August 7, 2024 at 01:08PM
Computer security researchers at CISPA Helmholtz Center in Germany have discovered security flaws in T-Head Semiconductor’s RISC-V processors, notably the GhostWrite vulnerability in the TH1520 SoC. The flaw allows unauthorized access to physical memory, posing a significant risk to affected devices. The vulnerability is inherently tied to the design of the C910’s vector extension, and its resolution requires disabling the extension, which affects application performance. The researchers will present their findings at the Black Hat security conference, emphasizing the need for a microcode layer in RISC-V CPUs to mitigate such vulnerabilities.
From the meeting notes, it is clear that the researchers at the CISPA Helmholtz Center for Information Security in Germany discovered serious security flaws in T-Head Semiconductor’s RISC-V processors. The most critical vulnerability, dubbed GhostWrite, allows a rogue application or user to read and write physical memory, and execute arbitrary code with kernel and machine-mode privileges. This vulnerability affects the T-Head C910 CPU cores in the TH1520 SoC.
The threat scenario is limited to the attacker being unprivileged but capable of executing native code on the affected hardware. Mitigating this issue requires the vector extension to be disabled, which will impact applications relying on those vector instructions and result in significant performance hits if emulated in software.
The research findings will be presented at the Black Hat security conference in Las Vegas, Nevada, by the researchers who discovered the vulnerabilities. The security issues are attributed to T-Head’s non-standard implementation of the RISC-V ISA, particularly its improper implementation of the vector extension.
The researchers developed a fuzzing framework called RISCVuzz to identify vulnerabilities in RISC-V CPUs, and they found three architectural CPU vulnerabilities within T-Head chips, as well as other bugs causing segmentation faults in QEMU. The most severe vulnerability, GhostWrite, affects the C910 in the TH1520 SoC and allows unprivileged users to write anything to memory without security and isolation concerns.
The vulnerabilities have practical implications, as it was observed that Scaleway notified users of their RISC-V instances and recommended a kernel update to address security vulnerabilities. Disabling the vector extension is currently the only proposed mitigation for GhostWrite, despite the significant impact on application performance.
It was noted that the RISC-V ISA’s open and extensible nature has led to a growing range of hardware implementations with varying security measures and their own security failings. Consequently, the authors recommend the addition of a microcode layer on RISC-V CPUs to mitigate future vulnerabilities, as the unregulated use of the RISC-V ISA and custom vendor extensions could potentially lead to more security issues.