Code name GhostWrite

Researchers at the Helmholtz Center for Information Security (CISPA) published the results of a study on the security of processors based on the RISC-V architecture and disclosed a vulnerability codenamed GhostWrite. The vulnerability affects XuanTie C910 RISC-V processors manufactured by the Chinese company T-Head (a division of Alibaba), whose designs are developed as open projects. It allows an attacker with unprivileged access to the system to read and write any area of physical memory, and also to take control of peripheral devices, such as network cards, that are accessed via MMIO (Memory-Mapped Input/Output).

The vulnerability is caused by flaws in the processor design related to the isolation of vendor-added instructions, which extend the RISC-V instruction set and allow direct access to DRAM, bypassing the virtual memory mechanisms. Some of these extended instructions operate on physical rather than virtual memory addresses, which defeats the memory isolation between processes.

The attack technique the researchers prepared is 100% reproducible and takes only a few microseconds of execution time once an attacker can run code on the system. Software isolation methods, such as containers and sandbox environments, do not prevent exploitation. The only effective mitigation is to completely disable support for the vector extensions, which leads to a 33% decrease in performance in rvv-bench tests (77% is indicated in the report annotation, and 33% on the summary page, while the details mention a 33% decrease in memcpy and 8% decrease in memset performance). It also reduces the number of processor instructions available to applications by about half.

The XuanTie C910 CPUs are among the most high-performance RISC-V chips available on the market and are already actively used in cloud servers and laptops. For example, the problem appears in Scaleway Elastic Metal RV1 servers, Lichee Cluster 4A clusters, Lichee Book 4A Laptop, Lichee Console 4A game console, Lichee Pocket 4A laptop, Sipeed Lichee Pi 4A single-board PCs, Milk-V Meles, and BeagleV-Ahead.
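As an added defender's check, not part of this post or of the CISPA research, the following Python snippet parses /proc/cpuinfo-style output and flags harts that report a T-Head C910 microarchitecture with the vector extension still enabled, i.e. the configuration the post describes as exposed unless vector support is disabled. It assumes the kernel prints `uarch` and `isa` fields in this form and that the C910 is identified as `thead,c910`; the sample text below is constructed.

```python
import re

# Microarchitecture strings the post names as affected by GhostWrite
# (assumed device-tree compatible string for the XuanTie C910).
AFFECTED_UARCH = ("thead,c910",)

# Constructed sample in /proc/cpuinfo layout: three harts, only the first
# is a C910 that still exposes the single-letter vector extension 'v'.
SAMPLE = """\
processor : 0
hart      : 0
isa       : rv64imafdcv
mmu       : sv39
uarch     : thead,c910

processor : 1
hart      : 1
isa       : rv64imafdc
mmu       : sv39
uarch     : thead,c910

processor : 2
hart      : 2
isa       : rv64imafdcv
mmu       : sv39
uarch     : sifive,u74-mc
"""

def parse_cpuinfo(text):
    """Split cpuinfo-style text into one key->value dict per hart (blank-line separated)."""
    harts, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                harts.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.strip()
    if cur:
        harts.append(cur)
    return harts

def has_vector_ext(isa):
    """True if the single-letter block of the ISA string (before any '_') contains 'v'."""
    m = re.match(r"rv(?:32|64|128)([a-z]*)", isa.lower())
    return bool(m) and "v" in m.group(1)

def assess(text):
    """Return (hart, uarch, exposed) per hart; exposed = affected uarch with V enabled."""
    out = []
    for h in parse_cpuinfo(text):
        uarch = h.get("uarch", "").lower()
        exposed = uarch in AFFECTED_UARCH and has_vector_ext(h.get("isa", ""))
        out.append((h.get("hart", "?"), uarch, exposed))
    return out
```

On a live system, pass `open("/proc/cpuinfo").read()` to `assess()`; a `True` in the third column means the vector-disable mitigation is not in effect on that hart.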

As an example, the researchers prepared an exploit that allows an unprivileged user to gain root rights in Linux. The exploit modifies the page tables in memory used to translate virtual addresses into physical addresses, so that a virtual address can be mapped onto any physical address. Another proof of concept reads the memory of the kernel and of other processes, which makes it possible to extract encryption keys and passwords stored in memory.

Additionally, the researchers identified two less dangerous architectural vulnerabilities: one affecting T-Head XuanTie C906 processors and the other T-Head XuanTie C908. Both are limited to causing a denial of service by halting the CPU. They can still pose a threat to cloud platforms built on T-Head XuanTie chips: anyone able to execute code in such a cloud environment can also stop the workloads of other users served on the same server.

The problems were identified using the RISCVuzz framework, created for fuzzing CPUs. The framework detects differences in how identically encoded extended instructions are implemented on different CPUs, based on the observation that, because there is no single registry of RISC-V instruction set extensions, the same encoding on chips from different manufacturers can trigger different behaviour. The testing was limited to comparing the behaviour of different RISC-V CPUs when processing the same instructions and analysing possible vulnerabilities wherever the behaviour diverged.

• Video: https://ghostwriteattack.com/kernel-getuid-sudo-attack.mp4