BadRAM: Historical side channel undermines confidential computing in the cloud

Servers protect data with complex confidential-computing functions that can be tricked by memory modules carrying a fake configuration.


In principle, both AMD and Intel processors are affected by BadRAM. However, attackers have more options with AMD's Epyc CPUs.

(Image: c't)


A team of European security experts has demonstrated a comparatively simple hack that overrides the super-complicated RAM encryption functions of modern servers. The researchers manipulate the configuration chip of the memory modules, the so-called SPD-EEPROM, a technology that has been in use for around 30 years but is unfortunately often implemented sloppily and insecurely, as is common in the PC industry.

Also typical: the extremely complex functions for setting up Trusted Execution Environments (TEEs) for confidential computing, which were grafted on later and improved repeatedly, do not take sufficient account of the historical substructure, so it can be misused as a side channel for attacks.

BadRAM attacks AMD Secure Encrypted Virtualization - Secure Nested Paging (SEV-SNP) as well as Intel's Software Guard Extensions (SGX) and Trust Domain Extensions (TDX). BadRAM mainly affects AMD Epyc processors, as reported by AMD in Security Bulletin AMD-SB-3015, and carries CVE-2024-21944.

With SGX/TDX, BadRAM only makes it possible to access metadata from write accesses, such as access patterns – but not the data itself. With AMD SEV-SNP, however, BadRAM enables replay attacks with encrypted data as well as the manipulation of remote attestation and thus any changes to a supposedly secure virtual machine (VM).


The BadRAM attack on confidential computing is very complex, and manipulating memory modules requires physical access to the attacked server. However, the concepts of AMD SEV-SNP and Intel SGX/TDX are all about protecting the TEEs even against malicious administrators and proving their trustworthiness through remote attestation. Confidential computing is intended to protect sensitive health data in the electronic patient record (ePA), for example, or passkeys that are created in Google Chrome and synchronized via the cloud. Google uses Project Oak for this, which explicitly relies on AMD SEV-SNP. The ePA specification calls a TEE a "Vertrauenswürdige Ausführungsumgebung" (VAU), German for trusted execution environment.

Due to the growing importance of confidential computing with TEEs, public institutions are also promoting research into their security, for example the German Federal Ministry of Education and Research (BMBF) via "Security on all systems through chains of trust and isolation" (SASVI).

SPD-EEPROM on a DDR4-ECC-RDIMM for servers (marked).

(Image: c’t)

Since the end of the 1990s, memory modules (Dual Inline Memory Modules, DIMMs) have carried a small flash memory chip that contains a kind of digital data sheet. This flash chip, which was connected via I2C up to the DDR4 generation and via I3C from DDR5 onwards, is called Serial Presence Detect Electrically Erasable Programmable Read-Only Memory (SPD-EEPROM) for historical reasons. And the I2C or I3C bus on server mainboards is also known as the System Management Bus (SMBus).

When the server is started, the BIOS (today: the UEFI BIOS) reads the SPD-EEPROMs of all inserted DIMMs to optimally configure the RAM modules. The SPD-EEPROM not only contains information on the clock frequency and latency of the memory chips soldered onto the DIMM, but also on their interconnection (organization) and capacity.

BadRAM manipulates this information in the SPD-EEPROM to trick the system into assuming memory areas that are not physically present (memory aliasing). These "ghost address ranges" of the RAM can then be used for the aforementioned replay attacks, for example.

Among other things, BadRAM highlights the problem that the UEFI BIOS of many servers blindly trusts the information in the SPD-EEPROM of the memory modules. However, the SPD-EEPROM is not particularly well protected, and in particular not by digital signatures.
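The aliasing described above, and a check firmware could run instead of trusting the capacity reported by the SPD, shown as an added example that is not from the article or the BadRAM researchers. It uses a simplified, constructed model: `SimDimm`, `find_undecoded_bits` and `trusted_words` are hypothetical names, and real memory controllers map addresses in more complicated ways.

```python
"""Toy model (constructed): a DIMM whose SPD claims more address bits than
the module decodes, plus a boot-time scan that finds the resulting aliases."""

MARK_A, MARK_B = 0xA5A5A5A5, 0x5A5A5A5A


class SimDimm:
    """Word-addressed DIMM that decodes only `real_bits` address bits."""

    def __init__(self, real_bits):
        self.mask = (1 << real_bits) - 1
        self.cells = {}

    def write(self, addr, value):
        # Address bits above real_bits are not wired, so they are dropped.
        self.cells[addr & self.mask] = value

    def read(self, addr):
        return self.cells.get(addr & self.mask, 0)


def find_undecoded_bits(dimm, spd_claimed_bits):
    """Return the address bits the SPD claims but the DIMM ignores."""
    undecoded = []
    for bit in range(spd_claimed_bits):
        probe = 1 << bit
        saved_base, saved_probe = dimm.read(0), dimm.read(probe)
        dimm.write(0, MARK_A)
        dimm.write(probe, MARK_B)
        if dimm.read(0) != MARK_A:   # write to `probe` landed on address 0
            undecoded.append(bit)
        dimm.write(probe, saved_probe)   # restore original contents
        dimm.write(0, saved_base)
    return undecoded


def trusted_words(dimm, spd_claimed_bits):
    """Capacity firmware should expose: claimed size minus ghost ranges."""
    ghosts = find_undecoded_bits(dimm, spd_claimed_bits)
    return 1 << (spd_claimed_bits - len(ghosts))


if __name__ == "__main__":
    dimm = SimDimm(real_bits=10)          # 1024 real words
    dimm.write(0x005, 1234)
    print("ghost read at 0x405:", dimm.read(0x405))          # same cell as 0x005
    print("undecoded bits, honest SPD:", find_undecoded_bits(dimm, 10))
    print("undecoded bits, inflated SPD:", find_undecoded_bits(dimm, 11))
    print("capacity to trust:", trusted_words(dimm, 11))
```

A non-empty result from `find_undecoded_bits` means the reported capacity contains ghost address ranges and should not be handed to a TEE.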

Although the JEDEC specifications for the SPD-EEPROM provide functions for protection against unauthorized overwriting (write protection), some DIMM manufacturers do not implement these. And even if write protection is implemented, it is comparatively easy to override: the security researchers used a Raspberry Pi or a Raspberry Pi Pico, for example. In principle, the trick has been known for many years.

According to the BadRAM discoverers, the attack can also work without manipulating the SPD EEPROM of a DIMM, namely by changing the BIOS code. However, in the case of server boards used for confidential computing, this code should be protected against manipulation by digital signatures and, if possible, by additional measures such as BootGuard or a security chip.

(ciw)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.