Heracles: New Attack Exploits AMD SEV-SNP to Steal Data from Protected VMs
Researchers at ETH Zurich have unveiled a novel attack against AMD’s SEV-SNP hardware isolation mechanism, enabling a hypervisor-level adversary to extract sensitive data from protected virtual machines. Dubbed Heracles, the attack demonstrates how to construct a chosen-plaintext oracle capable of decrypting memory contents with single-byte precision.
AMD SEV-SNP (Secure Encrypted Virtualization – Secure Nested Paging) is designed for confidential computing, encrypting guest VM memory with a binding to physical addresses to ensure isolation from the hypervisor. Yet Heracles exploits three architectural characteristics: the ability to relocate encrypted memory pages via trusted APIs, the automatic re-encryption of data upon relocation, and the deterministic nature of the encryption scheme. SEV-SNP’s XEX (XOR-Encrypt-XOR) encryption generates tweak values based on a page’s physical address, making re-encryption predictable when an attacker controls data placement.
Leveraging APIs such as SNP_PAGE_MOVE, SNP_PAGE_SWAP_IN/OUT, and the MPDMA engine, a malicious hypervisor can shuffle guest memory pages to create conditions for cryptographic analysis. By injecting controlled data into the victim’s memory via standard interfaces—such as ICMP—the attacker can build a dictionary mapping known plaintexts to their encrypted representations. This mapping then allows them to deduce previously unseen data simply by observing ciphertexts.
The researchers developed four distinct leakage primitives, including byte-by-byte copying mechanisms (targeting functions like memcpy, Bash, and sudo), block-boundary leaks caused by memory shifts during processing, and exploitation of mutable in-place values. They demonstrated Heracles in action against five real-world applications—Linux memcpy, Bash shell, sudo, the Mongoose web server, and the mbedtls cryptographic library—successfully extracting passwords, cryptographic keys, and session cookies in each case.
The attack remains effective against non-repetitive data and can retrieve bytes with remarkable precision. In the worst case, exfiltrating a single byte takes around 2.5 seconds, but with a narrowed search space (e.g., known ASCII constraints), this time is greatly reduced. Tests showed that a 16-character sudo password could be extracted in as little as 6.5 seconds.
To mitigate the threat, the authors recommend disabling at least one of two hypervisor functions: encrypted memory read access for CVMs, or the ability to relocate pages. The latter can be addressed via firmware updates, and AMD has already announced such a feature in the SEV-SNP ABI 1.58 specification (May 2025). Additionally, AMD’s upcoming 5th-generation EPYC (Zen 5) processors are expected to introduce a ciphertext-hiding feature, though at the time of publication this option caused errors due to missing firmware and BIOS support.
The researchers stress that current software-based defenses aimed at side-channel attack prevention are insufficient, as Heracles targets both user-space and kernel-space data. Hardware-level changes—such as regenerating tweak values on every write—could halt the attack entirely, but would require significant architectural modifications and incur substantial performance costs.
