

# How Secure Are Commercial RISC-V CPUs?

Lukas Gerlach, Fabian Thomas | PhD Students @ CISPA (Germany)



### Meltdown

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are [software patches against Meltdown](#),



### Spectre

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.



## ZOMBIELOAD ATTACK

### RETURN OF THE LEAKING DEAD

Watch out! Your processor resurrects your private browsing-history and other sensitive data.

After Meltdown, Spectre, and Foreshadow, we discovered more critical vulnerabilities in modern processors. The ZombieLoad attack allows reading sensitive data and keys while the computer accesses them.



### Meltdown

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown.



### Spectre

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.



### FORESHADOW

Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution

[Read the paper](#) | [Cite](#) | [Watch a demo](#)



## ZOMBIELOAD ATTACK

### RETURN OF THE LEAKING DEAD

Watch out! Your processor resurrects your private browsing-history and other sensitive data.

After Meltdown, Spectre, and Foreshadow, we discovered more critical vulnerabilities in modern processors. The ZombieLoad attack allows reading sensitive data and keys while the computer accesses them.



### Meltdown

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown.



## LVI - Hijacking Transient Execution with Load Value Injection

LVI is a new class of transient execution attacks exploiting microarchitectural flaws in modern processors to inject attacker data into a victim program and steal sensitive data and keys from **DEKED**, a secure vault in Intel processors for your personal data.

## MDS: Microarchitectural Data Sampling

Attacks on the newly-discovered "MDS" hardware vulnerabilities in Intel CPUs



## APIC LEAK

Architecturally Leaking Uninitialized Data from the Microarchitecture



### Spectre

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.



## FORESHADOW

Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution

[Read the paper](#) | [Cite](#) | [Watch a demo](#)

## Downfall Attacks

Attack Demo FAQ Advisories Links



## MDS: Microarchitectural Data Sampling

Attacks on the newly-disclosed "MDS" hardware vulnerabilities in Intel CPUs



Transient attacks target a critical weakness found in billions of modern processors used in personal and cloud computers. This vulnerability, identified in [CVE-2018-12126](#), enables a user to access and steal data from other users who share the same computer. For instance, a malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages. Similarly, in cloud computing environments, a malicious customer could exploit the Downfall vulnerability to steal data and credentials from other customers who share the same cloud computer.



## Spectre

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.



## FORESHADOW

Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution

[Read the paper](#) [Cite](#) [Watch a demo](#)

## Cross-Process Information Leak

Bulletin ID: AMD-SB-7008

Potential Impact: Information disclosure

Severity: Medium

### Summary

Under specific microarchitectural circumstances, a register in "Zen 2" CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.



## ZOMBIELOAD ATTACK RETURN OF THE LEAKING DEAD

Watch out! Your processor resurrects your private browsing-history and other sensitive data.

After Meltdown, Tyblet, and Foreshadow, we discovered more critical vulnerabilities in modern processors. The ZombieLoad attack allows reading sensitive data and keys while the computer accesses them.



## Meltdown

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown.

## Retbleed: Arbitrary Speculative Code Execution with Return Instructions

Retbleed ([CVE-2022-29990](#) and [CVE-2022-29991](#)) is the newest addition to the family of speculative execution attacks that exploit branch target injection to leak information, which we call Spectre-BTI. Unlike its siblings, who trigger harmful branch target speculation by exploiting indirect jumps or calls, Retbleed exploits return instructions. This means a great deal, since it undermines some of our current Spectre-BTI defenses.

## Cross-Process Information Leak

Bulletin ID: AMD-SB-7008

Potential Impact: Information disclosure

Severity: Medium

### Summary

Under specific microarchitectural circumstances, a register in “Zen 2” CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.



## ZOMBIELOAD ATTACK RETURN OF THE LEAKING DEAD

Watch out! Your processor resurrects your private browsing history and other sensitive data.

After Meltdown, Spectre, and Foreshadow, we discovered more critical vulnerabilities in modern processors. The Zombieload attack allows reading sensitive data and keys while the computer accesses them.



