A team of researchers from the Universities of Leuven, Lübeck, and Birmingham has developed a BadRAM attack (CVE-2024-21944) to bypass the attestation mechanism and compromise environments protected by the SEV-SNP extension in AMD CPUs. To perform the attack, with few exceptions, an attacker must have physical access to the memory modules and be able to execute ring-0-level code on a server running protected guest environments.
Background on AMD SEV-SNP
AMD SEV (Secure Encrypted Virtualization) extensions aim to provide guarantees of virtual machine memory integrity, as well as protection from tampering and analysis by a host system administrator capable of executing code at the hypervisor level. Initially, AMD SEV protection was limited to encryption of guest system memory contents and register isolation. However, AMD EPYC processors later implemented the SEV-SNP (Secure Nested Paging) extension, which enables secure work with nested memory page tables, guarantees memory integrity, and prevents the hypervisor from modifying guest system memory.
The AMD SEV-SNP mechanism is designed to ensure that intelligence agencies or personnel at data centers and cloud providers running secure guest systems cannot interfere with the guest system. The BadRAM attack provides a way to bypass these safeguards by modifying the SPD (Serial Presence Detect) metadata in DDR4 or DDR5 memory modules. If successful, the attacker can overwrite encrypted data in the guest system memory (at the ciphertext level, without decrypting it) and bypass the attestation mechanism—for example, to hide the introduction of a backdoor into a virtual machine protected by SEV-SNP technology.
Technical Details of the Attack
The attack is based on setting fictitious memory module parameters in the SPD, forcing the processor to access non-existent addresses mapped to existing memory areas. The attacker adjusts the SPD in such a way that the memory module reports a size larger than its actual capacity. This allows the attacker to map the fictitious non-existent memory to a real DRAM location that is already being used in encrypted form by secure guest systems.
This manipulation results in a situation where different addresses point to the same physical memory (i.e., two areas are mapped to the same DRAM chip). The fictitious mapped memory area can then be used to access real memory already in use, effectively bypassing the CPU’s memory protection mechanisms.
Requirements for the Attack
To perform the attack, all that is needed is a simple programmer costing about $10, consisting of a Raspberry Pi Pico microcontroller, a socket for DDR4/DDR5 modules, and a power supply. The tools used in the attack, including a kernel module and prototype exploits, have been published on GitHub.
For some memory vendors that do not block SPD rewrites, it is possible to perform the attack programmatically without physical access to the server. For instance, Corsair’s RGB-backlit memory modules can be modified programmatically. In fully software-based attacks, the system could be compromised via a malicious BIOS update or sabotage by server administrators in cloud services.
Demonstrated Attacks
Two specific attacks have been demonstrated to validate the method:
-
Ciphertext Replay Attack: When using AMD SEV, memory data is stored in encrypted form. While the attacker cannot decrypt the content, they can read the encrypted data and substitute it with other encrypted content. This attack demonstrates the ability to replay ciphertext.
-
Attestation Bypass Attack: The SEV-SNP attestation mechanism provides cryptographic proof of the integrity of a virtual machine running in a secure environment. An attacker can intercept the attestation report of a legitimate virtual machine and substitute it for a compromised virtual machine, thereby hiding traces of backdoor injection.
Affected Processors and Mitigation
The vulnerability affects the 3rd and 4th generations of AMD’s EPYC series processors, which ship under the codenames Milan, Milan-X, Genoa, Bergamo, Genoa-X, and Siena. To address the vulnerability, AMD has released an SEV firmware update that implements an ALIAS_CHECK mechanism, which prevents the memory manipulation inherent in this attack.
Comparison with Intel and ARM Technologies
Intel’s Scalable SGX and TDX technologies are not vulnerable to this attack because they have necessary checks in place from the start. The older Intel SGX technology, which was deprecated in 2021, is partially vulnerable to the attack (similar to the previously known MemBuster attack). In such cases, an attacker can analyze accesses to encrypted memory to read ciphertext but cannot overwrite it.
ARM’s Confidential Compute Architecture (CCA) extensions have not been tested against this attack.
Additional Vulnerability in AMD SEV-SNP
An additional vulnerability related to AMD SEV-SNP has been reported. This issue exists in AMD’s QEMU emulator fork, which is designed to run virtual machines with SEV-SNP. The vulnerability allows a host environment administrator to gain root access to guest systems through manipulation of ACPI tables. The problem arises because, during a guest system’s boot process, the integrity of the Linux kernel, initial RAM disk, and kernel parameters are checked, but ACPI tables are ignored. This allows specially crafted AML (ACPI Machine Language) code to be exposed by the hypervisor and executed within the guest environment.
It is argued that this issue is not specific to QEMU and is present in all hypervisors and emulators, as the Linux kernel inherently trusts any ACPI data provided by the hypervisor.
References:
In case you have found a mistake in the text, please send a message to the author by selecting the mistake and pressing Ctrl-Enter.
https://techplanet.today/storage/posts/2024/12/14/H6xvak51R0Ho4zYjwWwaS5TTp5HPguHQM1xkIyd7.webp
2024-12-14 02:31:00