Earlier work such as the 2018 Foreshadow speculative execution attack on Intel SGX had already shown that once a TEE’s hardware boundary is bypassed, its confidentiality and integrity guarantees can collapse.
Zero-knowledge proofs make a different tradeoff, replacing hardware trust with cryptographic verification at higher computational cost. Combining the two approaches offers a way to spread risk across both hardware and proof systems.
Key Findings
- Low-cost physical attacks like TEE.fail show TEEs can fail once hardware boundaries are bypassed.
- Remote attestation lets TEEs prove code launched on genuine chips, but a cloned attestation key can enable forged enclaves.
- ZKPs verify computation without trusting hardware, yet high proving costs and soundness bugs such as Zcash’s CVE-2019-7167 remain significant risks.
- Hybrid systems can use TEEs for execution speed and ZKPs for auditability, reducing reliance on any single trust anchor.
- Both TEEs and ZKP stacks face long-term pressure from memory-integrity gaps and post-quantum cryptographic risk.
Trusted Execution Environments: Fast but Fragile
TEEs such as Intel SGX, AMD SEV-SNP and Nvidia confidential computing features isolate code and data in protected memory regions while aiming for performance close to native execution. Remote attestation, in which the processor signs a report describing the code and its initial state, lets a cloud customer check that a workload launched on genuine hardware in an expected configuration.
Foreshadow, presented by Van Bulck et al. at USENIX Security 2018, used a speculative execution bug to read SGX enclave memory, extract sealing and attestation keys from Intel architectural enclaves, and forge local and remote attestation quotes. The attack showed that compromising enclave isolation could undermine both the confidentiality of data and the integrity of the attestation chain.
Seven years later, the TEE.fail work extended this pattern to physical attacks by building a DDR5 interposer that inspects encrypted memory traffic, as detailed by the TEE.fail project. The researchers demonstrated extraction of provisioning certification keys for Intel SGX and TDX and signing keys from AMD SEV-SNP virtual machines.
They also explained how confidential virtual machines used as trust anchors can undermine Nvidia’s GPU confidential-computing attestation when compromised.
Intel and AMD classify such interposer-based physical attacks as out-of-scope for their TEE threat models. The TEE.fail bill of materials indicates that a working DDR5 interposer can be built from off-the-shelf parts for under one thousand dollars.
Once an attestation key is cloned, any remote attestation protocol that relies on that key alone can be fooled into accepting forged enclaves or virtual machines that are not actually protected by TEE isolation.
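The quote-only verification policy described above, with the containment step of key revocation, as an added example that is not vendor or project code. The keys, measurement and key ids are constructed; HMAC stands in for the chip's asymmetric signature so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed toy model of quote verification (added example, not vendor code).
# A real quote is signed with an asymmetric attestation key held in the chip; HMAC
# stands in so this runs on the stdlib, so the verifier holds the signing key too.
EXPECTED_MEASUREMENT = hashlib.sha256(b"approved-enclave-binary-v1").hexdigest()
# Provisioned attestation keys by key id (constructed); a real verifier holds
# certificates chaining to the vendor root rather than raw keys.
ATTESTATION_KEYS = {"key-A": secrets.token_bytes(32), "key-B": secrets.token_bytes(32)}

def _payload(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()

def sign_quote(key_id: str, key: bytes, measurement: str, report_data: str) -> dict:
    """What any holder of the key can produce: a report plus its signature."""
    body = {"key_id": key_id, "measurement": measurement, "report_data": report_data}
    return {**body, "sig": hmac.new(key, _payload(body), hashlib.sha256).hexdigest()}

def verify_quote(quote: dict, keys: dict, revoked: set, expected: str) -> tuple[bool, str]:
    """Quote-only policy: known key, not revoked, valid signature, expected code."""
    key = keys.get(quote["key_id"])
    if key is None:
        return False, "unknown attestation key"
    if quote["key_id"] in revoked:
        return False, "attestation key revoked"
    body = {k: quote[k] for k in ("key_id", "measurement", "report_data")}
    expected_sig = hmac.new(key, _payload(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(quote["sig"], expected_sig):
        return False, "bad signature"
    if quote["measurement"] != expected:
        return False, "unexpected measurement"
    return True, "accepted"

def scenario() -> dict:
    """Genuine quote, quote from a cloned key, then the same after revocation."""
    genuine = sign_quote("key-A", ATTESTATION_KEYS["key-A"], EXPECTED_MEASUREMENT, "out=42")
    # A cloned key-A can sign a report claiming the approved measurement for code
    # that never ran isolated; signature and measurement checks cannot tell.
    forged = sign_quote("key-A", ATTESTATION_KEYS["key-A"], EXPECTED_MEASUREMENT, "out=forged")
    before = {n: verify_quote(q, ATTESTATION_KEYS, set(), EXPECTED_MEASUREMENT)[0]
              for n, q in (("genuine", genuine), ("forged", forged))}
    # Containment: revoke key-A once the leak is known and re-provision with key-B.
    revoked = {"key-A"}
    fresh = sign_quote("key-B", ATTESTATION_KEYS["key-B"], EXPECTED_MEASUREMENT, "out=42")
    after = {n: verify_quote(q, ATTESTATION_KEYS, revoked, EXPECTED_MEASUREMENT)[0]
             for n, q in (("forged", forged), ("fresh", fresh))}
    return {"before_revocation": before, "after_revocation": after}
```

Revocation rejects the forged quote, but it also rejects every genuine quote from the same key until the platform is re-provisioned, which is the operational cost of a single shared anchor.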
Zero-Knowledge Proofs: Verifiable, at a Price
Zero-knowledge proofs let a prover convince a verifier that a computation was carried out correctly without revealing private inputs and without depending on trusted hardware. Standard definitions describe three core guarantees: completeness, soundness and zero-knowledge.
This means that honest proofs are accepted, false statements should be accepted only with negligible probability, and the verifier learns nothing beyond the statement being proven.
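The three guarantees above, made concrete on a Schnorr proof of knowledge of a discrete logarithm, as an added example that is neither the page's nor any project's code. The group (p = 2039, q = 1019, g = 4) is a constructed toy; the extractor shows what soundness means and the simulator shows what zero-knowledge means.

```python
import secrets

# Constructed toy group (added example): safe prime p = 2q + 1, and g = 4 generates
# the order-q subgroup. Real deployments use a group with a ~256-bit q.
P, Q, G = 2039, 1019, 4

def keygen() -> tuple[int, int]:
    """Private witness x and public statement y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def prove_commit(x: int) -> tuple[int, int]:
    """Prover picks nonce r, keeps it, and sends the commitment t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def prove_respond(x: int, r: int, c: int) -> int:
    """Response to the verifier's challenge c: s = r + c*x mod q."""
    return (r + c * x) % Q

def verify(y: int, t: int, c: int, s: int) -> bool:
    """Verifier's check: g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def run_honest(x: int, y: int) -> bool:
    """Completeness: an honest prover with the witness is always accepted."""
    r, t = prove_commit(x)
    c = secrets.randbelow(Q)  # verifier's random challenge
    return verify(y, t, c, prove_respond(x, r, c))

def extract(t: int, c1: int, s1: int, c2: int, s2: int) -> int:
    """Special soundness: two accepting transcripts sharing a commitment but with
    different challenges reveal x = (s1 - s2) / (c1 - c2) mod q, so a prover who
    can answer two challenges must actually know the witness."""
    assert c1 != c2
    return ((s1 - s2) * pow(c1 - c2, -1, Q)) % Q

def simulate(y: int) -> tuple[int, int, int]:
    """Honest-verifier zero-knowledge: a transcript built from y alone, with no
    witness, that still verifies, so a transcript reveals nothing about x."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, -c, P)) % P  # choose s first, solve for t = g^s * y^-c
    return t, c, s
```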
In practice, soundness can fail when implementations are flawed. A National Vulnerability Database entry for CVE-2019-7167 on the Zcash protocol explains that, before the Sapling upgrade in 2018, a bug in the Sprout-era zk-SNARK key-generation process allowed a cheating prover to transform a proof of one statement into an apparently valid proof of a different statement.
This created a counterfeiting vulnerability in the system’s soundness.
Proving complex computations is also costly. The Beige Media analysis of zero-knowledge proofs for building-information modeling notes that generating zk-SNARK proofs for large models remains computationally intensive even with modern hardware.
Some succinct proof systems further depend on trusted setup ceremonies, where leaked or mismanaged setup secrets could let an attacker generate fraudulent proofs that still verify.
Both TEEs and many deployed ZK schemes rely on public-key cryptography that would be vulnerable to a large-scale quantum computer running Shor’s algorithm. Long-term designs must therefore consider post-quantum alternatives.
Hybrid Designs: Speed Meets Auditability
Hybrid TEE–ZKP designs aim to pair fast execution with independent verification. One pattern is to execute a workload inside a TEE, then produce a zero-knowledge proof that the enclave followed a specified program on given inputs.
Downstream parties can then check the proof instead of relying only on a hardware attestation quote.
In such a system, a TEE compromise like Foreshadow or TEE.fail still threatens enclave confidentiality. However, it does not automatically allow an attacker to fabricate unlimited outputs that others will trust.
To preserve confidence in results, the attacker would need both to subvert the enclave and to generate matching proofs in a sound proof system. This raises the bar compared with hardware attestation alone.
The interaction can also run in the opposite direction, with TEEs used to accelerate proof generation. Because TEEs can run arbitrary code with low overhead, they can host zk-SNARK or zk-STARK provers and keep witnesses such as proprietary models or user data inside the enclave boundary while proofs are produced.
This does not remove the need to harden proof systems, but it can reduce proving costs and limit how much sensitive material is exposed if a prover’s environment is later compromised.
Open Risks and the Road Ahead
Memory-encryption schemes that add integrity and replay protection are intended to make ciphertext tampering or observation less useful to an attacker. However, deploying new server generations takes time.
TEE.fail shows that determined researchers can assemble practical DDR5 interposers with current components. This leaves existing deployments exposed to classes of attacks that vendors consider outside their formal threat models.
If another low-cost physical attack emerges, systems that depend only on attestation keys will again face the risk that a single leak can undermine many deployments.
Hybrid designs that combine TEEs for execution with zero-knowledge proofs for verification do not eliminate hardware trust. But they can reduce the “single key compromises everything” failure mode by shifting what downstream parties ultimately rely on: a verifiable proof of correct computation rather than a hardware quote alone.
The broader lesson from Foreshadow and TEE.fail is that TEEs are best treated as performance and confidentiality tools, not as the only line of defense for correctness. Systems that must remain dependable over years should assume that some trust anchors will fail and design for containment: key rotation and revocation paths, independent verification where it matters, and clear threat-model boundaries that match real-world physical access.
In that framing, the road ahead is less about choosing TEEs or ZKPs than about composing them carefully, auditing both stacks, and planning for the long tail of cryptographic change, including post-quantum migration.
Sources
- Chuang et al. "TEE.fail: Breaking Trusted Execution Environments via DDR5 Memory Bus Interposition." TEE.fail, 2025.
- Van Bulck et al. "Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution." USENIX Security Symposium, 2018.
- NIST National Vulnerability Database. "CVE-2019-7167: Zcash Counterfeiting Vulnerability." National Institute of Standards and Technology, 2019.
- Beige Media. "Inside TEE.fail: Limits of Confidential Computing TEEs." Beige Media, 2025.
- Beige Media. "ZK Proofs in BIM: Selective Disclosure and Liability." Beige Media, 2025.
Credits
Michael LeSane (editor)