### SLAP

Data Speculation Attacks via Load Address Prediction on Apple Silicon

We present SLAP, a new speculative execution attack that abuses their unpredictable dependencies, as opposed to control flow dependencies. More specifically we show that Apple’s M1/M2 architecture is vulnerable to a new type of speculative execution attack, False Load Output Predictive (FLOP), which improves performance by guessing the next memory address the CPU will reference data from between prior memory accesses.



### FLOP

Breaking the Apple M3 CPU via False Load Output Predictions

We present FLOP, another speculative execution attack that results from recent Apple’s CPU predicting the outcome of data dependencies. Here, we demonstrate that Apple’s M1/M2 generation of chips is vulnerable to a new type of speculative execution attack, False Load Output Predictive (FLOP). The FLOP improves performance on data dependencies by guessing the data value that will be returned by the memory subsystem or the next access by the CPU’s core, before the value is actually available.

## MDS: Microarchitectural Data Sampling

Attacks on the newly-disclosed “MDS” hardware vulnerabilities in Intel CPUs



### Meltdown

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown.



### LVI - Hijacking Transient with Load Value Injekti

LVI is a new class of transient microarchitectural flaws in modern processors to inject attacker causal sensitive data and keys from DRAM SRAM, i.e. for your personal data.



Downfall attacks target a critical weakness found in billions of modern processors used in personal and cloud computers. This vulnerability, identified in [CVE-2022-36154](#), enables a user to access and steal data from other users who share the same computer. For instance, a malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages. Similarly, in cloud computing environments, a malicious customer could exploit the Downfall vulnerability to steal data and credentials from other customers who share the same cloud computer.



### Spectre

[Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution](#)

[Read the paper](#) [Cite](#) [Watch a demo](#)



### PACMAN Attacking ARM Pointer Authentication with Speculative Execution

THE PAC MAN ATTACK

60 July 2022



### FORESHADOW

## Retbleed: Arbitrary Speculative Code Execution with Return Instructions

Retbleed ([CVE-2022-29990](#) and [CVE-2022-29991](#)) is the newest addition to the family of speculative execution attacks that exploit branch target injection to leak information, which we call Spectre-BTI. Unlike its siblings, who trigger harmful branch target speculation by exploiting indirect jumps or calls, Retbleed exploits return instructions. This means a great deal, since it undermines some of our current Spectre-BTI defenses.

## Cross-Process Information Leak

Bulletin ID: AMD-SB-7008

Potential Impact: Information disclosure

Severity: Medium

### Summary

Under specific microarchitectural circumstances, a register in “Zen 2” CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.

**ZOMBIELOAD ATTACK  
RETURN OF THE LEAKING DEAD**

Watch out! Your processor resurrects your private browsing history and other sensitive data.

After Meltdown, Spectre, and Foreshadow, we discovered more critical vulnerabilities in modern processors. The Zombieload attack allows reading sensitive data and keys while the computer accesses them.



**SLAP**  
Data Speculation Attacks via Load Address Prediction on Apple Silicon



**FLOP**  
Breaking the Apple M3 CPU via False Load Output Predictions

We present SLAP, a new speculative execution attack that bypasses hyperthreaded dependencies, as opposed to control flow dependencies. More specifically, we show that Apple M3 CPU suffers from a serious vulnerability in its False Load Output Predictor (FLOP), which improves performance by guessing the next memory address the CPU will reference data from between prior memory accesses.

## MDS: Microarchitectural Data Sampling

Attacks on the newly-discovered “MDS” hardware vulnerabilities in Intel CPUs



### LVI - Hijacking Transis with Load Value Injec

LVI is a new class of transient microarchitectural flaws in modern processors to inject attacker-caused sensitive data and keys from DRAM SRAM, or for your personal data.

## Downfall Attacks

Attack Demo FAQ Advisories Links



Downfall attacks target a critical weakness found in billions of modern processors used in personal and cloud computers. This vulnerability, identified in [CVE-2022-36154](#), enables a user to access and steal data from other users who share the same computer. For instance, a malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages. Similarly, in cloud computing environments, a malicious customer could exploit the Downfall vulnerability to steal data and credentials from other customers who share the same cloud computer.



