With the flick of a switch, a $50 device that sits silently in the memory path between a processor and its DRAM hijacks encrypted memory, redirecting protected addresses to attacker-controlled regions.
The latest research, conducted by KU Leuven and the University of Birmingham, known as Battering RAM, breaks one of the most fundamental promises of cloud computing: that your memory is yours alone (KU Leuven, 2025). The implications are both immediate and structural, as it works against Intel’s SGX and AMD’s SEV-SNP, the very hardware technologies underpinning confidential computing.
Battering RAM exposes the limits of today’s scalable memory encryption, specifically, the absence of cryptographic freshness checks. These were sacrificed for performance and larger memory protection ranges. That trade-off now looks dangerously short-sighted.
“Our attack shows that even the most advanced confidential computing technologies are still vulnerable if an attacker has limited physical access to a server’s motherboard,” said Professor Jo Van Bulck, DistriNet, Department of Computer Science, said in a release.
For Intel, the attack allows plaintext reads and writes within secure enclaves. For AMD, it breaks attestation, allowing an attacker to inject arbitrary code into what should be tamper-proof VMs. And all of this happens post-boot, invisibly.
More worryingly, this isn’t just a theory: the tool utilizes analog switches, a standard four-layer PCB design, and off-the-shelf components. Anyone with moderate hardware skills could replicate it. For cloud infrastructure, this opens the door to insider threats, supply chain tampering, and compromised hardware in transit, threats that no EDR agent, firewall, or SIEM is equipped to detect.
Right now, most cloud threat models implicitly trust the silicon. But that’s no longer tenable. Battering RAM joins a growing list of low-level attacks (VMScape, L1TF Reloaded, Heracles) that bypass hypervisor controls, escape isolation, or leak cryptographic secrets. Hardware-layer assumptions are being tested and increasingly, they’re failing.
Intel and AMD have both responded by saying physical attacks fall outside their product threat models. While that may be technically correct, strategically, it’s tone deaf. Physical access is a realistic risk in cloud-scale environments. Especially when hardware moves through global supply chains, multi-tenant racks, and third-party operators.
Cloud providers must start treating hardware provenance, physical access, and tamper detection as core components of their security posture. That means attestation systems that go beyond software hashes. It means redesigning memory encryption to withstand dynamic aliasing. It means bringing hardware security modules (HSMs), secure boot chains, and integrity verification closer to the silicon. For enterprise customers, it’s time to ask harder questions. Who has had physical access to your data? How is that risk managed? What hardware guarantees are being made, and what happens when those guarantees break?
Confidential computing promised a clean break from the old model of trust. But as Battering RAM proves, that promise is only as strong as the pins soldered onto the board.