AMD secure VM tech undone by DRAM meddling

Researchers have found that the security mechanism AMD uses to protect virtual machine memory can be bypassed with $10 of hardware – and perhaps not even that. AMD Secure Encrypted Virtualization (SEV) is designed to provide a Trusted Execution Environment (TEE) that safeguards computation and memory, along the lines of …

  1. John Smith 19 Gold badge

    So the DRAM module is not decoding some of the bits it should

    mapping the same data (in principle) to two separate locations, one of which could be rewritten, and its data substituted for the real thing?

    Leaving the chip that secures the contents of DIMM modules writeable seems very insecure.

    1. DS999 Silver badge

      Re: So the DRAM module is not decoding some of the bits it should

      It has to be writable because they are writing during manufacture by testing DIMMs and setting the speeds/timings that it qualifies for.

      Even if they did it "right" by using fuses that are blown and can't be unblown it might be possible to increase the RAM size by blowing an unblown fuse depending on how it is encoded. What they need is a fuse that when blown prevents further writes. They probably don't have one (or at least all DIMM brands don't have one) because no one ever thought that SPD could be leveraged for an attack.

      According to Wikipedia JEDEC requires a 128 bit EEPROM for this. So you'd have to put a fuse in front of it to block further writes, or have some other way to disable reprogramming the EEPROM.

      1. John Smith 19 Gold badge

        "because no one ever thought that SPD could be leveraged for an attack."

        Because it wasn't

        And now it is.

        A golden rule of this stuff is "Walk through everything and how it is normally done. Now what are the consequences of that? And then what are the consequences of not doing it?"

        BTW the "Unblown fuse" allowing readback of the source code to set top boxes in the cable TV industry enabled hacking of Sky services.

        Everything is old. Everything is new. Or rather old-but-a-bit-different.

      2. Snake Silver badge

        Re: blown fuses and write protection

        From an absolute sense, according to the article, all that doesn't really matter. If DDR3 can be bypassed by swapping out the SPD chip then the same attack can be done for DDR4 and DDR5 as well. Of course it means powering down the hardware to do the swap of modified memory but once they are really determined, and have access at hardware level, it's (pretty much always been) game over.

  2. DS999 Silver badge

    Seems like that would be easy to detect

    EFI/BIOS just needs to write a few patterns to different chunks of memory, then read them back. If it is getting the pattern for one region back for another (because SPD is lying about the DIMM size) it would halt with an error.

    1. druck Silver badge

      Re: Seems like that would be easy to detect

      There is a lot of memory these days, especially in servers hosting virtual machines. It would be back to the days of the POST check taking an hour.

      1. DS999 Silver badge

        Re: Seems like that would be easy to detect

        It doesn't need to check every address. Checking one word every GB or so would be just fine with the size of modern DIMMs, especially in servers. Write 0x00000001 in the first GB, x...2 in the second and so on then go back and read those values back. If someone is using this SPD attack then you will see the wrong number written in some of those slots. This would take no more than a millisecond for even the most memory dense servers out there.
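The strided marker check proposed in the comment above, as an added example that is not part of the original thread and not taken from any firmware. It runs against a constructed in-memory model of a DIMM whose SPD over-reports its size; the `dimm` struct, the wrap-around aliasing model, `run_check` and the scaled-down sizes (1024 words standing in for 1 GB) are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a DIMM whose SPD over-reports its size: only
 * real_words cells exist, and addresses beyond that wrap onto them. */
struct dimm {
    uint32_t *cells;
    size_t real_words;      /* cells physically present */
    size_t reported_words;  /* size the SPD claims */
};

static void dimm_write(struct dimm *d, size_t addr, uint32_t v) {
    d->cells[addr % d->real_words] = v;
}

static uint32_t dimm_read(const struct dimm *d, size_t addr) {
    return d->cells[addr % d->real_words];
}

/* Write marker i+1 at every stride-th word of the reported range, then read
 * all markers back. Returns how many slots no longer hold their own marker. */
size_t alias_check(struct dimm *d, size_t stride) {
    size_t slots = d->reported_words / stride, bad = 0;
    for (size_t i = 0; i < slots; i++)
        dimm_write(d, i * stride, (uint32_t)(i + 1));
    for (size_t i = 0; i < slots; i++)
        if (dimm_read(d, i * stride) != (uint32_t)(i + 1))
            bad++;
    return bad;
}

/* Hypothetical helper: build a simulated module and run the check on it. */
size_t run_check(size_t real_words, size_t reported_words, size_t stride) {
    struct dimm d = { calloc(real_words, sizeof(uint32_t)), real_words, reported_words };
    if (!d.cells)
        return (size_t)-1;
    size_t bad = alias_check(&d, stride);
    free(d.cells);
    return bad;
}

int main(void) {
    /* 1024 words stands in for the "one word every GB" stride. */
    printf("honest SPD:  %zu bad slots\n", run_check(8192, 8192, 1024));
    printf("doubled SPD: %zu bad slots\n", run_check(8192, 16384, 1024));
    return 0;
}
```

In this model the markers only collide when the stride divides the real module size: a stride of 3000 words against the same doubled SPD reports zero bad slots, so a power-of-two stride is the safe choice.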

  3. phuzz Silver badge

    Not to belittle the research here, but if someone has enough access to a computer to be probing the RAM, then there's a lot of other, easier, ways of gaining access.

    Doing it remotely is a different matter, I do wonder if the two Corsair modules they found with an unlocked SPD were from their gaming line, because afaik they don't make RAM for servers.

    1. captain veg Silver badge

      From the article:

      commonly used by cloud service providers to ensure that those with access to datacenter hardware cannot siphon secrets from tenant virtual machines

      The answer, to state the bleedin' obvious, is simply not putting sensitive stuff in the cloud, also known as someone else's servers.

      -A.

  4. Anonymous Coward

    The other way could potentially work too.

    I'm not sure how RAS and CAS based addressing would affect this, or whether that's a thing on the DIMM bus, but maybe...

    If you grounded the highest address line to a DIMM, it would report its real size, but data written to one half would also be duplicated to addresses in the other half. Maybe you'd only need to cut the address line and let it float up or down, as long as it stayed either high or low the same thing would happen. If it varied, things would go horribly wrong quite quickly.