## Google researchers discover ‘Reptar,’ a new CPU vulnerability

November 15, 2021

Meltdown break between user ap  
This attack allow  
thus also the set operating system

This year, Google has seen an increase in the number of vulnerabilities impacting central processing units (CPUs) across hardware systems. One of the most notable of these submissions was discovered in August, when Google researchers discovered [Intel CVE-2021-34423](#) and [Dell EMC CVE-2021-26051](#), affecting Intel and AMD CPUs.

If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown,

applications must  
Spectre is harder to mitigate  
specific known-vulnerabilities  
software patches

**WARP**  
WARP is a new software fault attack on DDR3 memory and DRAM. It allows attackers to hijack control flow inside encrypted VMs and perform privilege escalation inside the VM.

**CACHE WARP**  
CacheWarp is a new software fault attack on DDR3 memory and DRAM. It allows attackers to hijack control flow inside encrypted VMs and perform privilege escalation inside the VM.

Read the paper ▾ Cite ↗ Watch a demo ▾

**THE PAC MAN ATTACK**

Retbleed: Arbitrary Speculative Code Execution with Return Instructions

Retbleed ([CVE-2022-29990](#) and [CVE-2022-29991](#)) is the newest addition to the family of speculative execution attacks that exploit branch target injection to leak information, which we call Spectre-BTI. Unlike its siblings, who trigger harmful branch target speculation by exploiting indirect jumps or calls, Retbleed exploits return instructions. This means a great deal, since it undermines some of our current Spectre-BTI defenses.

READ  
CITE ↗ TRY

Retbleed: Arbitrary Speculative Code Execution with Return Instructions

60 July 2022

## Downfall Attacks

[Attack](#) [Demo](#) [FAQ](#) [Advisories](#) [Links](#)



### LVI - Hijacking Transis with Load Value Injec

LVI is a new class of transient evens that allow an attacker to inject attacker-controlled data and keys from DRAM into modern processors to inject attacker-controlled data and keys from DRAM into modern processors.



Downfall attacks target a critical weakness found in billions of modern processors used in personal and cloud computers. This vulnerability, identified in [CVE-2022-35592](#), enables a user to access and steal data from other users who share the same computer. For instance, a malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages. Similarly, in cloud computing environments, a malicious customer could exploit the Downfall vulnerability to steal data and credentials from other customers who share the same cloud computer.

## Cross-Process Information Leak

Bulletin ID: AMD-SB-7008  
Potential Impact: Information disclosure  
Severity: Medium

### Summary

Under specific microarchitectural circumstances, a register in "Zen 2" CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.



## MDS: Microarchitectural Data Sampling

Attacks on the newly-discovered "MDS" hardware vulnerabilities in Intel CPUs



### Branch Privilege Injection: Exploiting Branch Predictor Race Conditions

Branch Privilege Injection ([CVE-2022-45332](#)) brings back the full might of branch target injection attacks (Spectre-BT) on Intel. Intel's hardware mitigations against these types of attacks have held their ground for at least 6 years. In our work, we demonstrate how these mitigations can be broken due to a race condition in Intel CPUs.

### Google researchers discover 'Reptar,' a new CPU vulnerability

November 15, 2021



### APIC

APIC Leaks is a low-O(N) attack that can be used to steal data from the processor itself or read DRAM and DRAM pages from Intel CPUs via the APIC-MIO interface, originally introduced in a Intel chip about 10 years ago.

### ectre

ectre is between different tactics to trick error-free. It practices, into leaking their hecks of said best practices

### Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution

[Read the paper](#) [Cite](#) [Watch a demo](#)



### FORESHADOW

## CACHE WARP

CacheWarp is a new software fault attack on DDR3 memory and DRAM. CacheWarp is able to leak data to an adversary to hijack control flow attacks into encrypted VMs and perform privilege escalation inside the VM.



