What we learned about TEE security from auditing WhatsApp's Private Inference

WhatsApp's new Private Inference feature aims to combine end-to-end encryption with AI by processing messages in secure hardware enclaves called Trusted Execution Environments (TEEs). These TEEs, built on AMD's SEV-SNP and NVIDIA's confidential GPU platforms, are designed to prevent even Meta from accessing plaintext messages.

A pre-launch audit identified numerous vulnerabilities, including eight high-severity issues that could have compromised user privacy. These vulnerabilities stemmed from untrusted data loaded after attestation measurement and incorrect verification of security patch levels. For instance, loading environment variables or ACPI tables after the attestation measurement created backdoors for malicious code injection. The system also initially trusted the firmware's claimed patch levels rather than verifying them against cryptographic certificates. Furthermore, a lack of freshness guarantees in attestation reports allowed for replay attacks, enabling attackers to impersonate secure servers indefinitely.

Meta addressed these issues by implementing strict validation of variables, custom bootloaders, and certificate-based patch level verification, and by including nonces in attestation reports.

The audit emphasizes that TEEs are not a foolproof solution and require meticulous attention to detail during implementation and deployment. Key lessons learned include the importance of measuring all critical data, validating inputs, and conducting thorough negative testing. Physical security and achieving reproducible transparency also present ongoing challenges in TEE deployments. Ultimately, securing TEE-based systems depends on rigorous attention to security at every layer, not just major architectural choices.
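The freshness and patch-level checks described above, as an added example that is not Meta's code and not from the original article: a verifier that binds each report to a nonce it just generated and reads the patch level from the certificate instead of the report's own claim. The report and certificate layouts, the HMAC keys standing in for the hardware signature chain, and all names and values are constructed assumptions.

```python
import hashlib, hmac, json, secrets

# Constructed stand-ins (assumptions): a real report is signed with a per-chip
# key whose certificate is signed by the vendor; HMAC keys keep this offline.
CHIP_KEY, VENDOR_KEY = b"constructed-chip-key", b"constructed-vendor-key"
EXPECTED_MEASUREMENT = hashlib.sha384(b"constructed launch image").hexdigest()
MIN_PATCH_LEVEL = 7  # constructed policy value

def mac(key, body):
    blob = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def make_cert(patch_level):
    """Vendor-signed certificate; the patch level is covered by the signature."""
    body = {"patch_level": patch_level}
    return {"body": body, "sig": mac(VENDOR_KEY, body)}

def make_report(nonce, claimed_patch_level, measurement=EXPECTED_MEASUREMENT):
    """Report as firmware emits it; claimed_patch_level is self-reported."""
    body = {"measurement": measurement, "report_data": nonce.hex(),
            "claimed_patch_level": claimed_patch_level}
    return {"body": body, "sig": mac(CHIP_KEY, body)}

def verify(report, cert, nonce):
    """Return (ok, reason); nonce is the value this verifier just generated."""
    if not hmac.compare_digest(report["sig"], mac(CHIP_KEY, report["body"])):
        return False, "bad report signature"
    if not hmac.compare_digest(cert["sig"], mac(VENDOR_KEY, cert["body"])):
        return False, "bad certificate signature"
    if report["body"]["measurement"] != EXPECTED_MEASUREMENT:
        return False, "unexpected measurement"
    # Freshness: a captured report replayed later carries an old nonce.
    if not hmac.compare_digest(report["body"]["report_data"], nonce.hex()):
        return False, "stale or replayed report"
    # Patch level is read from the certificate, never from the report's claim.
    if cert["body"]["patch_level"] < MIN_PATCH_LEVEL:
        return False, "patch level below policy"
    return True, "ok"

def demo():
    """Accept case plus two negative tests; returns the verifier's reasons."""
    n1, n2 = secrets.token_bytes(32), secrets.token_bytes(32)
    good = make_report(n1, 7)
    return [verify(good, make_cert(7), n1)[1],                # fresh, patched
            verify(good, make_cert(7), n2)[1],                # replayed report
            verify(make_report(n2, 9), make_cert(5), n2)[1]]  # inflated claim

if __name__ == "__main__":
    print(demo())
```

The two rejected cases in `demo()` are the kind of negative test the audit's lessons call for: a valid report presented under a different nonce, and a report that claims a higher patch level than its certificate attests.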