(2023) A Security RISC: Microarchitectural Attacks on Hardware RISC-V CPUs.
Text
security_risc.pdf Download (367kB) |
Abstract
Microarchitectural attacks threaten the security of computer systems even in the absence of software vulnerabilities. Such attacks are well explored on x86 and ARM CPUs, with a wide range of proposed but not-yet deployed hardware countermeasures. With the standardization of the RISC-V instruction set architecture and the announcement of support for the architecture by major processor vendors, RISC-V CPUs are on the verge of becoming ubiquitous. However, the microarchitectural attack surface of the first commercially available RISC-V hardware CPUs is not yet explored. This paper analyzes the two commercially-available off-the-shelf 64-bit RISC-V (hardware) CPUs used in most RISC-V systems running a full-fledged commodity Linux system. We evaluate the microarchitectural attack surface, which leads to the introduction of 3 new microarchitectural attack techniques: Cache+Time, a novel cache-line-granular cache attack without shared memory, Flush+Fault exploiting the Harvard cache architecture for Flush+Reload, and CycleDrift exploiting unprivileged access to instruction-retirement information. Additionally, we show that many known attacks are applicable to these RISC-V CPUs, mainly due to non-existing hardware countermeasures and instruction-set subtleties that do not consider the microarchitectural attack surface. We demonstrate our attacks in 6 case studies, including the first RISC-V-specific microarchitectural KASLR break and a CycleDrift-based method for detecting kernel activity. Based on our analysis, we stress the need to consider the microarchitectural attack surface during every step of a CPU design, including custom instruction-set extensions.
Item Type: | Conference or Workshop Item (A Paper) (Paper) |
---|---|
Divisions: | Michael Schwarz (MS) |
Conference: | SP IEEE Symposium on Security and Privacy |
Depositing User: | Michael Schwarz |
Date Deposited: | 05 Apr 2023 08:31 |
Last Modified: | 22 May 2023 23:10 |
Primary Research Area: | NRA3: Threat Detection and Defenses |
URI: | https://publications.cispa.saarland/id/eprint/3924 |
Actions
Actions (login required)
View Item |