### SLAP

Data Speculation Attacks via Load Address Prediction on Apple Silicon

We present SLAP, a new speculative execution attack that abuses hyper-threaded dependencies, as opposed to control-flow dependencies. More specifically, we show that Apple's M1X processor is vulnerable to a new type of speculative execution attack, called False Load Output Predictions (FLOP). The FLOP improves performance over data dependencies by guaranteeing the data value that will be returned by the memory subsystem or the next access by the CPU cores, before the value is actually available.

### READ

[READ](#)

[WRITE](#)

[TRY](#)

[CITE](#)

[TRY](#)

[CITE](#)

[READ](#)

### FLOP

Breaking the Apple M3 CPU via False Load Output Predictions

We present FLOP, another speculative execution attack that abuses hyper-threaded dependencies, as opposed to control-flow dependencies. More specifically, we show that Apple's M3 processor is vulnerable to a new type of speculative execution attack, called False Load Output Predictions (FLOP). The FLOP improves performance over data dependencies by guaranteeing the data value that will be returned by the memory subsystem or the next access by the CPU cores, before the value is actually available.



# RISC-V: A Clean Slate?



**Can we design a secure  
architecture from the start or will  
we repeat the same mistakes?**



# CPU Vulnerability Classes



**Side Channels**



**CPU Bugs**



**Transient  
Execution**



# CPU Vulnerability Classes



**Side Channels**



**CPU Bugs**



**Transient  
Execution**



# Side Channels: RSA Square-and-Multiply

```
func exp_mod(C, d, n): /* M=C^d mod n */
    x = C
    for bit in d: /* MSB-first */
        x = x * x /* Square */
        if bit == 1:
            x = x * C /* Multiply */
    return x % n
```



# Side Channels: RSA Square-and-Multiply

- $d$  is secret

```
func exp_mod(C, d, n): /* M=C^d mod n */  
    x = C  
    for bit in d: /* MSB-first */  
        x = x * x /* Square */  
        if bit == 1:  
            x = x * C /* Multiply */  
    return x % n
```



# Side Channels: RSA Square-and-Multiply

- $d$  is secret
- Multiplication  $\iff \text{bit}=1$

```
func exp_mod(C, d, n): /* M=C^d mod n */  
    x = C  
    for bit in d: /* MSB-first */  
        x = x * x /* Square */  
        if bit == 1:  
            x = x * C /* Multiply */  
    return x % n
```



# Side Channels: RSA Square-and-Multiply

- $d$  is secret
- Multiplication  $\iff \text{bit}=1$
- How to leak?

```
func exp_mod(C, d, n): /* M=C^d mod n */  
    x = C  
    for bit in d: /* MSB-first */  
        x = x * x /* Square */  
        if bit == 1:  
            x = x * C /* Multiply */  
    return x % n
```



# Flush+Reload





# Flush+Reload





# Flush+Reload





# Flush+Reload





# Flush+Reload





# Flush+Reload





# Flush+Reload





# Flush+Reload





# Accurate Timers?

## Architectural timers

`rdcycle` hardware cycles

`rdtime` platform time

`rdinstret` retired instructions

High resolution, available in `user space` on many cores



## Cache Maintenance?

- No cache maintenance in base ISA  
→ Only fences



# Cache Maintenance?

- No cache maintenance in base ISA  
→ Only fences

## Vendor-specific cache operations

T-Head Cores:

- Unprivileged D-Cache flush by virtual address (like clflush)
- fence.i flushes entire I-Cache



# AES T-Table (x86)





# AES T-Table (RISC-V, C906)



## rdcycle **vs** rdinstret

CPU cycles and retired instructions can differ

rdcycle **vs** rdinstret

CPU cycles and retired instructions can differ



Drift between `rdcycle` and `rdinstruct` leaks information about executed instructions (including from the [kernel](#))





# Takeaways

## ■ Accurate Timers

- ISA exposes `rdcycle`, `rdinstret` to user space
- Enables CycleDrift, precise cache timing
- ✓ Linux now disables user-space access on RISC-V



# Takeaways

## Accurate Timers

- ISA exposes `rdcycle`, `rdinstret` to user space
- Enables CycleDrift, precise cache timing
- ✓ Linux now disables user-space access on RISC-V

## Cache Maintenance

- `fence.i` is **unprivileged** and flushes the **entire I-Cache**
- T-Head adds unprivileged D-Cache flush by virtual address (like `clflush`)
- Enables Flush+Reload on I-Cache and D-Cache.



