

# BadRAM: Practical Memory Aliasing Attacks on Trusted Execution Environments

Jesse De Meulemeester\*1, Luca Wilke\*2, David Oswald3, Thomas Eisenbarth2, Ingrid Verbauwhede1, and Jo Van Bulck1













### Memory isolation in TEEs





- TEEs ensure isolation from hypervisor
- Isolation requires **physical address checks**

## Aliasing via malicious DIMM configuration **CPU** DIMM DIMM **Physical DRAM** DRAM **Address Space Address Space Address Space** BIOS configures memory controller Malicious SPD contents introduces aliases

### A \$10 hack that erodes trust in the cloud



\$2 socket



- Low-cost setup for DDR4 and DDR5 DIMMs
- **Open-source** practical SPD tools

#### **Breaking AMD SEV-SNP Guest Owner** HV SP Launch 🐷 Request **(2**) **Encrypt** Image A Image B Image B 3 IdBlock Hash(A) Guest Context SP Replay Set to Hash(B) LD: Hash(A) LD: Hash(A) Finalize VM Abort if LD != IdBlock Mark VM "secure" **Static encryption** enables ciphertext replay **E2E attack** breaking SEV-SNP's attestation

#### DRAM trust in TEEs

| TEE          | Encryption        | Guarantees      |           |           |
|--------------|-------------------|-----------------|-----------|-----------|
|              |                   | Confidentiality | Integrity | Freshness |
| Classic SGX  | AES-CTR           | <b>✓</b>        | <b>✓</b>  | <b>✓</b>  |
| Scalable SGX | AEX-XTS           | <b>✓</b>        | X         | X         |
| TDX          | AES-XTS           | <b>✓</b>        | <b>✓</b>  | X         |
| SEV-SNP      | AES-XEC           | <b>✓</b>        | X         | X         |
| CCA          | AES-XEX/<br>QARMA | ✓               | X         | X         |



- Scalable TEEs forgo strong crypto
- Need for additional aliasing mitigations







