AEX-NStep: Probabilistic Interrupt Counting Attacks on Intel SGX

Authors: Nicolas Dutly, Friederike Groschupp, Ivan Puddu, Kari Kostiainen, and Srdjan Čapkun
Proceedings of the 47th IEEE Symposium on Security and Privacy (SP 2026)
PDF
Code

Abstract

To mitigate interrupt-based stepping attacks (notably using SGX-Step), Intel introduced AEX-Notify, an ISA extension to Intel SGX that aims to prevent deterministic single-stepping. In this work, we introduce AEX-NStep, the first interrupt counting attack on AEX Notify-enabled Enclaves. We show that deterministic single-stepping is not required for interrupt counting attacks to be practical and that, therefore, AEX-Notify does not entirely prevent such attacks. We specifically show that one of AEX-Notify’s security guarantees, obfuscated forward progress, does not hold, and we introduce two new probabilistic interrupt counting attacks. We use these attacks to construct a practical ECDSA key leakage attack on an AEX-Notiy-enabled SGX enclave. Our results extend the original security analysis of AEX-Notify and inform the design of future mitigations.

Research Area: Trusted Computing

People

Nicolas Dutly
Doctoral Student
Friederike Groschupp
Doctoral Student
Dr. Kari Kostiainen
Senior Scientist