# CPU Vulnerability Classes



**Side Channels**



**CPU Bugs**



**Transient  
Execution**



# CPU Vulnerability Classes



**Side Channels**



**CPU Bugs**



**Transient  
Execution**



# Differential CPU Fuzzing





# Differential CPU Fuzzing





# Differential CPU Fuzzing





# Differential CPU Fuzzing





# Differential CPU Fuzzing





# Differential CPU Fuzzing





# Intel F00F Bug



A single (invalid) instruction deadlocked the CPU



# Halt and Catch Fire (C906)

```
th.lbib t0, (t0), 0, 0  
frcsr t0  
li t0, 0
```



# Halt and Catch Fire (C906)

```
th.lbib t0, (t0), 0, 0  
frcsr t0  
li t0, 0
```

**CPU just hangs**



# Halt and Catch Fire (C906)

```
th.lbib t0, (t0), 0, 0  
frcsr t0  
li t0, 0
```

## Synopsis

Load indexed byte, increment address before loading.

## Mnemonic

th.lbib rd, (rs1), imm5, imm2

## Description

This instruction increments the value in `rs1` by  $(\text{sign\_extend}(\text{imm5}) \ll \text{imm2})$  and writes the result back to `rs1`. After the increment of `rs1`, this instruction loads a sign extended 8-bit value into the GP register `rd` from the (incremented) address `rs1`.

*The encoding of this instruction with equal `rd` and `rs1` is reserved.*



# Halt and Catch Fire (C906)

```
th.lbib t0, (t0), 0, 0  
frcsr t0  
li t0, 0
```

## Synopsis

Load indexed byte, increment address before loading.

## Mnemonic

th.lbib **rd**, (**rs1**), imm5, imm2

## Description

This instruction increments the value in **rs1** by  $(\text{sign\_extend}(\text{imm5}) \ll \text{imm2})$  and writes the result back to **rs1**. After the increment of **rs1**, this instruction loads a sign extended 8-bit value into the GP register **rd** from the (incremented) address **rs1**.

*The encoding of this instruction with equal rd and rs1 is reserved.*



# Simulator Verification





# Simulator Verification



\*\*\*\*\*

\* Error: There is no instructions retired in the last 50000 cycles! \*

\* Simulation Fail and Finished! \*

\*\*\*\*\*



# Other Cores?

```
.fill 1, 4, 0x20b00087
```

**T-Head C908**



## Other Cores?

```
.fill 1, 4, 0x20b00087
```

**T-Head C908**

```
.fill 1, 4, 0xe0815407
```

**SpacemiT X60**



# Mitigation Options

## 🚫 C908/X60 DoS

- Disable V extension in kernel
  - Prevents denial-of-service on C908/X60
- 
- 👎 Performance loss
  - 👎 Breaks vector-dependent software



# Mitigation Options

## 🚫 C908/X60 DoS

- Disable V extension in kernel
- Prevents denial-of-service on C908/X60

👎 Performance loss  
👎 Breaks vector-dependent software

## ⚠️ C906 DoS

- T-Head vendor extension cannot be disabled
- “The th.sxstatus.THEADISAE bit is not expected to be cleared. The behavior of clearing this bit is undefined”.

