We work broadly in computer security and privacy. Specifically, our goal is to lay the foundations for building large-scale secure systems with long-term impact. Our work furthers this goal by showing that existing and emerging software and hardware can be secured in practice. We take pride in building open systems that benefit the larger community and drive industry impact.
RMPocalypse: How a Catch-22 Breaks AMD SEV-SNP. RMPocalypse presents a critical hardware vulnerability in AMD SEV-SNP: the "reverse map table" (RMP), meant to enforce the integrity of confidential VMs, is compromised during its own initialization because the protections (barriers and trusted memory regions) fail to fully block hypervisor-controlled writes. By exploiting this initialization gap, the authors show that they can corrupt the RMP, forge attestations, enable debug mode, and inject code, thereby breaking both the confidentiality and the integrity of the protected VM environment.
Heracles: Chosen Plaintext Attack on AMD SEV-SNP. Heracles presents a chosen-plaintext attack on AMD SEV-SNP: the hypervisor's ability to move encrypted pages (which forces deterministic re-encryption under address-dependent AES-XEX tweaks) creates a chosen-plaintext oracle that lets an attacker recover guest data (passwords, keys, cookies) using dictionary attacks and related primitives. The work calls for limiting page moves or blocking hypervisor access to guest ciphertext.
OpenCCA: An Open Framework to Enable Arm CCA Research. OpenCCA is an open research framework that enables early exploration and evaluation of the Arm Confidential Compute Architecture (CCA) on readily available, lock-free, non-CCA hardware. This makes it possible to estimate the performance of CCA designs and to interact with real-world peripherals, going beyond the limits of pure software simulation. By systematically adapting the Arm software stack from bootloader and firmware to hypervisor and kernel, OpenCCA emulates key CCA operations while maintaining functional correctness with minimal code changes. We demonstrate its effectiveness with typical life-cycle measurements and case studies on an easily available Arm v8.2 Rockchip board that costs $250.
Xray: Detecting and Exploiting Vulnerabilities in Arm AXI Interconnects. Xray is an automatic tool for assessing the security and correctness of AXI interconnects. It models the interconnect as a transaction-processing unit, defines 13 key properties, and uses targeted traffic generation with automated checkers to detect violations. Applied to 7 AXI interconnects, Xray uncovered 41 vulnerabilities, 19 known and 22 new, and demonstrated three FPGA-based exploits that leak data, drop transactions, and corrupt memory.
Sigy: Breaking Intel SGX Enclaves with Malicious Exceptions & Signals. Sigy is an attack on Intel SGX which demonstrates that a malicious operating system can use signal injection to compromise enclave execution. The operating system uses the signals to arbitrarily trigger signal handlers with global effects, which can compromise execution integrity as well as data confidentiality and integrity inside the enclaves. Our in-depth analysis of SGX library OSes and runtimes reveals that seven popular library OSes and runtimes are vulnerable to the attack.
Dorami: Privilege Separating Security Monitor on RISC-V TEEs. Dorami improves the security of RISC-V based Trusted Execution Environments (TEEs) by introducing privilege separation between the security monitor and the platform firmware. This removes the firmware from the TEE's trusted computing base (TCB), significantly reducing the attack surface. Dorami leverages existing RISC-V ISA features, which enables broad adoption without requiring hardware changes.
eXpect: On the Security Implications of Violations in AXI Implementations. eXpect is a systematic framework for detecting functional and security flaws in AXI protocol implementations. The AXI protocol is widely used in SoCs to connect processors, memories, and IPs, so bugs in its implementation can compromise system security. Using eXpect, we analysed 7 AXI implementations, including AMD Xilinx and RISC-V PULP, uncovering 135 violations and seven exploits.
WeSee: Using Malicious #VC Interrupts to Break AMD SEV-SNP. WeSee demonstrates that a malicious hypervisor can inject the new #VC exception (interrupt 29) into AMD SEV-SNP VMs to force the VM's handlers to perform data and register copies, enabling sensitive data leakage (e.g., kTLS keys), kernel-data corruption (e.g., firewall rules), and kernel-space code injection. This undermines SEV-SNP's confidentiality and integrity guarantees.
Heckler: Breaking Confidential VMs with Malicious Interrupts. Heckler shows that a malicious hypervisor can inject non-timer interrupts into confidential VMs (AMD SEV-SNP and Intel TDX) to trigger guest interrupt handlers as "gadgets," altering registers, data, and control flow to exfiltrate secrets (e.g., SSH/sudo authentication), corrupt results, and break CVM confidentiality and integrity.
Acai: Protecting Accelerator Execution with Arm Confidential Computing Architecture. Acai makes accelerators a first-class abstraction in the Arm Confidential Computing Architecture. To do this, Acai systematically extends the Arm CCA security invariants to accelerators and shows that these invariants, when upheld, allow the secure composition of CCA-based confidential VMs and confidential-computing-enabled accelerators. To enforce the invariants, Acai mirrors the CPU-side memory isolation mechanisms on the accelerator side by reusing CCA hardware memory filters and memory translation mechanisms.
SmashEx: Smashing SGX Enclaves Using Exceptions. SmashEx is an attack that exploits re-entrancy vulnerabilities in the exception handling designs of Intel SGX (Software Guard eXtensions) enclave runtimes. It is powerful enough to allow an attacker to read secrets or perform arbitrary code execution inside the victim enclave.
Elasticlave: An Efficient Memory Model for Enclaves. Elasticlave is a Trusted Execution Environment (TEE) design that enables efficient cross-enclave data sharing, built on top of RISC-V Keystone.
Projects & Code
We aim to make all our code open source and freely available: