BadRAM Breaks AMD’s SEV-SNP Trusted Execution Protection

This Will Be An Exploit To Remember

Today’s bad news comes from researchers at KU Leuven, the University of Lübeck, and the University of Birmingham and it concerns anyone running an EPYC processor.  They have discovered a very cheap way to break the protection offered by AMD’s SEV-SNP and have dubbed it BadRAM.  They’ve found a way to use either a $10 piece of hardware, or in some cases, software only, to cause DDR4 or DDR5 memory modules to misreport during bootup the amount of memory capacity they have.  Once that memory has been segregated it is used to suppress the cryptographic hash SEV-SNP uses to report if a virtual machine has been compromised.

While the fact you need physical access to the EPYC based system is relatively good news, this attack is aimed at cloud service providers.  If someone manages to get access to their banks of servers there is no telling how many systems could be compromised nor which sites would be affected.   Intel’s Scalable SGX and TDX processors are not vulnerable to BadRAM and at this time ARM based servers have not been tested.

If you want more technical details about BadRAM than the article at Ars Technica covers you can go straight to the source.