⚠️ No known mitigation



# GhostWrite



# RISC-V Vector Instructions

vse128.v v0, 0(t0)





# RISC-V Vector Instructions

vse128.v v0, 0(t0)





# RISC-V Vector Instructions

vse128.v v0, 0(t0)





# RISC-V Vector Instructions

vse128.v v0, 0(t0)





# RISC-V Flawed Vector Instruction (C910)



| t0     | v0 | v1 | v2 | v3 | v4 | v5 |
|--------|----|----|----|----|----|----|
| 0x1000 | R  | I  | S  | C  | -  | V  |





# RISC-V Flawed Vector Instruction (C910)

vse128.v v0, 0(t0)



| t0     | v0 | v1 | v2 | v3 | v4 | v5 |
|--------|----|----|----|----|----|----|
| 0x1000 | R  | I  | S  | C  | -  | V  |





# RISC-V Flawed Vector Instruction (C910)

vse128.v v0, 0(t0)





# RISC-V Flawed Vector Instruction (C910)

vse128.v v0, 0(t0)





# RISC-V Flawed Vector Instruction (C910)

vse128.v v0, 0(t0)



| t0     | v0 | v1 | v2 | v3 | v4 | v5 |
|--------|----|----|----|----|----|----|
| 0x1000 | R  | I  | S  | C  | -  | V  |





# RISC-V Flawed Vector Instruction (C910)

vse128.v v0, 0(t0)



| t0     | v0 | v1 | v2 | v3 | v4 | v5 |
|--------|----|----|----|----|----|----|
| 0x1000 | R  | I  | S  | C  | -  | V  |





# RISC-V Flawed Vector Instruction (C910)

vse128.v v0, 0(t0)





# RISC-V Flawed Vector Instruction (C910)

vse128.v v0, 0(t0)



| t0     | v0 | v1 | v2 | v3 | v4 | v5 |
|--------|----|----|----|----|----|----|
| 0x1000 | R  | I  | S  | C  | -  | V  |





# GhostWrite: Circumventing Virtual Memory

## Normal Memory Write





# GhostWrite: Circumventing Virtual Memory

Normal Memory Write



GhostWrite



*Permissions  
Checked*



# GhostWrite Exploitation



Rewrite [page tables](#)



Overwrite [kernel](#)



# GhostWrite Exploitation



Rewrite **page tables**



Overwrite **kernel**



Modify **M-mode** firmware



Break **trusted execution**

unprivileged@c910:~\$ █

Home / RISC-V

# Elastic Metal RV1

The world's first RISC-V servers available in the cloud.

Taste the new open processor architecture now.

Will you take the risk?

[Order Now →](#)[Read the press release →](#)

An open RISC  
architecture



Compact and  
economical



Designed and  
assembled in Paris

```
.=oooooooooooo=.  
oooooooooooooooooooo  
oooooooooooooooooooo  
oooooooooooooooooooo  
oooo ooooooooooooo ooooo / -- / - - - / -- / - - - / -- / - - - / -- / - - -  
oooo ooooooooooooo ooooo \ \ / - / - \ / - ) | / / / - \ / / / / / - / - \ - <  
oooo ooooooooooooo ooooo / -- \ \ / \ , / - \ / | - , - \ \ , / \ / - \ \ , / - . - / - /  
oooo ooooo ooooo ooooo / -- /----- The world's first on-demand RISC-V server by Scaleway.  
oooo ooooo ooooo ooooo /-----  
oooo ooooo ooooo ooooo Arch : riscv64  
oooo ooooooooooooo ooooo CPU : 4 cores @ 1.848Ghz - isa rv64imafdcvsu  
oooo ooooooooooooo ooooo Memory : 16GiB  
oooo ooooo ooooo ooooo Storage : 128GB  
oooo ooooo ooooo ooooo Network : 100Mb/s  
-----  
oooooooooooooooooooo More details: https://labs.scaleway.com/en/em-rv1/  
oooooooooooooooooooo -----
```

Welcome to Ubuntu 23.10 (GNU/Linux 5.10.113+ riscv64)

- \* Documentation: <https://help.ubuntu.com>
- \* Management: <https://landscape.canonical.com>
- \* Support: <https://ubuntu.com/advantage>

0 updates can be applied immediately.

