idw – Informationsdienst Wissenschaft
07.08.2024 19:05

CPU Security: GhostWrite vulnerability breaks integrity of T-Head RISC-V CPU

Eva Michely, Corporate Communications
CISPA Helmholtz Center for Information Security

    A new vulnerability named GhostWrite fully compromises the integrity of the high-end RISC-V CPU XuanTie C910 manufactured by T-Head. GhostWrite grants attackers full read-and-write access to physical memory on the C910; it entirely bypasses virtual memory and caches and is invisible in performance counters. GhostWrite also affects cloud services that rely on C910-based machines and can only be mitigated by disabling the vector extension. Two further architectural CPU vulnerabilities have been found, one affecting the T-Head XuanTie C906 and one affecting the C908. The vulnerabilities were discovered by researchers at the CISPA Helmholtz Center for Information Security.

    Using a new CPU fuzzing method for RISC-V implementations, CISPA researcher Fabian Thomas from the research group of Dr. Michael Schwarz has discovered three architectural vulnerabilities affecting the T-Head CPUs XuanTie C906, C908 and C910. GhostWrite, the most impactful of the three, affects the XuanTie C910. It not only gives direct access to DRAM, allowing unprivileged users to modify data directly in physical memory, but can also interact with the hard drive and with peripheral devices such as network cards and graphics cards. Thomas has also detected two “halt-and-catch-fire” CPU vulnerabilities, one affecting the XuanTie C906 and one the XuanTie C908, which can be exploited for unprivileged denial-of-service attacks.

    RISC-V: Young, open, flexible and potentially problematic

    The starting point for Thomas and Schwarz’s discovery was the rise of RISC-V CPUs. RISC-V is a relatively young, open standard instruction set architecture (ISA) that has allowed new CPU manufacturers to emerge. In general terms, an ISA determines how software interacts with the CPU by specifying the instructions to which the CPU may respond. “Being very flexible, RISC-V enables manufacturers to implement their own customized ISA extensions. Problematically, there is no central registry for these custom extensions, so that different CPUs might use the same encoding for different instructions”, Fabian Thomas explains. “As a result, software developed to suit one manufacturer’s RISC-V CPU might elicit different behavior when used on another RISC-V CPU. This variance in CPU behaviors can prove problematic.” To date, RISC-V CPUs have found application in a small number of hardware cores that are used, for example, in laptops, smartphones, and servers. Five consumer-grade RISC-V CPUs are currently available.

    Enter RISCVuzz: A differential fuzzing framework for RISC-V CPUs

    Thomas and Schwarz hypothesized that the heterogeneity of RISC-V CPUs and their custom extensions might be used to detect architectural vulnerabilities across RISC-V implementations. To this end, they developed a differential CPU fuzzing method named RISCVuzz and ran it against all five consumer-grade RISC-V CPUs. Michael Schwarz explains the logic underpinning their fuzzing approach: “Basically, we assumed that if we feed all our CPUs the same supported instruction, their responses should be the same, too. Every time a CPU came up with a response that deviated from the other CPUs’, we examined it more closely for vulnerabilities. In other words, if four out of five hotel safes remain locked when you enter ‘0000’ but the fifth one springs open, you have reason to assume that something is awry with that one.”
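    The majority-vote logic Schwarz describes can be shown in a few lines. The following is an added illustration, not code from RISCVuzz or from CISPA: it stands in five constructed CPU models (placeholder names cpu-A to cpu-E, a hypothetical "vsetvl" case with made-up semantics, and a deliberately planted deviation in cpu-E that is not the real GhostWrite behaviour) for the real hardware, runs each test case on every model, and reports any case where one model's architectural result differs from the strict majority.

```python
from collections import Counter
from typing import Callable, Optional

# One observation per (CPU, test case): destination-register value, whether memory
# outside the test buffer changed, and whether the instruction trapped.
# Stored as a tuple so that observations can be counted and compared directly.
Observation = tuple[int, bool, bool]

MASK64 = 0xFFFFFFFFFFFFFFFF


def simulate_reference(insn: str, a: int, b: int) -> Observation:
    """Constructed reference model of a RISC-V-like core (hypothetical semantics)."""
    if insn == "add":
        return ((a + b) & MASK64, False, False)
    if insn == "xor":
        return (a ^ b, False, False)
    if insn == "vsetvl":  # stand-in for a vector-extension instruction; toy semantics
        return (min(a, 16), False, False)
    return (0, False, True)  # an unsupported encoding traps, as every model should agree


def simulate_deviant(insn: str, a: int, b: int) -> Observation:
    """Constructed deviant model: identical to the reference, except that the
    vector case silently modifies memory it should never touch (planted bug)."""
    rd, mem_changed, trap = simulate_reference(insn, a, b)
    if insn == "vsetvl":
        return (rd, True, trap)
    return (rd, mem_changed, trap)


# Five constructed "CPUs"; in the real setup these would be physical machines.
CPUS: dict[str, Callable[[str, int, int], Observation]] = {
    "cpu-A": simulate_reference,
    "cpu-B": simulate_reference,
    "cpu-C": simulate_reference,
    "cpu-D": simulate_reference,
    "cpu-E": simulate_deviant,
}


def find_outliers(results: dict[str, Observation]) -> tuple[Optional[Observation], dict[str, Observation]]:
    """Return the majority observation and the CPUs that disagree with it.
    A strict majority is required: a 2-2-1 split is reported as 'no consensus'
    (majority None, every CPU listed) rather than as a single outlier."""
    counts = Counter(results.values())
    majority, votes = counts.most_common(1)[0]
    if votes * 2 <= len(results):
        return None, dict(results)
    return majority, {cpu: obs for cpu, obs in results.items() if obs != majority}


def differential_run(test_cases: list[tuple[str, int, int]], cpus=CPUS):
    """Execute every test case on every CPU model and collect the cases where
    at least one model deviates from the others. Each finding is
    (insn, a, b, majority_observation, {cpu: deviating_observation})."""
    findings = []
    for insn, a, b in test_cases:
        results = {name: model(insn, a, b) for name, model in cpus.items()}
        majority, outliers = find_outliers(results)
        if outliers:
            findings.append((insn, a, b, majority, outliers))
    return findings


if __name__ == "__main__":
    cases = [("add", 1, 2), ("xor", 0xFF, 0x0F), ("vsetvl", 32, 0), ("bogus", 0, 0)]
    for insn, a, b, majority, outliers in differential_run(cases):
        print(f"{insn} {a} {b}: majority={majority} outliers={outliers}")
```

    Only the vector case is reported, and only cpu-E is named as the outlier; the unsupported encoding is not flagged because all five models trap on it, which is exactly the "four safes stay locked" situation in reverse. The strict-majority rule matters in practice: with only five devices, two manufacturers sharing an encoding for different instructions can produce a split vote, and such cases need a human look rather than an automatic "one bad CPU" verdict.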

    Disclosure and mitigation

    In February 2024, Thomas and Schwarz disclosed their findings to T-Head, an Alibaba subsidiary, and in April 2024 to Scaleway, a cloud service provider that had just begun using the C910 CPU in the cloud. To date, there are no updates to mitigate any of the three architectural vulnerabilities. GhostWrite as well as the vulnerability affecting the C908 can be mitigated by disabling the vector extension, which, however, also renders core functionality of the CPUs unusable. No viable mitigation has been identified for the vulnerability affecting the C906. “CPUs are written in code. It is important that we disclose the vulnerabilities we find to prevent these bugs from proliferating in other CPU developments”, Michael Schwarz says. The CISPA research on RISCVuzz will be presented at the Black Hat USA conference in Las Vegas on August 7, 2024.

    Link:
    Further information on GhostWrite is available at https://ghostwriteattack.com/


    Scientific contacts:

    Fabian Thomas and Dr. Michael Schwarz
    CISPA Helmholtz Center for Information Security
    Stuhlsatzenhaus 5
    66123 Saarbrücken, Germany
    fabian.thomas@cispa.de / michael.schwarz@cispa.de


    Original publication:

    Thomas, Fabian; Hetterich, Lorenz; Zhang, Ruiyi; Weber, Daniel; Gerlach, Lukas; Schwarz, Michael (2024) “Arbitrary Data Manipulation and Leakage with CPU Zero-Day Bugs on RISC-V” In: Black Hat USA 2024, 3-8 Aug 2024, Las Vegas, NV, USA.


    Images

    "GhostWrite" CPU vulnerability

    CISPA


    Characteristics of this press release:
    Journalists, scientists
    Information technology
    nationwide
    Research results
    English

