AMD data center chips vulnerable to revealing data through ‘BadRAM’ attack

AMD’s Secure Encrypted Virtualization (SEV), meant to protect processor memory from prying eyes in virtual machine (VM) environments, can be tricked into giving access to its encrypted memory contents using a test rig costing less than $10, researchers have revealed.

Dubbed “BadRAM” by researchers from the University of Lübeck in Germany, KU Leuven in Belgium, and the University of Birmingham in the UK, the proposed attack is conceptually simple as well as cheap: trick the CPU into thinking it has more memory than it really has, using a rogue memory module, and get it to write its supposedly secret memory contents to the “ghost” space.

The researchers achieved this using a test rig anyone could buy, consisting of a Raspberry Pi Pico, costing a few dollars, and a DIMM socket to hold DDR4/5 RAM modules. First, they manipulated the serial presence detect (SPD) chip built into the memory module to misreport the amount of onboard memory at boot, the “BadRAM” part of the attack. This created two physical addresses referring to the same DRAM location, and after some reverse engineering to locate these memory aliases, the researchers had access to memory contents, bypassing the system’s trusted execution environment (TEE).

The accessible memory contents were still encrypted, but even getting that far shouldn’t have been possible. The whole point of AMD’s SEV TEE is that it stops attackers from gaining access to memory by encrypting its contents, something that is especially important in cloud data centers where the physical machines are not under an organization’s control. Because of this, AMD’s SEV is widely used in the cloud industry by every major platform provider, which makes the discovery of the weakness significant.

This is where the attack becomes more hypothetical. An attacker using BadRAM has access to the data used by the microprocessor, but not in its unencrypted plaintext form.
However, according to Jo Van Bulck of KU Leuven in Belgium, that doesn’t mean the data can’t be manipulated in other ways. “With BadRAM, the exploit is not just that you can read the encrypted contents, but that you can overwrite the encrypted contents,” he told CSO Online via email. This is a consequence of the encryption being deterministic: the same value stored at the same location produces the same ciphertext, which an attacker can predict and reuse.

He used the example of a bank account showing an encrypted balance of $100. If that figure was later reduced by spending, an attacker could in theory replace it with the original, higher, still-encrypted $100 value. “There’s basically no means in the AMD CPU to distinguish this old, outdated value from the correct, current value,” said Van Bulck.
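A toy model of the replay Van Bulck describes, added here as an illustration and not code from the researchers or from AMD. It assumes an HMAC-derived per-address keystream as a stand-in for the CPU’s real memory cipher: with encryption alone, copying old ciphertext back into DRAM goes unnoticed, while binding a MAC to a write counter kept in CPU-private state makes the same replay detectable.

```python
import hashlib, hmac
KEY = b"constructed-toy-key"  # stand-in for the CPU's secret memory-encryption key

def keystream(addr: int) -> bytes:
    # Deterministic per-address pad: same plaintext at the same address gives the same ciphertext.
    return hmac.new(KEY, addr.to_bytes(8, "little"), hashlib.sha256).digest()[:8]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class DeterministicMemory:
    """Encryption only, no freshness check: the model of the weak case."""
    def __init__(self):
        self.dram = {}  # ciphertext; anyone with DRAM-level access can read/write it
    def write(self, addr: int, value: int) -> None:
        self.dram[addr] = xor(value.to_bytes(8, "little"), keystream(addr))
    def read(self, addr: int) -> int:
        return int.from_bytes(xor(self.dram[addr], keystream(addr)), "little")

class FreshnessProtectedMemory(DeterministicMemory):
    """Same cipher, plus a MAC bound to a per-block write counter held in
    CPU-private state (a model of integrity/anti-replay protection)."""
    def __init__(self):
        super().__init__()
        self.counter = {}  # not in DRAM, so the attacker cannot roll it back
    def tag(self, addr: int) -> bytes:
        msg = addr.to_bytes(8, "little") + self.counter[addr].to_bytes(8, "little") + self.dram[addr]
        return hmac.new(KEY, msg, hashlib.sha256).digest()
    def write(self, addr: int, value: int) -> None:
        self.counter[addr] = self.counter.get(addr, 0) + 1
        super().write(addr, value)
        self.dram[("tag", addr)] = self.tag(addr)  # tag lives in DRAM, counter does not
    def read(self, addr: int) -> int:
        if not hmac.compare_digest(self.dram[("tag", addr)], self.tag(addr)):
            raise ValueError("stale or tampered block")
        return super().read(addr)

def replay_balance(memory: DeterministicMemory):
    """Bank-balance scenario from the article: $100 is written, spent down
    to $30, then the old (still encrypted) DRAM bytes are copied back."""
    addr = 0x1000
    memory.write(addr, 100)
    snapshot = dict(memory.dram)  # attacker's copy of the encrypted block (and tag)
    memory.write(addr, 30)
    memory.dram.update(snapshot)  # roll DRAM back; the CPU-private counter stays at 2
    try:
        return memory.read(addr)  # 100 with encryption only: the replay went unnoticed
    except ValueError:
        return None  # replay detected by the freshness check
```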

An attacker needs physical access

The above is a form of replay attack, and would presumably require time and additional software to interact with the encrypted data. That would present practical challenges for any attacker in a large data center environment where monitoring is taken seriously.

However, perhaps the biggest limitation is that any attack would require physical access to the system in which the virtual machine was running. While this is plausible in an insider or rogue-admin scenario, it does reduce the likelihood of an attack compared to a remote or software-only exploit.

Could BadRAM be used against non-AMD systems?

It seems less likely that BadRAM attacks could be used against non-AMD processors, the researchers said. Intel’s Software Guard Extensions (SGX) and Trust Domain Extensions (TDX), and Arm’s upcoming Confidential Compute Architecture (CCA), also use TEEs, but employ countermeasures against memory aliasing attacks.

Nevertheless, according to Van Bulck, in Intel’s case it would depend on the generation of SGX in use. The older SGX, dating back to 2015, could be affected, but the impact would be minimal because of its strong encryption. However, the more recent TDX and SGX trusted-execution technologies could not be compromised, thanks to built-in anti-BadRAM defenses. The impact on Arm’s CCA is as yet unclear. “We think BadRAM should theoretically apply to these upcoming platforms, but they have not yet been publicly released,” Van Bulck said. “We hope CCA platforms will have similar checks in place to detect BadRAM attack attempts at boot time, which may, however, be further complicated by the inherent heterogeneity of the Arm landscape.”

AMD’s BadRAM fix

Revealed to AMD by the researchers in February, the vulnerability is tracked as CVE-2024-21944 and relates specifically to the company’s third- and fourth-generation EPYC enterprise processors. “AMD recommends utilizing memory modules that lock SPD, as well as following physical security best practices,” its advisory states. It has also issued firmware updates, although these will vary with each OEM’s BIOS, it said.

The company said it planned to make mitigation reminders prominent. “There is specific status information that is provided and available for a Host OS/Hypervisor, and also available for a Virtual Machine (Guest) to indicate that the mitigation has been deployed,” it said.

The bottom line

It would be easy to dismiss BadRAM as overblown. It has a fancy name and a memorable logo faintly reminiscent of a disappointed character from Angry Birds.

The counterargument is that this is the sort of basic weakness chip makers should spot without having it pointed out to them. Using a logo and a name that IT teams hear about is one way to get vendors and their customers to fix problems and apply patches in an industry where patches are often put off for another day.

BadRAM is the second significant vulnerability in AMD hardware since the summer. In August, a security vendor released details of “Sinkclose” (CVE-2023-31315), a flaw affecting nearly all AMD EPYC series and Ryzen series CPUs.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3622917/amd-data-center-chips-vulnerable-to-revealing-data-through-badram-attack.html
