Black Hat USA 2024: Critical RISC-V CPU vulnerability discovered. Dubbed GhostWrite; attackers can exploit this flaw to steal sensitive data from memory. Learn how this hardware bug threatens security and the potential performance impact of a fix.
A newly discovered hardware vulnerability, dubbed “GhostWrite,” has put a spotlight on the security of RISC-V processors. Researchers from CISPA Helmholtz Center for Information Security unveiled the flaw at the Black Hat USA 2024 conference, revealing how it could allow attackers to extract sensitive data from the CPU’s memory.
Researchers Fabian Thomas and Michael Schwarz discovered three architectural vulnerabilities in Alibaba subsidiary T-Head’s CPUs XuanTie C906, C908, and C910. GhostWrite (PDF), impacting C910 is most impactful as it allows unprivileged users to modify data directly in physical memory and interact with hard drives and peripheral devices whereas C906 and C908-related flaws can be exploited for denial-of-service attacks and causing system crashes.
GhostWrite exploits a weakness in the processor’s memory management system, granting attackers unrestricted access to a device’s physical memory, bypassing critical security measures and potentially compromising sensitive data. Unlike previous attacks like Rowhammer, GhostWrite doesn’t require physical access to the chip.
Instead, it leverages a malicious process to manipulate the virtual memory table, granting unauthorized access to specific physical memory addresses. GhostWrite can grant full read-write access to physical memory on the XuanTie C910. This allows attackers to steal sensitive data such as private keys and login credentials.
The most concerning aspect of this vulnerability is the potential performance impact of a fix. Disabling the specific extensions required to block GhostWrite attacks could result in a drastic 50% performance reduction, significantly limiting the chip’s capabilities.
The root of these issues lies in the open-source nature of RISC-V, which allows for customization and innovation but also introduces challenges in maintaining consistent security standards. The lack of a central registry for custom extensions exacerbates the problem, as different manufacturers may implement the same instruction with varying results.
To uncover these vulnerabilities, researchers developed a novel fuzzing technique called RISCVuzz, which systematically tested multiple RISC-V CPUs for unexpected behaviour. This approach proved successful in identifying the critical flaws in T-Head’s processors.
GhostWrite and C908 vulnerabilities can be mitigated by disabling the vector extension, rendering core CPUs unusable. However, no viable mitigation has been identified for C906. The flaws were disclosed to T-Head and cloud service provider Scaleway in April 2024, but no updates have been made to mitigate these issues.
While the discovery of GhostWrite and the other vulnerabilities is alarming, it is essential to note that the RISC-V ecosystem is still relatively young. The industry must collaborate to establish robust security standards and testing methodologies to prevent similar incidents in the future.
