The researchers describe a simple interposer, which can be assembled for about $50, that sits between the processor and the DDR4 memory modules. During system start, the interposer remains transparent and passes all integrity and trust checks. At runtime, however, the device can be flipped into an active mode, where it stealthily remaps physical addresses and routes protected memory accesses to attacker-controlled locations. The device uses basic analog switching to alter signal paths, enabling reads of plaintext data or writes that corrupt protected memory regions.
Which hardware features are affected
Battering RAM undermines the confidentiality guarantees offered by Intel Software Guard Extensions (SGX) and AMD Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP). These features are designed to keep customer data encrypted in RAM, and safe even when running on untrusted cloud infrastructure, but they assume that the memory path itself is not physically tampered with. Because the interposer only changes address mappings after boot, the boot-time alias checks, which run while it is still transparent, see nothing wrong, and any defense that does not cryptographically verify freshness at runtime cannot notice the change later.
Practical impact in cloud settings
The attack is particularly relevant for confidential computing workloads that rely on memory encryption to protect data from the cloud provider or other tenants. A cloud operator or an insider with limited physical access could, in principle, install such hardware on a server, and then use it to:
- Read plaintext from protected enclaves on Intel systems.
- Inject arbitrary plaintext into protected enclaves, effectively inserting backdoors.
- Bypass AMD firmware mitigations that were designed to counter related attacks, such as BadRAM, enabling persistent, stealthy compromise of virtual machines.
The researchers warn that successful exploitation can undermine remote attestation, which means a compromised host could falsely convince a client that its workload is running in a secure environment, while in reality the attacker has introduced hidden modifications.
Why current designs are vulnerable
Modern scalable memory encryption schemes trade certain protections for capacity and practicality. In particular, many designs omit strong cryptographic freshness checks at runtime so that larger protected memory regions can be supported at acceptable performance. The original SGX design, for example, maintained a counter-based integrity tree over a small enclave page cache; scalable SGX dropped that tree to support far larger protected regions, leaving deterministic, address-tweaked encryption without replay protection. Battering RAM exploits this design choice by dynamically creating memory aliases and redirecting requests without triggering the remaining checks, thereby defeating protections that only validate mappings during boot.
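The following toy model, added here as an illustration and not code from the researchers or from any vendor, shows why a missing freshness check matters. It uses a deterministic, address-tweaked keystream as a stand-in for an XTS-style engine (a hypothetical cipher, not TME or the SEV engine), a simulated interposer that forces one address bit to zero so that two physical addresses land on the same DRAM row, and a controller that can optionally bind each protected write to an on-chip version counter. The addresses, key and secrets are constructed. The model covers only the replay half of the problem: the attacker's read through the alias yields garbage, because the ciphertext is decrypted under the wrong address tweak, yet that garbage can be written back later to roll the victim's memory to a stale value. With a version-bound tag the same replay is rejected.

```python
"""Toy model: address-tweaked memory encryption, a runtime-flippable alias, and
the difference a freshness check makes. Constructed illustration only; the
cipher, addresses and data are stand-ins, not the real TME/SEV engines or the
interposer from the paper."""
import hashlib
import hmac

KEY = b"toy-memory-encryption-key"   # hypothetical CPU-held key
ALIAS_BIT = 20                        # address bit the active interposer forces to 0


def keystream(addr: int, n: int) -> bytes:
    """Deterministic, address-tweaked keystream (stand-in for an XTS-style
    block cipher). The property that matters is shared with real engines:
    the same (key, address) always encrypts the same way, with no counter."""
    return hashlib.shake_256(KEY + addr.to_bytes(8, "little")).digest(n)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class IntegrityError(Exception):
    pass


class Interposer:
    """Sits between controller and DRAM. Transparent until activated; then it
    routes A and A | (1 << ALIAS_BIT) to the same DRAM row."""
    def __init__(self):
        self.dram = {}
        self.active = False

    def location(self, addr: int) -> int:
        return addr & ~(1 << ALIAS_BIT) if self.active else addr

    def read(self, addr: int) -> bytes:
        return self.dram.get(self.location(addr), bytes(16))

    def write(self, addr: int, cell: bytes) -> None:
        self.dram[self.location(addr)] = cell


class MemoryController:
    """Encrypts on write, decrypts on read. With freshness=True it also keeps an
    on-chip version counter per protected address and a tag binding
    (address, version, ciphertext), as a counter-based integrity tree would."""
    def __init__(self, bus: Interposer, protected: set, freshness: bool):
        self.bus, self.protected, self.freshness = bus, protected, freshness
        self.version = {}   # on-chip state, out of the attacker's reach

    def tag(self, addr: int, ver: int, ct: bytes) -> bytes:
        msg = addr.to_bytes(8, "little") + ver.to_bytes(8, "little") + ct
        return hmac.new(KEY, msg, hashlib.sha256).digest()[:16]

    def write(self, addr: int, data: bytes) -> None:
        ct = xor(data, keystream(addr, len(data)))
        if self.freshness and addr in self.protected:
            self.version[addr] = self.version.get(addr, 0) + 1
            ct += self.tag(addr, self.version[addr], ct)
        self.bus.write(addr, ct)

    def read(self, addr: int) -> bytes:
        cell = self.bus.read(addr)
        if self.freshness and addr in self.protected:
            ct, stored = cell[:16], cell[16:]
            expected = self.tag(addr, self.version.get(addr, 0), ct)
            if not hmac.compare_digest(stored, expected):
                raise IntegrityError(f"stale or foreign ciphertext at {addr:#x}")
            cell = ct
        return xor(cell, keystream(addr, len(cell)))


def run_scenario(freshness: bool) -> dict:
    """Victim stores a secret, attacker captures its cells via the alias,
    victim updates the secret, attacker replays the captured cells."""
    victim_addr = 0x4000_5000                  # constructed; bit 20 is clear
    alias_addr = victim_addr | (1 << ALIAS_BIT)  # attacker-owned, aliases onto victim row
    bus = Interposer()
    ctl = MemoryController(bus, protected={victim_addr}, freshness=freshness)
    result = {"captured_is_plaintext": False, "victim_sees_stale": False, "detected": False}

    ctl.write(victim_addr, b"secret-v1-ABCDEF")   # boot-time checks have passed by now
    bus.active = True                              # runtime: flip the interposer
    captured = ctl.read(alias_addr)                # same cells, wrong tweak: garbage
    result["captured_is_plaintext"] = captured == b"secret-v1-ABCDEF"
    ctl.write(victim_addr, b"secret-v2-GHIJKL")   # victim moves on
    ctl.write(alias_addr, captured)                # replay: DRAM row holds the old cells again
    try:
        result["victim_sees_stale"] = ctl.read(victim_addr) == b"secret-v1-ABCDEF"
    except IntegrityError:
        result["detected"] = True
    return result


if __name__ == "__main__":
    print("no freshness:", run_scenario(freshness=False))
    print("freshness:   ", run_scenario(freshness=True))
```

Without freshness the victim silently reads the stale secret; with the version-bound tag the controller refuses the replayed row. The attacker never sees plaintext through the alias in this model, which is the point: a deterministic ciphertext is a replayable token even when it is unreadable, so integrity and freshness, not secrecy alone, are what the attacker has to defeat.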
Related research and the broader context
The Battering RAM disclosure follows several recent hardware and microarchitectural findings that continue to demonstrate unexpected attack surfaces in CPUs and cloud platforms. Recent examples include:
- Heracles and Relocate-Vote, attacks targeting AMD SEV-SNP, which led AMD to issue mitigations.
- VMScape, a Spectre-style cross-virtualization attack that leaked guest data on some AMD and Intel platforms, prompting kernel-level fixes.
- L1TF Reloaded, a technique combining L1 Terminal Fault and speculative execution gadgets to extract data from virtual machines.
These and other disclosures highlight the persistence of hardware-based risks, and the difficulty of fully securing large shared infrastructures against physical or low-level analog attacks.
Vendor responses and mitigation outlook
According to the researchers, the issue was reported to vendors earlier in the year. Intel, AMD, and Arm responded that fully defending against physical, on-path memory tampering is currently considered out of scope for their threat models. The researchers argue that meaningful defense against Battering RAM would require rethinking memory encryption architectures to include cryptographic freshness and runtime integrity checks, which is a significant design change.
In the short term, mitigation options are limited and costly, because preventing this class of attack often implies restricting physical access to servers, deploying tamper-evident hardware, or redesigning memory controllers and encryption schemes. In cloud settings, tenants relying on confidential computing should be aware that a local, physical compromise of host memory channels could invalidate the guarantees they expect.
Final thoughts
Battering RAM serves as a reminder that hardware and physical-layer threats remain a critical part of the attack surface, especially in large, shared cloud deployments. While software patches and firmware updates can reduce many risks, this research indicates that some threats require architectural redesigns and stricter assumptions about physical protection. Confidential computing promises a lot, but it is not invulnerable; when physical access is possible, its trust assumptions must be revisited.