BadAML: Exploiting Legacy Firmware Interfaces to Compromise Confidential Virtual Machines

Abstract

Confidential virtual machines (CVMs) are an emerging form of trusted execution environment that enable existing operating systems (OSs) to run securely without trusting cloud providers. To this end, CVMs employ hardware-based memory encryption for runtime confidentiality and cryptographic attestation for memory integrity at startup. However, we reveal a previously overlooked attack vector that allows malicious cloud providers to bypass CVM attestation and execute arbitrary code within users’ CVMs without relying on specific CVM configurations. Our attack, BadAML, exploits the Advanced Configuration and Power Interface (ACPI), a legacy yet widely adopted firmware interface for machine configuration. Specifically, BadAML leverages ACPI Machine Language (AML) to inject arbitrary binary code into guest OS kernel memory without affecting CVM attestation. Because ACPI remains an essential component even in virtualized environments, BadAML constitutes a powerful and portable attack vector independent of guest OS and CPU architecture. We demonstrate proof-of-concept exploits of BadAML in both Linux and Windows CVM environments. We then analyze possible mitigation measures, discussing effectiveness and limitations. Finally, we introduce AML sandboxing, a practical defense that restricts memory access to safe regions in the CVM threat model; we present its design, implementation, and evaluation, demonstrating its effectiveness across 18 real-world cloud CVM instances.

Reference

Satoru Takekoshi, Manami Mori, Takaaki Fukai, Takahiro Shinagawa. BadAML: Exploiting Legacy Firmware Interfaces to Compromise Confidential Virtual Machines. In Proceedings of the 32nd ACM Conference on Computer and Communications Security (ACM CCS 2025), Oct, 2025.