To appear at IEEE S&P 2026

Tristan Hornetz *  ·  Hosein Yavarzadeh *
Albert Cheu  ·  Adria Gascon  ·  Lukas Gerlach
Daniel Moghimi  ·  Phillipp Schoppmann  ·  Michael Schwarz  ·  Ruiyi Zhang

* Equal contribution joint first authors

Confidential Computing Promises Privacy

Cloud providers now let you run code inside hardware-protected virtual machines — called Confidential VMs — where even the cloud operator cannot see what's happening inside. Intel TDX (Trust Domain Extensions) is one such technology, increasingly used to protect sensitive tasks like private AI inference, financial applications, and medical analytics.

TDX encrypts all guest memory and prevents the hypervisor (host) from reading or modifying guest data directly. Sounds airtight — but the host still shares physical hardware with the guest: caches, interconnects, and memory controllers all handle both.

TDXRay systematically exploits these shared resources as side channels — indirect signals that leak what the encrypted VM is doing, without ever breaking the cryptographic boundary.

Figure: Intel TDX CPU; cache state observable from the host.

How TDXRay Sees Through Encryption

TDXRay builds on four host-observable signals in Intel TDX. Each relies on a different shared resource; together they cover access patterns from page-level down to cache-line granularity.

01 — Page Level

SEPTrace

Intel TDX exposes a host API (a SEAMCALL into the TDX module) to temporarily block and unblock guest page translations in the Secure EPT. We show that a malicious hypervisor can block all pages in a region, resume the TD, and wait: the first access to a blocked page traps to the host and reveals exactly which page the guest touched. Unblocking that page, re-blocking it after the next exit and repeating yields a deterministic page-level trace.

4 kB / 2 MB granularity

02 — Cache Level

Load+Probe

Although TDX prevents the host from reading encrypted guest memory, a host read of an alias of the same physical address (mapped under the host's own key ID) still takes measurably longer when the guest has that line cached, because the two mappings conflict in the cache. The timing difference reveals not only whether a cache line is cached but also whether the guest read or wrote it.

64-byte granularity · Cross-core

03 — Timer-Free

TSX-Probe

Intel TSX hardware transactions abort when a cache line they touch conflicts with another access. We wrap a read of a guest memory alias inside a TSX transaction: if the guest has that line cached in L1, the transaction aborts. No timer is needed and frequency-scaling noise does not matter, so the result is a clean binary signal.

64-byte · Rd/Wr distinction

04 — Synchronization

MWAIT-Probe

The monitor/mwait instruction pair parks a core until a monitored memory address is accessed. We show that the monitoring is keyed on the physical address, so it also fires for TDX private memory. This gives cache-line-granular synchronization: the host can align its measurements precisely with guest execution.

64-byte · Synchronizing primitive

TDXRay: Putting It All Together

TDXRay is a Linux kernel module that combines all four primitives into a practical tracing system. It operates entirely within legitimate host interfaces, requires no guest cooperation, and produces cache-line-granular memory access traces of any unmodified confidential VM.

Attack loop on the untrusted host (VMM):

1. Block the victim's pages via SEAMCALL.
2. Resume TD execution; the TD runs until it touches a blocked page.
3. The access faults and traps to the host (TD exit).
4. Probe the cache state of the faulting page (TSX-Probe).
5. Log the guest physical address (GPA) and the accessed cache lines, unblock the page, and repeat.

Output: a cache-line-granular access trace.

AES Benchmark Results

We validated TDXRay on the classic AES T-table cache attack, a standard benchmark for cache side channels. All four primitives successfully recover the secret key.

Evaluated on Intel Xeon 6736P (Granite Rapids) · TDX Module v2.0

Stealing User Prompts from Encrypted VMs

Confidential computing is being adopted rapidly for private AI inference: users want their prompts kept secret from the cloud operator. TDXRay directly threatens this guarantee.

Headline results (animated counters on the live page; values not reproduced here): average prompt similarity for Llama 3.2, average prompt similarity for Gemma 3, fraction of prompts with full credit card details leaked, and SSN recovery rate on Gemma 3.

Why Tokenization Leaks

Before an LLM processes your prompt, it runs a tokenizer, a program that converts text into numeric token IDs by looking each word or sub-word up in a vocabulary hash map held in memory. The map is chained: a lookup hashes the string to a bucket and then walks that bucket's linked list until it finds the matching entry. Which bucket is walked, and how far, depends on the input, so the memory access pattern is both predictable and secret-dependent.

The attacker monitors which hash map nodes the tokenizer visits. Because the hash function is public (and the vocabulary is known for open models), the attacker can rebuild the same layout offline and map each observed chain walk back to a unique token. Stitch the tokens together and you have the full prompt.

Critically, this attack happens entirely on the CPU during tokenization — before inference even begins — meaning GPU confidentiality offers no protection.

Interactive example of tokenization (on the live page): ① enter a prompt of up to 10 words → ② BPE tokens (Ġ marks a word boundary) → ③ vocabulary hash map lookup → the attacker reconstructs the prompt from page faults and hot cache lines.
Video Demo

A recorded TDXRay demo is embedded on the live page.

Mitigations

We investigate both short-term software-level mitigations and long-term architectural changes that hardware vendors can adopt.


Data-Oblivious Tokenization

Replace the standard hash map with a data-oblivious map whose memory access pattern is the same for every input. We implement this for Llama 3.2's full 128K-token vocabulary and show acceptable performance overhead: for real workloads, inference time still dominates.
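The following toy model illustrates both the leak described under "Why Tokenization Leaks" and the data-oblivious replacement above. It is an added example written for this page, not code from the paper, from any real tokenizer, or from the authors' oblivious map. Everything in it is constructed: the ten-entry `VOCAB`, the `bucket_of` hash, the four-bucket chained map (`ChainedVocabMap`), the attacker-side `reconstruct`, and the trace format, which models the host's view as the ordered list of hash-map nodes a lookup touches, standing in for the page faults and hot cache lines TDXRay actually observes. `ObliviousVocabMap` is the simplest possible data-oblivious lookup (a full linear scan with masked select), not the paper's construction.

```python
"""Toy model of the tokenizer leak and of a data-oblivious vocabulary map.

Added example for this page, not code from the paper, from Llama's tokenizer
or from any real library. Vocabulary, hash function, bucket count and trace
format are constructed: the attacker's view is modelled as the ordered list
of hash-map nodes a lookup touches (standing in for page faults and hot
cache lines).
"""
from typing import List, Tuple

# Constructed toy vocabulary (id = position). Ġ marks a word boundary as in
# BPE vocabularies; real vocabularies have ~128K entries.
VOCAB = ["Ġthe", "Ġcard", "Ġnumber", "Ġis", "Ġmy", "Ġsecret",
         "Ġhello", "Ġworld", "Ġ4111", "Ġpassword"]
N_BUCKETS = 4  # deliberately small so chains are long and collisions visible

Node = Tuple[int, int]  # (bucket index, position in that bucket's chain)


def bucket_of(token: str) -> int:
    """Public, deterministic hash: the attacker can evaluate it for any token."""
    h = 0
    for ch in token:
        h = (h * 31 + ord(ch)) & 0xFFFFFFFF
    return h % N_BUCKETS


class ChainedVocabMap:
    """Chained hash map (std::unordered_map style): bucket -> list of (token, id).
    Walking down a chain is the secret-dependent access pattern."""

    def __init__(self, tokens: List[str]):
        self.buckets: List[List[Tuple[str, int]]] = [[] for _ in range(N_BUCKETS)]
        for tid, tok in enumerate(tokens):
            self.buckets[bucket_of(tok)].append((tok, tid))

    def lookup(self, token: str, trace: List[Node]) -> int:
        b = bucket_of(token)
        for pos, (tok, tid) in enumerate(self.buckets[b]):
            trace.append((b, pos))  # this node's cache line becomes hot
            if tok == token:
                return tid
        raise KeyError(token)


class ObliviousVocabMap:
    """Data-oblivious lookup: touches every entry in a fixed order and selects
    the match with a mask, so the trace does not depend on the token."""

    def __init__(self, tokens: List[str]):
        self.entries = list(enumerate(tokens))

    def lookup(self, token: str, trace: List[Node]) -> int:
        result = -1
        for idx, (tid, tok) in enumerate(self.entries):
            trace.append((0, idx))  # same node sequence for every input
            match = int(tok == token)  # in C this would be a branchless compare
            result ^= (result ^ tid) & -match  # select tid iff match, no branch
        return result


def tokenize(text: str, vocab_map, trace: List[Node]) -> List[int]:
    """Whitespace-level stand-in for BPE: one vocabulary lookup per word."""
    return [vocab_map.lookup("Ġ" + word, trace) for word in text.split()]


def reconstruct(trace: List[Node], layout: ChainedVocabMap) -> List[str]:
    """Attacker side. With the public vocabulary, hash and insertion order the
    attacker rebuilds the same layout; each lookup shows up in the trace as a
    run (b,0),(b,1),...,(b,k) whose last node names the token at chain
    position k of bucket b."""
    tokens, i = [], 0
    while i < len(trace):
        b, pos = trace[i]
        assert pos == 0, "every lookup starts at the head of a chain"
        j = i
        while j + 1 < len(trace) and trace[j + 1] == (b, trace[j][1] + 1):
            j += 1
        tokens.append(layout.buckets[b][trace[j][1]][0])
        i = j + 1
    return tokens


def leak_and_recover(prompt: str) -> Tuple[List[int], str]:
    """Victim tokenizes `prompt` with the leaky map; attacker recovers it."""
    trace: List[Node] = []
    ids = tokenize(prompt, ChainedVocabMap(VOCAB), trace)
    words = reconstruct(trace, ChainedVocabMap(VOCAB))
    return ids, " ".join(w[1:] for w in words)  # strip the Ġ marker


def oblivious_traces_match(prompt_a: str, prompt_b: str) -> bool:
    """Under the oblivious map, prompts with the same word count leave identical traces."""
    ta: List[Node] = []
    tb: List[Node] = []
    tokenize(prompt_a, ObliviousVocabMap(VOCAB), ta)
    tokenize(prompt_b, ObliviousVocabMap(VOCAB), tb)
    return ta == tb


if __name__ == "__main__":
    print(leak_and_recover("my card number is 4111"))
    print(oblivious_traces_match("my card", "the world"))
```

Two things the toy makes visible that the prose does not: the attacker needs nothing beyond the public layout and the order of touched nodes (no timing values), and a data-oblivious lookup removes per-token leakage but still exposes the number of lookups, so `oblivious_traces_match("my card", "the")` is false; hiding prompt length needs padding on top of the oblivious map.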


Anomaly Detection in Guest

TDXRay leaves observable microarchitectural footprints in the victim: inflated page fault rates and elevated cache miss counts. A monitor inside the confidential VM can track these performance counters and detect when it is being traced. TDX supports virtualized performance counters, which makes this practical.
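A minimal version of such an in-guest monitor, written as an added example for this page rather than taken from the paper: it learns a per-counter baseline from a warm-up window and alerts when page-fault or cache-miss rates stay far above it. The counter samples, the warm-up length, the `k` multiplier and the streak requirement are all constructed assumptions; a real monitor would feed in per-second rates read from the TD's virtualized PMU.

```python
"""In-guest footprint detector, as an added example (not the paper's monitor).

The counter samples below are constructed; a real monitor inside the TD would
read page-fault and LLC-miss counts from the virtualized PMU at a fixed
interval and pass the per-second rates to detect().
"""
from statistics import mean, pstdev
from typing import List, Tuple

Sample = Tuple[float, float]  # (page faults per second, LLC misses per second)


def baseline(samples: List[Sample], warmup: int) -> List[Tuple[float, float]]:
    """Per-counter (mean, stdev) over the first `warmup` samples, taken while
    the workload is assumed to be running unobserved."""
    cols = list(zip(*samples[:warmup]))
    return [(mean(c), pstdev(c)) for c in cols]


def detect(samples: List[Sample], warmup: int = 20, k: float = 4.0,
           min_consecutive: int = 3) -> List[int]:
    """Indices of samples at which an alert fires: any counter above
    mean + k*stdev for `min_consecutive` samples in a row. The streak
    requirement suppresses one-off spikes such as a code page being faulted
    in for the first time; the stdev floor of 1.0 keeps a perfectly flat
    warm-up from producing a zero-width band."""
    stats = baseline(samples, warmup)
    alerts, streak = [], 0
    for i in range(warmup, len(samples)):
        hot = any(v > m + k * max(sd, 1.0)
                  for v, (m, sd) in zip(samples[i], stats))
        streak = streak + 1 if hot else 0
        if streak >= min_consecutive:
            alerts.append(i)
    return alerts


# Constructed data: 30 s of normal inference, then 10 s while the host
# single-steps pages and probes cache lines (faults and misses both explode).
NORMAL: List[Sample] = [(50 + i % 5, 2000 + 37 * (i % 7)) for i in range(30)]
ATTACK: List[Sample] = [(4800 + 100 * i, 60000 + 500 * i) for i in range(10)]
SAMPLES = NORMAL + ATTACK

if __name__ == "__main__":
    print("alerts at sample indices:", detect(SAMPLES))
```

The page-level primitive forces an exit on every access to a blocked page, so during a full trace the fault rate rises by orders of magnitude, which is what makes a simple threshold workable here. The detector's weak spot is the same as for any rate-based heuristic: an attacker who blocks only a handful of pages at a time, or traces intermittently, can keep the rates closer to the baseline, so the warm-up window and `k` should be tuned against the workload's real variance rather than the constants assumed above.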


HKID-Aware Cache Tags

Load+Probe and TSX-Probe work because the cache coherence protocol doesn't distinguish cache lines with identical physical addresses but different encryption key IDs (HKIDs). Incorporating HKID into cache tags would allow these lines to coexist, eliminating the conflict-based timing signal.

BibTeX

@inproceedings{TDXRay,
  title     = {{TDXRay}: Microarchitectural Side-Channel Analysis of
               Intel {TDX} for Real-World Workloads},
  author    = {Hornetz, Tristan and Yavarzadeh, Hosein and Cheu, Albert
               and Gascon, Adria and Gerlach, Lukas and Moghimi, Daniel
               and Schoppmann, Phillipp and Schwarz, Michael
               and Zhang, Ruiyi},
  booktitle = {IEEE Symposium on Security and Privacy (S\&P)},
  year      = {2026},
}

Frequently Asked Questions

Q: Does this affect my deployment?
A: If you are running workloads that process sensitive data, especially LLM inference with user prompts, inside Intel TDX, and your hypervisor is potentially untrusted or compromised, then yes, these attacks apply.

Q: Does TDXRay break TDX's encryption?
A: No. TDXRay does not break TDX's cryptographic guarantees; no encrypted memory is read directly. Instead, it exploits microarchitectural side effects of shared hardware. Intel's own threat model explicitly excludes microarchitectural side channels, so this is a known limitation of the technology that this paper makes concrete and quantifies against real workloads.

Q: Does the attacker need physical access to the machine?
A: No. TDXRay runs entirely in software on the host machine, specifically in the hypervisor/kernel. The attacker model is a malicious or compromised cloud operator who controls the host kernel and hypervisor.

Q: Does this also apply to AMD SEV-SNP or ARM CCA?
A: This paper focuses exclusively on Intel TDX. AMD SEV-SNP and ARM CCA have different hardware interfaces, and while similar microarchitectural attack classes exist (for example, cache attacks on AMD SEV have been demonstrated by others), the specific primitives described here (SEPTrace, Load+Probe, TSX-Probe, and MWAIT-Probe) exploit Intel-specific hardware features.

Q: Was this disclosed to the affected vendors?
A: Yes. We followed responsible disclosure and notified Intel and major vendors that publicly rely on confidential computing for private inference, including Apple, Anthropic, Google, Microsoft, Meta, and OpenAI, in November 2025.

Q: Which processors are affected?
A: We evaluated TDXRay on three TDX-enabled Intel Xeon processors: Xeon Silver 4510 (Sapphire Rapids), Xeon Gold 6526Y (Emerald Rapids), and Xeon 6736P (Granite Rapids). All three are affected. These are the three most recent generations of Intel server CPUs that support TDX.

Authors

* Equal contribution joint first authors

Tristan Hornetz * · CISPA

Hosein Yavarzadeh * · UC San Diego/Google

Albert Cheu · Google

Adria Gascon · Google