VYPR
Research · Published Jul 4, 2026 · 1 source

Confidential Computing's Core Trust Mechanism Compromised by New Research

New research reveals fundamental flaws in attested TLS protocols used for confidential computing's remote attestation, enabling diversion and relay attacks that undermine trust.

Confidential computing, a technology touted as crucial for cloud security and data sovereignty, faces a significant challenge as new research uncovers critical vulnerabilities in its core trust mechanism. The technology relies on remote attestation, a process where a server cryptographically proves to a client that it is operating within a genuine, unmodified Trusted Execution Environment (TEE) before sensitive data is exchanged. Vendors like Intel and Google Cloud have promoted confidential computing as a safeguard for data privacy and control, promising enhanced security for sensitive workloads.

However, independent research by Muhammad Usama Sardar and his co-authors from TU Dresden has revealed that the attested TLS protocols, designed to facilitate this remote attestation, are susceptible to fundamental architectural flaws. Using formal verification tools like ProVerif, the researchers identified diversion and relay attacks that can silently redirect client connections to compromised machines without the client's knowledge. This is possible because the protocols primarily verify the integrity of the software running on the server, not its geographical location, leaving a critical gap in the trust model.

The implications of these findings are substantial, as they directly challenge the security guarantees offered by confidential computing. The ability for an attacker to redirect a client's connection to a malicious server, even if that server is running the correct, attested software, means that sensitive data could be intercepted or manipulated. This undermines the very premise of confidential computing, which is to ensure that data remains protected even during processing.

Sardar's latest work, presented at the AsiaCCS 2026 conference and accepted for ESORICS 2026, delves deeper into the problem by examining intra-handshake attestation. This method generates attestation evidence during the TLS handshake itself. The research found that seven different methods of cryptographically binding this evidence to the underlying connection are insufficient to prevent relay attacks. In such attacks, a client might successfully verify the credentials of a legitimate server but end up encrypting its traffic to an entirely different, malicious entity.

The research categorizes the problem into three levels of cryptographic binding. The weakest level ties evidence only to the initial key exchange, while the strongest, level three, ties it to the application traffic key used for encrypting sensitive data. The paper concludes that achieving level three binding within the current intra-handshake attestation architecture may be impossible without compromising other essential TLS 1.3 properties. This suggests that even the best available fixes might only offer partial protection, failing to guarantee the security of data throughout the entire communication session.
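The difference between weak and strong binding can be seen from the verifier's side in a simplified model, added here as an illustration; it is not code from the paper or from any of the systems the article names. It assumes a weak mode that binds evidence to a public handshake value (a client nonce) and a strong mode that binds it to a secret held only by the two endpoints of one TLS session. All names and keys are constructed, and the model does not address how such a secret could be made available inside the handshake.

```python
import hashlib, hmac, os

# Constructed stand-ins. Real evidence is signed by a hardware-rooted key and
# checked against a vendor certificate chain; HMAC keeps this model short.
HW_KEY = b"constructed-hardware-key"
EXPECTED_MEASUREMENT = hashlib.sha256(b"constructed-workload-image").hexdigest()

def sign(measurement, report_data):
    return hmac.new(HW_KEY, measurement.encode() + report_data, hashlib.sha256).digest()

def tee_evidence(nonce, tee_session_secret, channel_bound):
    """Evidence as produced by the genuine, unmodified workload (modelled)."""
    if channel_bound:
        # Bound to a secret of the TEE's own TLS session.
        report_data = hmac.new(tee_session_secret, b"binding" + nonce, hashlib.sha256).digest()
    else:
        # Bound only to a public handshake value: fresh, but forwardable.
        report_data = hashlib.sha256(nonce).digest()
    return {"measurement": EXPECTED_MEASUREMENT, "report_data": report_data,
            "sig": sign(EXPECTED_MEASUREMENT, report_data)}

def client_accepts(evidence, nonce, client_session_secret, channel_bound):
    """Verifier-side check: signature, measurement, then the binding."""
    if not hmac.compare_digest(evidence["sig"],
                               sign(evidence["measurement"], evidence["report_data"])):
        return False
    if evidence["measurement"] != EXPECTED_MEASUREMENT:
        return False
    if channel_bound:
        expected = hmac.new(client_session_secret, b"binding" + nonce, hashlib.sha256).digest()
    else:
        expected = hashlib.sha256(nonce).digest()
    return hmac.compare_digest(evidence["report_data"], expected)

def scenario(relayed, channel_bound):
    """relayed=True: the client's TLS session ends at a different party than
    the TEE that produced the evidence, so the two session secrets differ."""
    nonce = os.urandom(16)
    tee_secret = os.urandom(32)
    client_secret = os.urandom(32) if relayed else tee_secret
    evidence = tee_evidence(nonce, tee_secret, channel_bound)
    return client_accepts(evidence, nonce, client_secret, channel_bound)

if __name__ == "__main__":
    for relayed in (False, True):
        for bound in (False, True):
            print(f"relayed={relayed!s:5} channel_bound={bound!s:5} "
                  f"accepted={scenario(relayed, bound)}")
```

In the weak mode the verifier accepts genuine evidence even though its own session ends somewhere else; only the comparison against its own session secret separates the direct case from the relayed one.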

These vulnerabilities are not theoretical; they have been observed in real-world implementations. The research team analyzed four production systems, including Meta's Private Processing for WhatsApp, Edgeless Systems' Contrast, and the open-source Cocos AI platform. The attacks were found to be applicable to specific versions of Cocos AI. The disclosure has led to the assignment of CVE-2026-33697, which has been rated as high severity (7.5 CVSS), significantly higher than other recent confidential computing vulnerabilities like BadRAM.

Both the Confidential Computing Consortium (CCC) and the IETF's TLS working group have acknowledged the existence of these relay attacks. The findings highlight a critical need for a re-evaluation of the security protocols underpinning confidential computing. As organizations increasingly rely on these technologies for sensitive data processing, addressing these fundamental trust issues is paramount to maintaining the integrity and security of confidential computing environments.

Synthesized by Vypr AI