When Memory Lies: Breaching Processor Security via Rogue Memory Modules

Abstract

Trusted Execution Environments (TEEs) such as AMD SEV-SNP, Intel SGX, and Intel TDX are critical to securing sensitive data in cloud computing, promising protections even against hardware attackers. However, recent scalable designs have loosened the robustness of their memory encryption to support larger protected memory sizes. These reduced guarantees necessitate strong access control to prevent vulnerabilities stemming from the static encryption. Our research has shown that an incorrect memory controller configuration could bypass these checks, re-enabling these attacks. In this talk, we will present BadRAM, a novel attack that exploits the memory initialization by modifying the Serial Presence Detect (SPD) chip in common DDR4 and DDR5 memory modules. Using a low-cost, practical setup, we show how the memory controller can be tricked into creating ghost memory regions that alias with protected ranges. We then demonstrate how this memory aliasing can bypass TEE protections, leading to critical vulnerabilities in AMD SEV-SNP, including the ability to corrupt or replay ciphertext, and even fully compromise their attestation feature. We will also explore the broader impact of memory aliasing on other TEEs, including write-pattern leakage in classical SGX and the robust countermeasures deployed by Scalable SGX and TDX. Finally, we will discuss mitigations, such as alias checking and the adoption of cryptographically strong memory protection, and compare the current mitigations in SEV-SNP, Scalable SGX, and TDX. In this talk, we will highlight the critical need for robust defenses against physical and software-level attacks on DRAM, as well as reevaluate trust assumptions in scalable TEE designs.