Chip makers like Intel and AMD have for years been building security features into their chips, arguing that putting such capabilities in hardware, rather than relying on software-only defenses, increases the protection of servers and other systems.
However, putting security in processors, as the Spectre and Meltdown vulnerabilities that emerged in 2018 illustrated, isn’t foolproof, and various side-channel and other flaws since have further demonstrated that.
European researchers from the University of Lübeck in Germany, the UK’s University of Birmingham, and KU Leuven in Belgium this week poked another hole in hardware security, unveiling an inexpensive way to break a protection in AMD’s latest Epyc data center chips. Targeting a flaw they dubbed “BadRAM,” the researchers outlined a process for bypassing AMD’s SEV-SNP (Secure Encrypted Virtualization-Secure Nested Paging) feature designed to protect memory in virtual machines.
And all a bad actor needs is about $10 worth of cheap hardware.
“We found that tampering with the embedded SPD [serial presence detect] chip on commercial DRAM modules allows attackers to bypass SEV protections – including AMD’s latest SEV-SNP version,” they wrote. “For less than $10 in off-the-shelf equipment, we can trick the processor into allowing access to encrypted memory. We build on this BadRAM attack primitive to completely compromise the AMD SEV ecosystem, faking remote attestation reports and inserting backdoors into any SEV-protected VM.”
That said, the researchers worked with AMD to mitigate the BadRAM vulnerability, with the chip maker issuing firmware updates to securely validate memory configurations when the chip boots. Organizations are urged to update the processor’s firmware.
In AMD’s chips, SEV enables the encryption of a VM’s memory by using a unique key to protect against unauthorized access to sensitive data in the virtual machine, even via the hypervisor. It’s aimed in particular at systems used in cloud environments, in which multiple VMs can share a host system.
Earlier this year, the chip maker introduced an added protection – SNP – to its 3rd Gen Epyc processors. SNP adds another layer of protection by preventing hypervisor-based attacks that could tamper with the memory in a VM and the data it holds.
“AMD SEV technology encrypts virtual machine memory to ensure data security,” the vendor wrote in a document in June detailing the introduction of SNP, which was created in conjunction with Google Cloud. “AMD SEV-SNP builds on this by adding memory integrity protections, enhancing the overall security posture. These technologies together deliver robust performance for demanding computational tasks, ensuring both security and efficiency.”
According to the researchers, the SPD chip – a component on a RAM module that stores information like the module’s speed and capacity – can be relatively easily modified using a “low-cost, off-the-shelf microcontroller.” In this case, they used a Raspberry Pi Pico, which costs about $10.
They outlined a three-step process for exploiting the vulnerability, starting with compromising the memory module by making the module intentionally lie about its size. This tricks the CPU into “accessing nonexistent ‘ghost’ addresses that are silently mapped to existing memory regions,” they wrote.
This leads to two CPU addresses mapping to the same DRAM location, which the researchers found within minutes using their Raspberry Pi Pico.
“Through these aliases, attackers can bypass CPU memory protections, exposing sensitive data or causing disruptions,” they wrote.
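The aliasing described above can be modelled in a few lines. The following C sketch is an added example, not code from the researchers or AMD: it simulates a module whose reported size exceeds its real address width and shows the kind of write-and-read-back check a boot-time validation could use to reject such a configuration. `REAL_BITS`, `struct dimm`, and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not real hardware: the module has REAL_BITS address
 * lines, and any higher address bit is silently dropped, so a "ghost"
 * address lands on an existing cell. Real DRAM address mapping and CPU
 * caches are more involved than this. */
#define REAL_BITS 16u
static uint8_t cells[1u << REAL_BITS];

struct dimm { unsigned claimed_bits; };  /* address width reported by SPD */

static uint8_t *cell(uint32_t addr) { return &cells[addr & ((1u << REAL_BITS) - 1u)]; }
void mem_write(uint32_t addr, uint8_t v) { *cell(addr) = v; }
uint8_t mem_read(uint32_t addr) { return *cell(addr); }

/* Probe each claimed address bit: write one pattern at address 0 and a
 * different one at (1 << bit). If address 0 changed, both addresses share
 * a cell. Returns the first aliasing bit, or -1 if none. */
int find_alias_bit(const struct dimm *d)
{
    for (unsigned bit = 0; bit < d->claimed_bits; bit++) {
        uint32_t probe = 1u << bit;
        uint8_t saved_base = mem_read(0), saved_probe = mem_read(probe);
        mem_write(0, 0x55);
        mem_write(probe, 0xAA);
        int aliased = (mem_read(0) != 0x55);
        mem_write(probe, saved_probe);   /* restore original contents */
        mem_write(0, saved_base);
        if (aliased)
            return (int)bit;
    }
    return -1;
}

/* Boot-time policy: accept the reported size only if no alias is found. */
int config_is_valid(const struct dimm *d) { return find_alias_bit(d) == -1; }

int main(void)
{
    struct dimm honest = { REAL_BITS }, tampered = { REAL_BITS + 1u };
    printf("honest module:   %s\n", config_is_valid(&honest) ? "accept" : "reject");
    printf("tampered module: %s (alias bit %d)\n",
           config_is_valid(&tampered) ? "accept" : "reject", find_alias_bit(&tampered));
    return 0;
}
```

In this model the tampered module claims one address bit more than it has, so the probe at that bit overwrites address 0 and the configuration is rejected.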
To exploit BadRAM, hackers need access to the SPD chip on the DIMM to modify the contents. The chip can be exposed through insider threats in the cloud environment or via software-based attacks that exploit DRAM in which the SPD chip isn’t properly locked and is left intentionally unlocked in the BIOS by the manufacturer to support features like RGB light for gaming situations.
“If SPD is not securely locked, attackers with root privileges could launch BadRAM attacks entirely through software, without physical access,” the researchers wrote. “Furthermore, since memory initialization is handled by the BIOS, a compromised BIOS could also enable BadRAM exploits.”
The security flaw can be exploited on systems within an on-premises data center, though they wrote that it’s primarily relevant “in a cloud scenario with TEEs [Trusted Execution Environments], where you inherently may not trust the cloud providers owning the systems.”