Researchers from three European universities recently demonstrated the so-called BadRAM attack. This attack is made possible because of a vulnerability in AMD EPYC processors, and primarily threatens cloud-solution providers and virtualization systems. In the worst-case scenario, the vulnerability could be used to compromise data from highly secure virtual machines.

However, implementing this scenario in practice would be quite difficult. The attack requires physical access to the server, plus the highest level of access to the software. Before discussing the BadRAM attack in detail, we should first understand the concept of a trusted execution environment (TEE).

Features of TEE

Software errors are inevitable. Estimates from as early as the 1990s suggest that there are between one and 20 errors for every thousand lines of code. Some of these errors lead to vulnerabilities that malicious actors can exploit to access confidential information. Therefore, when certain data or computational processes (for example, processing private encryption keys) must be highly secure, it makes sense to isolate this data — or these processes — from the rest of the code. This is the essence of the trusted execution environment concept.

There are numerous TEE implementations designed for various tasks, each varying in the degree of security they provide. In AMD processors, TEE is implemented as Secure Encrypted Virtualization (SEV) — a technology that enhances the protection of virtual machines. It encrypts the data of a virtual system in memory so that other virtual systems — or even the operators of the physical server running these virtual OSs — can’t access it. Secure Nested Paging, a more recent extension of this technology, can detect unauthorized attempts to access virtual system data.

Consider the scenario where a financial institution uses third-party infrastructure to run its virtual systems. These virtual OSs process highly confidential data, and it’s essential to ensure their absolute security. While it’s possible to impose stringent requirements on the provider of the infrastructure, in some cases it’s easier to operate under the assumption that they can’t be fully trusted.

Secure Encrypted Virtualization, just like Intel’s similar Trusted Domain Extensions (TDX) technology, essentially uses a separate processor. Although it’s physically part of the server processor (Intel or AMD), it’s effectively isolated from the main processor cores. By participating in the data encryption process, this isolated module provides an additional layer of security.

Details of the BadRAM attack

Let’s return to the BadRAM attack. It bypasses the Secure Encrypted Virtualization protection and gains access to the encrypted data of a virtual system in such a way that the Secure Nested Paging technology is also unable to detect the breach. This video shows how a “malicious” application on a server can read data from a protected virtual machine running on the same server.

How does it work? The authors of the study used a very unusual attack method — modifying the hardware itself. Every computer has random access memory (RAM). Each memory module contains several chips for storing data, plus one service chip — known as the SPD. This chip announces the presence of the memory module in the system and transmits key parameters (such as the optimal operating frequency of the memory chips and their capacity) to the processor. It was precisely this information about the capacity that the researchers modified.

This is a rather paradoxical attack method. First, the attackers take a 32GB memory module; then, they re-flash the SPD chip, setting its capacity to twice that amount — 64GB. The processor trusts this information and tries to use the memory module as if its capacity was indeed 64GB. Under normal circumstances, this would quickly lead to freezes or other failures: some data blocks would simply overwrite others, and information from various applications would get corrupted. To prevent this, the researchers restricted write-access to the modified memory module for all processes except the target virtual system.

So what does this accomplish? If the processor thinks that the memory capacity is twice as large as it actually is, then each pair of virtual addresses maps to only one physical memory cell. This allows a scenario where a real memory area is simultaneously used by a protected virtual OS — and accessible to another, malicious, application. The latter won’t write to the memory cells, but can read what the virtual OS writes to them. This is precisely the scenario that AMD’s SEV technology is designed to prevent, but in this case it proves ineffective — both memory access protection and encryption are bypassed.

We’re glossing over many important details of the study, but the main takeaway is that this malicious memory module creates a situation where the supposedly highly-secure data of a virtual machine becomes accessible to an external application. Yes, this is an extremely complex attack — requiring physical access to the server in addition to “hacking” the server’s software to gain the highest access privileges. However, compare this to a previous study, where a similar result was achieved using an extremely expensive ($170,000) hardware device that intercepted data transmission between the processor and the memory module in real time.

In the BadRAM attack, the SPD chip is modified using a simple kit consisting of a microcomputer and readily available software costing around $10 in total. After modification, physical access to the server is no longer required, and all subsequent attack stages can be carried out remotely. In some memory modules, even remote rewriting of the SPD data may be possible.

Fortunately, the vulnerabilities exploited in this attack have been patched in firmware updates for AMD EPYC 3^rd Gen and 4^th Gen processors. The protection technology now includes a mechanism capable of detecting “malicious” memory modules. By the way, the researchers also tested Intel’s TDX technology, which appears to already have a similar RAM integrity-check in place, making attacks like BadRAM impossible.

The concept of a trusted execution environment is designed for work in highly hostile environments. We discussed a scenario where the owner of a virtual OS doesn’t trust the hosting provider. Even under such paranoid conditions, avoiding errors remains a significant challenge — as demonstrated by the BadRAM study. The authors generally argue that TEE system developers rely too heavily on the difficulty of extracting data from RAM, and illustrate how even the most sophisticated security systems can be bypassed using relatively simple means.

Kaspersky official blog – ​Read More