BadRAM Attack Uses $10 Equipment to Break AMD Processor Protections

Academic researchers devise BadRAM, a new attack that uses $10 equipment to break AMD’s latest trusted execution environment protections.

Academic researchers have devised a new attack that relies on cheap equipment to provide false information to the system processor during startup and break AMD’s latest trusted execution environment guarantees.

Called BadRAM, the new attack uses $10 off-the-shelf equipment to break AMD SEV-SNP (Secure Encrypted Virtualization-Secure Nested Paging), cutting-edge memory integrity protections that rely on encryption and isolation to prevent information leaks and hypervisor-based attacks.

The attack, academics from KU Leuven, the University of Lübeck, and the University of Birmingham explained in a research paper (PDF), uses a rogue memory module that lies about its size to deceive the processor into revealing encrypted memory.

To break SEV, however, the attacker requires physical access to the memory module’s embedded SPD chip, which stores information about the module’s size.

By tampering with the chip, the attacker can cause aliasing in the physical address space, bypassing the control mechanisms that protect memory mappings and resulting in a full compromise of SEV-SNP’s attestation feature.

“We found that tampering with the embedded SPD chip on commercial DRAM modules allows attackers to bypass SEV protections — including AMD’s latest SEV-SNP version. For less than $10 in off-the-shelf equipment, we can trick the processor into allowing access to encrypted memory,” the researchers note.

By doubling the apparent size of the installed DRAM module, the researchers deceived the processor into using ghost addressing bits, creating an aliasing effect where two different physical addresses would refer to the same DRAM location.

After locating these aliases, the researchers found that the BadRAM attack could be used to tamper with or replay ciphertexts, and to manipulate the reverse map table data structure to reintroduce page-remapping attacks, which SEV-SNP is specifically meant to mitigate.

The academics also discovered that Intel’s SGX protections prevent ciphertext replay or corruption attacks, although they allow write access patterns to be discerned, and that certain DRAM vendors leave SPD unlocked, which could lead to software-only BadRAM attacks.

On Tuesday, AMD announced firmware updates that mitigate the underlying BadRAM weakness. Tracked as CVE-2024-21944 (CVSS score of 5.3), the vulnerability impacts AMD’s 3rd and 4th generation EPYC processors (formerly codenamed Milan, Milan-X, Genoa, Bergamo, Genoa-X, and Siena).

“Improper input validation for DIMM serial presence detect (SPD) metadata could allow an attacker with physical access, ring0 access on a system with a non-compliant DIMM, or control over the Root of Trust for BIOS update, to potentially overwrite guest memory resulting in loss of guest data integrity,” AMD says in its advisory.

AMD notes that using memory modules that lock SPD, following physical security best practices, and applying the newly released AGESA and SEV firmware updates would mitigate the attack, and the academics verify that the updates resolve the issue.

“BadRAM can be mitigated by considering the SPD data as untrusted and performing memory alias checking at boot time, as seen in Intel’s Alias Checking Trusted Module for TDX and scalable SGX. The countermeasures introduced by AMD will similarly validate SPD metadata during the boot process in trusted firmware,” the researchers note.
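The aliasing effect described above (ghost addressing bits that the module ignores, so two physical addresses land on the same DRAM cell) and the boot-time alias check the researchers recommend can both be illustrated with a small software model. The following is an added example written for this article; it is not code from the paper, from AMD firmware, or from Intel’s alias-checking module. The `DramModule` class, its `real_bits`/`spd_bits` parameters and the `trusted_size_after_alias_check` function are constructed for the simulation, and the way the module ignores high address bits is a simplification of real DRAM decoding.

```python
# Constructed simulation of SPD-induced DRAM aliasing and a boot-time alias check.
# Not the paper's code and not AMD's or Intel's firmware; a teaching model only.


class DramModule:
    """A simulated DRAM module (hypothetical model).

    real_bits: number of address bits the module actually decodes.
    spd_bits:  number of address bits implied by the size its SPD chip reports.
    When spd_bits > real_bits, the SPD lies about the size (as in BadRAM) and the
    extra "ghost" bits are silently ignored by the module.
    """

    def __init__(self, real_bits: int, spd_bits: int):
        self.real_bits = real_bits
        self.spd_bits = spd_bits
        self.cells = bytearray(1 << real_bits)  # the memory that really exists

    @property
    def reported_size(self) -> int:
        """Size the (untrusted) SPD metadata claims, in simulated cells."""
        return 1 << self.spd_bits

    def _decode(self, addr: int) -> int:
        # Only the low real_bits are wired; anything above is a ghost bit.
        # Addresses that differ only in ghost bits alias to the same cell.
        return addr & ((1 << self.real_bits) - 1)

    def write(self, addr: int, value: int) -> None:
        self.cells[self._decode(addr)] = value & 0xFF

    def read(self, addr: int) -> int:
        return self.cells[self._decode(addr)]


def trusted_size_after_alias_check(module: DramModule) -> int:
    """Boot-time alias check: treat the SPD size as untrusted and measure instead.

    For each address bit up to the reported top, write a marker at (base | bit)
    and see whether the value at base changed. The first bit whose write shows
    through at base is a ghost bit, so the trustworthy size is 1 << that bit.
    If no bit aliases, the reported size is consistent with what was measured.
    """
    base = 0
    base_marker, probe_marker = 0x5A, 0xA5
    module.write(base, base_marker)
    for bit in range(module.spd_bits):
        probe = base | (1 << bit)  # always below reported_size
        module.write(probe, probe_marker)
        if module.read(base) == probe_marker:
            return 1 << bit  # aliasing observed: everything above is ghost space
    return module.reported_size


if __name__ == "__main__":
    honest = DramModule(real_bits=4, spd_bits=4)    # 16 cells, SPD says 16
    tampered = DramModule(real_bits=4, spd_bits=5)  # 16 cells, SPD says 32
    print("honest module, trusted size:", trusted_size_after_alias_check(honest))
    print("tampered module, reported:", tampered.reported_size,
          "trusted after check:", trusted_size_after_alias_check(tampered))
```

In the tampered case the SPD reports 32 cells but the check settles on 16, which is exactly the information trusted firmware needs to refuse to map the ghost half. The check is deliberately cheap (one write per address bit) so that it can run before any guest memory is populated; real implementations must also cover interleaving and multi-channel layouts, which this model omits.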

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
