Next, a script developed as part BadRAM allows the attacker to quickly find the memory locations of ghost memory bits. These aliases give the attacker access to memory regions that SEV-SNP is supposed to make inaccessible. This allows the attacker to read and write to these protected memory regions.
Access to this normally fortified region of memory allows the attacker to copy the cryptographic hash SEV-SNP creates to attest to the integrity of the VM. The access also permits the attacker to boot an SEV-compliant VM that has been backdoored. Normally, this malicious VM would trigger a warning in the form of a cryptographic hash. BadRAM allows the attacker to replace this attestation failure hash with the attestation success hash collected earlier.
The primary steps involved in BadRAM attacks are:
- Compromise the memory module to lie about its size and thus trick the CPU into accessing the nonexistent ghost addresses that have been silently mapped to existing memory regions.
- Find aliases. These addresses map to the same DRAM location.
- Bypass CPU Access Control. The aliases allow the attacker to bypass memory protections that are supposed to prevent the reading of and writing to regions storing sensitive data.
Beware of the ghost bit
For those looking for more technical details, Jesse De Meulemeester, who along with Luca Wilke was lead co-author of the paper, provided the following, which more casual readers can skip:
In our attack, there are two addresses that go to the same DRAM location; one is the original address, the other one is what we call the alias.
When we modify the SPD, we double its size. At a low level, this means all memory addresses now appear to have one extra bit. This extra bit is what we call the “ghost” bit, it is the address bit that is used by the CPU, but is not used (thus ignored) by the DIMM. The addresses for which this “ghost” bit is 0 are the original addresses, and the addresses for which this bit is 1 is the “ghost” memory.
This explains how we can access protected data like the launch digest. The launch digest is stored at an address with the ghost bit set to 0, and this address is protected; any attempt to access it is blocked by the CPU. However, if we try to access the same address with the ghost bit set to 1, the CPU treats it as a completely new address and allows access. On the DIMM side, the ghost bit is ignored, so both addresses (with ghost bit 0 or 1) point to the same physical memory location.
A small example to illustrate this:
Original SPD: 4 bit addresses:
CPU: address 1101 -> DIMM: address 1101Modified SPD: Reports 5 bits even though it only has 4:
CPU: address 01101 -> DIMM: address 1101
CPU: address 11101 -> DIMM: address 1101In this case 01101 is the protected address, 11101 is the alias. Even though to the CPU they seem like two different addresses, they go to the same DRAM location.
As noted earlier, some DIMM models don’t lock down the SPD chip, a failure that likely makes software-only modifications possible. Specifically, the researchers found that two DDR4 models made by Corsair contained this flaw.
