SNPeek: Side-Channel Analysis for Privacy Applications on Confidential VMs

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Confidential virtual machines (CVMs) based on trusted execution environments (TEEs) enable new privacy-preserving solutions. Yet, they leave side-channel leakage outside their threat model, shifting the responsibility of mitigating such attacks to developers. However, mitigations are either not generic or too slow for practical use, and developers currently lack a systematic, efficient way to measure and compare leakage across real-world deployments. In this paper, we present SNPeek, an open-source toolkit that offers configurable side-channel tracing primitives on production AMD SEV-SNP hardware and couples them with statistical and machine-learning-based analysis pipelines for automated leakage estimation. We apply SNPeek to three representative workloads that are deployed on CVMs to enhance user privacy (private information retrieval, private heavy hitters, and Wasm user-defined functions) and uncover previously unnoticed leaks, including a covert channel that exfiltrates data at 497 kbit/s. The results show that SNPeek pinpoints vulnerabilities and guides low-overhead mitigations based on oblivious memory and differential privacy, giving practitioners a practical path to deploy CVMs with meaningful confidentiality guarantees.


💡 Research Summary

This paper introduces SNPeek, an open-source framework designed to systematically measure and analyze side-channel leakage in Confidential Virtual Machines (CVMs) based on Trusted Execution Environments (TEEs), specifically targeting AMD SEV-SNP hardware. While CVMs encrypt memory to protect data from the hypervisor, side-channel attacks via page tables, caches, performance counters, and ciphertext visibility remain outside their threat model, leaving mitigation responsibility to application developers. SNPeek addresses the lack of practical tools for this task by providing configurable tracing primitives and automated analysis pipelines.

SNPeek operates in two main phases. First, in the trace extraction phase, it collects low-noise side-channel data from unmodified SEV-SNP guests. This includes page-table accesses, cache state via a novel and efficient “Multi-Prime+Probe” technique optimized for AMD’s non-inclusive last-level cache, hardware performance counter (HPC) values, and ciphertext patterns observable by the hypervisor. The framework incorporates filtering strategies to focus trace collection on relevant application parts, reducing overhead. Second, in the analysis phase, SNPeek processes the gathered traces using statistical methods and machine learning models (e.g., SVMs, neural networks) to automatically estimate information leakage. A key conceptual contribution is the formalization of a quantitative measure for privacy leakage, termed the “adversary’s advantage,” inspired by differential privacy. This metric compares the attacker’s probability of guessing a sensitive input before and after observing the side channels, accounting for prior knowledge and the potential for Sybil inputs (maliciously crafted data injected by the attacker).
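A simplified way to estimate such an advantage from labelled traces, as an added example that is neither SNPeek's code nor the paper's formal definition: the advantage is taken here as held-out guessing accuracy after seeing the trace minus blind-guess accuracy. The traces, the 3-versus-5 page-access workload and the names `make_traces`, `adversary_advantage` and `evaluate` are constructed for illustration, and Laplace noise stands in for a differential-privacy mitigation.

```python
import random
from collections import Counter, defaultdict

def make_traces(n, eps=None, seed=0):
    """Constructed traces: (secret, observed access count) pairs.
    Secret 0 touches 3 pages, secret 1 touches 5 (hypothetical workload).
    With eps set, Laplace noise of scale 2/eps is added to the count."""
    rng = random.Random(seed)
    traces = []
    for i in range(n):
        secret = i % 2                      # balanced secrets: prior = 0.5
        count = 3 + 2 * secret
        if eps is not None:
            rate = eps / 2.0                # sensitivity 2 -> scale 2/eps
            # Difference of two exponentials is Laplace-distributed.
            count += round(rng.expovariate(rate) - rng.expovariate(rate))
        traces.append((secret, count))
    return traces

def adversary_advantage(train, test):
    """Return (prior, posterior, advantage) guessing accuracy on `test`."""
    blind = Counter(s for s, _ in train).most_common(1)[0][0]
    per_obs = defaultdict(Counter)
    for secret, obs in train:
        per_obs[obs][secret] += 1
    # Empirical Bayes guesser: most frequent secret for each observation.
    guess = {o: c.most_common(1)[0][0] for o, c in per_obs.items()}
    n = len(test)
    prior = sum(s == blind for s, _ in test) / n
    posterior = sum(s == guess.get(o, blind) for s, o in test) / n
    return prior, posterior, posterior - prior

def evaluate(eps):
    train = make_traces(4000, eps, seed=1)
    test = make_traces(2000, eps, seed=2)   # held-out traces
    return adversary_advantage(train, test)

if __name__ == "__main__":
    for label, eps in (("unmitigated", None), ("eps=0.5", 0.5)):
        prior, post, adv = evaluate(eps)
        print(f"{label:12s} prior={prior:.2f} posterior={post:.2f} advantage={adv:.2f}")
```

Scoring on held-out traces keeps the estimate from rewarding a guesser that merely memorised rare observations in the training set.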

The authors evaluate SNPeek on three real-world privacy-preserving workloads deployed on CVMs:

  1. Private Information Retrieval (PIR): Analyzed implementations from Project Oak and Signal. SNPeek uncovered that even Oblivious RAM (ORAM), a mitigation designed to hide access patterns, can leak information on SEV-SNP due to ciphertext side channels, where identical plaintexts produce identical ciphertexts at fixed addresses.
  2. Private Heavy Hitters (PHH): Evaluated Google’s TensorFlow Federated implementation. The study revealed data-dependent execution flows vulnerable to side-channel attacks, potentially exposing individual user inputs. SNPeek guided the evaluation of a partial mitigation using differential privacy noise injection.
  3. WebAssembly User-Defined Functions (UDFs): In the context of Google’s Privacy Sandbox, where ad-tech companies can write custom aggregation functions. The paper demonstrates a powerful attack scenario where a malicious hypervisor, colluding with a specially crafted Wasm UDF query, can establish a high-speed covert channel exfiltrating data at 497 kbit/s via cache side channels.
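The ciphertext effect from item 1, as an added toy model that is not code from the paper, Project Oak or Signal: a linear-scan update stands in for an oblivious access, and HMAC stands in for deterministic, address-tweaked memory encryption. The key, record values and all names are constructed; the `fresh_nonce` variant shows one known countermeasure (making every written plaintext unique), which this page does not itself describe.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # stand-in for the guest's memory encryption key

def encrypt_block(addr, plaintext):
    """Toy model: deterministic, address-tweaked, keyed (HMAC as a PRF).
    It is one-way; it only models what a ciphertext observer can compare."""
    msg = addr.to_bytes(8, "little") + plaintext
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:16]

class GuestMemory:
    def __init__(self, values, fresh_nonce=False):
        self.fresh_nonce = fresh_nonce
        self.writes = 0
        self.cipher = {}
        for addr, value in enumerate(values):
            self.write(addr, value)

    def write(self, addr, value):
        self.writes += 1
        # Hardened variant: a per-write counter makes every plaintext unique.
        nonce = self.writes.to_bytes(8, "little") if self.fresh_nonce else b""
        self.cipher[addr] = encrypt_block(addr, nonce + value)

def scan_update(mem, values, target, new_value):
    """Linear-scan update: rewrites every block so the *access pattern*
    is independent of `target`; only one block's content changes."""
    for addr, old in enumerate(values):
        mem.write(addr, new_value if addr == target else old)

def visible_changes(values, target, new_value, fresh_nonce):
    """Addresses whose ciphertext differs across the update (observer's view)."""
    mem = GuestMemory(values, fresh_nonce)
    before = dict(mem.cipher)
    scan_update(mem, values, target, new_value)
    return [a for a in sorted(before) if before[a] != mem.cipher[a]]

if __name__ == "__main__":
    records = [b"rec-%d" % i for i in range(6)]  # constructed sample data
    print("deterministic:", visible_changes(records, 4, b"updated", False))
    print("fresh nonce:  ", visible_changes(records, 4, b"updated", True))
```

Although every block is rewritten, the deterministic variant changes ciphertext only at the updated address, so a uniform access pattern alone does not hide which record was modified.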

The results demonstrate that SNPeek successfully pinpoints subtle vulnerabilities, quantifies the associated privacy risk, and provides a practical pathway for developing and evaluating low-overhead mitigations such as oblivious algorithms and differential privacy. The toolkit’s modular design, open-source availability, and rigorous threat model—which includes Sybil attacks—make it a valuable resource for practitioners seeking to deploy CVMs with meaningful confidentiality guarantees. While implemented for AMD SEV-SNP, the framework’s methodology and many findings are anticipated to be applicable to other CVM platforms like Intel TDX and ARM CCA.

