🤖 AI Summary
This paper addresses ciphertext side-channel attacks against deterministic memory encryption in trusted execution environments (TEEs), where attackers infer plaintext by analyzing temporal patterns in ciphertexts written to the same memory address. The authors propose a compiler-level defense that integrates software-defined probabilistic encryption with key-aware register allocation, implemented in LLVM. The approach breaks ciphertext determinism via probabilistic AES round-key scheduling and mitigates key reuse and ciphertext pattern leakage through sensitive-data lifetime-aware register allocation. Evaluated across multiple cryptographic implementations, the solution incurs only 3.2% average performance overhead, significantly lower than CipherFix, while completely eliminating exploitable ciphertext timing and pattern correlations. The method achieves strong security guarantees without hardware modifications, offering a practical, low-overhead mitigation for deterministic memory encryption vulnerabilities in TEEs.
📝 Abstract
Cryptographic implementations bolster security against timing side-channel attacks by integrating constant-time components. However, the new ciphertext side channels resulting from the deterministic memory encryption in Trusted Execution Environments (TEEs) enable ciphertexts to manifest identifiable patterns when they are sequentially written to the same memory address. Attackers with read access to encrypted memory in TEEs can potentially deduce plaintexts by analyzing these changing ciphertext patterns. In this paper, we design CipherGuard, a compiler-aided mitigation methodology to counteract ciphertext side channels with high efficiency and security. CipherGuard is based on the LLVM ecosystem and encompasses multiple mitigation strategies, including software-based probabilistic encryption and secret-aware register allocation. Through a comprehensive evaluation, we demonstrate that CipherGuard can strengthen the security of various cryptographic implementations more efficiently than the existing state-of-the-art defense mechanism, i.e., CipherFix.
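To make the ciphertext side channel and the probabilistic-encryption mitigation concrete, here is an added illustration in Python; it is not code from the CipherGuard paper or from any TEE vendor. It models deterministic, address-tweaked memory encryption with a small keyed Feistel network (an assumed stand-in for the hardware cipher, chosen only so the example runs with the standard library), shows that repeated stores of equal values to one address produce equal ciphertexts, and then applies a software-side one-time mask before each store so that the ciphertext no longer mirrors the plaintext. The mask is returned separately to model secret state that is kept out of observable memory, as the paper does with registers; the function and variable names are the example's own.

```python
"""Toy model of the ciphertext side channel on deterministic memory
encryption and of software-based probabilistic encryption as a fix.
Added illustration; the cipher is a simplified stand-in (assumption),
not the real memory encryption of any TEE."""
import hashlib
import hmac
import secrets

BLOCK = 16  # bytes per encrypted memory block


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, tweak: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed Feistel round function: HMAC keeps it deterministic and
    # key-dependent (assumption: stand-in for an AES-based design).
    msg = tweak + bytes([rnd]) + half
    return hmac.new(key, msg, hashlib.sha256).digest()[: BLOCK // 2]


def mem_encrypt(key: bytes, addr: int, block: bytes) -> bytes:
    """Deterministic, address-tweaked block encryption: same (addr, block)
    always yields the same ciphertext, which is the property being modelled."""
    assert len(block) == BLOCK
    tweak = addr.to_bytes(8, "little")
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, tweak, rnd, right))
    return left + right


def mem_decrypt(key: bytes, addr: int, block: bytes) -> bytes:
    """Inverse of mem_encrypt (Feistel rounds undone in reverse order)."""
    tweak = addr.to_bytes(8, "little")
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, tweak, rnd, left)), left
    return left + right


def store_sequence(key: bytes, addr: int, values: list) -> list:
    """Ciphertexts an observer with read access to encrypted memory sees
    when `values` are written one after another to the same address."""
    return [mem_encrypt(key, addr, v) for v in values]


def repeated_ciphertexts(cts: list) -> list:
    """Index pairs whose ciphertexts are identical. Under deterministic
    encryption this exactly reveals which writes carried equal plaintexts:
    that is the leakage a defender wants to drive to zero."""
    n = len(cts)
    return [(i, j) for i in range(n) for j in range(i + 1, n) if cts[i] == cts[j]]


def masked_store_sequence(key: bytes, addr: int, values: list,
                          rng=secrets.token_bytes):
    """Software-based probabilistic encryption: each store is XORed with a
    fresh one-time mask before it reaches memory, so equal values no longer
    produce equal ciphertexts. Masks must stay out of observable memory
    (the paper keeps such secrets in registers); here they are returned
    separately to model that. Returns (ciphertexts, masks)."""
    cts, masks = [], []
    for v in values:
        mask = rng(BLOCK)
        cts.append(mem_encrypt(key, addr, _xor(v, mask)))
        masks.append(mask)
    return cts, masks


def masked_load(key: bytes, addr: int, ct: bytes, mask: bytes) -> bytes:
    """Recover the original value from a masked store."""
    return _xor(mem_decrypt(key, addr, ct), mask)


if __name__ == "__main__":
    # Constructed sample: a secret-dependent value alternates at one address.
    key = bytes(32)
    a, b = bytes(BLOCK), b"\x01" + bytes(BLOCK - 1)
    writes = [a, b, a, b, a]
    plain_cts = store_sequence(key, 0x1000, writes)
    print("deterministic: repeated ciphertext pairs", repeated_ciphertexts(plain_cts))
    masked_cts, masks = masked_store_sequence(key, 0x1000, writes)
    print("probabilistic: repeated ciphertext pairs", repeated_ciphertexts(masked_cts))
```

Running the script prints the index pairs with equal ciphertexts for the deterministic case (every pair of equal plaintexts) and an empty list for the masked case; the cost of the mitigation is the extra XOR per store and the need to keep the mask in non-observable state, which is where the register-allocation side of the paper comes in.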