Last login: Sat Mar 9 14:16:33 2024 from 87.145.163.240

```
ubuntu@risc:~$ sudo ./a.out  
Virtual address: 3feab9f000  
Physical address: 3efc9b000
```

```
Value before: caaa  
Value after: cafe
```

```
ubuntu@risc:~$ █
```



# GhostWrite Mitigation Options

## 🚫 Disable Vector Extension

- Disable V extension in kernel
- Blocks GhostWrite

👎 Performance loss

👎 No software relying on V

👎 Requires trusted kernel



# GhostWrite Mitigation Options

## 🚫 Disable Vector Extension

- Disable V extension in kernel
  - Blocks GhostWrite
- 👎 Performance loss
- 👎 No software relying on V
- 👎 Requires trusted kernel

### Vulnerabilities:

|                            |                                   |
|----------------------------|-----------------------------------|
| Gather data sampling:      | Not affected                      |
| Ghostwrite:                | Mitigation; xtheadvector disabled |
| Indirect target selection: | Not affected                      |
| Itlb multihit:             | Not affected                      |
| L1tf:                      | Not affected                      |
| Mds:                       | Not affected                      |
| Meltdown:                  | Not affected                      |
| Mmio stale data:           | Not affected                      |
| Reg file data sampling:    | Not affected                      |
| Retbleed:                  | Not affected                      |



# GhostWrite Mitigation Options

## 🚫 Disable Vector Extension

- Disable V extension in kernel
- Blocks GhostWrite

👎 Performance loss

👎 No software relying on V

👎 Requires trusted kernel

## 💻 Replace CPU

- Fix the bug in a new CPU revision
- Fixes GhostWrite

👎 Expensive and slow to deploy

👎 Requires hardware replacement

👍 Only real fix



# GhostWrite Mitigation Options

## 🚫 Disable Vector Extension

- Disable V extension in kernel
- Blocks GhostWrite

👎 Performance loss

👎 No software relying on V

👎 Requires trusted kernel

## 💻 Replace CPU

- Fix the bug in a new CPU revision
- Fixes GhostWrite

👎 Expensive and slow to deploy

👎 Requires hardware replacement

👍 Only real fix

**Trade off:** short-term software band aid (disable V) versus long-term architectural fix (new CPU revision).



# Patterns From our Findings

## Limited DV Scrutiny

- Hardware ≠ Software → DV is critical
- Differential testing across vendors



# Patterns From our Findings

## Limited DV Scrutiny

- Hardware ≠ Software → DV is critical
- Differential testing across vendors

## High Diversity

- Implement only ratified extensions
- Use vendor extensions carefully
- Mandate specific behavior in ISA



# Patterns From our Findings

## Limited DV Scrutiny

- Hardware ≠ Software → DV is critical
- Differential testing across vendors

## Unconfigurable Hardware

- Features should have kill switches
- Instruction hooking mechanism

## High Diversity

- Implement only ratified extensions
- Use vendor extensions carefully
- Mandate specific behavior in ISA



# Patterns From our Findings

## Limited DV Scrutiny

- Hardware ≠ Software → DV is critical
- Differential testing across vendors

## Unconfigurable Hardware

- Features should have kill switches
- Instruction hooking mechanism

## High Diversity

- Implement only ratified extensions
- Use vendor extensions carefully
- Mandate specific behavior in ISA

## No Update Path

- Microcode or similar mechanism
- Even if microcode adds complexity
- We argue: Increases security



# CPU Vulnerability Classes



**Side Channels**



**CPU Bugs**



**Transient  
Execution**



# CPU Vulnerability Classes



**Side Channels**



**CPU Bugs**



**Transient  
Execution**

```
lgerlach@lab53 ..eculate/experiments/pocs/e2e/userspace % CENSOR_HASHES=1 sudo -E ./hash_lookup_bpf /etc/shadow
```



