The security mechanism AMD uses to protect virtual machine memory can be bypassed using a $5 Raspberry Pi Pico single board computer. This was discovered by a group of scientists from Belgium, Germany and the UK, who developed the BadRAM attack scheme.
Image source: amd.com
AMD has developed Secure Encrypted Virtualization (SEV) technology, which provides a Trusted Execution Environment (TEE). Competitors have similar solutions: Software Guard Extensions (SGX) and Trusted Domain Extensions (TDX) from Intel, as well as Arm Confidential Compute Architecture (CCA). These technologies are used by cloud service providers and ensure that administrators with access to data center equipment cannot copy sensitive information from customer virtual machines. Information in memory is encrypted, protecting cloud platform clients from untrustworthy service providers and unscrupulous government officials.
Scientists have been researching a new version of one of these technologies, AMD SEV-SNP (Secure Nested Paging), which adds protection against memory redistribution attacks from the hypervisor. However, as it turned out, this technology has flaws. To bypass restrictions on access to memory contents in TEE, you need a Raspberry Pi Pico single-board computer, a DDR connector and a 9 V battery. The BadRAM attack proposed by scientists involves abusing the mechanisms of the SPD (Serial Presence Detect) chip, which is responsible for identifying the module by the system. By manipulating the SPD, aliases are created in physical memory, allowing its contents to be examined for confidential information.
The attack doubles the apparent size of the DIMM installed in the system, allowing the CPU memory controller to be tricked into using additional addressing bits. As a result, the same DRAM location is referenced by two physical addresses. The method works with DDR4 and DDR5 memory. Theoretically, the attack could be carried out without physical access to the hardware, for example via SSH, since some DRAM suppliers leave the SPD chip unlocked. This was found on two DDR4 modules from Corsair. To implement an attack on DDR3, the SPD must be removed or replaced. AMD SEV-SNP technology is used in Amazon AWS, Google Cloud and Microsoft Azure. Scientists note that the BadRAM attack scheme allows you to add “undetectable backdoors to any SEV-protected virtual machine.”
Current Intel SGX and TDX technologies are not affected by this vulnerability due to implemented countermeasures that prevent the creation of memory aliases. Only the outdated version of SGX is vulnerable, which is no longer used by the manufacturer. Arm CCA is also protected at the specification level, but researchers were unable to verify this due to lack of equipment. Scientists provided the attack scheme and sample code to AMD on February 26, 2024. They intend to present their findings in 2025 at the IEEE Symposium on Security and Privacy. The company registered the vulnerability under the numbers CVE-2024-21944 and AMD-SB-3015 – it published information about them the day before.
«AMD believes that exploitation of the disclosed vulnerability requires that the attacker either has physical access to the system, access to the operating system kernel, or has a modified malicious BIOS installed. AMD recommends using memory modules that disable Serial Presence Detect (SPD) and following physical system security best practices. AMD has also released firmware updates to customers that will mitigate the vulnerability,” the company told The Register.