A group of cybersecurity researchers at CISPA Helmholtz Center for Information Security recently identified three major security vulnerabilities in five commercial RISC-V CPUs, including GhostWrite, which allows an attacker to write arbitrary data from unprivileged states into any physical memory location.
GhostWrite is an unprivileged instruction sequence that allows attackers to write to chosen physical memory locations, including attached devices.
Researchers demonstrate how GhostWrite can read physical memory and enable arbitrary machine-mode code execution, even in cloud environments, through three end-to-end attacks. Additionally, RISCVuzz reveals two unprivileged “halt-and-catch-fire” instruction sequences that cause an irrecoverable CPU halt.
It has gained a lot of traction through Linux kernel support and has been adopted by consumer devices and cloud platforms. However, RISC-V’s flexible nature has led to various hardware implementations with different features and security practices.
However, this can be achieved without knowledge of source codes or emulators. Models are chosen from various vendors using differential CPU fuzzing to compare their architectural behaviors.
Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access
Technical Analysis
The GhostWrite vulnerability, found in the RISC-V CPU, T-Head XuanTie C910, is a hardware design flaw that poses a major security risk.
This makes reading physical memory and executing arbitrary machine-mode code possible even when operating within cloud environments.
Two privileged instruction sequences that could cause unrecoverable CPU halts were also found by RISCVuzz, consequently exposing major security concerns in the implementation of RISC-V systems.
Even attackers with minimal system privilege can read and write any memory and tamper with peripherals like network cards.
Ghostwrite eliminates all of the inbuilt security controls of the CPU consequently allowing attackers absolute control over the entire system.
However, this vulnerability is made worse by the fact that fixing it would involve disabling about 50% of its functions consequently making it an inappropriate measure.
In addition to RISC-V ISA, which helps deal with huge information values, these broken instructions deal with physical memory by ignoring the virtual memory protections and process isolation imposed by the OS and hardware.
In contrast to side-channel or transient-execution attacks, GhostWrite is a direct CPU bug caused by faulty vector extension instructions.
GhostWrite is a flaw embedded in hardware that cannot be fixed using software updates. This allows unprivileged attackers to write to any memory location, bypassing security features completely and gaining uncontrolled device access.
Furthermore, it enables hackers to hijack hardware devices through memory-mapped I/O (MMIO), allowing them to execute arbitrary commands on those devices.
The second exploit demonstrates how the GhostWrite-based read function can leak any memory content. When an administrator enters a secret password into a trusted prompt (left), the exploit (right) fills the physical memory with page tables.
This takes a few seconds on a system with 8GB of memory. The exploit then uses GhostWrite to modify one of these page tables, allowing it to read the secret password directly from physical memory.
Here below, we have mentioned all the vulnerable devices:-
- Scaleway Elastic Metal RV1, bare-metal C910 cloud instances
- Lichee Cluster 4A, compute cluster
- Lichee Book 4A, laptop
- Lichee Console 4A, tiny laptop
- Lichee Pocket 4A, gaming console
- Sipeed Lichee Pi 4A, single-board computer (SBC)
- Milk-V Meles, SBC
- BeagleV-Ahead, SBC
According to the report, Differential fuzz testing of RISC-V CPUs revealed GhostWrite by comparing the results of small programs on different processors.
However, the T-Head XuanTie C910 acted differently, as its execution did not raise an exception as expected but rather it just executed the vector store instruction illegitimately encoded into it.
This implies a direct severe physical memory write error that can bypass the virtual memory protection systems.
Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download