A vulnerability called 'GhostWrite' that allows RISC-V CPUs to freely manipulate memory contents has been discovered, and countermeasures to this vulnerability significantly reduce CPU performance



It has been discovered that a RISC-V CPU has a vulnerability called 'GhostWrite' that allows the device's memory to be freely read and rewritten. Because this is a hardware design flaw, it cannot be fixed by software measures such as patching, and it has been pointed out that addressing it requires a significant sacrifice in performance.

GhostWrite

https://ghostwriteattack.com/

The newly discovered vulnerability, GhostWrite, is a bug in the T-Head XuanTie C910, a CPU developed by Chinese manufacturer T-Head, a subsidiary of Alibaba, and currently the fastest RISC-V chip.



According to the research team at the Helmholtz Center for Information Security (CISPA), who discovered GhostWrite, the instructions affected by GhostWrite operate directly on physical memory rather than virtual memory, bypassing the process isolation that the operating system and hardware normally enforce.

By interfering with processes that are supposed to be isolated, an unprivileged attacker could read or write arbitrary memory locations, issue arbitrary commands, and gain complete control over the targeted device.

'This attack is 100% reliable, deterministic, and takes only microseconds to execute. It is also impossible to thwart this attack using security measures such as Docker containerization or sandboxing,' the research team said.



Although the bug has only been found in the T-Head XuanTie C910, this CPU is used in a wide range of devices, from laptops to gaming consoles, so all of those devices are exposed to the GhostWrite risk.

The research team specifically listed the following devices as being at risk of GhostWrite attacks:
・Scaleway Elastic Metal RV1 (cloud instance)
・Lichee Cluster 4A (computing cluster)
・Lichee Book 4A (notebook PC)
・Lichee Console 4A (small notebook PC)
・Lichee Pocket 4A (handheld game console)
・Sipeed Lichee Pi 4A (single board computer)
・Milk-V Meles (same as above)
・BeagleV-Ahead (same as above)

GhostWrite is a hardware defect and cannot be prevented by patching or software updates, but the problematic instructions are part of the RISC-V add-on 'vector extension,' so GhostWrite can be avoided by disabling the vector extension.

However, this disables about 50% of the instruction set, which has a significant impact on the CPU's performance and functionality. According to the research team, benchmarks of the affected CPU with the vector extension disabled showed up to 77% overhead, meaning performance drops by that much.
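As an added illustration of the mitigation described above (example code, not from the research team or the original article), the following Python check parses a /proc/cpuinfo dump and flags harts that report the affected core with the vector extension still enabled. The cpuinfo field layout, the 'thead,c910' uarch value and the 'xtheadvector' vendor name are assumptions; the sample dump is constructed.

```python
import re

# Constructed sample of a /proc/cpuinfo dump from an affected board. The field names
# follow the Linux RISC-V cpuinfo layout (an assumption); the values are made up.
SAMPLE_CPUINFO = """\
processor\t: 0
isa\t\t: rv64imafdcv_zicsr_zifencei
uarch\t\t: thead,c910
"""

def parse_cpuinfo(text):
    """Split a /proc/cpuinfo dump into one {field: value} dict per hart (blank-line separated)."""
    harts, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                harts.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return harts

def isa_extensions(isa):
    """Set of extensions named by a RISC-V ISA string: the single-letter block after
    rv32/rv64 ('g' implies imafd) plus the '_'-separated multi-letter block."""
    s = isa.lower()
    m = re.match(r"rv(32|64|128)([a-z]*)", s)
    if not m:
        raise ValueError("not a RISC-V ISA string: %r" % isa)
    exts = set(m.group(2))
    if "g" in exts:
        exts |= set("imafd")
    return exts | {e for e in s[m.end():].split("_") if e}

def has_vector_extension(isa):
    """True for standard 'v', a 'zve*' embedded subset, or T-Head's 'xtheadvector' (assumed name)."""
    exts = isa_extensions(isa)
    return "v" in exts or "xtheadvector" in exts or any(e.startswith("zve") for e in exts)

def ghostwrite_exposure(text):
    """Per hart: (processor id, is_c910, vector_enabled, exposed); 'c910' in uarch is assumed."""
    report = []
    for hart in parse_cpuinfo(text):
        is_c910 = "c910" in hart.get("uarch", "").lower()
        vector = has_vector_extension(hart.get("isa", "rv64i"))
        report.append((hart.get("processor"), is_c910, vector, is_c910 and vector))
    return report

if __name__ == "__main__":
    for cpu, c910, vec, exposed in ghostwrite_exposure(SAMPLE_CPUINFO):
        print(f"cpu {cpu}: c910={c910} vector={vec} -> {'EXPOSED' if exposed else 'ok'}")
```

On a real machine, pass the contents of /proc/cpuinfo to ghostwrite_exposure instead of the constructed sample.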



The research team reported the issue to the manufacturer, T-Head, but the company has not commented publicly or said whether it has taken any action. Alibaba, T-Head's parent company, has not responded to media inquiries.

The CISPA research team announced the discovery of GhostWrite at the security conference Black Hat 2024, which begins on August 3, 2024.

Posted in Hardware, Security by log1l_ks