LAS VEGAS — The RISC-V platform has found itself presented with a new security flaw based within the hardware of some CPUs.
Speaking at the 2024 Black Hat USA security conference in Las Vegas, a pair of researchers representing Germany’s CISPA Helmholtz Center for Information Security told conferencegoers how they uncovered a vulnerability dubbed "GhostWrite," capable of allowing an attacker to pull memory contents.
[For up-to-the-minute Black Hat USA coverage by SC Media, Security Weekly and CyberRisk TV visit our spotlight Black Hat USA 2024 coverage page.]
While not yet as ubiquitous as the proprietary x86 and ARM architectures, RISC-V has been making inroads into the CPU market thanks to the largely open nature of the architecture and a design model that allows for community input and collaboration.
In addition to the embedded and microcomputer markets, RISC-V chips have more recently been seen in laptops and cloud servers.
“RISC-V is open and community driven, everyone can contribute and propose features,” explained CISPA researcher Fabian Thomas.
“It is free to use and everyone can produce CPUs.”
With that extra attention, however, has come even more sets of eyes on the architecture, including those of security researchers and hackers intent on uncovering ways to exploit the chip’s shortcomings.
The CISPA team said that earlier this year it uncovered one such vulnerability in a series of CPUs produced by Chinese chipmaker T-Head for both laptop and bare metal cloud servers.
If targeted, the bug could be exploited to extract memory content from the CPUs, putting private keys and login credentials at risk.
The GhostWrite vulnerability lies in the way certain RISC-V processors, in this case the T-Head C910, manage access to memory from the CPU. Under normal circumstances, security checks and extensions would step in and prevent a process from accessing parts of the physical memory that were not essential to its operation.
With GhostWrite, however, a malicious process (such as a malware app) could manipulate the virtual memory table to then toggle access to specific physical memory addresses without being detected.
This, in turn, allows the attacker to pull memory contents almost at will.
The team said that unlike previous attacks such as the Rowhammer flaw, GhostWrite does not require physical access to the chip itself and a full exploit can be carried out in a short enough time frame to make real-world exploitation practical.
What’s worse, fixing the hardware bug will come at a serious performance cost. The researchers estimate that disabling the specific extensions needed to block an attack could result in the loss of as much as 50% of the chip’s instruction set, significantly limiting performance and access to features.
[For up-to-the-minute Black Hat USA coverage by SC Media, Security Weekly and CyberRisk TV visit our spotlight Black Hat USA 2024 coverage page.]
