Security experts at CISPA Helmholtz Center for Information Security have identified a severe flaw known as ‘GhostWrite’ in T-Head’s RISC-V CPUs, specifically the XuanTie C910 and C920 models. This flaw emerges from defective vector extensions that fail to correctly translate virtual memory addresses to physical ones, potentially allowing malicious access to memory and connected devices. The defect was detected using the RISCVuzz ‘Differential Hardware Fuzzing’ method, detailed by CISPA researchers in their published paper. Additionally, they unearthed ‘Halt and Catch Fire’ vulnerabilities in the T-Head C906 and C908 CPUs that could be harnessed to initiate denial of service attacks.
The affected T-Head CPUs are commonly integrated into Systems on Chip (SoCs), which are core to numerous RISC-V development boards like the BeagleV®-Ahead and the Sipeed LicheePi4A. These chips are also present in several RISC-V based laptops and devices, including Scaleway’s Elastic Metal RV1 RISC-V cloud servers. Despite the seriousness of the vulnerabilities, they may not represent a significant risk in single user systems like development boards and laptops. However, in environments like RV1 servers used continuously by teams, the flaw may pose a concern. In response, Scaleway confirmed their kernel’s immunity to GhostWrite post-fix and posted an update instruction for systems installed before June 6, 2024, at EM-RV1 Guidelines: Update the kernel.
For those systems where interaction with untrusted users or code is unavoidable, the researchers advise deactivating the RISC-V vector extension through the operating system settings. However, they caution that this solution compromises about half of the instruction set, significantly decreasing the CPU’s efficiency and capabilities.
The differential fuzzing method utilized by RISCVuzz enhances traditional fuzzing by comparing the outcomes of random instructions on different implementations. The team at CISPA discovered bugs in the QEMU RISC-V emulation and some hardware using this technique. As the RISC-V ecosystem grows, this method should ensure that implementations adhere closely to the ISA and extension specifications from RISC-V International.
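The comparison step described above, as an added toy example (not RISCVuzz code and not taken from the paper): two Python models of a made-up four-opcode machine execute the same random instructions from the same starting state, and any difference in registers, memory or fault is recorded. The opcodes, the page table and the store that skips translation in the "buggy" model are all constructed for illustration.

```python
import random

PAGE_TABLE = {0: 2, 1: 3}   # constructed: virtual page -> physical page
PAGE, MEM_WORDS = 4, 16     # 4 words per page, 16 words of physical memory
OPS = ("add", "load", "store", "vstore")  # toy opcodes, not real RISC-V encodings

def translate(vaddr):
    """Virtual -> physical; raises on unmapped pages, like a page fault."""
    vpn, off = divmod(vaddr, PAGE)
    if vpn not in PAGE_TABLE:
        raise MemoryError("page fault")
    return PAGE_TABLE[vpn] * PAGE + off

def execute(insn, regs, mem, buggy=False):
    """Run one instruction; return the observable state (regs, mem, fault)."""
    op, rd, rs, imm = insn
    regs, mem, fault = list(regs), list(mem), None
    try:
        if op == "add":
            regs[rd] = (regs[rs] + imm) & 0xFF
        else:
            vaddr = (regs[rs] + imm) % MEM_WORDS
            # Seeded defect (assumption): the buggy model's vstore skips translation.
            paddr = vaddr if (buggy and op == "vstore") else translate(vaddr)
            if op == "load":
                regs[rd] = mem[paddr]
            else:
                mem[paddr] = regs[rd]
    except MemoryError as e:
        fault = str(e)
    return regs, mem, fault

def differential_fuzz(rounds=2000, seed=1):
    """Feed identical random instructions and state to both models; collect mismatches."""
    rng = random.Random(seed)
    divergent = {}
    for _ in range(rounds):
        insn = (rng.choice(OPS), rng.randrange(4), rng.randrange(4), rng.randrange(MEM_WORDS))
        regs = [rng.randrange(256) for _ in range(4)]
        mem = [rng.randrange(256) for _ in range(MEM_WORDS)]
        ref, dut = execute(insn, regs, mem), execute(insn, regs, mem, buggy=True)
        if ref != dut:  # any observable difference is a finding to triage
            divergent.setdefault(insn[0], []).append((insn, ref[2], dut[2]))
    return divergent

if __name__ == "__main__":
    for op, cases in differential_fuzz().items():
        print(op, len(cases), "divergences; first:", cases[0])
```

No oracle for "correct" behaviour is needed: the harness only flags disagreement, and here every divergence traces back to the single opcode whose address handling differs between the two models.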
The adoption of RISC-V is in its early stages, beset by a chicken-and-egg dilemma between hardware producers awaiting better software support and software developers waiting for more accessible test hardware. For example, Debian includes RISC-V support but only in its ‘Sid’ unstable release. Ubuntu is also supported on many RISC-V development boards, but it comes with numerous limitations concerning missing drivers and specific patches. This situation is reminiscent of the early days of Arm, which saw improvement when Scaleway introduced Arm-based cloud instances, making hardware more accessible financially. Similar trends might have been expected for Scaleway’s RISC-V instances, but issues such as the performance impact of mitigating GhostWrite in C910 systems might alter that trajectory. Systems using C910 SoCs generally perform between a Raspberry Pi 3 and Pi 4, indicating moderate performance even before mitigation efforts.
In their FAQ, the researchers from CISPA clarify that GhostWrite specifically affects T-Head CPUs, not RISC-V in general. The RISCVuzz paper is neutral in tone: it does not excessively criticize T-Head and notes that no bugs were found in competing SiFive U54 and U74 CPUs. However, it suggests that future designs should include a microcode layer to enable hardware patches:
With the growing complexity of RISC-V CPUs, implementing a microcode layer in RISC-V could help mitigate CPU vulnerabilities.