Can a malicious cloud provider send bad notifications to break confidential VMs?
Disclosing #AhoiAttacks that break confidential computing offered by AMD SEV-SNP and Intel TDX by abusing interrupt delivery.
https://ahoi-attacks.github.io/
Our first attack #Heckler, to appear at USENIX Security 2024, breaks Intel TDX and AMD SEV-SNP by sending interrupts that trigger existing handlers to change the register state and variables in userspace. We break sshd, sudo, and other apps.
Our second attack #WeSee, to appear at IEEE Security & Privacy 2024, breaks AMD SEV-SNP by sending an interrupt specially introduced for SEV. Starting from a kernel read to arbitrary code injection, we gain a root shell.
Track CVE-2024-25742, CVE-2024-25743, CVE-2024-25744 for updates on fixes and patches.
A fantastic team effort by Benedict M. Schlüter, Supraja Sridhara, Andrin Bertschi, and Mark Kuhne!