Exploring GhostWrite: Security Risks for RISC-V Architecture

GhostWrite Vulnerability: New Threat to RISC-V Devices

LAS VEGAS — BLACK HAT USA 2024 — A team of researchers from the CISPA Helmholtz Center for Information Security in Germany has disclosed a new vulnerability affecting a popular CPU based on the RISC-V architecture.


Understanding RISC-V and the XuanTie C910

RISC-V is an open-source instruction set architecture (ISA) designed for developing custom processors for various applications, including embedded systems, microcontrollers, data centers, and high-performance computers. The XuanTie C910 CPU, developed by Chinese chip company T-Head, is among the fastest RISC-V CPUs available.

The GhostWrite Vulnerability

The CISPA researchers have identified a critical flaw in the XuanTie C910 CPU, dubbed GhostWrite. This vulnerability allows attackers with limited privileges to read and write to physical memory, potentially granting them full and unrestricted access to the targeted device.

Impacted Systems

Although the GhostWrite vulnerability is specific to the XuanTie C910 CPU, it affects a broad range of systems, including:

  • PCs
  • Laptops
  • Containers
  • Virtual Machines (VMs) in cloud servers

The researchers have confirmed the following devices as vulnerable:

  • Scaleway Elastic Metal RV bare-metal cloud instances
  • Sipeed Lichee Pi 4A
  • Milk-V Meles
  • BeagleV-Ahead single-board computers (SBCs)
  • Lichee compute clusters
  • Various laptops and gaming consoles

Exploitation and Demonstration

“To exploit the vulnerability, an attacker needs to execute unprivileged code on the vulnerable CPU. This poses a significant threat in multi-user and cloud systems or when untrusted code is executed, even in containers or virtual machines,” explained the researchers.

The team demonstrated how an attacker could leverage GhostWrite to gain root privileges or retrieve an administrator password from memory. Unlike many previously disclosed CPU attacks, GhostWrite is neither a side-channel nor a transient execution attack but an architectural bug.

Vendor and Mitigation Responses

The CISPA researchers have reported their findings to T-Head. However, it remains unclear if any corrective measures are being taken by the vendor. SecurityWeek reached out to T-Head’s parent company Alibaba for comment, but no response was received before the publication of this article.

Cloud computing and web hosting company Scaleway has also been notified. According to the researchers, Scaleway is actively providing mitigations to its customers.

It is important to note that this vulnerability is a hardware bug that cannot be resolved through software updates or patches. Disabling the vector extension in the CPU can mitigate attacks but may also degrade performance.
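The mitigation named above (disabling the vector extension) can be verified on a Linux host by inspecting the `isa` field of /proc/cpuinfo. The script below is an added example, not code from the article or from CISPA; it assumes the Linux RISC-V /proc/cpuinfo layout (one `isa : rv64...` line per hart, single-letter extensions before the first underscore, multi-letter ones after) and runs against a constructed sample.

```shell
#!/bin/sh
# Added example (not from the article or CISPA): check whether a RISC-V Linux
# host still exposes the "v" (vector) extension, i.e. whether the "disable the
# vector extension" mitigation is in effect. Assumes the Linux RISC-V
# /proc/cpuinfo layout: one "isa : rv64imafdcv_zicsr..." line per hart,
# single-letter extensions before the first "_", multi-letter ones after.

# isa_has_vector ISA -> exit 0 if the full V extension is in ISA, else 1.
# Only the single-letter block counts: "zve32x"/"zve64d" after the "_" are
# partial vector profiles and are deliberately not reported as V.
isa_has_vector() {
  base=${1%%_*}                      # drop multi-letter extensions
  base=${base#rv32}; base=${base#rv64}; base=${base#rv128}
  case "$base" in
    *v*) return 0 ;;
    *)   return 1 ;;
  esac
}

# cpuinfo_vector_harts FILE -> prints how many harts in FILE expose "v".
cpuinfo_vector_harts() {
  n=0
  while IFS= read -r line; do
    case "$line" in
      isa*:*)
        isa=$(printf '%s' "${line#*:}" | tr -d ' \t')
        if isa_has_vector "$isa"; then n=$((n + 1)); fi ;;
    esac
  done < "$1"
  echo "$n"
}

# Constructed sample: two harts with V enabled and one with only Zve32x.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
processor : 0
hart      : 0
isa       : rv64imafdcv_zicsr_zifencei
mmu       : sv39
processor : 1
hart      : 1
isa       : rv64imafdcv_zicsr_zifencei
mmu       : sv39
processor : 2
hart      : 2
isa       : rv64imafdc_zicsr_zve32x
mmu       : sv39
EOF

# On a real host, pass /proc/cpuinfo instead of "$SAMPLE".
echo "harts exposing V: $(cpuinfo_vector_harts "$SAMPLE")"   # prints 2
```

A non-zero count means user code on those harts can still issue vector instructions, so the mitigation is not in effect there.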

Detection and Prevention

As of now, a CVE identifier has not been assigned to the GhostWrite vulnerability. Additionally, there are no specific tools or methods for detecting attacks, and there is no evidence that the vulnerability has been exploited in the wild.

Research and Open-Source Contributions

The researchers have published a detailed paper with additional technical information about GhostWrite. They are also releasing an open-source framework named RISCVuzz, which was used to discover GhostWrite and other RISC-V CPU vulnerabilities.

Source: SecurityWeek
