Security Highlight: DRAM Interposer Attacks on Confidential Computing
For nearly a decade, confidential computing has promised to protect sensitive cloud workloads even from the infrastructure that runs them. Trusted execution environments (TEEs) such as Intel SGX and AMD SEV-SNP encrypt a workload's memory as it leaves the processor, so that neither a malicious hypervisor nor a platform administrator can read it. Yet the threat models for confidential computing have always excluded physical attacks on the machine itself.
Two recent research efforts—WireTap (Georgia Tech and Purdue) and Battering RAM (KU Leuven and Birmingham)—show that low-cost physical attacks can compromise confidential computing. Using interposers costing $50–$1,000, the teams tapped or tampered with the DDR4 memory bus to defeat both confidentiality and attestation. These attacks do not rely on software bugs or exotic lab setups; they exploit assumptions baked into modern memory encryption.
Two Attacks, One Problem
With WireTap, the researchers insert a passive DDR4 interposer between the CPU and DRAM on an Intel Scalable SGX system and capture the encrypted traffic with a logic analyzer, after slowing the memory bus to 1,333 MT/s so that affordable capture hardware can keep up. Because Scalable SGX memory encryption is deterministic (the same plaintext at the same physical address always yields the same ciphertext), they build a ciphertext-to-plaintext dictionary by writing known values and observing how each appears on the bus. With that mapping they extract the ECDSA attestation key held by the platform's Quoting Enclave (QE), the key that signs attestation quotes, and then forge quotes indistinguishable from those of a genuine enclave. The entire setup costs about $1,000.
Battering RAM takes a more hands-on approach. Built for under $50, its interposer does not merely observe the memory bus but rewires it. Under the control of a microcontroller, the board grounds a pair of DDR4 row-address lines (A11 and A13) at runtime, so that two different physical addresses resolve to the same DRAM cell. Because the alias can be switched on after boot, when the platform's one-time alias checks have already run, an attacker can replay or inject ciphertext between memory regions at will. The result: arbitrary plaintext reads and writes of SGX enclave memory, and falsified attestation for AMD SEV-SNP virtual machines.
How the Bus Betrays the Chip
Both attacks exploit the same blind spot: memory encryption without integrity or freshness protection. In scalable TEEs the encryption engine must keep pace with hundreds of gigabytes per second of memory traffic, so vendors chose deterministic AES-XTS with a single platform key and the physical address as the only tweak. The same plaintext written to the same address therefore always produces the same ciphertext; there is no per-write randomization, and no MAC tag that would let the CPU notice a modified or replayed block.
In WireTap, this determinism turns the encryption into a predictable codebook. The attacker writes controlled plaintexts to an address, captures each resulting ciphertext on the interposer, and from then on can read any ciphertext at that address whose plaintext appears in the dictionary, without ever touching the key. The researchers used this to recover the QE's attestation key. Once that key is exposed, remote attestation collapses, because the attacker can sign a valid-looking quote for any enclave measurement on that platform.
Battering RAM exploits the other half of the problem: the absence of integrity and freshness. By grounding address lines on the DRAM bus, the interposer silently changes which cell a given address reaches, so ciphertext can be read out of or written into a protected region through an alias. Because the encryption engine never checks that the block it fetches is the one it last wrote to that address, the processor decrypts and uses whatever the interposer put there. The researchers used this to replay previously captured ciphertext from a trusted enclave into a new enclave they controlled, recovering the victim's plaintext. They also broke SEV-SNP attestation by capturing the encrypted launch digest of a legitimate VM and replaying it during a malicious VM's launch; the secure processor, seeing a valid decrypted hash, attested the backdoored VM as genuine.
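To make the two failure modes concrete, here is a small executable model, added to this page and not taken from either research team. A toy deterministic block cipher (a Feistel network over HMAC-SHA256, tweaked by the physical address in XEX style) stands in for the AES-XTS engine; a DRAM model lets address lines be grounded the way the Battering RAM interposer does; `wiretap_dictionary` runs the codebook attack from the WireTap description above, and `battering_ram_replay` the capture-and-replay from the Battering RAM description. `AuthenticatedMemory` shows what a MAC checked on every load would catch. The addresses, the candidate values, the "digest" strings and the use of bits 11 and 13 as A11/A13 are constructed for the example, and the attacker's raw read/write path to DRAM through the alias is a simplification of what the real interposer provides.

```python
import hashlib
import hmac

BLOCK = 16                   # one 128-bit block, the unit AES-XTS encrypts
A11, A13 = 1 << 11, 1 << 13  # the two address lines the text says get grounded (toy bit positions)

def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class TweakedBlockCipher:
    """Stand-in for AES-XTS: deterministic XEX mode with the physical address as tweak.
    Four HMAC-SHA256 Feistel rounds replace AES so this runs on the stdlib; toy only."""
    def __init__(self, key: bytes):
        self.key = key
    def _feistel(self, block: bytes, encrypt: bool) -> bytes:
        left, right = block[:8], block[8:]
        for r in (range(4) if encrypt else range(3, -1, -1)):
            if encrypt:
                left, right = right, _xor(left, _prf(self.key, b"round", bytes([r]) + right)[:8])
            else:
                left, right = _xor(right, _prf(self.key, b"round", bytes([r]) + left)[:8]), left
        return left + right
    def encrypt(self, addr: int, pt: bytes) -> bytes:
        t = _prf(self.key, b"tweak", addr.to_bytes(8, "little"))[:BLOCK]   # address-derived tweak
        return _xor(self._feistel(_xor(pt, t), True), t)
    def decrypt(self, addr: int, ct: bytes) -> bytes:
        t = _prf(self.key, b"tweak", addr.to_bytes(8, "little"))[:BLOCK]
        return _xor(self._feistel(_xor(ct, t), False), t)

class Dram:
    """Cells indexed by the address that reaches the DIMM; `grounded` is the mask of lines the
    interposer holds low, so addresses differing only in those bits share one cell."""
    def __init__(self):
        self.cells, self.grounded = {}, 0
    def read(self, addr: int) -> bytes:
        return self.cells.get(addr & ~self.grounded, bytes(BLOCK))
    def write(self, addr: int, data: bytes) -> None:
        self.cells[addr & ~self.grounded] = data

class EncryptedMemory:
    """CPU-side engine as the text describes it: encrypt on store, decrypt on load, no MAC."""
    def __init__(self, dram: Dram, key: bytes):
        self.dram, self.cipher = dram, TweakedBlockCipher(key)
    def store(self, addr: int, pt: bytes) -> None:
        self.dram.write(addr, self.cipher.encrypt(addr, pt))
    def load(self, addr: int) -> bytes:
        return self.cipher.decrypt(addr, self.dram.read(addr))

class AuthenticatedMemory(EncryptedMemory):
    """Illustrative fix (not a model of TDX): a MAC over (address, ciphertext) for the latest
    write is kept on-chip, beyond the interposer's reach, and checked on every load."""
    def __init__(self, dram: Dram, key: bytes):
        super().__init__(dram, key)
        self.tags = {}
    def _tag(self, addr: int, ct: bytes) -> bytes:
        return _prf(self.cipher.key, b"mac", addr.to_bytes(8, "little") + ct)
    def store(self, addr: int, pt: bytes) -> None:
        ct = self.cipher.encrypt(addr, pt)
        self.tags[addr] = self._tag(addr, ct)      # refreshed on every write
        self.dram.write(addr, ct)
    def load(self, addr: int) -> bytes:
        ct = self.dram.read(addr)
        if hmac.compare_digest(self.tags.get(addr, b""), self._tag(addr, ct)):
            return self.cipher.decrypt(addr, ct)
        raise ValueError(f"integrity failure: stale or modified block at {addr:#x}")

def wiretap_dictionary(mem: EncryptedMemory, addr: int, candidates, victim_secret: bytes):
    """WireTap: the passive tap sees only ciphertext, but the attacker can store each candidate at
    `addr` from memory it controls, record the bus ciphertext, and match the victim's block later."""
    codebook = {}
    for pt in candidates:
        mem.store(addr, pt)
        codebook[mem.dram.read(addr)] = pt       # what the logic analyzer captures
    mem.store(addr, victim_secret)                # the victim's later write (simulated)
    return codebook.get(mem.dram.read(addr))      # plain lookup; no key material involved

def battering_ram_replay(mem: EncryptedMemory, victim_addr: int) -> bytes:
    """Battering RAM: with A11/A13 grounded, attacker address `alias` lands on the victim's cell.
    The attacker's raw path (simplified to direct DRAM access) copies the ciphertext out and later
    writes it back over the victim's newer block. Returns what the victim then decrypts."""
    dram, alias = mem.dram, victim_addr | A11 | A13
    mem.store(victim_addr, b"digest: trusted ")    # victim's first value (constructed)
    dram.grounded = A11 | A13                      # microcontroller grounds the lines
    stale = dram.read(alias)                       # raw ciphertext of the victim's cell
    dram.grounded = 0
    mem.store(victim_addr, b"digest: updated ")    # victim moves on
    dram.grounded = A11 | A13
    dram.write(alias, stale)                       # replay; the engine cannot tell it is old
    dram.grounded = 0
    return mem.load(victim_addr)

def replay_detected(key: bytes) -> bool:
    """The same replay against the authenticated engine; True if the MAC check fires."""
    try:
        battering_ram_replay(AuthenticatedMemory(Dram(), key), 0x1000)
    except ValueError:
        return True
    return False
```

Two things the model shows that the prose alone does not. First, the dictionary needs no key material, only ciphertext observed at the same address, which is why determinism by itself is fatal. Second, the address tweak is no defence against replay: the stale block is decrypted at the very address it was encrypted for, so it comes back as valid plaintext, whereas loading the same cell through the alias address yields garbage. The attacker therefore keeps the CPU address fixed and moves only the DRAM cell. The on-chip MAC catches the replay at once; a real engine has to store and protect such metadata off-die, which is the bandwidth cost the vendors chose to avoid.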
In both cases, the encryption hardware does exactly what designers intended—while assuming the physical wires between CPU and RAM were honest.
Who’s at Risk and What Can Be Done
These weaknesses affect Intel Scalable SGX and AMD SEV-SNP on DDR4 systems. They do not directly apply to DDR5 platforms or to Intel TDX, which uses the newer TME-MK (Total Memory Encryption, Multi-Key) engine with an optional integrity mode. The researchers behind both attacks noted that they could not test TDX, since TDX systems use DDR5 and their interposers support only DDR4; Intel states that the integrity mode mitigates the underlying flaw. Read that distinction carefully: DDR5 makes the bus harder to tap with the hardware the teams used, but it does not by itself change the encryption mode. Only integrity protection addresses the flaw the papers describe.
A leaked attestation key has a broad impact even though keys are diversified. Each SGX platform's QE holds its own ECDSA attestation key (the DCAP scheme), so a single leak compromises only that CPU's attestation identity. However, a remote verifier sees only that a quote carries a valid signature under a key that Intel's certificate chain vouches for; it has no way to tell that the key was pulled off a memory bus, so quotes forged on the compromised platform are accepted exactly like genuine ones. This turns a single physical attack into a BORE attack (Break Once, Run Everywhere): one attack outside of the threat model can undermine all scalable SGX
The Assumption That Broke the Model
WireTap and Battering RAM force an acknowledgment: confidential computing has long excluded physical attacks from its threat model. That boundary made sense when bus snooping required million-dollar equipment; it fails when graduate students can build a working interposer on a small budget and a single tapped machine yields a BORE attack. The lesson for engineers is simple: encryption without integrity is not protection.