A group of researchers from ETH Zurich has uncovered a severe weakness in AMD’s flagship virtualization security technology, SEV-SNP (Secure Encrypted Virtualization – Secure Nested Paging). The flaw, nicknamed Heracles, enables a malicious hypervisor to recover sensitive information such as passwords, cryptographic keys, or session cookies from supposedly confidential virtual machines.
The discovery raises serious concerns for cloud providers and enterprises relying on AMD EPYC processors to secure customer workloads, as it undermines the very promise of confidential computing—ensuring that not even the hypervisor can peek into a VM’s memory.
What SEV-SNP Is Supposed to Do
AMD introduced SEV-SNP as the next step in virtualization security. By encrypting each virtual machine’s memory using AES in XEX mode, it prevents unauthorized access, even from privileged software such as hypervisors. The “SNP” extension strengthens this protection by ensuring the integrity of nested page tables, making it harder for attackers to tamper with memory mappings or inject malicious code.
In theory, this makes Confidential VMs (CVMs) safe for running sensitive workloads in public cloud environments. In practice, Heracles shows otherwise.
How Heracles Works
The ETH Zurich researchers demonstrated that the combination of three factors breaks SEV-SNP’s guarantees:
- The hypervisor retains the ability to read encrypted guest memory.
- It can relocate memory pages within the system’s RAM.
- AMD uses static “tweak” values when re-encrypting memory at new physical addresses.
By relocating encrypted pages and comparing how known plaintext data gets re-encrypted, attackers can build a so-called chosen plaintext oracle. This allows them to infer the underlying secrets byte by byte.
In practice, this means an attacker controlling the hypervisor—or a compromised cloud provider—could exfiltrate sensitive data from guest VMs without breaking the AES encryption directly. Passwords and ASCII-based secrets could be leaked in seconds.
Why It Matters
This vulnerability is not just another theoretical side channel. Unlike previous CPU bugs such as Spectre or Meltdown, Heracles directly targets the foundations of confidential cloud computing. The whole idea of SEV-SNP was to assure customers renting VMs in the cloud that the provider cannot spy on their workloads. Heracles breaks that assumption.
As the researchers point out:
“If you rent a confidential VM in the cloud, you assume the provider cannot see your data. With Heracles, that privacy is broken.”
AMD’s Response
AMD was informed in January 2025, following responsible disclosure protocols. In a security bulletin, the company acknowledged ciphertext visibility as a known potential side channel in SEV-SNP and suggested mitigations rather than a full fix.
AMD’s mitigation strategies:
- Ciphertext Hiding: Introduced in 5th Gen EPYC processors (codename Turin), this feature prevents the hypervisor from viewing guest ciphertext in real time, reducing the chance of successful attacks.
- Guest Policy Controls: Admins can enable the PAGE_SWAP_DISABLE policy (added in SEV-SNP ABI 1.58, May 2025) to block hypervisors from relocating guest pages in DRAM.
While effective, these mitigations come at a cost: disabling memory relocation undermines dynamic memory management in cloud environments, potentially leading to performance degradation.
Security vs Performance: A Trade-off
Heracles highlights a dilemma AMD now faces:
- Preserve performance and flexibility, leaving a door open for attackers.
- Or close the vulnerability, sacrificing efficiency in large-scale cloud operations.
For administrators, this means choosing between reduced performance or exposing workloads to possible espionage.
Industry Impact
- Cloud providers relying on AMD EPYC with SEV-SNP will need urgent security reviews.
- Enterprises handling regulated data (finance, healthcare, government) must apply mitigations immediately.
- Competitors like Intel and ARM may seize the opportunity to stress-test their own confidential computing frameworks.
What’s Next
So far, no widespread exploitation of Heracles has been reported, but the publication of technical details by ETH Zurich makes it likely that proof-of-concept exploits will appear in the wild. Attackers with access to hypervisor-level privileges—whether malicious insiders or compromised cloud providers—are in a position to abuse it.
For now, AMD urges administrators to:
- Enable ciphertext hiding where hardware supports it.
- Enforce PAGE_SWAP_DISABLE in guest policies.
- Consult firmware updates and ensure compatibility with SEV-SNP ABI 1.58 or later.
Heracles is a stark reminder that no hardware is immune to side-channel attacks, and that “confidential computing” remains a moving target in the ongoing battle between performance, security, and trust.
vía: AMD
