GhostWrite Flaw: Hackers Can Access and Control Your Computer’s Memory

Researchers developed RISCVuzz, a differential fuzzing framework that identifies architectural vulnerabilities in RISC-V CPUs without requiring source code or a reference model.

By comparing the execution of the same instruction sequences across multiple CPUs, the tool discovered critical flaws such as GhostWrite, a vulnerability that lets unprivileged users read and write arbitrary physical memory, bypassing the processor's memory protection mechanisms.

RISCVuzz found numerous bugs in both hardware CPUs and software implementations, highlighting the need for rigorous testing of RISC-V CPUs and exposing how hard such vulnerabilities are to mitigate once the affected silicon is in the field.

The approach rests on one assumption: CPUs implementing the same ISA must show the same architectural behavior for the same instruction. Any instruction whose effect differs between CPUs therefore points to an anomaly, a bug, or a security vulnerability.

By comparing the architectural effects (registers, memory, and raised exceptions) of individual instructions and short instruction sequences on multiple CPUs, the method identifies deviations from expected behavior without requiring source code or reference models.

This enables the discovery of vulnerabilities in closed-source CPUs such as the T-Head C908 more efficiently than previous techniques, and it also detects both documented and undocumented ISA extensions, since an instruction that executes on one CPU but traps as illegal on another is itself a divergence.

Overview of RISCVuzz

Differential CPU testing, while conceptually simple, faces significant challenges. Generating effective instruction sequences is difficult because the search space is vast and coverage has to be balanced against throughput.

Non-deterministic factors such as performance counters and reads of uninitialized memory produce state differences that are not bugs, so they must be filtered out to avoid false positives. At the same time, the architectural state surrounding each test must be preserved while arbitrary (and possibly faulting) instructions execute, or the comparison is meaningless.

To address these issues, the authors generate sequences bottom-up from single instructions, minimize sources of non-determinism, and carefully manage the architectural state inside the test framework.
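The comparison logic described above, as an added illustration that is not RISCVuzz's own code: each CPU reports a snapshot of its architectural state after running one test case, the harness masks fields that are legitimately non-deterministic (here only the cycle counter), and a majority vote names the CPU that disagrees with its peers. The struct layout, the `make_state` helper, and the three sample scenarios are assumptions constructed for this example; the snapshots are not real measurements from any CPU.

```c
/* Added example, not part of RISCVuzz: differential comparison of
 * architectural-state snapshots recorded on several CPUs after executing
 * the same instruction sequence. Constructed data, not real measurements. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NREGS      32   /* x0..x31 */
#define MEM_WINDOW 16   /* bytes of sandbox memory snapshotted after the sequence */
#define MAX_CPUS   8

/* Architectural state a client reports after executing one test case (assumed layout). */
typedef struct {
    const char *cpu;
    uint64_t x[NREGS];
    uint8_t  mem[MEM_WINDOW];
    uint64_t trap_cause;   /* 0 = no trap, otherwise the RISC-V scause value */
    uint64_t csr_cycle;    /* rdcycle differs between cores by design, so it is masked */
} arch_state;

typedef struct {
    bool diverged;
    int  odd_cpu;          /* index of the CPU disagreeing with the majority, or -1 */
    char field[16];        /* first architectural field in which it disagrees */
} diff_report;

/* Field-by-field comparison; non-deterministic fields are deliberately skipped. */
static bool states_equal(const arch_state *a, const arch_state *b, char *field, size_t n) {
    for (int i = 1; i < NREGS; i++) {               /* x0 is hardwired to zero */
        if (a->x[i] != b->x[i]) { snprintf(field, n, "x%d", i); return false; }
    }
    if (memcmp(a->mem, b->mem, MEM_WINDOW) != 0) { snprintf(field, n, "mem"); return false; }
    if (a->trap_cause != b->trap_cause) { snprintf(field, n, "trap_cause"); return false; }
    return true;                                     /* csr_cycle intentionally not compared */
}

/* Majority vote over n CPUs: the CPU agreeing with the fewest peers is the suspect. */
diff_report differential_compare(const arch_state *s, int n) {
    diff_report r = { .diverged = false, .odd_cpu = -1, .field = "" };
    int agree[MAX_CPUS] = {0};
    char scratch[16];
    for (int i = 0; i < n; i++)
        for (int j = 0; j < n; j++)
            if (i != j && states_equal(&s[i], &s[j], scratch, sizeof scratch)) agree[i]++;
    int odd = 0;
    for (int i = 1; i < n; i++) if (agree[i] < agree[odd]) odd = i;
    if (agree[odd] == n - 1) return r;               /* unanimous: nothing to report */
    r.diverged = true;
    r.odd_cpu = odd;
    for (int j = 0; j < n; j++)                      /* record where it first disagrees */
        if (j != odd && !states_equal(&s[odd], &s[j], r.field, sizeof r.field)) break;
    return r;
}

/* Constructed snapshot with a deterministic register/memory pattern. */
static arch_state make_state(const char *cpu, uint64_t trap_cause, uint64_t cycle) {
    arch_state s;
    memset(&s, 0, sizeof s);
    s.cpu = cpu;
    for (int i = 1; i < NREGS; i++) s.x[i] = 0x1000 + (uint64_t)i;
    for (int i = 0; i < MEM_WINDOW; i++) s.mem[i] = (uint8_t)i;
    s.trap_cause = trap_cause;
    s.csr_cycle = cycle;
    return s;
}

/* Case 1: only the cycle counter differs; it is masked, so there is no finding. */
diff_report demo_noise_only(void) {
    arch_state s[3];
    s[0] = make_state("cpu-a", 0, 1200);
    s[1] = make_state("cpu-b", 0, 4711);
    s[2] = make_state("cpu-c", 0, 9);
    return differential_compare(s, 3);
}

/* Case 2 (constructed): a store to an unmapped address raises scause 15
 * (store/AMO page fault) on two CPUs but completes silently on the third,
 * the kind of trap divergence a memory-protection bypass shows up as. */
diff_report demo_trap_divergence(void) {
    arch_state s[3];
    s[0] = make_state("cpu-a", 15, 100);
    s[1] = make_state("cpu-b", 15, 101);
    s[2] = make_state("cpu-c", 0, 102);
    return differential_compare(s, 3);
}

/* Case 3 (constructed): one CPU computes a different value in x5. */
diff_report demo_register_divergence(void) {
    arch_state s[3];
    s[0] = make_state("cpu-a", 0, 1);
    s[1] = make_state("cpu-b", 0, 2);
    s[2] = make_state("cpu-c", 0, 3);
    s[1].x[5] ^= 1;
    return differential_compare(s, 3);
}

int main(void) {
    diff_report r = demo_trap_divergence();
    printf("diverged=%d odd_cpu=%d field=%s\n", r.diverged, r.odd_cpu, r.field);
    return 0;
}
```

The masking of `csr_cycle` is the important design choice: without it every test case would diverge and the real signal, such as a trap that fires on two CPUs but not on the third, would drown in noise. In a real harness the masked set is larger (time and instret counters, uninitialized memory) and the snapshot would also cover floating-point and vector registers.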

RISCVuzz employs a centralized server-client architecture to test RISC-V CPUs efficiently. Clients execute the server-generated test cases on the target CPUs and report the resulting architectural state, while the server orchestrates testing, compares the reports, and handles the resource-intensive tasks.

Overview of the RISC-V instruction space

To mitigate challenges such as non-deterministic behavior and client integrity, RISCVuzz uses static compilation, noise-removal techniques, and a sandboxed execution environment.

The sandbox protects the register, memory, and control-flow state through careful memory management and instruction placement, so that a faulting or misbehaving test instruction cannot corrupt the harness itself, and results are recorded reliably.

Code of GhostWrite

RISCVuzz demonstrates superior performance compared to emulation-based fuzzers, achieving orders of magnitude higher throughput by executing test cases on the hardware cores themselves. Multi-core scaling boosts performance, with diminishing returns beyond two cores.

Increasing the sequence length initially improves performance but plateaus after five instructions because of per-sequence overhead and diminishing returns on additional instructions. RISCVuzz achieves its best overall throughput with a sequence length of three, balancing performance gains against network congestion between server and clients.

The GhostWrite vulnerability is a hardware-level flaw in the T-Head XuanTie C910 RISC-V CPU that allows unprivileged attackers to bypass memory protections, read and write arbitrary physical memory, and execute code in kernel and machine modes.

With an arbitrary physical write, attackers can rewrite page tables and other privileged data structures, recover cryptographic keys, and elevate privileges. This poses a significant threat to system security because the flaw is in the silicon and cannot be patched in software; the only mitigation is to disable the affected CPU functionality, which in turn removes a large part of the instruction set.

RISCVuzz is a differential CPU fuzzing framework that detects architectural bugs in RISC-V hardware CPUs by comparing the outputs of instruction sequences across CPUs, without using source code or emulators.

It efficiently discovered severe security vulnerabilities on multiple CPUs, including GhostWrite, a privilege-escalation flaw, and outperformed RTL-based fuzzers in instruction execution speed, making it a valuable addition to the bug-finding arsenal.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press, covering cyber security incidents across cyberspace.
