full RSA-4096 key from a single Mbed TLS signature process in less than 8 minutes. Second, we present the first side-channel attack on TOTP verification running in an AMD SEV-SNP VM, recovering a 6-digit TOTP with only 31.1 guesses on average. Third, we show that CounterSEVeillance can leak the secret key from which the TOTPs are derived from the underlying base32 decoder. Fourth and finally, we show that CounterSEVeillance can also be used to construct a plaintext-checking oracle in a divide-and-surrender-style attack. We conclude that moving an entire VM into a setting with a privileged adversary increases the attack surface, given the vast amounts of code not vetted for this specific security setting.

KW - Performance Counter

KW - Confidential Virtual Machines

KW - AMD SEV

M3 - Conference paper

BT - Network and Distributed System Security (NDSS) Symposium 2025

T2 - Network and Distributed System Security Symposium 2025

Y2 - 23 February 2025 through 28 February 2025

ER -

CounterSEVeillance: Performance-Counter Attacks on AMD SEV-SNP

Abstract

Conference

Keywords

ASJC Scopus subject areas

Fields of Expertise

Access to Document

Fingerprint

Projects

EU - FSSec - Foundations for Sustainable Security

Special Research Area (SFB) F85 Semantic and Cryptographic Foundations of Security and Privacy by Compositional Design

Activities