Arbitrary Data Manipulation and Leakage with CPU Zero-Day Bugs on RISC-V
Black Hat USA · Mandalay Bay, Las Vegas, USA · August 7 2024

In recent years, CPU vulnerabilities such as transient-execution attacks and architectural CPU bugs have threatened computing security. Most of these bugs affect x86 CPUs because of their complexity and legacy features. RISC-V, as a new and open CPU architecture, has the potential to avoid these vulnerabilities through its design. RISC-V is already gaining popularity across various domains, including embedded devices, single-board computers, laptops, phones, and cloud deployments. In this talk, we unveil multiple architectural CPU vulnerabilities in off-the-shelf RISC-V CPUs. To find them, we introduce a highly effective automated approach for identifying such vulnerabilities. Our automated approach discovers the most severe architectural vulnerability to date and two unprivileged "halt-and-catch-fire" instruction sequences. Our most severe finding, GhostWrite, allows an unprivileged attacker to arbitrarily modify the content of physical memory. GhostWrite can be exploited from within containerized and virtualized environments. Notably, it is also present in a cloud-deployed RISC-V CPU. We demonstrate how to use the primitive to exploit the on-site chip, interacting with peripherals, gaining root, and executing code in the highest RISC-V privilege mode (machine mode). We conclude by discussing mitigations and concrete proposals on how to make future CPUs more secure.