by MagicalTux
256 days ago
Battering RAM has been demonstrated to work well against Intel's "Scalable SGX", which is also known as SGX 2 and uses a static encryption key to allow SGX to use more of the system's memory. For example, at VP.NET we're using SGX 1, which uses AES-CTR for memory encryption, which is not susceptible to memory replay attacks, and comes with a limit of 512MB of RAM. It's a lot of pain working with a very small memory allocation (especially nowadays, where most machines come with 128GB+). batteringram.eu calls that "Client SGX" with a checkmark on "Read", but reading the actual paper, it only mentions being able to know which areas of memory were written to (see 7.1).
There might be applications where the memory access pattern gives detail on the underlying work performed, but this is likely coarse (encryption is likely per page) and unlikely to yield anything useful. This said, we are also exploring other TEEs, including Intel TDX, and having a wider array of options will give us the ability to instantly disable any technology for which we know security has been compromised.