
Fuzz testing finds GhostWrite RISC-V vulnerability

Technology News |
By Nick Flaherty


Researchers in Germany have identified a vulnerability in a chip using the RISC-V architecture for the first time by using differential fuzz testing.

A team at the Helmholtz Centre for Information Security found the vulnerability, which they call GhostWrite, in the T-Head XuanTie C910 and C920 RISC-V CPUs used in a range of single board computers (see list below).

The vulnerability in the RISC-V vector extension allows unprivileged attackers, even those with limited access, to read and write any part of the computer’s memory and to control peripheral devices such as network cards. GhostWrite renders the CPU’s security features ineffective and cannot be fixed without disabling around half of the CPU’s functionality.

Boards with the T-Head XuanTie C910 and C920 processors include the Beagle V-Ahead and Milk-V Pioneer 64bit cloud cluster.

Unlike side-channel attacks or transient-execution attacks, GhostWrite is a direct CPU bug that uses faulty instructions in its vector extension. These faulty instructions work directly with physical memory instead of virtual memory, bypassing the process isolation normally enforced by the operating system and hardware. This bug is embedded in the hardware, meaning it cannot be fixed with software updates.

The team discovered the GhostWrite vulnerability by analyzing both documented and undocumented instructions using a method called differential fuzz-testing for CPUs. This uses small programs run on different CPUs to compare the results. As every RISC-V CPU should follow the RISC-V specification, they should produce the same results for the same inputs. When results differ between CPUs, it suggests that one of the CPUs might have an issue.

The T-Head XuanTie C910 CPU showed unusual behaviour with an illegally-encoded vector-store instruction. While other CPUs generated page fault exceptions or refused to execute the instruction, the C910 did execute it.
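To make the comparison step concrete, the following Python comparator (an added illustration, not the researchers' RISCVuzz tool or any code from the paper) applies the differential rule to per-core outcomes: every core must behave identically for the same instruction word, and a core that executes an encoding its peers reject is the highest-priority finding. The core names, case names, trap labels and results are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Outcome:
    """What one CPU did with one instruction word under identical initial state."""
    trap: Optional[str]      # trap cause name, or None if the instruction retired
    memory_changed: bool     # did the scratch buffer differ after execution?


def classify(o: Outcome) -> str:
    """Collapse outcomes to spec-level behaviour: any trap is a refusal to execute."""
    return "trapped" if o.trap is not None else "executed"


def find_deviants(results: dict) -> list:
    """results: {case_name: {cpu: Outcome}} -> (case, cpu, behaviour, consensus, severity).

    A core whose behaviour differs from the majority is reported. A core that
    *executes* what its peers trap on is 'high' severity: it honours an encoding
    the specification does not define, which is exactly the GhostWrite pattern.
    """
    findings = []
    for case, per_cpu in results.items():
        classes = {cpu: classify(o) for cpu, o in per_cpu.items()}
        majority, votes = Counter(classes.values()).most_common(1)[0]
        if votes == len(classes):
            continue  # unanimous: the cores agree, nothing to report
        for cpu, cls in classes.items():
            if cls != majority:
                sev = "high" if cls == "executed" else "medium"
                findings.append((case, cpu, cls, majority, sev))
    return findings


# Constructed sample run (not real measurements): three cores, two fuzz cases.
# Core names are placeholders; "core_C" stands in for a C910-like core.
SAMPLE_RESULTS = {
    "well-formed vector store (constructed case)": {
        "core_A": Outcome(trap=None, memory_changed=True),
        "core_B": Outcome(trap=None, memory_changed=True),
        "core_C": Outcome(trap=None, memory_changed=True),
    },
    "malformed vector-store encoding (constructed case)": {
        "core_A": Outcome(trap="illegal_instruction", memory_changed=False),
        "core_B": Outcome(trap="store_page_fault", memory_changed=False),
        "core_C": Outcome(trap=None, memory_changed=True),
    },
}

if __name__ == "__main__":
    for f in find_deviants(SAMPLE_RESULTS):
        print("%s: %s %s while consensus is %s [%s]" % f)
```

In the constructed data only the malformed encoding is reported, and only for core_C, mirroring the C910 behaviour described above.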

This illegally-encoded instruction allows a process to write directly to physical memory instead of virtual memory, revealing a severe security vulnerability where an unprivileged attacker, for example, a normal user, can use the instructions to write to any memory location. This completely bypasses security and isolation features, giving the attacker full, unrestricted access to the device.

The attack is 100% reliable, deterministic, and takes only microseconds to execute, and even security measures like Docker containerization or sandboxing cannot stop it. Additionally, the attacker can hijack hardware devices that use memory-mapped input/output (MMIO), allowing them to send any commands to these devices. The only way to mitigate this issue is to disable the entire vector functionality, which disables roughly 50% of the instruction set.

How the GhostWrite RISC-V vulnerability works

On its own, GhostWrite can only write to memory. However, it can be used to create a read function by modifying the page tables in memory. These tables translate virtual memory addresses to physical ones. Consequently, modifying them allows an attacker to get an accessible virtual address for any physical address, allowing reading and writing.

A second exploit shows how the GhostWrite-based read function can leak any memory content from a machine. This starts by filling the physical memory with page tables. Given that the victim system has 8GB of memory, this process takes a few seconds. The exploit then attempts to modify one of these page tables using GhostWrite. Once successful, the exploit can read a secret password directly from physical memory.

The researchers believe only the T-Head XuanTie C910 CPU in the TH1520 SoC and the T-Head XuanTie C920 CPU in the SOPHON SG2042 are affected by the GhostWrite RISC-V vulnerability. However, this still impacts a wide range of devices, including personal computers, laptops, containers, and virtual machines in cloud servers.

Devices with the RISC-V vulnerability include:

The research paper is at ghostwriteattack.com/riscvuzz.pdf
