Confidential virtual machines (VMs) are an emerging technology that allows cloud users to securely compute on their confidential data in VMs hosted by untrusted clouds. By using encryption and attestation that leverage the CPU hardware as a root of trust, such as those supported by AMD SEV and Intel TDX, confidential VMs can protect the confidentiality and integrity of guest code and data against malicious hosts. Confidential VMs have already been commercially deployed in services such as AWS, Google Compute Cloud, and Microsoft Azure. However, can we really trust these confidential VMs? Actually, no.
In this talk, we reveal a previously unrecognized attack vector that allows a malicious host to execute arbitrary code in confidential VMs without being detected, thereby compromising the guest’s confidential data. This attack exploits the ACPI framework to inject ACPI Machine Language (AML) code into confidential VMs, allowing the host to access guest OS memory from inside the VMs. This attack vector not only leads to vulnerabilities in current confidential VMs, but also poses the inherent challenge of trusting proprietary firmware provided by untrusted clouds, which requires a long-term effort to resolve.
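ACPI tables, including the SSDT/DSDT that carry AML, reach the guest through firmware supplied by the host, which in a confidential VM is exactly the party the guest does not trust. As an added example that is not part of this abstract or the speakers' work, the following Python code shows the guest-side check a defender would want before accepting such a table: parse the standard 36-byte ACPI table header, verify the ACPI checksum, and compare the whole table's SHA-256 digest against an allowlist of expected values. The allowlist is assumed to be obtained out-of-band (for instance bound into the attestation report rather than taken from the host); the sample SSDT, its filler body, and the OEM/creator identifiers are constructed for the example.

```python
import hashlib
import struct

# Layout of the ACPI System Description Table header (36 bytes, little-endian):
# Signature, Length, Revision, Checksum, OEMID, OEM Table ID, OEM Revision,
# Creator ID, Creator Revision.
_HDR = struct.Struct("<4sIBB6s8sI4sI")
HEADER_LEN = _HDR.size            # 36
CHECKSUM_OFFSET = 9


def with_checksum(table: bytes) -> bytes:
    """Return a copy whose checksum byte makes all table bytes sum to 0 mod 256."""
    t = bytearray(table)
    t[CHECKSUM_OFFSET] = 0
    t[CHECKSUM_OFFSET] = (-sum(t)) & 0xFF
    return bytes(t)


def build_table(signature: bytes, body: bytes) -> bytes:
    """Construct a sample table (constructed test data, not real firmware output)."""
    hdr = _HDR.pack(signature, HEADER_LEN + len(body), 2, 0,
                    b"SAMPLE", b"CVMEXMPL", 1, b"EXMP", 1)
    return with_checksum(hdr + body)


def parse_header(table: bytes) -> dict:
    """Decode the standard header fields into a dict."""
    sig, length, rev, csum, oem, oem_tid, oem_rev, cid, crev = _HDR.unpack_from(table)
    return {"signature": sig, "length": length, "revision": rev, "checksum": csum,
            "oem_id": oem, "oem_table_id": oem_tid, "oem_revision": oem_rev,
            "creator_id": cid, "creator_revision": crev}


def checksum_ok(table: bytes) -> bool:
    """ACPI checksum rule: every byte of the table, checksum included, sums to 0 mod 256."""
    return sum(table) & 0xFF == 0


def check_table(table: bytes, allowlist: dict) -> tuple[bool, str]:
    """Guest-side check: structural sanity first, then digest against the allowlist.

    allowlist maps table signature -> set of SHA-256 hex digests the guest expects.
    It is assumed to come from a trusted channel (e.g. the attestation report),
    never from the host that also supplies the tables."""
    if len(table) < HEADER_LEN:
        return False, "truncated header"
    hdr = parse_header(table)
    if hdr["length"] != len(table):
        return False, "length field does not match table size"
    if not checksum_ok(table):
        return False, "bad checksum"
    digest = hashlib.sha256(table).hexdigest()
    if digest not in allowlist.get(hdr["signature"], set()):
        return False, f"{hdr['signature'].decode()} digest not in allowlist"
    return True, "ok"


def patch_byte(table: bytes, offset: int, value: int, fix_checksum: bool) -> bytes:
    """Model a host that alters one byte of the table body, with or without
    recomputing the checksum so the table still looks well-formed."""
    t = bytearray(table)
    t[offset] = value
    return with_checksum(bytes(t)) if fix_checksum else bytes(t)


# Constructed sample: an SSDT whose body is opaque filler standing in for AML bytecode.
GOOD_SSDT = build_table(b"SSDT", bytes(range(16)))
ALLOWLIST = {b"SSDT": {hashlib.sha256(GOOD_SSDT).hexdigest()}}


def demo() -> dict:
    """Run the check on the good table, a blindly altered one, and an altered one
    whose checksum was recomputed; only the allowlist catches the last case."""
    altered = patch_byte(GOOD_SSDT, HEADER_LEN + 3, 0xFF, fix_checksum=False)
    altered_fixed = patch_byte(GOOD_SSDT, HEADER_LEN + 3, 0xFF, fix_checksum=True)
    return {
        "good": check_table(GOOD_SSDT, ALLOWLIST),
        "altered": check_table(altered, ALLOWLIST),
        "altered_fixed_checksum": check_table(altered_fixed, ALLOWLIST),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:24s} {'PASS' if ok else 'FAIL'}: {why}")
```

The point of the third case is the one that matters for confidential VMs: the ACPI checksum only detects accidental corruption, and a host that alters a table can trivially recompute it, so the guest gains integrity only by comparing each table against a measurement it trusts independently of the host. Which tables to allowlist, and how the expected digests are provisioned, is deployment-specific and is not addressed by the abstract.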