A team of academics from KU Leuven and the University of Birmingham has revealed a low-cost hardware attack—called Battering RAM—that can bypass modern memory-encryption protections on Intel and AMD cloud processors. The attack relies on a tiny, inexpensive DDR4 interposer (the researchers say it can be built for about $50) that sits between CPU and memory and, when flipped into a malicious mode, stealthily manipulates physical memory addresses to read or corrupt protected memory.
What is Battering RAM?
Battering RAM uses a custom-built DDR4 interposer placed inline in the memory channel. During boot it behaves normally and passes trust checks; later it can be switched to a malicious state where it:
- Redirects physical addresses to attacker-controlled locations,
- Corrupts or replays encrypted memory contents, and
- Circumvents boot-time alias checks used by platform protections.
Because the interposer operates at the memory signal level—with simple analog switches—it can be cheap, small, and hard to detect with software-only checks.
Targets and Impact
The attack impacts systems using DDR4 memory that rely on hardware-based memory encryption for confidential computing:
- Intel SGX (Software Guard Extensions): Battering RAM can enable arbitrary reads of plaintext or writes into SGX enclaves.
- AMD SEV-SNP (Secure Encrypted Virtualization with Secure Nested Paging): The interposer can bypass firmware mitigations and insert backdoors or tamper with guest memory without raising alarms.
In practical terms, a malicious cloud provider or an insider with limited physical access could use this technique to subvert remote attestation and compromise the confidentiality/integrity of protected workloads.
How the Attack Works (High Level)
- A DDR4 interposer is inserted in the DIMM slot path (or otherwise placed in the memory signal path).
- On startup it appears benign—passing checks and remaining unnoticed.
- When activated, the interposer dynamically aliases physical addresses, redirecting memory reads/writes to attacker-controlled locations.
Because common scalable memory-encryption designs omit cryptographic freshness checks (a trade-off made to support large protected memory regions), an attacker can replay or swap encrypted blocks without detection, enabling exfiltration from, or tampering with, memory that is supposedly protected by encryption.
Why Current Defenses Fall Short
The researchers argue that modern memory encryption schemes traded cryptographic freshness for scale. They typically focus on encrypting memory contents but do not cryptographically tie location or freshness to detect dynamic aliasing.
Battering RAM exploits this gap: by changing which physical addresses map to which encrypted blocks at runtime, it creates aliases that defeat boot-time checks and encryption-only protections.
Vendors (Intel, AMD, Arm) reportedly consider physical attacks as out-of-scope for current threat models, which means defending against Battering RAM would require substantial redesigns of memory-encryption architectures—potentially including cryptographic freshness or integrity mechanisms that protect address-to-data bindings.
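The two preceding sections make a cryptographic claim: encryption that is tweaked by location but carries no freshness or integrity metadata cannot tell a replayed ciphertext from a current one. The following toy model, added here as an illustration and not code from the researchers or from any vendor, shows that property directly. It is a simulation: the SHA-256-based keystream stands in for a real block cipher, the DRAM is a dictionary, and the "interposer" is a function that snapshots and restores a cell. `EncryptedOnlyMemory` models encryption without freshness; `FreshnessProtectedMemory` adds a per-block version counter held in trusted state plus a MAC over (address, version, ciphertext), which is one of the integrity/freshness mechanisms the text says a fix would require. Key, addresses and values are constructed for the demo.

```python
"""Toy model: encryption without freshness vs. with a version counter and MAC.

Constructed illustration. The SHA-256 keystream is a stand-in for an
address-tweaked block cipher; nothing here is a real memory-encryption engine.
"""
import hashlib
import hmac

BLOCK = 16
DEMO_KEY = b"constructed-demo-key"  # constructed sample key, not a platform key


def _pad(key: bytes, *tweaks: int) -> bytes:
    # Deterministic keystream: same key and tweaks always give the same pad.
    material = key + b"".join(t.to_bytes(8, "big") for t in tweaks)
    return hashlib.sha256(material).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedOnlyMemory:
    """Location-tweaked encryption with no integrity or freshness metadata."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.dram: dict[int, bytes] = {}

    def write(self, addr: int, plaintext: bytes) -> None:
        self.dram[addr] = _xor(plaintext.ljust(BLOCK, b"\0"), _pad(self.key, addr))

    def read(self, addr: int) -> bytes:
        # Any ciphertext ever written to this address decrypts cleanly.
        return _xor(self.dram[addr], _pad(self.key, addr))


class IntegrityError(Exception):
    pass


class FreshnessProtectedMemory:
    """Same encryption plus a per-block version counter kept in trusted on-die
    state and a MAC over (address, version, ciphertext) stored in DRAM."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.dram: dict[int, tuple[bytes, bytes]] = {}
        self.versions: dict[int, int] = {}  # trusted: out of the interposer's reach

    def _tag(self, addr: int, version: int, ct: bytes) -> bytes:
        msg = addr.to_bytes(8, "big") + version.to_bytes(8, "big") + ct
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:8]

    def write(self, addr: int, plaintext: bytes) -> None:
        version = self.versions.get(addr, 0) + 1
        ct = _xor(plaintext.ljust(BLOCK, b"\0"), _pad(self.key, addr, version))
        self.dram[addr] = (ct, self._tag(addr, version, ct))
        self.versions[addr] = version

    def read(self, addr: int) -> bytes:
        ct, tag = self.dram[addr]
        version = self.versions[addr]
        # A replayed cell carries a tag computed over an older version.
        if not hmac.compare_digest(tag, self._tag(addr, version, ct)):
            raise IntegrityError(f"stale or tampered block at {addr:#x}")
        return _xor(ct, _pad(self.key, addr, version))


def replay_scenario(mem, addr: int) -> str:
    """Snapshot a DRAM cell, let the owner update it, restore the snapshot.
    Returns what the owner then observes on read."""
    mem.write(addr, b"balance=100")
    captured = mem.dram[addr]          # interposer snapshots the cell
    mem.write(addr, b"balance=0")      # legitimate update by the enclave/guest
    mem.dram[addr] = captured          # interposer restores the old cell
    try:
        return mem.read(addr).rstrip(b"\0").decode()
    except IntegrityError:
        return "DETECTED"


def run_scenarios(addr: int = 0x1000) -> dict:
    return {
        "encryption_only": replay_scenario(EncryptedOnlyMemory(DEMO_KEY), addr),
        "with_freshness": replay_scenario(FreshnessProtectedMemory(DEMO_KEY), addr),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Running it prints `encryption_only: balance=100` and `with_freshness: DETECTED`: the encryption-only design hands the stale value back as if it were current, while the versioned design rejects it. The design choice that matters is where the version counter lives; if it were stored in DRAM alongside the ciphertext, the same bus-level replay could restore both, which is why real integrity schemes root the counters in on-die state or a hash tree anchored there.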
Related Research & Context
Battering RAM arrives amid a spate of high-impact hardware and virtualization disclosures:
- Heracles & Relocate-Vote (AMD): Previously disclosed techniques that allow malicious hypervisors to leak data from SEV-SNP guests.
- Stack engine side channels (ETH Zürich): Abuse of CPU optimizations to leak data from AMD Zen 5 and possibly other models.
- L1TF Reloaded (Vrije Universiteit Amsterdam): New combinations of L1 Terminal Fault and Spectre-like gadgets yielding arbitrary RAM reads from VMs.
- VMScape (ETH Zürich): Spectre-BTI variant that breaks virtualization boundaries and leaks memory across host/guest (CVE-2025-40300).
Taken together, these disclosures show that CPU microarchitectural features and cloud memory-management practices repeatedly open avenues for cross-VM and host-guest data exposure.
Vendor Response & Responsible Disclosure
The research was reported to vendors earlier in the year. According to the researchers, Intel, AMD, and Arm indicated that physical attacks are currently considered out of scope, and that robust mitigation against Battering RAM would likely require changes to core memory-encryption designs.
Separately, Google supplied a sole-tenant node to the researchers for safe experiments and applied fixes to affected infrastructure, while also awarding a bug bounty for related disclosure work.
Practical Implications for Cloud Customers
Confidential computing customers relying solely on SGX or SEV-SNP for protection against malicious cloud operators should be aware that physical-layer attacks remain a practical risk in shared or untrusted infrastructure.
The attack highlights the need for defense-in-depth: combine hardware protections with attestation, application-level encryption, strict supply-chain controls, and physical security guarantees.
For the highest assurance workloads, consider using single-tenant or physically controlled infrastructure, or augment encryption with methods that bind data integrity to physical location/freshness where possible.
Technical and Research Takeaways
- Battering RAM shows that very low-cost hardware insertions can subvert high-profile platform security features.
- Memory-encryption schemes that omit freshness/integrity checks are fundamentally limited against active physical manipulation.
- Addressing these weaknesses is non-trivial and may require rethinking memory encryption architecture, adding integrity/freshness checks, or changing how remote attestation treats physical-layer threats.