To mitigate interrupt-based stepping attacks (notably using SGX-Step), Intel introduced AEX-Notify, an ISA extension to Intel SGX that aims to prevent deterministic single-stepping. In this work, we introduce AEX-NStep, the first interrupt counting attack on AEX-Notify-enabled Enclaves. We show that deterministic single-stepping is not required for interrupt counting attacks to be practical and that, therefore, AEX-Notify does not entirely prevent such attacks. We specifically show that one of AEX-Notify's security guarantees, obfuscated forward progress, does not hold, and we introduce two new probabilistic interrupt counting attacks. We use these attacks to construct a practical ECDSA key leakage attack on an AEX-Notify-enabled SGX enclave. Our results extend the original security analysis of AEX-Notify and inform the design of future mitigations.
Cite
@article{arxiv.2510.14675,
title = {AEX-NStep: Probabilistic Interrupt Counting Attacks on Intel SGX},
author = {Nicolas Dutly and Friederike Groschupp and Ivan Puddu and Kari Kostiainen and Srdjan Capkun},
journal= {arXiv preprint arXiv:2510.14675},
year = {2025}
}
Comments
Author's version, to appear, 2026 IEEE Symposium on Security and Privacy (SP)