Such is the industry, that RISC-V, an open and extensible instruction set architecture (ISA) has now invaded the CPU market, opening up many opportunities for new entrants.
It has gained a lot of traction through Linux kernel support as well as being adopted by consumer devices and cloud platforms.
However, RISC-V’s flexible nature has led to various kinds of hardware implementations with different features and security practices.
However, this can be achieved without any knowledge of source codes or using emulators. Models are chosen from various vendors using differential CPU fuzzing in order to compare their architectural behaviors.
A group of cybersecurity researchers at CISPA Helmholtz Center for Information Security recently identified that there were three major security vulnerabilities in five commercial RISC-V CPUs including GhostWrite where an attacker can write arbitrary data from unprivileged states into any physical memory locations.
Technical Analysis
This makes it possible to read physical memory and execute arbitrary machine-mode code even when operating within cloud environments.
Two privileged instruction sequences that could cause unrecoverable CPU halts were also found by RISCVuzz consequently exposing major security concerns in the implementation of RISC-V systems.
The GhostWrite bug, found in the RISC-V CPU, T-Head XuanTie C910, is a hardware design flaw that poses a major security risk.
Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access
Even attackers with minimal system privilege can read and write any memory and tamper with peripherals like network cards.
Ghostwrite eliminates all of the inbuilt security controls of the CPU consequently allowing attackers to have absolute control over the entire system.
However, this vulnerability is made worse by the fact that fixing it would involve disabling about 50% of its functions consequently making it an inappropriate measure.
As an addition to RISC-V ISA, which helps in dealing with huge information values, these broken instructions deal with the physical memory by ignoring the virtual memory protections and process isolation imposed by the OS and hardware.
In contrast to side-channel or transient-execution attacks, however, GhostWrite is a direct CPU bug caused by faulty vector extension instructions.
GhostWrite is a flaw embedded in hardware that cannot be fixed using software updates.
This allows unprivileged attackers to write to any memory location, bypassing security features completely and gaining uncontrolled access to devices.
Furthermore, it enables hackers to hijack hardware devices through memory-mapped I/O (MMIO), enabling them to execute arbitrary commands on those devices.
Here below we have mentioned all the vulnerable devices:-
- Scaleway Elastic Metal RV1, bare-metal C910 cloud instances
- Lichee Cluster 4A, compute cluster
- Lichee Book 4A, laptop
- Lichee Console 4A, tiny laptop
- Lichee Pocket 4A, gaming console
- Sipeed Lichee Pi 4A, single-board computer (SBC)
- Milk-V Meles, SBC
- BeagleV-Ahead, SBC
Differential fuzz testing of RISC-V CPUs revealed GhostWrite by comparing the results of small programs on different processors.
.webp)
However, the T-Head XuanTie C910 acted differently, as its execution did not raise an exception as expected but rather it just executed the vector store instruction illegitimately encoded into it.
This implies that there is a serious direct physical memory write error that can bypass the virtual memory protection systems.
Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download
