Automatic Discovery of User-exploitable Architectural Security Vulnerabilities in Closed-Source RISC-V CPUs

Fabian Thomas, Eric García Arribas, Lorenz Hetterich, Daniel Weber, Lukas Gerlach, Ruiyi Zhang, Michael Schwarz
July 2025
Cite

Abstract

The open and extensible RISC-V instruction set architecture has enabled a wide range of new CPU vendors and implementations. However, most commercially available RISC-V CPUs are closed-source, making it challenging to analyze them for security vulnerabilities—particularly those that can be triggered from unprivileged user space. Currently, no framework can uncover architectural vulnerabilities on real-world closed-source RISC-V CPUs from unprivileged user space without relying on RTL. In this paper, we present RISCover, the first user-space framework for automatically detecting architectural security vulnerabilities in closed-source RISC-V CPUs. RISCover systematically compares the architectural behavior of instruction sequences across multiple RISC-V CPUs, identifying deviations without requiring source code, hardware modifications, or reference models. These limited assumptions leads to a speedup of orders of magnitude compared to RTL-based approaches. Unlike prior work, RISCover focuses on user-triggerable security issues, including privilege escalation and denial-of-service. We evaluate RISCover on 8 off-the-shelf RISC-V CPUs from 3 vendors, discovering 4 previously unknown vulnerabilities. RISCover’s efficiency leads to vulnerability discovery within seconds to minutes of fuzzing. Notably, RISCover discovers GhostWrite, an unprivileged instruction sequence to write controlled bytes to chosen physical memory locations, including attached devices. We demonstrate in an end-to-end attack how GhostWrite can be exploited to read physical memory and achieve arbitrary machine-mode code execution from user space, even in cloud environments. Additionally, RISCover identifies 3 unprivileged “halt-and-catch-fire” instruction sequences that irrecoverably crash the CPU from user space and that non-aligned zero stores can lead to data corruption. Our results highlight the need for robust post-silicon fuzzing techniques. RISCover complements existing RTL-level fuzzers by enabling rapid and automated security analysis of real-world, closed-source CPUs..

Type
Conference paper
Publication
In *ACM Conference on Computer and Communications Security *
Ruiyi Zhang
Ruiyi Zhang
PhD Student

My research interests include software-based architectural attacks, side channels, and the security of Trusted Execution Environments.