GhostWrite vulnerability breaks integrity of T-Head RISC-V CPU
Using a new CPU fuzzing method for RISC-V implementations, CISPA researcher Fabian Thomas from the research group of Dr. Michael Schwarz has discovered three architectural vulnerabilities affecting the T-Head CPUs XuanTie C906, C908 and C910. GhostWrite, the most impactful of the three, concerns the XuanTie C910. It not only provides direct access to the DRAM, allowing unprivileged users to modify data directly in physical memory, but can also interact with the hard drive and peripheral devices such as network cards and graphics cards. Thomas has further detected two “halt-and-catch-fire” CPU vulnerabilities, one concerning the XuanTie C906 and one concerning the XuanTie C908, which can be exploited for unprivileged denial-of-service attacks.
RISC-V: Young, open, flexible and potentially problematic
The starting point for Thomas and Schwarz’s discovery was the rise of RISC-V CPUs. RISC-V is a relatively young, open standard instruction set architecture (ISA) that has allowed new CPU manufacturers to emerge. In general terms, an ISA determines how software interacts with the CPU, specifying the instructions to which the CPU may respond. “Being very flexible, RISC-V enables manufacturers to implement their own customized ISA extensions. Problematically, there is no central registry for these custom extensions, so that different CPUs might use the same encoding for different instructions”, Fabian Thomas explains. “As a result, software developed to suit one manufacturer’s RISC-V CPU might elicit different behavior when used on another RISC-V CPU. This variance in CPU behaviors can prove problematic.” To date, RISC-V CPUs have found application in a small number of hardware cores that are used, for example, in laptops, smartphones, and servers. Five consumer-grade RISC-V CPUs are currently available.
Enter RISCVuzz: A differential fuzzing framework for RISC-V CPUs
Thomas and Schwarz hypothesized that the heterogeneity of RISC-V CPUs and their custom extensions might be used to detect architectural vulnerabilities across RISC-V implementations. To this end, they developed a differential CPU fuzzing method named RISCVuzz and ran it against all five consumer-grade RISC-V CPUs. Michael Schwarz explains the logic underpinning their fuzzing approach: “Basically, we assumed that if we feed all our CPUs the same supported instruction, their responses should be the same, too. Every time a CPU came up with a response that deviated from the other CPUs’, we examined it more closely for vulnerabilities. In other words, if four out of five hotel safes remain locked when you enter ‘0000’ but the fifth one springs open, you have reason to assume that something is awry with that one.”
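The differential oracle described above, written out as an added example (this is not RISCVuzz code and not CISPA’s): each CPU’s architecturally visible outcome for one test instruction is recorded, the outcome shared by a strict majority is taken as the reference, and any CPU that disagrees is flagged for manual review. The CPU names, the `Outcome` fields and all sample results are constructed for illustration and do not describe any real instruction encoding or CPU.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Outcome:
    """Architecturally visible result of one instruction on one CPU.
    Fields are simplified for this example; a real harness would record
    the full register file and a digest of the probed memory window."""
    rd: int                 # destination register value after execution
    mem_digest: str         # digest of the memory window the test may touch
    fault: Optional[str]    # trap raised, or None if the instruction retired


@dataclass(frozen=True)
class Verdict:
    reference: Optional[Outcome]   # majority outcome, None if no strict majority
    deviating: tuple[str, ...]     # CPUs whose outcome differs from the reference


def find_deviating_cpus(results: dict[str, Outcome]) -> Verdict:
    """Differential oracle: the outcome shared by a strict majority of CPUs is
    the reference; every CPU that disagrees is flagged. Without a strict
    majority the case is inconclusive and every CPU is returned, so a tie is
    never silently treated as agreement."""
    if not results:
        return Verdict(None, ())
    counts = Counter(results.values())          # Outcome is frozen, hence hashable
    reference, votes = counts.most_common(1)[0]
    if votes * 2 <= len(results):
        return Verdict(None, tuple(sorted(results)))
    deviating = tuple(sorted(cpu for cpu, out in results.items() if out != reference))
    return Verdict(reference, deviating)


def triage_corpus(corpus: dict[str, dict[str, Outcome]]) -> dict[str, Verdict]:
    """Run the oracle over every test case; keep only cases that produced
    disagreement or were inconclusive, since those are the ones worth a look."""
    return {name: v for name, res in corpus.items()
            if (v := find_deviating_cpus(res)).deviating}


# Constructed sample data: five hypothetical CPUs and three test cases.
TRAP = Outcome(rd=0, mem_digest="mem-unchanged", fault="illegal-instruction")
OK = Outcome(rd=0x2A, mem_digest="mem-unchanged", fault=None)
CPUS = ["cpu-A", "cpu-B", "cpu-C", "cpu-D", "cpu-E"]

# Case 1: an encoding traps on four CPUs but retires on the fifth and alters
# memory outside the test window -> the fifth CPU is the outlier.
CASE_DEVIATING = {cpu: TRAP for cpu in CPUS[:4]}
CASE_DEVIATING["cpu-E"] = Outcome(rd=0, mem_digest="mem-modified", fault=None)

# Case 2: a standard instruction behaves identically everywhere.
CASE_AGREE = {cpu: OK for cpu in CPUS}

# Case 3: a 2-2-1 split gives no strict majority -> inconclusive.
CASE_TIE = {"cpu-A": TRAP, "cpu-B": TRAP, "cpu-C": OK, "cpu-D": OK,
            "cpu-E": Outcome(rd=0x2A, mem_digest="mem-modified", fault=None)}

CORPUS = {"case-1": CASE_DEVIATING, "case-2": CASE_AGREE, "case-3": CASE_TIE}

if __name__ == "__main__":
    for name, verdict in triage_corpus(CORPUS).items():
        status = "inconclusive" if verdict.reference is None else "deviation"
        print(f"{name}: {status}, review {', '.join(verdict.deviating)}")
```

The strict-majority rule is the important design choice: with only five implementations a 2-2-1 split carries no information about which behaviour is correct, so the oracle reports it as inconclusive rather than picking the first-seen outcome as the reference.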
Disclosure and mitigation
In February 2024, Thomas and Schwarz disclosed their findings to T-Head, an Alibaba subsidiary, and in April 2024 to Scaleway, a cloud service provider that had just begun using the C910 CPU in the cloud. To date, there are no updates to mitigate any of the three architectural vulnerabilities. GhostWrite as well as the vulnerability affecting the C908 can be mitigated by disabling the vector extension, which, however, also renders core functionality of the CPUs unusable. No viable mitigation has been identified for the vulnerability affecting the C906. “CPUs are written in code. It is important that we disclose the vulnerabilities we find to prevent these bugs from proliferating in other CPU developments”, Michael Schwarz says. The CISPA research on RISCVuzz will be presented at the Black Hat USA conference in Las Vegas on August 7, 2024.
Academic Publication:
Thomas, Fabian; Hetterich, Lorenz; Zhang, Ruiyi; Weber, Daniel; Gerlach, Lukas; Schwarz, Michael (2024) “Arbitrary Data Manipulation and Leakage with CPU Zero-Day Bugs on RISC-V” In: Black Hat USA 2024, 3-8 Aug 2024, Las Vegas, NV, USA.