@inproceedings{batteringramsp26,
  title = {{Battering RAM}: Low-Cost Interposer Attacks on Confidential Computing via Dynamic Memory Aliasing},
  author = {De Meulemeester, Jesse and Oswald, David and Verbauwhede, Ingrid and Van Bulck, Jo},
  booktitle = {47th {IEEE} Symposium on Security and Privacy ({S\&P})},
  month = May,
  year = 2026,
}

Modern computers use memory modules (DRAM) to store everything in use: from photos and passwords to credit card numbers. Public cloud providers increasingly deploy hardware-level memory encryption to protect this sensitive data. However, we previously showed that malicious memory modules, nicknamed “Bad RAM”, can bypass these protections by deliberately supplying false metadata during processor boot. In response, modern cloud systems now validate memory more strictly at startup.

Breaking Memory Encryption with Two-Faced DRAM

With Battering RAM, we show that even the latest defenses on Intel and AMD cloud processors can be bypassed. We built a simple, $50 interposer that sits quietly in the memory path, behaving transparently during startup and passing all trust checks. Later, with just a flip of a switch, our interposer turns malicious and silently redirects protected addresses to attacker-controlled locations, allowing corruption or replay of encrypted memory.

Battering RAM fully breaks cutting-edge Intel SGX and AMD SEV-SNP confidential computing processor security technologies designed to protect sensitive workloads from compromised hosts, malicious cloud providers, or rogue employees. Our stealthy interposer bypasses both memory encryption and state-of-the-art boot-time defenses, invisible to the operating system. It enables arbitrary plaintext access to SGX-protected memory, and breaks SEV’s attestation feature on fully patched systems. Ultimately, Battering RAM exposes the limits of today’s scalable memory encryption.
Intel and AMD have acknowledged our findings, but defending against Battering RAM would require a fundamental redesign of memory encryption itself.

Building Battering RAM on a $50 Budget

Unlike commercial passive interposers, which are exceedingly expensive and commonly cost over $100,000, we developed a custom-built interposer that uses simple analog switches to actively manipulate signals between the processor and memory, and can be built for less than $50. All schematics and board files for our custom interposer are available as open source in our GitHub repository. The PCB is a standard 4-layer design and can be fabricated at any major PCB fabricator such as JLCPCB, PCBWay, or Eurocircuits.

Detailed bill of materials

| Component | Part Number | Cost | Qty. |
| --- | --- | --- | --- |
| PCB | Custom | $18.49 | 1 |
| DDR4 Connector | CONN-DDR4-288-SM | $16.00 | 1 |
| Microcontroller | Raspberry Pi Pico 1/2 | $4.00 | 1 |
| Switches | ADG902BRMZ | $4.04 | 2 |
| Voltage regulator | LD1117S25TR | $0.61 | 1 |
| Resistor | 0402, 1kOhm | <$0.01 | 2 |
| Capacitor | 0603, 100nF | $0.02 | 3 |
| Capacitor | 1206, 10μF | $0.18 | 1 |
| Total | | $47.62 | |

Battering RAM in Action

Attack 1/2: RAMming Intel SGX: Plaintext Access in 5 Steps

The single-key domain of Intel TME technology, used in Intel Scalable SGX, enables arbitrary plaintext access through the interposer-induced aliases. With TME, the memory encryption depends only on the secret key and the physical address being accessed. By capturing victim ciphertext and replaying the captured contents into its own enclaves, the attacker gains read access to the victim plaintext. Similarly, the attacker can also write arbitrary plaintext into victim enclaves.

1. Install interposer: Place the interposer between CPU and DIMM.
2. Allocate aliasing buffer: Allocate the attacker page to alias with the victim location and enable the interposer.
3. Capture ciphertext: Capture the victim ciphertext by reading the aliased attacker buffer. Now disable the interposer.
4. Allocate second attacker enclave: Evict the victim enclave and allocate a second, attacker-controlled enclave at the same physical address as the victim. Re-enable the interposer.
5. Replay ciphertext: Replay the previously captured ciphertext via the interposer, yielding the victim's decrypted plaintext.

Attack 2/2: Battering Through AMD SEV-SNP Attestation

To ensure the integrity of launched VMs, AMD SEV's SP takes a measurement of the initial memory contents and matches the hash with the expected value provided by the customer. With Battering RAM, we can capture and replay launch measurements, compromising SEV's attestation. This allows an attacker to introduce arbitrary backdoors into the VM, without detection. This vulnerability was first introduced by BadRAM and later patched by AMD by introducing boot-time alias checks. Battering RAM's dynamic memory aliases bypass these checks, re-enabling this vulnerability.

1. Install interposer: Place the interposer between CPU and memory.
2. Launch genuine VM image: Start the genuine VM image A. The AMD Secure Processor (SP) measures a launch digest hash(A), used during attestation.
3. Allocate aliasing buffer and capture ciphertext: Allocate an aliasing buffer and enable the interposer to capture the launch digest ciphertext.
4. Launch backdoored VM image: Launch a second, modified VM image B at the physical location of the original VM. The SP now measures a different launch digest hash(B).
5. Replay ciphertext: Replay the previously captured ciphertext hash(A), making SP attest the modified VM as genuine.

Questions and Answers
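Both attacks described above rest on one property: ciphertext that depends only on the key and the physical address stays valid when it is written back to that address later. The model below is an added example, not code from the Battering RAM authors; the HMAC/XOR cipher, the `Machine` class, the addresses, the sample values and the `fresh` write-counter variant are assumptions made for illustration. It shows a boot-time alias check passing before a later alias lets stale ciphertext be replayed, and the same replay failing once a per-write counter kept inside the CPU is mixed into the encryption.

```python
import hashlib, hmac

def keystream(key, addr, version, n):
    # Stand-in for an address-tweaked cipher: deterministic per (key, addr, version).
    return hmac.new(key, f"{addr}:{version}".encode(), hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Machine:
    """CPU with memory encryption; DRAM sits behind an interposer that can alias addresses."""
    def __init__(self, fresh):
        self.key = b"constructed-demo-key"
        self.fresh = fresh      # True: an on-die write counter is mixed into the tweak
        self.versions = {}      # lives inside the CPU, out of the interposer's reach
        self.dram = {}          # physical address -> ciphertext
        self.alias = {}         # interposer state; {} while it behaves transparently

    def write(self, addr, data):
        if self.fresh:
            self.versions[addr] = self.versions.get(addr, 0) + 1
        ks = keystream(self.key, addr, self.versions.get(addr, 0), len(data))
        self.dram[self.alias.get(addr, addr)] = xor(data, ks)

    def read(self, addr, n=32):
        ks = keystream(self.key, addr, self.versions.get(addr, 0), n)
        return xor(self.dram.get(self.alias.get(addr, addr), bytes(n)), ks)

def boot_alias_check(m, addrs):
    # Boot-time check: write a distinct marker per address, confirm none was clobbered.
    for a in addrs:
        m.write(a, a.to_bytes(32, "big"))
    return all(m.read(a) == a.to_bytes(32, "big") for a in addrs)

def replay(fresh, victim=0x1000, attacker=0x2000):
    m = Machine(fresh)
    passed = boot_alias_check(m, [victim, attacker])     # interposer still transparent
    genuine = hashlib.sha256(b"image A").digest()        # constructed protected value
    m.write(victim, genuine)
    m.alias = {attacker: victim}                         # alias appears only after boot
    captured = m.read(attacker)                          # victim ciphertext via the alias
    m.alias = {}
    m.write(victim, hashlib.sha256(b"image B").digest()) # slot reused for other content
    m.alias = {attacker: victim}
    m.write(attacker, captured)                          # stale ciphertext lands in slot
    m.alias = {}
    return passed, genuine, m.read(victim)               # what the CPU now decrypts
```

With `fresh=True` the replayed data only decrypts to garbage in this model; a design with integrity protection would reject it outright.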