Privacy primitives on the same page: a reading of IEEE S&P 2026
The 47th IEEE Symposium on Security and Privacy wrapped in San Francisco this week. A surface-level scan of the accepted-papers list would suggest that confidential computing took another beating. Three independent groups published memory-bus and chip-interconnect attacks against Intel TDX and AMD SEV-SNP. Two more groups published purely microarchitectural side-channels against confidential VMs and SGX enclaves. MongoDB Research published a leakage attack against TEE-based encrypted databases.
But confidential computing has been taking attacks for two years, through Battering RAM in early 2025, through TEE.fail in October, through the hyperscaler disclosure cadence that documented more than a dozen Intel and AMD firmware issues across the two vendors' confidential-VM stacks. What's one more cluster at one more venue?
The bigger points are in the rest of the program. For most of the past decade, papers attacking deployed TEEs and papers proposing new FHE constructions sat at incommensurate levels of seriousness. TEEs were the deployed primitive being adversarially tested. FHE, MPC, and ZK were sometimes regarded as the long-tail bet being theoretically advanced. That made the architecture discussion easy to short-circuit: pick the only primitive with product-grade implementations and absorb the threat-model caveats.
The discussion does not stay short-circuited if the cryptographic alternatives show up at the same venue with construction papers, audited deployments, and bug-finding frameworks.
The attack cluster
Battering RAM, from KU Leuven and Birmingham, is the formal venue publication of the under-$1,000 DDR4 interposer attack that broke Intel TDX and AMD SEV-SNP attestation in early 2025. Transparent Domain eXtensions, from Georgia Tech, Purdue, Northeastern, and independent researcher Stephan van Schaik, extends the same technique to DDR5, the memory standard that current Xeon and EPYC confidential-computing deployments use.
BreakFAST, from ETH Zurich, misconfigures the AMD Infinity Fabric to trick the Platform Security Processor, AMD SEV-SNP's hardware root of trust, into issuing unauthorized privileged writes to sensitive platform configurations. The consequences are forging cryptographic attestations and enabling debug mode on production-configured confidential VMs. Three independent groups, two attack surfaces across two memory generations and the on-chip interconnect, one primitive class. The pattern is that the academic field has decided that the physical-attack-out-of-scope carve-out is the productive place to attack.
The microarchitectural side has its own pattern. TDXRay, from CISPA, UC San Diego, and Google, is a host-side framework with four side-channel primitives: SEPTrace (page-table controlled-channel), Load+Probe (cache contention), TSX-Probe, and MWAIT-Probe, that systematically extracts cache-line-granular memory access traces from Intel TDX confidential VMs. The paper shows these traces as sufficient to extract exact tokens processed by an LLM running inside a confidential VM. Private inference inside Intel TDX, the substrate underlying enterprise confidential AI on every major cloud, leaks the user prompt to a malicious host operator under the threat model the paper describes. AMD published a security bulletin acknowledging the paper while classifying the techniques as already-known out-of-scope behaviors for SEV-SNP.
AEX-NStep, from ETH Zurich, is the first interrupt-counting attack against Intel's AEX-Notify mitigation, the ISA extension Intel introduced specifically to defeat the earlier SGX-Step attack family. It shows that AEX-Notify's "obfuscated forward progress" security guarantee does not hold, and constructs a practical ECDSA key leakage attack on an AEX-Notify-enabled SGX enclave. VMScape, also from ETH Zurich, is the first end-to-end Spectre branch-target-injection exploit across the standard VM-host boundary in commodity cloud virtualization (CVE-2025-40300); it is not specifically a confidential-computing paper, but the underlying isolation gap it exposes in branch-predictor state on AMD Zen (through Zen 5) and older Intel CPUs is the kind of hardware-level gap that confidential-VM deployments inherit. Linux kernel mitigations via conditional IBPB on VMexit have shipped.
The memory-bus and interconnect attacks require an adversary with physical access to the server and the capability to build or rent custom hardware. The microarchitectural attacks require only co-tenancy or sustained access to the cloud environment.
MongoDB Research
Leafblower is the application-layer paper of this cycle. The attacker is a multi-snapshot external-memory adversary: it sees the encrypted database files on disk after each operation, compares pages across snapshots, and reconstructs the approximate order of insertions by exploiting the structural leakage of node splits and rebalances. Given auxiliary distribution information, the approximate order maps to approximate values. Up to 96% exact recovery on small-domain real datasets (Amazon product ratings, Texas hospital discharges) under the paper's optimal conditions; the attack assumes each snapshot corresponds to one record insertion and that no deletions occur.
The instantiations the authors evaluate are SQLite under Gramine (Intel SGX LibOS), SQLCipher, and SQLite3 Multiple Ciphers, i.e., the deployed configurations where existing applications are lifted-and-shifted into TEEs without modification. But the paper's framing of the target category is broader than TEEs: the authors coin "page-level encryption (PLE) systems" as the class, and explicitly generalize the attack to (a) encrypted storage engines in Azure SQL, InnoDB, and WiredTiger, and (b) disaggregated database systems including Amazon Aurora, Alibaba PolarDB, Azure SQL Hyperscale, Databricks Neon, Huawei GaussDB, and Turso. Three of the four authors are at MongoDB Research; responsible disclosure was made to MongoDB, PostgreSQL, InnoDB, and Turso alongside the named TEE-database vendors.
What Leafblower establishes is that the attack literature against confidential computing has moved into the application layer and that the deployed configuration is the named target, with an adversary model (cloud backup snapshots, forensic captures, intermittent storage access) that is realistic for most managed-cloud databases.
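To make the page-level-encryption leakage concrete, here is a toy model written for this piece (not Leafblower's code, and not any named engine's file format): the leaf level of a B+ tree whose pages are each encrypted as one unit, a snapshot diff that shows only which pages' ciphertext changed, and the rewrite-every-page countermeasure. The page capacity, the keys and the per-page nonce model are constructed for illustration; reading page adjacency straight from the store is a shortcut for the observer's real job of inferring it from the split pattern.

```python
"""Toy model of what a multi-snapshot observer learns from a page-level-encrypted
(PLE) sorted store, and of the rewrite-every-page countermeasure.
Added example, not Leafblower's code; page size and keys are constructed."""
import hashlib
from bisect import insort

LEAF_CAPACITY = 4  # assumption: tiny leaf pages so that splits happen often


class PageStore:
    """Leaf level of a B+ tree: sorted keys in fixed-capacity pages, each page
    encrypted as one unit (modelled by hashing a per-write nonce with the contents)."""

    def __init__(self, rewrite_all: bool = False) -> None:
        self.rewrite_all = rewrite_all  # mitigation: re-encrypt every page on every commit
        self.pages = {0: []}            # page id -> sorted keys
        self.order = [0]                # page ids in key order (what interior nodes encode)
        self.epoch = {0: 0}             # per-page write counter, standing in for the nonce
        self.commits = 0

    def insert(self, key: int) -> None:
        # the leaf whose key range covers `key`; the last leaf takes anything larger
        pos = next((i for i, pid in enumerate(self.order)
                    if not self.pages[pid] or key <= self.pages[pid][-1]),
                   len(self.order) - 1)
        pid = self.order[pos]
        insort(self.pages[pid], key)
        dirty = [pid]
        if len(self.pages[pid]) > LEAF_CAPACITY:  # overflow: split, right half to a new page
            keys = self.pages[pid]
            new_pid = max(self.pages) + 1
            self.pages[pid], self.pages[new_pid] = keys[:len(keys) // 2], keys[len(keys) // 2:]
            self.order.insert(pos + 1, new_pid)
            dirty.append(new_pid)
        self.commits += 1
        for p in (list(self.pages) if self.rewrite_all else dirty):
            self.epoch[p] = self.commits   # fresh nonce => fresh ciphertext on disk

    def snapshot(self) -> dict:
        """The disk image as the observer sees it: page id -> ciphertext digest."""
        return {pid: hashlib.sha256(f"{self.epoch[pid]}:{keys}".encode()).hexdigest()
                for pid, keys in self.pages.items()}


def changed_pages(before: dict, after: dict) -> set:
    """Observer's diff: pages whose ciphertext changed or that appeared since the last snapshot."""
    return {pid for pid, ct in after.items() if before.get(pid) != ct}


def leakage_demo(keys, rewrite_all: bool = False) -> list:
    """Insert one key per snapshot. For each insertion return (pages changed, leaf position
    the observer can attribute the write to); the position is None when every page changed
    and the diff therefore carries no positional information."""
    store = PageStore(rewrite_all)
    report, prev = [], store.snapshot()
    for k in keys:
        store.insert(k)
        cur = store.snapshot()
        diff = changed_pages(prev, cur)
        attributed = None if len(diff) == len(cur) else min(store.order.index(p) for p in diff)
        report.append((len(diff), attributed))
        prev = cur
    return report


if __name__ == "__main__":
    sample = [50, 20, 80, 10, 90, 30, 70, 60, 40, 5]   # constructed insertion sequence
    print("plain PLE     :", leakage_demo(sample))
    print("rewrite-all   :", leakage_demo(sample, rewrite_all=True))
```

Once the store has more than one leaf, every insertion in the plain configuration touches one page (two on a split), and the position of that page in key order is exactly the approximate-rank signal the paper amplifies with auxiliary data. With every page rewritten per commit the diff is the whole file, which hides the position at the cost of write amplification proportional to database size; that cost is why lift-and-shift deployments do not do it by default.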
Vendor R&D is in the room
Two papers in the same accepted list have Intel Labs and AMD as co-authors.
It's a Feature, Not a Bug: Secure and Auditable State Rollback for Confidential Cloud Applications, from Wisconsin and Intel Labs, addresses an operational gap. Prior security frameworks (Memoir, ROTE, Ariadne, Nimble) treated all rollback as malicious and categorically blocked it through monotonic counters and cryptographic sealing, which means a confidential VM also cannot be rolled back legitimately for operational recovery from corruption, misconfiguration, or vulnerability disclosure. The paper proposes REBOUND, a reference monitor that mediates state transitions under authorization policy, guarantees atomicity, and emits a tamper-evident log that audit tooling can consume. The title literalizes the argument: rollback as a feature, when authorized, rather than only as a bug to suppress.
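The distinction the paper draws, between rollback that a monotonic counter must refuse and rollback that an authorized operator performs on the record, is easy to show in miniature. The monitor below is an added example written for this piece, not REBOUND's code: an HMAC ticket stands in for the authorization policy, versions are kept as plain dicts rather than sealed blobs, and every transition, including denied ones, lands in a hash-chained log that audit tooling can re-verify. All names and the key are constructed.

```python
"""Added example (not REBOUND's code): a minimal reference monitor that treats
rollback as an authorized state transition and records every transition in a
hash-chained log that audit tooling can verify. The HMAC ticket used as the
authorization policy and all names are assumptions for illustration."""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first log entry


class RollbackMonitor:
    def __init__(self, admin_key: bytes) -> None:
        self.admin_key = admin_key   # assumption: key held by whoever may authorize rollbacks
        self.versions = {}           # version -> stored state (a real monitor would hold sealed blobs)
        self.current = None          # version the application is currently running
        self.log = []                # hash-chained, append-only transition log

    def _append(self, entry: dict) -> None:
        prev = self.log[-1]["hash"] if self.log else GENESIS
        record = {**entry, "prev": prev}
        digest = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
        self.log.append({**record, "hash": digest})

    def commit(self, version: int, state: dict) -> None:
        """Forward progress: versions are monotonic and never reused, as in counter-based schemes."""
        if version in self.versions or (self.current is not None and version <= self.current):
            raise ValueError("non-monotonic or reused version refused")
        previous, self.current = self.current, version
        self.versions[version] = dict(state)
        self._append({"op": "commit", "from": previous, "to": version})

    def ticket_for(self, to_version: int, reason: str) -> str:
        """Authorization ticket bound to the current head, the target and a reason,
        so a ticket cannot be replayed once the state has moved on."""
        msg = f"{self.current}->{to_version}:{reason}".encode()
        return hmac.new(self.admin_key, msg, "sha256").hexdigest()

    def rollback(self, to_version: int, reason: str, ticket: str) -> dict:
        """Authorized rollback; denied attempts are logged too, so audit sees them."""
        if not hmac.compare_digest(self.ticket_for(to_version, reason), ticket):
            self._append({"op": "rollback_denied", "from": self.current, "to": to_version})
            raise PermissionError("rollback not authorized")
        if to_version not in self.versions:
            raise KeyError(f"unknown version {to_version}")
        previous, self.current = self.current, to_version
        # the state switch and the log entry are one transition; persisting both as a
        # unit is what gives the monitor its atomicity guarantee
        self._append({"op": "rollback", "from": previous, "to": to_version, "reason": reason})
        return dict(self.versions[to_version])

    def verify_log(self) -> bool:
        """Recompute the chain; any edited, dropped or reordered entry breaks it."""
        prev = GENESIS
        for entry in self.log:
            record = {k: v for k, v in entry.items() if k != "hash"}
            if record["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo():
    """Commit twice, reject an unauthorized rollback, perform an authorized one,
    then show that rewriting history is detectable."""
    m = RollbackMonitor(b"constructed-admin-key")
    m.commit(1, {"config": "v1"})
    m.commit(2, {"config": "v2-misconfigured"})
    try:
        m.rollback(1, "revert misconfiguration", "not-a-valid-ticket")
    except PermissionError:
        pass
    restored = m.rollback(1, "revert misconfiguration", m.ticket_for(1, "revert misconfiguration"))
    ops = [e["op"] for e in m.log]
    intact = m.verify_log()
    m.log[2]["op"] = "rollback"   # someone edits the log to hide the denied attempt
    return restored, intact, m.verify_log(), ops


if __name__ == "__main__":
    print(demo())
```

The ticket is bound to the head version at the time of issue, so an operator's approval to roll back from version 2 cannot be replayed later against a different state; that is the difference between a policy-mediated transition and the blanket "any rewind is an attack" rule of the counter-only frameworks the paper lists.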
Defeating Transient Execution Attacks by Limiting Secret Reachability through Register Hiding and ShadowCFI, from MIT and AMD, proposes two complementary software-based techniques against Spectre v2-style attacks. The techniques are implemented as a Linux kernel 6.8 patch and are explicitly hardware-agnostic. Performance: replacing the most recently deployed Spectre v2 defenses on AMD Zen 4 with REGISTER HIDING and SHADOWCFI reduces overall mitigation overhead from 114.1% to 75.9% on LEBench, and from 33.4% to 25.8% across server workloads. The AMD co-authorship signals R&D engagement with the defense layer, not silicon implementation; the contribution is that the software stack can do this work better than the existing software stack does.
Post-deployment, attacks come, defenses come, the product category survives. A Trusted Execution Environment cannot be sold as a black box that defeats all adversaries. It can be sold as a primitive that defeats a specifically-described class of adversaries, and the description gets sharper at each cycle.
The cryptographic column
The conference's program includes papers that target the same workloads the TEE category dominates, using cryptography rather than hardware.
APEX: Accurate Parallel Expressive Homomorphic Execution for Encrypted Databases, from the University of Hong Kong, addresses the database-query workload by evaluating query operators homomorphically over FHE-encrypted records. FHE is still orders of magnitude slower than unencrypted execution, but the workload class Leafblower attacks now has a cryptographic answer in the same venue.
Parasol Compiler: Pushing the Boundaries of FHE Program Efficiency, from Sunscreen and Connecticut, attacks the compiler layer above FHE primitives. The construction is an LLVM-based compiler that takes C as input, compiles to a custom virtual processor with a custom ISA, and runs against an in-house TFHE variant using circuit bootstrapping plus homomorphic multiplexer trees.
Concretely-Efficient Multi-Key Homomorphic Secret Sharing and Applications, from MIT, Tinfoil, and Université Paris Cité, is the first concretely-efficient implementation of multi-key HSS, a primitive introduced theoretically by Couteau et al. at Eurocrypt 2025. An algorithmic insight reducing the largest modulus from N⁴ to N² yields a 45× speedup over the theoretical baseline, bringing homomorphic multiplication from 224.6 milliseconds to 5.0 milliseconds. The paper's main application is attribute-based non-interactive key exchange, demonstrated at a geolocation-based key exchange in 1.65 seconds and a fuzzy PAKE on an 8-word passphrase in 7.59 seconds. Not a database or inference workload, but a cryptographic-only path to attribute-conditioned identity primitives that have previously required online interaction.
It's notable that private information retrieval is one of the cryptographic primitives Vitalik Buterin named in his short-term Ethereum privacy roadmap under the access-layer track.
The audit column
Auditing Apple's DifferentialPrivacy.framework: Implementation Bugs, Misconfigurations, and Practical Risks, from Betterdata.ai, MBZUAI, and the National University of Singapore, received the Distinguished Paper Award at this year's symposium. The same framework was studied in a 2017 paper by Tang, Korolova, and colleagues at the macOS Sierra implementation level; the 2026 paper is the deeper formal-venue audit nine years downstream, with new categories of findings (implementation bugs, misconfigurations, practical risk) that the earlier work did not surface.
zkFuzz: Foundation and Framework for Effective Fuzzing of Zero-Knowledge Circuits, from Columbia, brings fuzzing to ZK circuits using a Trace-Constraint Consistency Test framework that captures both under-constrained (soundness) and over-constrained (completeness) vulnerabilities. Language-Agnostic Detection of Computation-Constraint Inconsistencies in ZKP Programs via Value Inference, from VUB, Nokia Bell Labs, the UCL Centre for Blockchain Technologies, and zkSecurity, targets the broader class of computation-constraint inconsistencies via value inference, across multiple ZKP languages.
The blockchain column
Jigsaw: Doubly Private Smart Contracts, from UC Berkeley, Rutgers, and Swirlds Labs, addresses a structural gap in current privacy-DeFi designs. Existing privacy-preserving smart-contract systems protect on-chain data but rely on trusted off-chain parties (a decentralized exchange's matching engine, an order book aggregator) that see client data and identities in the clear. Jigsaw's "doubly private" framing is on-chain plus off-chain: clients submit requests in a privacy-preserving manner to a group of mutually untrusting servers that collaboratively process them without learning the underlying data or identities. The construction extends the ZEXE architecture with collaborative zkSNARKs to enable efficient proof generation by the server group.
Weighted Batched Threshold Encryption with Applications to Mempool Privacy, from Category Labs, Ashoka, Bar-Ilan, and George Mason, extends Bormet et al.'s BEAT-MEV scheme from USENIX 2025 to support weighted committees. The mechanism is the standard one for threshold-encrypted mempools: transactions stay encrypted until they are included in a block, which guards against front-running and sandwich patterns. The weighted-committee feature matters for the deployment configuration that actually exists in production, stake-weighted proof-of-stake validator sets, where a uniform threshold scheme does not fit.
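Why a uniform threshold does not fit a stake-weighted validator set is easiest to see with the simplest weighted construction: give each validator as many Shamir shares as its stake, so that any coalition whose total weight meets the threshold can recover the decryption key and no lighter coalition can. The block below is an added example for this piece, not the paper's BEAT-MEV extension; the stake weights, the threshold, the transaction bytes and the XOR "seal" standing in for the real threshold encryption scheme are all constructed.

```python
"""Added example (not the paper's BEAT-MEV extension): a weighted threshold
committee realized with Shamir secret sharing over a prime field, where each
validator holds as many shares as its stake weight. Weights, threshold and the
transaction bytes are constructed; the XOR seal is a stand-in for the real
threshold encryption scheme."""
import hashlib
import random

P = 2**61 - 1  # prime field modulus (assumption: toy size, fine for illustration)


def share_key(secret: int, weights: dict, threshold: int, rng: random.Random) -> dict:
    """Degree-(threshold-1) polynomial with f(0)=secret; validator v gets weights[v] points."""
    coeffs = [secret] + [rng.randrange(P) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    shares, x = {}, 1
    for name, w in weights.items():
        shares[name] = [(x + i, f(x + i)) for i in range(w)]  # weight-many distinct evaluation points
        x += w
    return shares


def reconstruct(points) -> int:
    """Lagrange interpolation at x=0 over GF(P)."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def committee_recovers(shares: dict, members, threshold: int):
    """Pool the members' shares; return the key only if their total weight meets the threshold."""
    pts = [pt for m in members for pt in shares[m]]
    if len(pts) < threshold:
        return None  # too little stake behind the decryption: refuse rather than interpolate garbage
    return reconstruct(pts[:threshold])


def seal(secret: int, data: bytes) -> bytes:
    """Toy symmetric seal: XOR with a SHA-256 keystream derived from the shared key
    (no authentication; applying it twice with the same key recovers the input)."""
    stream = b"".join(hashlib.sha256(secret.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def demo():
    """Seal a transaction to a stake-weighted committee and try to open it with
    coalitions of different total weight."""
    rng = random.Random(7)
    weights = {"A": 5, "B": 3, "C": 1, "D": 1}   # constructed stake weights (total 10)
    threshold = 6                                # more than half the stake must cooperate
    secret = rng.randrange(1, P)
    shares = share_key(secret, weights, threshold, rng)
    tx = b"constructed swap tx: sell 100 X for Y"
    sealed = seal(secret, tx)
    outcomes = {}
    for members in (["A", "B"], ["A"], ["B", "C", "D"], ["A", "C"], ["C", "D"]):
        key = committee_recovers(shares, members, threshold)
        outcomes["".join(members)] = None if key is None else seal(key, sealed)
    return tx, outcomes


if __name__ == "__main__":
    tx, outcomes = demo()
    for coalition, opened in outcomes.items():
        print(coalition, "opened" if opened == tx else "refused")
```

Under a uniform 2-of-4 threshold the coalition C+D, holding two of ten stake units, could open every pending transaction; with weight-proportional shares it cannot, while A+C (six units) can. The paper's contribution is doing this without the share blow-up and with batching, which this toy does not attempt.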
What's next
What the next several months will show is how the academic developments at this conference translate into real-world deployment. The prospects are favorable, given that the community's privacy-stack architecture discussions have been working toward that end for a long time.