A group of academics from KU Leuven and the University of Birmingham has demonstrated a new vulnerability called Battering RAM to bypass the latest defenses on Intel and AMD cloud processors.
“We built a simple, $50 interposer that sits quietly in the memory path, behaving transparently during startup and passing all trust checks,” researchers Jesse De Meulemeester, David Oswald, Ingrid Verbauwhede, and Jo Van Bulck said on a website publicizing the findings. “Later, with just a flip of a switch, our interposer turns malicious and silently redirects protected addresses to attacker-controlled locations, allowing corruption or replay of encrypted memory.”
Battering RAM compromises Intel’s Software Guard Extensions (SGX) and AMD’s Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) hardware security features, which ensure that customer data remains encrypted in memory and protected during use.
It affects all systems using DDR4 memory, specifically those relying on confidential computing workloads running in public cloud environments to secure data from the cloud service provider using hardware-level access control and memory encryption.
The attack, in a nutshell, involves leveraging a custom-built, low-cost DDR4 interposer hardware hack to stealthily redirect physical addresses and gain unauthorized access to protected memory regions. The interposer makes use of simple analog switches to actively manipulate signals between the processor and memory, and can be built for less than $50.
On Intel platforms, Battering RAM achieves arbitrary read access to victim plaintext or write plaintext into victim enclaves, whereas on AMD systems, the attack can be used to sidestep recent firmware mitigations against BadRAM, which was documented by the researchers back in December 2024, and introduce arbitrary backdoors into the virtual machine without raising any suspicion.
Successful exploitation of the vulnerability can allow a rogue cloud infrastructure provider or insider with limited physical access to compromise remote attestation and enable the insertion of arbitrary backdoors into protected workloads.
The vulnerability was reported to the vendors earlier this year, following which Intel, AMD, and Arm responded that physical attacks are currently considered out of scope. However, defending against Battering RAM would require a fundamental redesign of memory encryption itself, the researchers noted.
“Battering RAM exposes the fundamental limits of the scalable memory encryption designs currently used by Intel and AMD, which omit cryptographic freshness checks in favor of larger protected memory sizes,” they added. “Battering RAM […] is capable of introducing memory aliases dynamically at runtime. As a result, Battering RAM can circumvent Intel’s and AMD’s boot-time alias checks.”
The disclosure comes as AMD released mitigations for attacks dubbed Heracles and Relocate-Vote disclosed by the University of Toronto and ETH Zürich,…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
