The entry of RISC-V, an open and expandable instruction set architecture (ISA), into the CPU market has created new opportunities for emerging players in the industry. This development has been facilitated by the increasing adoption of RISC-V through Linux kernel support and its integration into consumer devices and cloud platforms.
The flexible nature of RISC-V has led to a variety of hardware implementations with distinct features and security controls. Notably, these implementations can be evaluated without access to their source code and without emulators: models from different vendors can be compared by differential CPU fuzzing, a technique that runs the same instruction sequences on several CPUs and analyzes where their architectural behavior diverges.
Recently, a team of cybersecurity researchers at CISPA Helmholtz Center for Information Security uncovered three significant security vulnerabilities in five commercial RISC-V CPUs. One of them, known as GhostWrite, allows an attacker running in an unprivileged state to write arbitrary data to any physical memory location. The flaw is severe because it lets attackers read physical memory and execute unauthorized machine-mode code, even within cloud environments.
RISCVuzz, the researchers' differential fuzzing framework, also found two privileged instruction sequences that trigger irreparable CPU halts, further highlighting the security risks of RISC-V implementations. The GhostWrite bug itself affects the T-Head XuanTie C910 CPU and is a hardware design flaw that undermines the CPU's security controls: an attacker with minimal system privileges can use it to manipulate memory and interfere with peripherals such as network cards, potentially gaining complete control over the system.
Addressing GhostWrite is a significant challenge, because the only fix is to disable approximately half of the CPU's functions. The flaw bypasses the virtual memory protections and process isolation enforced by the operating system and the hardware, allowing attackers to sidestep security features and gain unauthorized access to the device. Unlike side-channel or transient-execution attacks, GhostWrite stems from a direct CPU bug in faulty vector extension instructions; it is a hardware flaw that cannot be resolved through software updates.
The implications of the GhostWrite vulnerability extend beyond memory manipulation, enabling attackers to exploit hardware devices through memory-mapped I/O (MMIO) and execute arbitrary commands on those devices. Several devices have been identified as vulnerable to GhostWrite, including Scaleway Elastic Metal RV1, Lichee Cluster 4A, Lichee Book 4A, Lichee Console 4A, Lichee Pocket 4A, Sipeed Lichee Pi 4A, Milk-V Meles, and BeagleV-Ahead.
That GhostWrite was identified through differential fuzz testing of RISC-V CPUs underscores the need for robust security validation in the development and deployment of hardware. The T-Head XuanTie C910's execution of faulty vector store instructions shows how a direct physical memory write error can circumvent virtual memory protection entirely, and how urgently such errors need to be found before silicon ships.
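As an added illustration of the inventory check a defender would run across the kinds of hosts listed above (this is not code from the article or from the CISPA researchers), the script below parses the Linux /proc/cpuinfo of a RISC-V host and flags harts that report the T-Head C910 microarchitecture with the standard vector extension advertised in their ISA string. The field names (isa, uarch) and the sample input are assumptions constructed for the example.

```python
"""Flag RISC-V harts that match the GhostWrite-affected core (added example).

Assumptions (not from the article): Linux /proc/cpuinfo on RISC-V carries one
block per hart with an "isa" line (e.g. "rv64imafdcv") and a "uarch" line
(e.g. "thead,c910"). The sample text below is constructed, not captured.
"""
import re

# Constructed /proc/cpuinfo sample: two harts of a T-Head C910 with V enabled.
SAMPLE_CPUINFO = """\
processor\t: 0
hart\t\t: 0
isa\t\t: rv64imafdcv_zicsr_zifencei
mmu\t\t: sv39
uarch\t\t: thead,c910

processor\t: 1
hart\t\t: 1
isa\t\t: rv64imafdcv_zicsr_zifencei
mmu\t\t: sv39
uarch\t\t: thead,c910
"""

AFFECTED_UARCH = "thead,c910"  # the core the article names as affected

def parse_cpuinfo(text):
    """Return one {field: value} dict per hart block (blocks are blank-line separated)."""
    harts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        harts.append(fields)
    return harts

def has_vector_extension(isa):
    """True if the ISA string advertises the full 'V' extension.
    Single-letter extensions follow the 'rv32'/'rv64' prefix up to the first '_';
    multi-letter extensions (zve*, zicsr, ...) come after it and are ignored here."""
    single_letter, _, _ = isa.lower().partition("_")
    return "v" in single_letter[4:]

def assess(text):
    """Classify each hart: 'exposed' = C910 with V on, 'c910-no-v' = C910 without V."""
    results = []
    for hart in parse_cpuinfo(text):
        c910 = hart.get("uarch", "").lower() == AFFECTED_UARCH
        vector = has_vector_extension(hart.get("isa", ""))
        status = "exposed" if c910 and vector else "c910-no-v" if c910 else "other"
        results.append((hart.get("hart"), status))
    return results

if __name__ == "__main__":
    for hart_id, status in assess(SAMPLE_CPUINFO):
        print(f"hart {hart_id}: {status}")
```

On a real host, replace SAMPLE_CPUINFO with the contents of /proc/cpuinfo; "exposed" harts are the ones where the article's only remedy, disabling the vector extension, has not been applied.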