A Security RISC: Microarchitectural Attacks on Hardware RISC-V CPUs

Gerlach, Lukas and Weber, Daniel and Zhang, Ruiyi and Schwarz, Michael
(2023) A Security RISC: Microarchitectural Attacks on Hardware RISC-V CPUs.
In: 44th IEEE Symposium on Security and Privacy.
Conference: SP IEEE Symposium on Security and Privacy

[img] Text
security_risc.pdf
Download (367kB)

Abstract

Microarchitectural attacks threaten the security of computer systems even in the absence of software vulnerabilities. Such attacks are well explored on x86 and ARM CPUs, with a wide range of proposed but not-yet deployed hardware countermeasures. With the standardization of the RISC-V instruction set architecture and the announcement of support for the architecture by major processor vendors, RISC-V CPUs are on the verge of becoming ubiquitous. However, the microarchitectural attack surface of the first commercially available RISC-V hardware CPUs is not yet explored. This paper analyzes the two commercially-available off-the-shelf 64-bit RISC-V (hardware) CPUs used in most RISC-V systems running a full-fledged commodity Linux system. We evaluate the microarchitectural attack surface, which leads to the introduction of 3 new microarchitectural attack techniques: Cache+Time, a novel cache-line-granular cache attack without shared memory, Flush+Fault exploiting the Harvard cache architecture for Flush+Reload, and CycleDrift exploiting unprivileged access to instruction-retirement information. Additionally, we show that many known attacks are applicable to these RISC-V CPUs, mainly due to non-existing hardware countermeasures and instruction-set subtleties that do not consider the microarchitectural attack surface. We demonstrate our attacks in 6 case studies, including the first RISC-V-specific microarchitectural KASLR break and a CycleDrift-based method for detecting kernel activity. Based on our analysis, we stress the need to consider the microarchitectural attack surface during every step of a CPU design, including custom instruction-set extensions.

Item Type: Conference or Workshop Item (A Paper) (Paper)
Divisions: Michael Schwarz (MS)
Conference: SP IEEE Symposium on Security and Privacy
Depositing User: Michael Schwarz
Date Deposited: 05 Apr 2023 08:31
Last Modified: 22 May 2023 23:10
Primary Research Area: NRA3: Threat Detection and Defenses
URI: https://publications.cispa.saarland/id/eprint/3924

Actions

Actions (login required)

View Item View Item
CISPA is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.