{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,2]],"date-time":"2026-07-02T07:01:11Z","timestamp":1782975671819,"version":"3.54.5"},"reference-count":82,"publisher":"IEEE","license":[{"start":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T00:00:00Z","timestamp":1779062400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T00:00:00Z","timestamp":1779062400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026,5,18]]},"DOI":"10.1109\/sp63933.2026.00170","type":"proceedings-article","created":{"date-parts":[[2026,7,1]],"date-time":"2026-07-01T19:34:20Z","timestamp":1782934460000},"page":"4479-4496","source":"Crossref","is-referenced-by-count":0,"title":["TDXRay: Microarchitectural Side-Channel Analysis of Intel TDX for Real-World Workloads"],"prefix":"10.1109","author":[{"given":"Tristan","family":"Hornetz","sequence":"first","affiliation":[{"name":"CISPA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Hosein","family":"Yavarzadeh","sequence":"additional","affiliation":[{"name":"University of California San Diego"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Albert","family":"Cheu","sequence":"additional","affiliation":[{"name":"Google"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Adria","family":"Gascon","sequence":"additional","affiliation":[{"name":"Google"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Lukas","family":"Gerlach","sequence":"additional","affiliation":[{"name":"CISPA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Daniel","family":"Moghimi","sequence":"additional","affiliation":[{"name":"Google"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Phillipp","family":"Schoppmann","sequence":"additional","affiliation":[{"name":"Google"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Michael","family":"Schwarz","sequence":"additional","affiliation":[{"name":"CISPA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Ruiyi","family":"Zhang","sequence":"additional","affiliation":[{"name":"CISPA"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"263","reference":[{"key":"ref1","article-title":"Strengthening vm isolation with integrity protection and more","year":"2020","journal-title":"White Paper"},{"key":"ref2","article-title":"Intel\u00ae tdx module: Base architecture specification (v1.5)","volume-title":"Technical Report","author":"Corporation","year":"2023"},{"key":"ref3","article-title":"Design and verification of the arm confidential compute architecture","volume-title":"16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22)","author":"Li"},{"key":"ref4","volume-title":"Bringing transparency to confidential computing with slsa"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1145\/3318464.3386127"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.56553\/popets-2022-0093"},{"key":"ref7","volume-title":"Enabling more private generative ai","author":"Developers","year":"2025"},{"key":"ref8","volume-title":"Whatsapp private processing for ai tools","author":"Engineering","year":"2025"},{"key":"ref9","volume-title":"Confidential inference via trusted virtual machines","year":"2025"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.43"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1145\/2897845.2897867"},{"key":"ref12","article-title":"Tlbleed: When protecting your cpu caches is not enough","author":"Gras","year":"2018","journal-title":"Black Hat"},{"key":"ref13","first-page":"719","article-title":"FLUSH+RELOAD: A high resolution, low noise, 13 cache Side-Channel attack","volume-title":"23rd USENIX Security Symposium (USENIX Security 14)","author":"Yarom"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-40667-1_14"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/3296957.3173204"},{"key":"ref16","first-page":"955","article-title":"Translation leak-aside buffer: Defeating cache side-channel protections with TLB attacks","volume-title":"27th USENIX Security Symposium (USENIX Security 18)","author":"Gras"},{"key":"ref17","article-title":"(M)WAIT for It: Bridging the Gap between Microarchitectural and Architectural Side Channels","author":"Zhang","year":"2023","journal-title":"USENIX Security"},{"key":"ref18","volume-title":"Guidelines for mitigating timing side channels against cryptographic implementations","year":"2022"},{"key":"ref19","article-title":"Tdxploit: Novel techniques for single-stepping and cache attacks on intel tdx","author":"Rauscher","year":"2025","journal-title":"USENIX Secuirty 2025"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.45"},{"key":"ref21","volume-title":"Reimagining secure infrastructure for advanced ai","year":"2025"},{"key":"ref22","volume-title":"Private Cloud Compute: A new frontier for AI privacy in the cloud"},{"key":"ref23","volume-title":"Intel software guard extensions (intel sgx)","year":"2025"},{"key":"ref24","article-title":"Building a secure system using trustzone technology","year":"2009","journal-title":"document Number PRD29-GENC-009492C"},{"key":"ref25","article-title":"AMD64 architecture programmer\u2019s manual volume 2: System programming","year":"2025","journal-title":"revision 3.43"},{"key":"ref26","article-title":"White paper - intel trust domain extensions","year":"2022","journal-title":"document Number 343961-003US"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833768"},{"key":"ref28","article-title":"Heracles: Chosen plaintext attack on amd sev-snp","author":"Schl\u00fcter","year":"2025","journal-title":"ACM CCS"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00066"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1145\/3193111.3193112"},{"key":"ref31","article-title":"Farfetch\u2019d: A side-channel analysis framework for privacy applications on confidential virtual machines","author":"Zhang","year":"2025","journal-title":"NDSS"},{"key":"ref32","volume-title":"Azure confidential computing for ai","author":"Azure","year":"2025"},{"key":"ref33","volume-title":"Confidential ai - intel confidential computing zoo","year":"2025"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134038"},{"key":"ref35","article-title":"Intel trust domain extensions (tdx) security review","author":"Aktas","year":"2023","journal-title":"Google security review"},{"key":"ref36","year":"2025","journal-title":"Intel performance monitoring events"},{"key":"ref37","article-title":"Forward state for use in cache coherency in a multiprocessor system","volume-title":"U.S. Patent US6 922 756B2","author":"Hum","year":"2002"},{"key":"ref38","first-page":"51","article-title":"Prime+Abort: A Timer-FreeHigh-Precision 13 cache attack using intel TSX","volume-title":"26th USENIX Security Symposium (USENIX Security 17)","author":"Disselkoen"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00063"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.46586\/uasc.2025.004"},{"key":"ref41","article-title":"Malicious management unit: Why stopping cache attacks in software is harder than you think","author":"Van Schaik","year":"2018","journal-title":"USENIX Security"},{"key":"ref42","article-title":"RELOAD+ REFRESH: Abusing cache replacement policies to perform stealthy cache attacks","author":"Briongos","year":"2020","journal-title":"USENIX Security"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1145\/3320269.3384746"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484816"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179399"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1145\/3579856.3590332"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00028"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC63791.2024.00042"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1145\/3719027.3765061"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1007\/11605805_1"},{"issue":"2","key":"ref51","first-page":"23","article-title":"A new algorithm for data compression","volume":"12","author":"Gage","year":"1994","journal-title":"The C Users Journal"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/p16-1162"},{"key":"ref53","first-page":"66","article-title":"Subword regularization: Improving neural network translation models with multiple subword candidates","volume-title":"Proceedings of the 56th Annual Meeting of the Association for Computational Linguistics, ACL 2018, Melbourne, Australia","volume":"1","author":"Kudo","year":"2018"},{"key":"ref54","article-title":"Google\u2019s neural machine translation system: Bridging the gap between human and machine translation","volume-title":"ArXiv","volume":"abs\/1609.08144","author":"Wu","year":"2016"},{"key":"ref55","article-title":"Lost in space marking","volume-title":"CoRR","volume":"abs\/2208.01561","author":"Jacobs","year":"2022"},{"key":"ref56","first-page":"385","article-title":"An embarrassingly simple method to mitigate undesirable properties of pretrained language model tokenizers","volume-title":"Proceedings of the 60th Annual Meeting of the Association for Computational Linguistics (Volume 2: Short Papers)","author":"Hofmann"},{"key":"ref57","first-page":"arXiv","article-title":"The llama 3 herd of models","author":"Dubey","year":"2024","journal-title":"arXiv e-prints"},{"key":"ref58","article-title":"Gemma 3 technical report","author":"Kamath","year":"2025","journal-title":"arXiv preprint"},{"key":"ref59","volume-title":"sentencepiece","year":"2025"},{"key":"ref60","volume-title":"llama.cpp","year":"2025"},{"key":"ref61","volume-title":"Tiktoken","year":"2025"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/d16-1264"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/P18-2124"},{"key":"ref64","year":"2025","journal-title":"GPT-5"},{"key":"ref65","volume-title":"Faker v.37.11.0","year":"2025"},{"key":"ref66","volume-title":"Technology deep dive: Building a faster oram layer for enclaves","author":"Connell","year":"2022"},{"key":"ref67","first-page":"4033","article-title":"EnigMap: External-memory oblivious map for secure enclaves","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Tinoco"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1145\/3634737.3657005"},{"key":"ref69","volume-title":"Oblivious map","author":"Labs","year":"2024"},{"key":"ref70","volume-title":"oram","author":"Peters","year":"2024"},{"key":"ref71","volume-title":"Llama.cpp benchmark","author":"Test Suite","year":"2025"},{"key":"ref72","article-title":"Private set intersection: Are garbled circuits better than custom protocols?","author":"Huang","year":"2012","journal-title":"NDSS"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23193"},{"key":"ref74","article-title":"Telling Your Secrets Without Page Faults: Stealthy Page Table-Based Attacks on Enclaved Execution","volume-title":"USENIX Security Symposium","author":"Van Bulck"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2026.240699"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-032-07894-0_17"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3690230"},{"key":"ref78","volume-title":"Protected auction key\/value service","year":"2025"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3690241"},{"key":"ref80","article-title":"Spill the beans: Exploiting cpu cache sidechannels to leak tokens from large language models","author":"Adiletta","year":"2025","journal-title":"arXiv preprint"},{"key":"ref81","article-title":"I know what you said: Unveiling hardware cache side-channels in local large language model inference","author":"Gao","year":"2025","journal-title":"arXiv preprint"},{"key":"ref82","article-title":"Remote timing attacks on efficient language model inference","volume-title":"arXiv preprint","author":"Carlini","year":"2024"}],"event":{"name":"2026 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2026,5,18]]},"end":{"date-parts":[[2026,5,21]]}},"container-title":["2026 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/11573355\/11573356\/11573580.pdf?arnumber=11573580","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,7,2]],"date-time":"2026-07-02T05:28:10Z","timestamp":1782970090000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11573580\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,18]]},"references-count":82,"URL":"https:\/\/doi.org\/10.1109\/sp63933.2026.00170","relation":{},"subject":[],"published":{"date-parts":[[2026,5,18]]}}}