
katexochen@infosec.exchange

@katexochen@infosec.exchange
Posts: 1 · Topics: 1 · Shares: 0 · Groups: 0 · Followers: 0 · Following: 0

Posts

  • BadAML exploits host-supplied ACPI tables to get arbitrary code execution inside confidential VMs.
    katexochen@infosec.exchange

    BadAML exploits host-supplied ACPI tables to get arbitrary code execution inside confidential VMs. We reproduced the attack end-to-end against our stack and built an AML sandbox to stop it. I did a writeup on the original paper that published the attack, our reproducer, and our journey to fix it.

    Reproducing and mitigating BadAML

    BadAML is an attack that exploits host-supplied ACPI tables to gain arbitrary code execution inside confidential VMs, bypassing their memory isolation guarantees. Working on Contrast, we reproduced the attack end-to-end against our stack and mitigated it with an AML sandbox that restricts bytecode execution to shared memory pages.

    On untrusted ground: Protecting guests with confidential computing

    Confidential Computing (CC) is a paradigm that aims to protect trusted workloads on an untrusted, remote platform. Using Trusted Execution Environments (TEEs) and their two basic primitives, memory isolation and remote attestation, it can secure a confidential workload in a hostile environment, protecting against a potentially malicious infrastructure provider or platform operator. Today, TEEs most commonly come in the form of confidential virtual machines (CVMs), which are isolated from the host and other VMs through a set of ISA extensions and chip properties provided by the CPU vendor (AMD SEV-SNP, Intel TDX, …).

    blog katexochen (katexochen.aro.bz)

    #ConfidentialComputing #Security #Linux

    Category: Uncategorized · Tags: confidentialcom, security, linux