CPU Silicon Security Research and Fuzzing (RISC-V)

I’ve embarked on a brief journey to learn RISC-V and I ended up finding a niche of interesting material on security research on fuzzing, so I pivoted my attention to that. Here’s a brief summary of what I found.

So far, I’ve been reading the following books.

  • The RISC-V Reader: An Open Architecture Atlas (2017) by David Patterson (RISC-V Foundation, Google, Berkeley), Andrew Waterman (SiFive). This is a relatively brief but dense introduction to the ISA, with a nicely organized visual representation of all instructions in just half a page! You’ll learn the details of how instructions are encoded and admire the beauty of such a well-thought design.
  • RISC-V Assembly Language Programming: using ESP32-C3 and QEMU (2022) by Warren Gay is a hands-on, slow-paced journey through the RV32/64 instructions, with examples that you can run immediately on your computer (QEMU) or on real RISC-V silicon (ESP32-C3).

Many hardware peripheral manufacturers use RISC-V blocks to make custom, powerful, and flexible management co-processors to run control firmware to manage the peripheral (e.g., GPUs). NVIDIA is integrating the open-standard RISC-V architecture into its products, initially using it for internal microcontrollers and more recently extending it to be a primary application processor by making its CUDA platform compatible with RISC-V CPUs.

RISC-V Cloud Offerings

However, RISC-V hasn’t yet reached a point where it is a viable alternative to, say, Intel, AMD, or ARM-based platform CPUs, although some products and services are on the horizon. To date, the following cloud providers offer RISC-V computing services.

| ISA | Provider | Location | Processor | Manufacturer | Core | Platform | Sources |
|---|---|---|---|---|---|---|---|
| RV64GC+V | Scaleway | France | Alibaba T-Head TH1520 | XuanTie | XuanTie C910 | C910 | |
| RV64IMAC | Cloud-V | United States | FU540 (discontinued) | SiFive | | Freedom | |
| RV64GC | Cloud-V | United States | JH7100 | StarFive | SiFive U74 | Rocket + BOOM | |
| RV64GC | Cloud-V | United States | JH7110 | StarFive | SiFive U74 | Rocket + BOOM | |
| Mixed | Cloud-V | United States | microchip-icicle-kit, shakti_{c,e,u}, spike, virt | QEMU | cpu.h | - | |

RISC-V Implementations

Needless to say, there are countless RISC-V boards. I stopped listing them when I realized there are already quite a few comprehensive lists around. Anyway, here’s my summary table, based on the most comprehensive and maintained lists of RISC-V implementations:

The list does not contain boards where the RISC-V block is not the main core (e.g., coprocessors).

| ISA | Custom Extensions | Processor | Manufacturer | Core | Platform | Sources | Die Photo | Example Board |
|---|---|---|---|---|---|---|---|---|
| RV32IMAC | | FE310 | SiFive | SiFive E31 | Rocket | | | HiFive 1 Rev B |
| RV32IMAC | | GD32VF103 | GigaDevice | Nuclei Bumblebee N200 | Nuclei | | | Sipeed Longan Nano |
| RV32IMC | y | GAP8 | GreenWaves | | PULP | Wiki | | GAPuino |
| RV32IMC | y | GAP9 | GreenWaves | | PULP | Wiki | | GAP9 EVK |
| RV32I+V | | RH850/U2B | Renesas | DENSO DR1000C | | Closed | | |
| RV32IMC | y | R9A02G020 | Renesas | AndesCore N22 | | Closed | | R9A02G020-EVK |
| RV32IMC | | ESP32-C3 | Espressif | Unknown | | Closed | 1, 2, 3, … | |
| RV32IMC | | ESP32-C2 | Espressif | Unknown | | Closed | pic | |
| RV32IMAC | | ESP32-C6 | Espressif | Unknown | | Closed | | |
| RV32IM | | Hi3861 (discontinued) | HiSilicon | Unknown | | Closed | | Hi3861 |
| RV32GC+P | y | BL616/BL618 (discontinued?) | Bouffalo Lab | Unknown | | Closed | | Sipeed M0S |
| RV32IMAFC | | BL602/BL604 | Bouffalo Lab | SiFive E24 | | Closed | | Pinecone |
| RV32? | | AB32VG1 | Bluetrum | Unknown | | Closed | AB32VG1 | |
| RV32IMAC+F | | CH583/CH582/CH581 | WCH | Unknown | | Closed | CH583M | |
| RV64GC | | JH7100 | StarFive | SiFive U74 | Rocket + BOOM | | | VisionFive |
| RV64GC? | | JH7110 | StarFive | SiFive U74 | Rocket + BOOM | | | Pine64 Star64 |
| RV64GC+V | | Alibaba T-Head TH1520 | XuanTie | XuanTie C910 | C910 | | | BeagleV®-Ahead |

Fuzzing Hardware Like Software

From a security standpoint, what makes RISC-V interesting is that the hardware definition of some IP cores is open source, which means that it can be formally verified and, best of all, fuzzed. Like software! The idea is “simple”:

  • compile the core into an executable format,
  • shovel it into a simulator,
  • randomize inputs (i.e., instructions and data),
  • observe execution,
  • measure coverage,
  • repeat,
  • …wait, what now?

The design and implementation of such a fuzzer are quite challenging, mainly because, unlike with a traditional software program, it’s difficult to define an oracle that tells us when a bug in a CPU design has been found: a CPU just…interprets instructions based on state and data. It can’t “crash”, and if we do observe a crash, most likely it’s the simulator crashing. We don’t yet have a precise way to tell whether the CPU being simulated and fuzzed is behaving according to the specs, or at least according to the best golden model we have so far. And even then, is the golden model representative? What are we trying to compare against? We don’t (yet!) have the equivalent of the memory or address sanitizers that software fuzzers rely on. In other words, there’s a huge body of research, development, and hacking waiting to be unfolded. The notion of coverage does exist for hardware, which is good news.
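To make the oracle problem concrete, here is a toy differential fuzzer I added for this post (it is not code from any of the projects or papers mentioned). It fuzzes a tiny RV32I subset (add, sub, slt, sltu, xor and their immediate forms): random instruction sequences are run in lock-step on a reference interpreter that plays the role of the golden model and on a “device under test” that carries a constructed comparison bug (signed less-than also fires on equal operands, invented for the demo and not any real CVE). The oracle is simply “the register files must agree after every instruction”; coverage is the set of mnemonics actually executed. All names and the boundary-value register seeding are my own choices.

```python
# Added example (not from the post): differential fuzzing of a toy RV32I subset
# against a golden model. Everything here is constructed: the encoders/decoder
# cover only ADD/SUB/SLT/SLTU/XOR and ADDI/SLTI/XORI, and the "buggy" core
# carries an invented comparison bug, not a real CVE.
import random
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF

def to_signed(x):
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x

def encode_r(funct7, rs2, rs1, funct3, rd, opcode=0x33):
    return (funct7 << 25) | (rs2 << 20) | (rs1 << 15) | (funct3 << 12) | (rd << 7) | opcode

def encode_i(imm, rs1, funct3, rd, opcode=0x13):
    return ((imm & 0xFFF) << 20) | (rs1 << 15) | (funct3 << 12) | (rd << 7) | opcode

R_OPS = {(0, 0x00): "add", (0, 0x20): "sub", (2, 0x00): "slt",
         (3, 0x00): "sltu", (4, 0x00): "xor"}
I_OPS = {0: "addi", 2: "slti", 4: "xori"}

@dataclass
class Decoded:
    mnemonic: str
    rd: int
    rs1: int
    src2: int        # rs2 index for R-type, sign-extended immediate for I-type
    is_imm: bool

def decode(insn):
    opcode, rd = insn & 0x7F, (insn >> 7) & 0x1F
    funct3, rs1 = (insn >> 12) & 0x7, (insn >> 15) & 0x1F
    if opcode == 0x33:                                   # OP, R-type
        return Decoded(R_OPS[(funct3, insn >> 25)], rd, rs1, (insn >> 20) & 0x1F, False)
    if opcode == 0x13:                                   # OP-IMM, I-type
        imm = insn >> 20
        imm = imm - 0x1000 if imm & 0x800 else imm       # sign-extend imm[11:0]
        return Decoded(I_OPS[funct3], rd, rs1, imm, True)
    raise ValueError("opcode outside the supported subset")

class GoldenCore:
    """Reference semantics: the golden model the text is looking for."""
    def __init__(self, regs):
        self.x = list(regs)
        self.x[0] = 0                                    # x0 is hard-wired to zero

    def operands(self, d):
        b = (d.src2 & MASK32) if d.is_imm else self.x[d.src2]
        return self.x[d.rs1], b

    def less_than(self, a, b):                           # signed compare (slt/slti)
        return 1 if to_signed(a) < to_signed(b) else 0

    def step(self, insn):
        d = decode(insn)
        a, b = self.operands(d)
        op = d.mnemonic[:-1] if d.is_imm else d.mnemonic  # addi -> add, etc.
        result = {"add": (a + b) & MASK32, "sub": (a - b) & MASK32, "xor": a ^ b,
                  "slt": self.less_than(a, b), "sltu": 1 if a < b else 0}[op]
        if d.rd != 0:
            self.x[d.rd] = result
        return d

class BuggyCore(GoldenCore):
    """Device under test with a constructed bug: the signed compare also fires
    when the operands are equal (invented for this demo, not a real finding)."""
    def less_than(self, a, b):
        return 1 if to_signed(a) <= to_signed(b) else 0

# Boundary values make equal and overflowing operands common, which uniformly
# random 32-bit words almost never are.
INTERESTING = [0, 1, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF, 0x12345678]

def random_insn(rng):
    reg = lambda: rng.randrange(32)
    if rng.random() < 0.6:
        funct3, funct7 = rng.choice(list(R_OPS))
        return encode_r(funct7, reg(), reg(), funct3, reg())
    return encode_i(rng.randrange(-2048, 2048), reg(), rng.choice(list(I_OPS)), reg())

def fuzz(seed, dut_cls=BuggyCore, iterations=5000, program_len=4):
    """Run random programs on the golden model and the DUT in lock-step.
    The oracle is the register file: the first divergence is the bug report.
    Returns (report_or_None, coverage), coverage being the mnemonics exercised."""
    rng, coverage = random.Random(seed), set()
    for case in range(iterations):
        regs = [rng.choice(INTERESTING) for _ in range(32)]
        gold, dut = GoldenCore(regs), dut_cls(regs)
        for pc in range(program_len):
            insn = random_insn(rng)
            d = decode(insn)
            a, b = gold.operands(d)                      # operand values before the step
            gold.step(insn)
            dut.step(insn)
            coverage.add(d.mnemonic)
            if gold.x != dut.x:                          # differential oracle
                return ({"case": case, "pc": pc, "insn": f"{insn:#010x}",
                         "mnemonic": d.mnemonic, "a": a, "b": b,
                         "expected": gold.x[d.rd], "got": dut.x[d.rd]}, coverage)
    return None, coverage

if __name__ == "__main__":
    report, cov = fuzz(seed=1)
    print("coverage:", sorted(cov))
    print("first mismatch:", report)
```

Two design points carry over to real RTL fuzzers: the report records the operand values at the moment of divergence (the golden model is what makes the mismatch explainable, which a bare “crash” never would), and seeding registers from boundary values is the cheapest way to reach the equal-operand corner that a uniformly random register file would almost never hit. Swapping `BuggyCore` for `GoldenCore` gives a clean run, which is the sanity check that the oracle itself is not the source of false positives.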

RISC-V Fuzzing Experiments and Tools

Tools compared: RISCVuzz, Cascade (2024), ProcessorFuzz (2023), hw-fuzzing (2022), DifuzzRTL (2021), RFUZZ (2018).

| Core | Fuzzed by one of the tools above (🟢 per tool; CVE counts in parentheses) |
|---|---|
| C910 | 🟢 |
| VexRiscv | 🟢 (7 CVEs) |
| PicoRV32 | 🟢 (6 CVEs) |
| Kronos | 🟢 (6 CVEs) |
| CVA6 | 🟢 (8 CVEs) |
| BOOM | 🟢 (2 CVEs), 🟢, 🟢 (2 CVEs) |
| Rocket | 🟢, 🟢, 🟢 |
| mor1kx | 🟢 (3 CVEs) |
| BlackParrot | 🟢 |
| Sodor | 🟢 |
| OpenTitan | 🟢 |

Papers with Tools

I selected the following papers because (1) the evaluation is done on RISC-V cores or a full processor, and (2) they come with code, so the results are reproducible. In some cases, the tools are used to continuously fuzz the RTL of the cores: according to the authors (and this repository), the tool by Trippel et al. is used to fuzz Google’s OpenTitan.

Known Vulnerabilities in RISC-V Designs

| Design | Id | Bug Description | CWE | CVE | Researcher |
|---|---|---|---|---|---|
| VexRiscv | V1 | Non-deterministic conversion from single-precision float to int | 681 | 2023-34885 | Solt et al. |
| VexRiscv | V2 | fmin with one NaN does not always return the other operand | 193 | 2023-34895 | Solt et al. |
| VexRiscv | V3 | Conversion from double to float may pollute the mantissa | 681 | 2023-34895 | Solt et al. |
| VexRiscv | V4 | Dependent arithmetic/muldiv FPU operations may yield incorrect results | 193 | 2023-34887 | Solt et al. |
| VexRiscv | V5 | Equal registers may be considered distinct by fle.s and feq.s | 697 | 2023-34883 | Solt et al. |
| VexRiscv | V6 | flt.s may return 1 when operands are equal | 697 | 2023-34883 | Solt et al. |
| VexRiscv | V7 | Under some microarchitectural conditions, square root may be imprecise | 1339 | 2023-34891 | Solt et al. |
| VexRiscv | V8 | Single-precision muldiv followed by conversion may pollute the mantissa | 681 | 2023-34895 | Solt et al. |
| VexRiscv | V9 | Dependent arithmetic/muldiv operations may cause largely wrong output | 682 | 2023-34891 | Solt et al. |
| VexRiscv | V10 | Operations on floating-point registers are authorized when FPU is disabled | 1189 | 2023-34885 | Solt et al. |
| VexRiscv | V11 | Wrong access control to the FPU flags leaks information | 1189 | 2023-34885 | Solt et al. |
| VexRiscv | V12 | Hang on speculatively executed compressed FPU instructions | 1342 | 2023-34896 | Solt et al. |
| VexRiscv | V13 | Inaccurate instruction count when minstret is written by software | 684 | 2023-40063 | Solt et al. |
| VexRiscv | V14 | Some register comparisons are still incorrect despite a partial fix | 697 | 2023-34883 | Solt et al. |
| PicoRV32 | P1 | Accessing a non-implemented CSR causes the CPU to hang | 1281 | 2023-34898 | Solt et al. |
| PicoRV32 | P2 | Spurious exceptions when reading mandatory CSRs | 1281 | 2023-34898 | Solt et al. |
| PicoRV32 | P3 | Performance counters are not writable | 284 | 2023-34900 | Solt et al. |
| PicoRV32 | P4 | Performance counters can only be read using some opcodes | 284 | 2023-34900 | Solt et al. |
| PicoRV32 | P5 | Performance counter addresses are incorrect | 684 | 2023-34913 | Solt et al. |
| PicoRV32 | P6 | Spurious exception when decoding fence instructions | 705 | 2023-34899 | Solt et al. |
| Kronos | K1 | RaWaW double-hazard may cause a wrong register value to be forwarded | 226 | 2023-34906 | Solt et al. |
| Kronos | K2 | Reading existing CSRs causes the CPU to hang in some uarch conditions | 1281 | 2023-34901 | Solt et al. |
| Kronos | K3 | In some uarch conditions, no exception when writing inexistent CSRs | 1281 | 2023-41210 | Solt et al. |
| Kronos | K4 | Inaccurate instruction count when minstret is written by software | 684 | 2023-40066 | Solt et al. |
| Kronos | K5 | Incorrect decode logic for fence and fence.i | 684 | 2023-34903 | Solt et al. |
| CVA6 | C1 | Double-precision multiplications yield wrong sign when rounding down | 682 | 2023-34904 | Solt et al. |
| CVA6 | C2 | Single-precision floating-point operations may treat NaNs as zeros | 684 | 2023-34906 | Solt et al. |
| CVA6 | C3 | Division by NaN incorrectly sets NX and NV flags | 682 | 2023-34905 | Solt et al. |
| CVA6 | C4 | The inexact (NX) flag is not set in case of overflow or underflow | 684 | 2023-34905 | Solt et al. |
| CVA6 | C5 | Division of zero by zero incorrectly sets the DZ flag | 684 | 2023-34905 | Solt et al. |
| CVA6 | C6 | Plus and minus infinity microarchitectural structures are inverted | 1221 | 2023-34910 | Solt et al. |
| CVA6 | C7 | Infinities are not rounded properly and stick to infinity | 1339 | 2023-34910 | Solt et al. |
| CVA6 | C8 | Spurious exceptions when reading some performance counters | 682 | 2023-34911 | Solt et al. |
| CVA6 | C9 | Wrong supervisor performance counter access control | 684 | 2023-42311 | Solt et al. |
| CVA6 | C10 | Under some microarchitectural circumstances, wrong NaN conversion | 682 | 2023-34908 | Solt et al. |
| BOOM | B1 | Static rounding is ignored for fdiv.s and fsqrt.s | 1339 | 2023-34882 | Solt et al. |
| BOOM | B2 | Inaccurate instruction count when minstret is written by software | 684 | 2023-40063 | Solt et al. |
| BOOM | - | Misaligned lr instruction on a cached line sets the reservation | 755 | 2020-29561 | Hur et al. |
| BOOM | - | Source field in ProbeAckData does not match the sink field of ProbeRequest | - | 2020-13251 | Hur et al. |
| mor1kx | - | Reservation is not cancelled when there is a snooping hit between lwa and swa | - | 2020-13455 | Hur et al. |
| mor1kx | - | Misaligned swa raises an exception when the reservation is not set | - | 2020-13453 | Hur et al. |

Credits

Photo of the ESP32-C2 die: ESP32-C2 and Why It Matters
