This repository contains the scripts and tools to perform BadRAM attacks on RISC-V, as well as the proof-of-concept and end-to-end attacks presented in our paper under keystone-milkv/examples.
common-codecontains a static library with helper functions that are used throughout this project.alias-reversingcontains kernel modules and userspace tools for reversing the alias memory mapping.alias-reversing/modules/read_aliasoffers a generic read/write to physical memory API and builds a static library used by other code parts.alias-reversing/apps/find-alias-individualis a smart tool to reverse the aliasing. Checks each memory region individually, as they do not always have the same aliasing function. Results are exported as csv and and be read/written with the tools incommon-code.alias-reversing/apps/test-aliastakes the aliases exported byfind-alias-individualand checks that they apply for each address of the corresponding memory range. May lead to crashes if the aliased memory is used by the system.
scriptsprovides the Raspberry Pi Pico scripts to read, unlock, and overwrite the SPD data for DDR4 (ee1004) and DDR5 (spd5118).keystone-milkvprovides a fork of the keystone framework that contains the changes for running keystone on the milkv-v Pioneer board and the PoC and attacks presented in the PMPlease paper.milkv-zsblprovides a fork of the SG2042 zero-stage bootloader used in our experiments, with the BadRAM boot-time mitigations and secure boot implementationsg2042-bootloaderprovides the automatic build scripts for building the firmware needed to run keystone on the milkv board and also the zsbl mitigations- Flashing sdcard.img is sufficient for recreating our experiments on real-hardware
- If you make changes to the keystone code, just provide the new fw_dynamic.bin blob found under the build directory of keystone framework
sev-attackscontains the PoC and end-to-end attacks on AMD SEV-SNP.sev-attacks/simple-replayshows a basic POC in a cooperative scenario.sev-attacks/rw_pa: tool to perform basic capture and replay attackssev-attacks/replay_vmsa: basic PoC that replays the VM's VMSA with a modified register statesev-attacks/read_rmp: PoC for swapping the PFNs of two GFNssev-atacks/guest_context_replay: PoC for replaying the attestation reportsev-attacks/gpa2hpa-kernel-patches: Patches for host kernel that add an ioctl to translate GPAs to HPAs
sgx-attacksprovides the PoC attack on "classic" Intel SGX.
To interface with the SPD chip and overwrite its data, a microcontroller, like the Raspberry Pi Pico, and DDR4 or DDR5 sockets are required.
| Component | Cost | Link |
|---|---|---|
| Raspberry Pi Pico | $5 | Link |
| DDR Socket | $1-5 | DDR4 [1] [2]/DDR5 [1] [2] |
| 9V source | $2 | 9V battery / Boost convertor |
To create aliases, modify the SPD contents to report one more row bit than the DIMM originally has. The relevant SPD bytes that need to be modified are shown below.
DDR4
-
Byte
0x4, bits 3-0: Total SDRAM capacity per die, in megabits
This capacity has to be doubled to reflect the additional row address bit.Bits Mapping 0000 256 Mb 0001 512 Mb 0010 1 Gb 0011 2 Gb 0100 4 Gb 0101 8 Gb 0110 16 Gb 0111 32 Gb 1000 12 Gb 1000 24 Gb other Reserved -
Byte
0x5, bits 5-3: Row address bits
The number of row address bits has to be incremented.Bits Row bits 000 12 001 13 010 14 011 15 100 16 101 17 110 18 other Reserved -
Bytes
0x7e-0x7f: CRC checksum
This must be updated since the data changed. This can also be calculated by the scripts in./scripts/ee1004. -
Bytes
0x145-0x148: Module serial number (optional)
Might need to be changed since the motherboard may cache the SPD data based on the serial number
DDR5
-
Byte
0x4, bits 4-0: Total SDRAM density per die This capacity has to be doubled to reflect the additional row address bit.Bits Mapping 00000 No memory; not defined 00001 4 Gb 00010 8 Gb 00011 12 Gb 00100 16 Gb 00101 24 Gb 00110 32 Gb 00111 48 Gb 01000 64 Gb other Reserved -
Byte 5, bits 4-0: Row address bits
The number of row address bits has to be incremented.Bits Row bits 00000 16 00001 17 00010 18 other Reserved -
Bytes
0x1fe-0x1ff: CRC checksum
This must be updated since the data changed. This can also be calculated by the scripts in./scripts/spd5118. -
Bytes
0x205-0x208: Module serial number (optional)
Might need to be changed since the motherboard may cache the SPD data based on the serial number
You can use find-alias-individual to find the aliases for each memory region on your system. This tool will produce an aliases.csv file, which can be later used to find the alias of any address on your machine.