BadAML: Exploiting Legacy Firmware Interfaces to Compromise Confidential Virtual Machines

Confidential virtual machines (CVMs) are an emerging form of trusted execution environment that enable existing operating systems (OSs) to run securely without trusting cloud providers. To this end, CVMs employ hardware-based memory encryption for runtime confidentiality and cryptographic attestation to verify memory integrity at startup. However, we reveal a previously overlooked attack vector that allows malicious cloud providers to bypass CVM attestation and execute arbitrary code within users' CVMs regardless of specific CVM configurations. Our attack, BadAML, exploits the Advanced Configuration and Power Interface (ACPI), a legacy yet widely adopted firmware interface for machine configuration. Specifically, BadAML leverages ACPI Machine Language (AML) to inject arbitrary binary code into the guest OS kernel without affecting CVM attestation. Because ACPI remains an essential component even in virtualized environments, BadAML constitutes a powerful and portable attack vector independent of guest OS type and CVM technology. We demonstrate proof-of-concept exploits of BadAML in both Linux and Windows CVM environments. We then analyze possible mitigation measures, discussing their effectiveness and limitations. Finally, we introduce AML sandboxing, a practical defense that restricts memory access to safe regions under the CVM threat model; we present its design, implementation, and evaluation, demonstrating its effectiveness across 18 real-world cloud CVM instances.