A Security RISC? The State of Microarchitectural Attacks on RISC-V

Abstract

Microarchitectural attacks threaten the security of computer systems even in the absence of software vulnerabilities. While x86 and ARM CPUs have been extensively studied, the rising popularity of RISC-V CPUs demands a thorough examination of their microarchitectural attack surface. With the standardization of the RISC-V instruction set architecture and the announcement of support for the architecture by major processor vendors, RISC-V CPUs are on the verge of becoming ubiquitous. In this talk, we will show a systematic investigation of the microarchitectural attack surface on the first commercially available 64-bit hardware RISC-V CPUs. These CPUs run a full Linux operating system and can be used for general tasks, such as using the web. Hence, it is vital to consider the security of these CPUs to guarantee the confidentiality of processed data on such devices. However, our analysis resulted in new microarchitectural attack techniques that are specific to these RISC-V CPUs. Our techniques improve cache attacks and introduce an entirely new source of side-channel leakage based on RISC-V-specific instructions for obtaining instruction states. To demonstrate the dangers of our newly discovered techniques, we will present multiple attacks, including the first RISC-V-specific microarchitectural KASLR break and a method for detecting kernel and machine mode activity. In a live demo, we will show that such attacks are extremely reliable and easy to mount. Finally, we will outline challenges for secure designs of CPUs, and discuss the short-term and long-term implications of microarchitectural attacks for RISC-V vendors, software vendors, and users.

Date
Dec 7, 2023