Staleus | XCA
Staleus
Breaking AMD SEV-SNP via Memory Incoherence (USENIX Security 2026)
Summary

Confidential computing allows cloud tenants to offload sensitive computations and data to remote resources without needing to trust the cloud service provider. Hardware-based trusted execution environments, like AMD SEV-SNP, achieve this by creating Confidential Virtual Machines (CVMs). With Staleus, we present a novel attack that induces memory incoherence between the secure co-processor (PSP) and x86 cores. By rendering the PSP memory incoherent, a malicious hypervisor can forge critical CVM metadata, enabling arbitrary read and write access within a fully attested CVM, completely breaking SEV-SNP security guarantees.

What is AMD SEV-SNP?

Standard cloud environments expose tenant computation and data in use to potentially untrusted cloud service providers. Confidential computing addresses this by using Confidential Virtual Machines (CVMs): hardware-shielded environments that isolate active workloads and guarantee complete data privacy from the host. Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) is an AMD hardware extension that enables CVMs on AMD server CPUs. Unlike Intel TDX or Arm CCA, AMD anchors its Root of Trust in a dedicated secure co-processor: the Platform Security Processor (PSP).

What is Memory Coherence?

Modern heterogeneous computing platforms contain distinct components: CPU cores, I/O peripherals, and co-processors like the PSP. These components all share access to the same physical DRAM. Memory coherence ensures that every component sees a consistent view of memory, regardless of what data may be cached locally. Without coherence, one component could read stale data from DRAM while another holds a more recent version in its cache, leading to inconsistencies.
Illustration 1: Memory coherence mechanism on AMD Zen platforms.

AMD enforces coherence through Coherence Controllers as shown in Illustration 1. When any component issues a memory request, the Coherence Controller broadcasts probe requests to all caches to check whether they cache the target data. If any cache holds a more recent copy of the requested line, it supplies that data directly, keeping all components in sync.

Staleus Overview

In the confidential computing threat model, the hypervisor is untrusted and potentially malicious. In Staleus, we identify that the platform exposes a security-critical configuration register. The configuration register controls the cache coherence attributes of PSP memory transactions. More importantly, we find that a malicious hypervisor can modify this register to assert the NoSnoop attribute on all PSP memory accesses, forcing the PSP to bypass cache snooping and read or write DRAM directly.

This allows the attacker to induce a split memory view: the PSP operates on stale DRAM data while x86 cores hold divergent, more recent values in their caches. Staleus exploits this divergence in two ways. First, when the PSP reads DRAM, it retrieves stale data that does not reflect recent x86 cache writes. Second, when the PSP writes to DRAM, a subsequent x86 cache eviction silently overwrites the PSP-committed data. We leverage these primitives to forge the Guest Context Page, a PSP-protected structure holding the CVM attestation report and GuestPolicy fields, enabling the hypervisor to activate debug mode on a production CVM and gain arbitrary read and write access to CVM memory.
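The split memory view described above (a stale read by the co-processor, and a co-processor write lost to a later x86 write-back) can be reproduced in a toy software model. This is an added example, not code from the Staleus paper or from AMD; the classes `X86Cache` and `CoProcessor`, the address and the stored values are constructed, and the coherent write path is simplified to an invalidation of the cached line.

```python
"""Toy coherence model: one x86 write-back cache, DRAM, and a co-processor agent.
All names, addresses and values are constructed for illustration."""

class X86Cache:
    """Write-back cache: a store stays dirty in the cache until it is evicted."""
    def __init__(self, dram):
        self.dram = dram
        self.lines = {}                       # addr -> dirty value

    def write(self, addr, value):
        self.lines[addr] = value              # DRAM is not updated yet

    def evict(self, addr):
        if addr in self.lines:                # write the dirty line back to DRAM
            self.dram[addr] = self.lines.pop(addr)


class CoProcessor:
    """Agent behind the fabric; no_snoop=True means its requests skip the probe."""
    def __init__(self, dram, cache, no_snoop):
        self.dram, self.cache, self.no_snoop = dram, cache, no_snoop

    def read(self, addr):
        if not self.no_snoop and addr in self.cache.lines:
            return self.cache.lines[addr]     # probe hit: cache supplies newest data
        return self.dram.get(addr)            # NoSnoop: whatever DRAM holds

    def write(self, addr, value):
        if not self.no_snoop:
            self.cache.lines.pop(addr, None)  # probe invalidates the cached copy
        self.dram[addr] = value


def run(no_snoop, addr=0x1000):
    """Return (value the agent read, final DRAM content) for one access sequence."""
    dram = {addr: "old"}
    cache = X86Cache(dram)
    agent = CoProcessor(dram, cache, no_snoop)
    cache.write(addr, "x86-new")              # dirty line; DRAM still holds "old"
    seen_by_agent = agent.read(addr)
    agent.write(addr, "agent-committed")
    cache.evict(addr)                         # later write-back from the x86 side
    return seen_by_agent, dram[addr]


if __name__ == "__main__":
    print("coherent:", run(no_snoop=False))
    print("NoSnoop :", run(no_snoop=True))
```

With snooping, the agent reads the newest value and its write survives; with NoSnoop, it reads the stale DRAM value and its write is replaced by the evicted x86 line.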
Illustration 2: PSP writes to DRAM, but the Coherence Controller does not ensure cache coherence. A subsequent cache flush overwrites PSP-written data.

Attack Details

In more detail, AMD Zen CPUs employ so-called bridges that translate between different bus protocols. The SYSHUB is one such bridge and serves as AMD’s architectural gateway for integrating third-party IP blocks into the Data Fabric. Among other functions, it converts standard AXI transactions into AMD’s proprietary Scalable Data Port (SDP) bus protocol. Our reverse engineering efforts reveal that the SYSHUB services multiple clients, all of which interface via an internal crossbar. Crucially, the PSP functions as one of these clients whenever it initiates access to the Data Fabric (e.g., targeting x86 DRAM). The SYSHUB is responsible for translating PSP AXI signaling into compatible SDP signals.
Illustration 3: Simplified data path for PSP memory requests.
Illustration 3 visualizes this data flow from the PSP through the SYSHUB to the Data Fabric. Because the translation from AXI to SDP is not a one-to-one mapping, and given that data and control signals possess differing widths, the SYSHUB must aggregate specific AXI data lines or synthesize new SDP-specific signals. The configuration for the SYSHUB exposes control bits that define how the cache coherence attributes...