Not So Secure TSC

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

Modern cloud environments greatly facilitate efficiency as workloads of multiple tenants run on the same physical system, often grouped by functionality, e.g., function-as-a-service containers, or platform-as-a-service virtual machines. However, the sharing of physical hardware resources across mutually distrusting tenants comes with security implications. Consequently, cloud providers also offer higher security levels with trusted execution environments in the form of confidential virtual machines, e.g., Intel TDX and AMD SEV-SNP. Many works have shown that attackers can exploit microarchitectural side channels in cloud scenarios, including attacks on trusted-execution environments. However, the practical relevance of these attacks hinges on the co-location of the attacker with its victim on the same physical machine within the data center. Prior work has presented co-location detection techniques that work inside containers or on regular virtual machines. However, co-location detection techniques for confidential virtual machines, e.g., AMD SEV-SNP, have not been studied yet, as these have to be performed from within AMD SEV-SNP virtual machines to target the same physical host machine.

In this paper, we present the first co-location detection technique working on confidential virtual machine hosts. We exploit the new SecureTSC feature supported on recent AMD processors with SEV-SNP. SecureTSC is intended to provide a trusted timing source to confidential virtual machines that cannot be tampered with by the host. We systematically study the behavior of SecureTSC and show that it can be exploited to detect whether two confidential virtual machines are co-located. We demonstrate our co-location detection in a concrete scenario, where two confidential virtual machines attempt to co-locate with each other. Our attack uses a minimal network protocol, TsCupid, to determine whether any of the connected confidential virtual machines are co-located. We practically evaluate our attacks and show that we can detect co-location within 0.13 seconds in a fully parallelized way, minimizing the cost for an attack. Finally, we show that our attack cannot be mitigated without modifying the SecureTSC feature and propose a concrete design change that would fully prevent our attack.
Original language: English
Title of host publication: Applied Cryptography and Network Security
Subtitle of host publication: 23rd International Conference, ACNS 2025, Munich, Germany, June 23rd-26th, 2025, Proceedings
Publisher: Springer
Publication status: Published - 23 Jun 2025
Event: 23rd International Conference on Applied Cryptography and Network Security - Munich, Germany
Duration: 23 Jun 2025 → 26 Jun 2025
http://acns2025.fordaysec.de/

Conference

Conference: 23rd International Conference on Applied Cryptography and Network Security
Abbreviated title: ACNS
Country/Territory: Germany
City: Munich
Period: 23/06/25 → 26/06/25
Fields of Expertise

  • Information, Communication & Computing
