
Breaking Down the $50 Battering RAM Attack: Implications for Intel and AMD Cloud Security

A team of researchers from KU Leuven and the University of Birmingham has unveiled a critical vulnerability named Battering RAM that allows bypassing security measures in Intel and AMD cloud processors. The researchers developed a low-cost interposer, costing around $50, which operates discreetly within the memory path of the processor. Initially masquerading as trustworthy hardware during the system’s startup, it can later switch to a malicious mode, redirecting protected memory addresses to locations controlled by an attacker. This functionality opens up avenues for memory corruption and decryption of secured data.

The Battering RAM attack compromises Intel’s Software Guard Extensions (SGX) and AMD’s Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP). These technologies aim to encrypt data in memory and protect it while in use, particularly for confidential computing tasks in public cloud environments. The attack exploits systems utilizing DDR4 memory and primarily focuses on cloud workloads where data is safeguarded by hardware-level memory encryption.

This exploit employs the interposer to manipulate signals between the processor and memory, effectively gaining unauthorized access to sensitive memory regions. On Intel platforms, the attack may allow attackers to read or write plaintext in protected areas, while on AMD systems it can bypass firmware protections previously implemented against the BadRAM vulnerability, thereby facilitating undetected backdoor insertion into virtual machines.

The investigation into Battering RAM indicates that exploiting this vulnerability could enable an unethical cloud service provider or someone with limited physical access to undermine remote attestation, risking the introduction of backdoors into secure workloads. The researchers notified Intel, AMD, and Arm about their findings earlier this year. However, the vendors have deemed physical attacks out of scope for current security measures. Addressing the Battering RAM vulnerability may necessitate significant redesigns of existing memory encryption paradigms, according to the researchers.

Battering RAM sheds light on the systemic limitations of current memory encryption methods used by Intel and AMD, which prioritize larger memory protection sizes over cryptographic freshness checks. By highlighting the ability to dynamically introduce memory aliases during runtime, the attack reveals shortcomings in existing boot-time alias verification processes.
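The gap between a boot-time alias check and a runtime alias, and what a freshness check changes, can be shown with a simplified software model. This is an added illustration, not code from the researchers or from any vendor implementation; the class and function names, the toy HMAC-based keystream, the addresses and the sample values are all assumptions constructed for the example.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed value; stands in for the CPU memory key

def _pad(addr, version=0):  # toy address/version-tweaked keystream, not a real cipher
    return hmac.new(KEY, f"{addr}:{version}".encode(), hashlib.sha256).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Dram:
    """Untrusted DRAM; `alias` models an interposer remapping a CPU address."""
    def __init__(self):
        self.cells, self.alias = {}, {}
    def store(self, addr, blob):
        self.cells[self.alias.get(addr, addr)] = blob
    def load(self, addr):
        return self.cells.get(self.alias.get(addr, addr))

def boot_alias_check(dram, addrs):
    """Write a unique marker per address, then confirm no two addresses collided."""
    for a in addrs:
        dram.store(a, b"marker-%d" % a)
    return all(dram.load(a) == b"marker-%d" % a for a in addrs)

class EncryptedMemory:
    """fresh=False: address-bound cipher and MAC only; fresh=True: adds an on-die version."""
    def __init__(self, dram, fresh):
        self.dram, self.fresh, self.version = dram, fresh, {}
    def _tag(self, addr, ct):
        msg = b"%d:%d:" % (addr, self.version.get(addr, 0)) + ct
        return hmac.new(KEY, msg, hashlib.sha256).digest()
    def write(self, addr, pt):
        if self.fresh:  # counter lives inside the CPU package, out of the interposer's reach
            self.version[addr] = self.version.get(addr, 0) + 1
        ct = _xor(pt, _pad(addr, self.version.get(addr, 0)))
        self.dram.store(addr, (ct, self._tag(addr, ct)))
    def read(self, addr):
        ct, tag = self.dram.load(addr)
        if not hmac.compare_digest(tag, self._tag(addr, ct)):
            raise ValueError("stale ciphertext at %#x" % addr)
        return _xor(ct, _pad(addr, self.version.get(addr, 0)))

def stale_read_after_runtime_alias(mem, addr=0x1000, spare=0x9000):
    mem.write(addr, b"balance=100")
    mem.dram.alias[addr] = spare     # alias appears only after the boot check has run
    mem.write(addr, b"balance=000")  # the update lands in the spare cell
    del mem.dram.alias[addr]         # original cell still holds the old ciphertext
    return mem.read(addr)
```

In this model the boot check catches an alias that exists at boot, the address-bound scheme silently returns the stale value after a runtime alias, and the versioned scheme rejects the read.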

This discovery follows AMD’s recent release of mitigations against attacks named Heracles and Relocate-Vote, which involve data leaks from cloud services reliant on AMD’s SEV-SNP through malicious hypervisors. Researchers have also highlighted emerging vulnerabilities like L1TF Reloaded, which combines prior threats to exploit virtual machine memory.

Google facilitated this research by providing a secure environment for tests and rewarded the findings with a significant bug bounty. Meanwhile, Amazon confirmed that L1TF Reloaded does not compromise data protection for AWS customers when using its Nitro hypervisor infrastructure. Despite advancements in CPU security over the years, variants of vulnerabilities like Spectre still threaten cloud computing environments, continually evolving to exploit gaps in virtualization and isolation mechanisms.

