AMD secure VM tech undone by DRAM meddling

Boffins devise BadRAM attack to pilfer secrets from SEV-SNP encrypted memory


Researchers have found that the security mechanism AMD uses to protect virtual machine memory can be bypassed with $10 of hardware – and perhaps not even that.

AMD Secure Encrypted Virtualization (SEV) is designed to provide a Trusted Execution Environment (TEE) that safeguards computation and memory, along the lines of similar TEE offerings from rival vendors like Intel's Software Guard Extensions (SGX) and Trust Domain Extensions (TDX), and Arm's Confidential Compute Architecture (CCA).

SEV and the like are commonly used by cloud service providers to ensure that those with access to datacenter hardware cannot siphon secrets from tenant virtual machines. These technologies encrypt memory, so that users have some defense against an untrustworthy provider or snooping authorities.

Boffins from KU Leuven in Belgium, the University of Lübeck in Germany, and the University of Birmingham in the UK have taken a look at AMD SEV-SNP (Secure Nested Paging) – a recent SEV enhancement that adds protection against memory remapping attacks from a malicious hypervisor. And they've found that it's not as secure as its name suggests.

In a paper [PDF] titled "BadRAM: Practical Memory Aliasing Attacks on Trusted Execution Environments," co-authors Jesse De Meulemeester, Luca Wilke, David Oswald, Thomas Eisenbarth, Ingrid Verbauwhede, and Jo Van Bulck describe how they devised a way to bypass TEE-based memory access restrictions with a Raspberry Pi Pico, a DDR socket, and a 9V battery.

The BadRAM attack – which, against properly locked modules, requires physical access to the hardware (a rogue admin scenario, for example) – works by abusing the SPD (Serial Presence Detect) chip on a memory module, a small EEPROM that tells the memory controller the module's capacity, organization, and timing parameters at boot. By manipulating the SPD contents, the attacker creates aliases for physical memory, which can then be read and written to scour for secrets in contravention of the TEE's confidentiality and integrity goals.

"In our attacks, we double the apparent size of the Dual Inline Memory Module (DIMM) installed in the system to trick the CPU's memory controller into using additional 'ghost' addressing bits," the authors explain. "These addressing bits will be unused within the virtually enlarged DIMM, creating an interesting aliasing effect where two different physical addresses now refer to the same DRAM location."

The technique, which applies to DDR4 and DDR5 memory, could also work for a local, software-only attacker with no physical access to the hardware (one logged in over SSH with kernel privileges, say), because some DRAM vendors ship modules with the SPD chip unlocked. While most vendors lock their memory modules, per the JEDEC specification, the authors report they found at least two off-the-shelf DDR4 DIMMs from Corsair "that leave the base configuration entirely unprotected, possibly exposing them to software-only BadRAM attacks."

Older memory like DDR3, whose SPD would otherwise prevent memory size meddling through permanent write protection, can also be affected – by physically removing or swapping the SPD chip, the researchers claim.
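To make the aliasing effect concrete, here is a small Python model of a memory controller that sizes its address space from the SPD and enforces a per-page owner table standing in for SEV-SNP's reverse map (RMP). It is an added illustration, not code from the BadRAM paper or from AMD: the DIMM sizes, the 256-byte page size, the flat address-to-cell mapping and the "guest"/"hypervisor" labels are all constructed for the example, and memory encryption is deliberately left out. What it shows is only the mechanism the researchers describe: when the SPD claims twice the real capacity, the controller decodes one "ghost" address bit the DRAM array does not have, so an access check keyed on the requested physical address is satisfied by the alias while the underlying cell is the same. It also includes the kind of boot-time alias probe a firmware could run to notice a lying module.

```python
from __future__ import annotations

"""
Toy model of the BadRAM aliasing effect: a DIMM whose SPD reports twice its
real capacity makes the memory controller decode one more address bit than
the DRAM array has pins for, so two distinct physical addresses hit the same
cell. Added illustration only; not code from the BadRAM paper or from AMD.
"""

PAGE_SIZE = 256  # constructed toy page size; real systems use 4 KiB pages


class Dimm:
    """DRAM array of real_bytes cells whose SPD may lie about its size."""

    def __init__(self, real_bytes: int, spd_bytes: int) -> None:
        assert real_bytes & (real_bytes - 1) == 0, "model assumes power-of-two DIMMs"
        self.real_bytes = real_bytes
        self.spd_bytes = spd_bytes          # what the SPD chip tells the controller
        self.cells = bytearray(real_bytes)  # the silicon that actually exists

    def cell(self, phys_addr: int) -> int:
        # The array only has log2(real_bytes) address lines; any higher bits the
        # controller drives are simply not connected and drop out here.
        return phys_addr & (self.real_bytes - 1)


class MemoryController:
    """Sizes the address space from the SPD at boot, as real controllers do."""

    def __init__(self, dimm: Dimm) -> None:
        self.dimm = dimm
        self.addr_bits = dimm.spd_bytes.bit_length() - 1  # trusts the SPD blindly
        self.page_owner: dict[int, str] = {}  # page -> owner; stand-in for the RMP

    def ghost_bits(self) -> list[int]:
        """Address bits the controller decodes but the DRAM array does not have."""
        real_bits = self.dimm.real_bytes.bit_length() - 1
        return list(range(real_bits, self.addr_bits))

    # Raw accesses: what firmware can do before any ownership table exists.
    def raw_write(self, addr: int, value: int) -> None:
        self.dimm.cells[self.dimm.cell(addr)] = value

    def raw_read(self, addr: int) -> int:
        return self.dimm.cells[self.dimm.cell(addr)]

    # Checked accesses: ownership is looked up by the *requested* physical address.
    def assign_page(self, page: int, owner: str) -> None:
        self.page_owner[page] = owner

    def _check(self, addr: int, requester: str) -> None:
        if not 0 <= addr < (1 << self.addr_bits):
            raise IndexError(f"{addr:#x} is outside the decoded address space")
        owner = self.page_owner.get(addr // PAGE_SIZE, "hypervisor")
        if owner != requester:
            raise PermissionError(f"{requester} may not access a page owned by {owner}")

    def write(self, addr: int, value: int, requester: str) -> None:
        self._check(addr, requester)
        self.raw_write(addr, value)

    def read(self, addr: int, requester: str) -> int:
        self._check(addr, requester)
        return self.raw_read(addr)


def detect_aliases(mc: MemoryController) -> list[int]:
    """Boot-time probe: write two markers at address 0 and see which power-of-two
    offsets echo them back. A bit whose offset echoes both markers is a ghost bit."""
    saved = mc.raw_read(0)
    ghosts = []
    for bit in range(mc.addr_bits):
        probe = 1 << bit
        echoed = []
        for marker in (0x5A, 0xA5):
            mc.raw_write(0, marker)
            echoed.append(mc.raw_read(probe) == marker)
        if all(echoed):
            ghosts.append(bit)
    mc.raw_write(0, saved)
    return ghosts


def boot_check(real_bytes: int, spd_bytes: int) -> list[int]:
    """Ghost bits the alias probe finds for a given real-size/SPD-claim pairing."""
    return detect_aliases(MemoryController(Dimm(real_bytes, spd_bytes)))


def badram_scenario() -> dict:
    """Constructed scenario: 4 KiB of real DRAM whose SPD claims 8 KiB."""
    mc = MemoryController(Dimm(real_bytes=4096, spd_bytes=8192))
    ghost = mc.ghost_bits()[0]                  # bit 12 for this DIMM

    mc.assign_page(0, "guest")                  # page 0 belongs to the SEV VM
    secret_addr = 0x10
    mc.write(secret_addr, 0x42, "guest")        # guest stores a value there

    try:                                        # the direct path is refused
        mc.read(secret_addr, "hypervisor")
        direct_denied = False
    except PermissionError:
        direct_denied = True

    alias = secret_addr | (1 << ghost)          # different address, same cell
    leaked = mc.read(alias, "hypervisor")       # alias page is hypervisor-owned
    mc.write(alias, 0x99, "hypervisor")         # ...and writable through the alias
    tampered = mc.read(secret_addr, "guest")    # guest now sees the attacker's value

    return {"ghost_bit": ghost, "alias": alias, "direct_denied": direct_denied,
            "leaked": leaked, "tampered": tampered}


if __name__ == "__main__":
    print(badram_scenario())
    print("honest DIMM ghost bits:", boot_check(4096, 4096))
    print("lying DIMM ghost bits: ", boot_check(4096, 8192))
```

The probe in detect_aliases is the cheap check a practitioner would want from firmware: it costs a handful of writes at boot and catches any advertised capacity that the array cannot actually back. It is not a description of what AMD's firmware update does, which the page does not detail.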

"BadRAM completely undermines trust in AMD's latest Secure Encrypted Virtualization (SEV-SNP) technology, which is widely deployed by major cloud providers, including Amazon AWS, Google Cloud, and Microsoft Azure," Jo Van Bulck, professor in the DistriNet lab at the Department of Computer Science of KU Leuven, told The Register in an email.

"BadRAM for the first time studies the security risks of bad RAM – rogue memory modules that deliberately provide false information to the processor during startup. We show how BadRAM attackers can fake critical remote attestation reports and insert undetectable backdoors into any SEV-protected VM."

Intel's scalable SGX and TDX are not affected, because they implement countermeasures against memory aliasing. Arm CCA appears to be protected on paper, based on the specification, but the boffins had no hardware on which to test it. The older, discontinued classic version of SGX is said to be partially vulnerable.

The researchers write that they disclosed their SPD aliasing attack and proof of concept code to AMD on February 26, 2024. They are scheduled to present their paper at the 2025 IEEE Symposium on Security and Privacy.

AMD is tracking the vulnerability under CVE-2024-21944 and AMD-SB-3015. The Ryzen designer confirmed to The Register that it plans to issue an advisory on Tuesday, December 10, 2024.

"AMD believes exploiting the disclosed vulnerability requires an attacker either having physical access to the system, operating system kernel access on a system with unlocked memory modules, or installing a customized, malicious BIOS," the Epyc house explained in a statement.

"AMD recommends utilizing memory modules that lock Serial Presence Detect (SPD), as well as following physical system security best practices. AMD has also released firmware updates to customers to mitigate the vulnerability." ®
