RMPocalypse: ETH Researchers Uncover Vulnerability in Confidential Cloud Environments

New findings from ETH Zurich compromise confidence in confidential cloud computing

Cloud services have become essential for individuals and organizations alike, enabling secure data storage and powerful processing from anywhere. For highly sensitive workloads—such as healthcare or financial data—cloud providers offer confidential computing environments. These are designed so that data remains encrypted not just at rest and in transit, but also while it is being processed. This level of protection promises that even the cloud operator or host system cannot read the data.

But a recent discovery by the Secure & Trustworthy Systems Group at ETH Zurich has cast a shadow over this ideal. Researchers led by Professor Shweta Shinde identified a vulnerability, nicknamed RMPocalypse, that could undermine the safeguards of confidential computing environments. The finding shows that in some configurations, a determined attacker with remote access could bypass protective mechanisms and gain access to secure data areas in the cloud.

What is RMPocalypse and why does it matter?

RMPocalypse targets a hardware mechanism known as the Reverse Map Table (RMP), part of AMD’s security stack used in confidential computing environments. These environments typically rely on SEV-SNP (Secure Encrypted Virtualisation with Secure Nested Paging) to protect data during storage, transmission, and processing. SEV-SNP is widely used in major cloud offerings from providers like Microsoft Azure, Google Cloud, and AWS, often on servers powered by AMD processors.

According to ETH researchers, the vulnerability is especially critical because it affects how memory access is securely managed at VM startup. If attackers can exploit this weakness, they may trigger hidden functions, forge attestations, or perform replay attacks to restore prior states and inject code. In their tests, the team achieved a 100% success rate in bypassing the protective mechanisms on the tested workloads, demonstrating the potential for wide-ranging impact.

Scope and risk: who is affected?

The vulnerability does not affect all cloud services or all workloads. Instead, it targets the specific hardware security features used to shield confidential data within AMD-based systems. While ordinary consumer apps like Word or Excel are not impacted, the risk is significant for workloads that rely on confidential computing to process sensitive information in the cloud. A breach could expose encrypted data during execution, undermining trust in cloud services used for AI data analysis and other high-stakes operations.

Impact on trust, security posture, and response

The discovery emphasizes a few key realities about confidential computing: even robust hardware-backed protections can have subtle weaknesses, and the security of the entire stack depends on the weakest link. The researchers’ disclosure to AMD allowed the company to rapidly address the vulnerability and strengthen mitigations on affected processors. This collaborative approach to vulnerability disclosure is essential for maintaining digital sovereignty and public confidence in cloud infrastructure.

From a risk management perspective, cloud users should monitor for vendor advisories, update firmware and security patches promptly, and validate that their confidential workloads are running on patched hardware configurations. For enterprises handling particularly sensitive data, auditing the deployment of SEV-SNP-based environments and reviewing attestation results are prudent steps to confirm that protections are intact.
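
One way to automate the "reviewing attestation results" step is to compare the firmware TCB versions in an SEV-SNP attestation report against a minimum. The following is an added example, not code from ETH or AMD. It assumes the version 2 ATTESTATION_REPORT layout from AMD's SEV-SNP firmware ABI specification, that the report's signature has already been verified, and placeholder minimum values that must be replaced with those from AMD's advisory.

```python
import struct

# Assumption: version 2 ATTESTATION_REPORT layout (AMD SEV-SNP firmware ABI spec).
REPORT_SIZE = 0x4A0
TCB_OFFSETS = {"current_tcb": 0x38, "reported_tcb": 0x180, "committed_tcb": 0x1E0}
FIELDS = ("bootloader", "tee", "snp", "microcode")

# PLACEHOLDER floors: replace with the values from AMD's advisory for your CPU.
MIN_TCB = {"bootloader": 4, "tee": 0, "snp": 22, "microcode": 213}


def parse_tcb(raw):
    """Decode one 8-byte TCB_VERSION: bootloader, tee, 4 reserved bytes, snp, microcode."""
    bootloader, tee, _reserved, snp, microcode = struct.unpack("<BB4sBB", raw)
    return dict(zip(FIELDS, (bootloader, tee, snp, microcode)))


def check_report(report, minimum=MIN_TCB):
    """Return a list of findings; an empty list means every TCB meets the floor."""
    if len(report) != REPORT_SIZE:
        raise ValueError(f"expected {REPORT_SIZE} bytes, got {len(report)}")
    version = struct.unpack_from("<I", report, 0)[0]
    if version != 2:
        raise ValueError(f"unsupported report version {version}")
    findings = []
    for name, offset in TCB_OFFSETS.items():
        tcb = parse_tcb(report[offset:offset + 8])
        for field in FIELDS:
            if tcb[field] < minimum[field]:
                findings.append(f"{name}.{field}={tcb[field]} < {minimum[field]}")
    return findings


def make_sample(current, reported, committed):
    """Build a constructed, unsigned report (all other fields zero) for demonstration."""
    buf = bytearray(REPORT_SIZE)
    struct.pack_into("<I", buf, 0, 2)
    for offset, (bl, tee, snp, ucode) in zip(TCB_OFFSETS.values(), (current, reported, committed)):
        struct.pack_into("<BB4sBB", buf, offset, bl, tee, b"\0" * 4, snp, ucode)
    return bytes(buf)


if __name__ == "__main__":
    ok = (4, 0, 22, 213)
    print(check_report(make_sample(ok, ok, ok)))
    print(check_report(make_sample(ok, ok, (4, 0, 20, 213))))
```

Checking the committed TCB as well as the current one matters because a committed version below the floor means the platform could still be rolled back to older firmware.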

What comes next for confidential computing?

RMPocalypse serves as a reminder that security is an ongoing, evolving effort. The ETH findings will likely influence how cloud providers design future generations of SEV-SNP and related technologies, driving improvements in memory protection, startup integrity checks, and attestation mechanisms. As hardware, system software, and cloud services continue to converge, transparent vulnerability reporting and rapid remediation remain essential to preserving the confidentiality guarantees that underpin modern cloud computing.

Conclusion: collaboration over secrecy

By promptly sharing their results with AMD, ETH researchers helped ensure flaws could be remediated before exploitation became widespread. The ongoing dialogue between researchers, hardware vendors, and cloud providers is crucial to maintaining trust in confidential computing environments and enabling secure AI-driven applications that rely on processing sensitive data in the cloud.