
AMD’s trusted execution setting blown vast open by new BadRAM assault



Next, a script developed as part of BadRAM allows the attacker to quickly discover the memory locations of ghost memory bits. These aliases give the attacker access to memory regions that SEV-SNP is supposed to make inaccessible, allowing the attacker to read from and write to those protected memory regions.

Access to this normally fortified region of memory allows the attacker to copy the cryptographic hash SEV-SNP creates to attest to the integrity of the VM. The access also allows the attacker to boot an SEV-compliant VM that has been backdoored. Normally, this malicious VM would trigger a warning in the form of a cryptographic hash. BadRAM allows the attacker to replace this attestation-failure hash with the attestation-success hash collected earlier.

The main steps involved in BadRAM attacks are:

  1. Compromise the memory module so that it lies about its size and thus tricks the CPU into accessing nonexistent ghost addresses that have been silently mapped to existing memory regions.
  2. Find aliases. These are addresses that map to the same DRAM location.
  3. Bypass CPU access control. The aliases allow the attacker to bypass memory protections that are meant to prevent reading from and writing to regions storing sensitive data.

Beware of the ghost bit

For those seeking more technical details, Jesse De Meulemeester, who along with Luca Wilke was lead co-author of the paper, provided the following, which more casual readers can skip:

In our attack, there are two addresses that go to the same DRAM location; one is the original address, the other one is what we call the alias.

When we modify the SPD, we double its size. At a low level, this means all memory addresses now appear to have one extra bit. This extra bit is what we call the “ghost” bit; it's the address bit that is used by the CPU but is not used (thus ignored) by the DIMM. The addresses for which this “ghost” bit is 0 are the original addresses, and the addresses for which this bit is 1 are the “ghost” memory.

This explains how we can access protected data like the launch digest. The launch digest is stored at an address with the ghost bit set to 0, and this address is protected; any attempt to access it is blocked by the CPU. However, if we try to access the same address with the ghost bit set to 1, the CPU treats it as a completely new address and allows access. On the DIMM side, the ghost bit is ignored, so both addresses (with ghost bit 0 or 1) point to the same physical memory location.

A small example to illustrate this:

Original SPD: 4-bit addresses:
CPU: address 1101 -> DIMM: address 1101

Modified SPD: reports 5 bits even though it only has 4:
CPU: address 01101 -> DIMM: address 1101
CPU: address 11101 -> DIMM: address 1101

In this case 01101 is the protected address and 11101 is the alias. Even though to the CPU they look like two different addresses, they go to the same DRAM location.
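The 4-bit/5-bit example above, as an added toy model (not the researchers' code or tooling): the DIMM decodes only `REAL_BITS` address bits while the tampered SPD makes the CPU believe there is one more, so an access-control list keyed on CPU addresses misses the alias, whereas one keyed on the underlying DRAM cell (here `physical_closure`, a name chosen for this example) blocks both addresses. Addresses, the protected set and the stored value 0xAB are constructed.

```python
from typing import Dict, Optional, Set

REAL_BITS = 4                # address bits the DIMM actually decodes (page's 4-bit example)
GHOST_BIT = 1 << REAL_BITS   # the extra bit the doubled SPD makes the CPU believe exists


def dimm_location(cpu_addr: int) -> int:
    """DRAM location the DIMM selects: the ghost bit is simply ignored."""
    return cpu_addr & (GHOST_BIT - 1)


def alias_of(cpu_addr: int) -> int:
    """The other CPU address landing on the same DRAM location (ghost bit flipped)."""
    return cpu_addr ^ GHOST_BIT


def physical_closure(protected: Set[int]) -> Set[int]:
    """Every CPU address that reaches a protected DRAM cell, not only the one the
    protection was keyed on. A check that wants to hold must cover this whole set."""
    closure: Set[int] = set()
    for p in protected:
        base = dimm_location(p)
        closure.update({base, alias_of(base)})
    return closure


class AliasedDimm:
    """Toy DIMM: SPD claims REAL_BITS + 1 bits, hardware decodes REAL_BITS.
    Access control is keyed on CPU addresses, exactly as the CPU sees them."""

    def __init__(self, protected: Set[int]) -> None:
        self.cells = [0] * GHOST_BIT        # only 2**REAL_BITS cells physically exist
        self.protected = set(protected)

    def access(self, cpu_addr: int, value: Optional[int] = None) -> Optional[int]:
        """Return the cell's value, or None when the CPU-side check blocks the access."""
        if cpu_addr in self.protected:
            return None
        loc = dimm_location(cpu_addr)
        if value is not None:
            self.cells[loc] = value
        return self.cells[loc]


def run_model(harden: bool) -> Dict[str, Optional[int]]:
    """Store a constructed 'launch digest' at protected CPU address 0b01101, then read
    it back via that address and via its alias 0b11101 (the page's example)."""
    digest_addr = 0b01101
    protected = physical_closure({digest_addr}) if harden else {digest_addr}
    mem = AliasedDimm(protected)
    mem.cells[dimm_location(digest_addr)] = 0xAB            # constructed sample value
    return {"direct": mem.access(digest_addr),               # None: CPU blocks it
            "alias": mem.access(alias_of(digest_addr))}      # 0xAB unless hardened
```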

As noted earlier, some DIMM models don't lock down the SPD chip, a failure that likely makes software-only modifications possible. Specifically, the researchers found that two DDR4 models made by Corsair contained this flaw.
