CONCEPT Cited by 1 source
TEE side-channel vulnerability¶
Definition¶
A TEE side-channel vulnerability is any information-leakage path that bypasses the TEE's intended isolation boundary — typically through microarchitectural state, timing, power, electromagnetic emissions, or implementation-specific oversights — letting an attacker recover plaintext or secrets that the TEE's threat model nominally protects.
TEEs (Intel SGX, Intel TDX, AMD SEV-SNP, Arm CCA) make a strong claim: data inside the enclave / CVM is confidential against the host OS, hypervisor, and operator. Side-channel research repeatedly demonstrates that this claim is leaky in implementation — the math says one thing, the silicon does another.
Why this is a structural concern, not a fixable bug¶
The 2026-05-27 Google post articulates this directly:
"TEE isolation mechanisms are constantly evolving. Researchers regularly discover side-channel vulnerabilities that can be leveraged by an attacker to either invalidate TEE guarantees, or application-level specific guarantees (SNPeek, TDXray). While the community is working towards hardening existing solutions against known side-channel attacks, new side-channel vulnerabilities are expected to be discovered. Therefore, in an ideal system, data would be protected by multiple layers of security so that even if a TEE's security model fails, the data is not compromised."
The key wiki-relevant phrase: "new side-channel vulnerabilities are expected to be discovered." This frames TEE side-channels as a persistent ongoing risk class, not an exception that gets patched and forgotten. The architectural response is composition with an independent defense layer, not waiting for side-channels to be eliminated.
Side-channel taxonomy in TEE context¶
| Class | Mechanism | Example |
|---|---|---|
| Cache timing | Shared L1/L2/LLC cache hit/miss timing leaks access patterns | Foreshadow / L1TF (SGX) |
| Branch prediction | Indirect-branch predictor state leaks control flow | BranchScope, Spectre-class against SGX |
| Speculative execution | Transient instructions in mis-speculation reveal protected memory | Spectre, Meltdown variants |
| Power / EM | Power draw or electromagnetic emanations leak compute | TPM-Fail, Plundervolt |
| Page faults | Host hypervisor observes guest page-fault patterns | Controlled-channel attacks against SGX |
| Memory bus | Memory controller / bus traffic patterns observable to host | TDX-internals, SEV-SNP-internals |
| Performance counters | PMU events readable by host correlate with secret | DataBleed, similar |
Each class has produced multiple published attacks; the pattern repeats every few years as new microarchitectural features (and new TEE designs) ship. The Google post specifically cites SNPeek (a 2025-class side-channel against SEV-SNP) and TDXray (against TDX) as recent examples.
Threat-model implication: TEE as a layer, not a foundation¶
A system that depends on a TEE's confidentiality as the only confidentiality mechanism is implicitly betting that no side-channel exploitable for that workload will be discovered for the workload's lifetime. The 2026 Google design rejects this bet:
"The cryptographic layer ensures that individual raw data is never exposed or reconstructed in any server memory — not even within the hardware-protected perimeters."
Translation: the secure-aggregation cryptographic layer ensures that even if a side-channel reveals what's running inside the TEE, all the attacker sees is encrypted ciphertexts and key shares, not plaintext contributions. Side-channel exfiltration is constrained to data that is already cryptographically protected.
This is the cryptography-plus-TEE defense-in-depth pattern in its load-bearing form.
What TEE attestation does and doesn't help with¶
TEE attestation proves which binary is running, not that it's side-channel-free. A binary that's certified correct can still be exploited by a side-channel that exfiltrates state through the microarchitecture without the binary's cooperation. So:
- Attestation defends against: malicious binary swap, tampered code.
- Attestation does not defend against: side-channel exfiltration of the correct binary's state.
This is why the 2026 Google design uses attestation for transparency (which binary is running, is it the publicly-reviewable one) but not as the confidentiality primitive — that role is the cryptographic layer's.
Defense-in-depth response¶
The named architectural response in the post:
| Defense layer | Mitigates |
|---|---|
| TEE attestation + transparency | Wrong / tampered binary running |
| Cryptographic secure-aggregation | Side-channel exfiltrating useful data — exfiltrated bytes are encrypted, not plaintext |
| Differential privacy | Even if the aggregate is recovered, individual contribution is ε-bounded |
| Committee-held key shares | Even if server is fully compromised, no key can decrypt individuals |
The composition is intentional: each layer compensates for the failure mode of the others. TEE side-channel risk is the explicit motivating threat for the cryptographic layer.
Related side-channel concepts on the wiki¶
- concepts/compression-side-channel-attack — different domain (compression in shared-context HTTP), same primitive idea (an observable side metric leaks the confidential payload).
Caveats¶
- Side-channel hardening is not "done" — Intel TDX, AMD SEV-SNP, and successors continue iterating; published attacks are followed by microcode updates and hardware revisions. Production systems have to treat this as a moving target.
- Side-channels are not always exploitable end-to-end — many published attacks demonstrate information leakage in a controlled setting but require specific co-residency / measurement access not available to remote attackers. The risk is real but graduated.
- Side-channels apply to non-TEE workloads too — composition with TEE doesn't create the side-channel surface, it just means TEE doesn't eliminate it.
- Defending against unknown side-channels is structurally impossible for a single layer. The Google framing makes this explicit; the defense is composition, not assertion.
Seen in¶
- sources/2026-05-27-google-private-analytics-via-zero-trust-aggregation — canonical wiki articulation that TEE side-channels are a persistent risk class motivating composition with cryptographic privacy layers, not a fixable point-in-time bug. Specifically cites SNPeek + TDXray as recent examples; frames "new side-channel vulnerabilities are expected to be discovered" as the load-bearing assumption for the architecture.
Related¶
- concepts/trusted-execution-environment — the protected boundary that side-channels bypass
- concepts/remote-attestation — attests which binary, not side-channel-freedom
- concepts/defense-in-depth — generalising principle
- concepts/compression-side-channel-attack — sibling side-channel in a different domain
- patterns/cryptography-plus-tee-defense-in-depth — architectural response to TEE side-channel risk
- systems/intel-tdx
- systems/amd-sev-snp
- systems/snpeek-side-channel-research
- systems/tdxray-side-channel-research
- systems/cvm-confidential-virtual-machine