# Spectre on RISC-V: Implications

Out-of-order RISC-V CPUs are vulnerable to Spectre

Kernel lacks mitigations that x86 and ARM have had since 2018



# No Speculation Barriers

## x86

LFENCE

Standardized

## ARM

CSDB / DSB

Standardized

## RISC-V

Nothing

No dedicated fence



# No Speculation Barriers

## x86

LFENCE

Standardized

## ARM

CSDB / DSB

Standardized

## RISC-V

Nothing

No dedicated fence

- BPF JIT has no instruction to emit → emits no-op
- Workaround: CSR reads (`rdtime`) empirically stop speculation
- But: **undocumented** behavior, not guaranteed



# Kernel Patches

## Unprotected kernel paths on RISC-V

- [Syscall dispatch](#) – no array\_index\_nospec
- [User memory access](#) – no pointer masking
- [BPF](#) – JIT does not emit speculation barrier
- [Futex operations](#)



# Kernel Patches

## Unprotected kernel paths on RISC-V

- [Syscall dispatch](#) – no array\_index\_nospec
- [User memory access](#) – no pointer masking
- [BPF](#) – JIT does not emit speculation barrier
- [Futex operations](#)

Patches submitted – some already merged into  
Linux mainline



## What we need to mitigate this



- Standardized **serializing fence** instruction needed
- Kernel needs **fine grained** settings for mitigations
- Compiler needs support for retpoline equivalent
- Vendors need to document speculative behavior of CPUs

## What goes wrong

- Unprivileged timers & cache maintenance
- Vendor extensions, non-ratified extensions
- Bugs: GhostWrite, DoS
- Missing kill switches, no update path
- Transient execution

## 🚫 What goes wrong

- Unprivileged timers & cache maintenance
- Vendor extensions, non-ratified extensions
- Bugs: GhostWrite, DoS
- Missing kill switches, no update path
- Transient execution

## 🌟 What we suggest

- Privileged cache maintenance
- Coarse user-space timers
- Ratified extensions only
- Kill switches
- Instruction hooking/ update mechanism
- Standardized serializing fence

## ⌚ What goes wrong

- Unprivileged timers & cache maintenance
- Vendor extensions, non-ratified extensions
- Bugs: GhostWrite, DoS
- Missing kill switches, no update path
- Transient execution

## ✖ What we suggest

- Privileged cache maintenance
- Coarse user-space timers
- Ratified extensions only
- Kill switches
- Instruction hooking/ update mechanism
- Standardized serializing fence

## ★ What we wish for

- Documentation/Source code
- Unified perf interface
- Reproducible builds/kernel headers
- `mvendorid/marchid` DB

## ✗ What goes wrong

- Unprivileged timers & cache maintenance
- Vendor extensions, non-ratified extensions
- Bugs: GhostWrite, DoS
- Missing kill switches, no update path
- Transient execution

## ❖ What we suggest

- Privileged cache maintenance
- Coarse user-space timers
- Ratified extensions only
- Kill switches
- Instruction hooking/ update mechanism
- Standardized serializing fence

## ★ What we wish for

- Documentation/Source code
- Unified perf interface
- Reproducible builds/kernel headers
- `mvendorid/marchid` DB

[github.com/cispa/Security-RISC](https://github.com/cispa/Security-RISC)





# Security Problem or Not?

## CVE-2025-20103 (DoS)

Insufficient resource pool in the core management mechanism for some Intel Processors may allow an authenticated user to potentially enable denial of service via local access.

**6.5 Medium**



# Security Problem or Not?

## CVE-2025-20103 (DoS)

Insufficient resource pool in the core management mechanism for some Intel Processors may allow an authenticated user to potentially enable denial of service via local access.

**6.5 Medium**

## CVE-2017-5754 (Meltdown)

Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

**5.6 Medium**



# Simple, but Effective

## ⚡ Small tests. Big failures.

Real bugs found in seconds or minutes across diverse RISC-V cores.



### Privilege Escalation

C910, C920

<1 second



### Denial-of-Service

C906, C908, X60

2–50 minutes



### Architectural Bugs

U54, P550, C906, C908, C910

<2 minutes



### Simulator Breakage

QEMU segfaults

<30 seconds