GhostWrite: A New CPU Vulnerability Uncovered
A team of researchers from the CISPA Helmholtz Center for Information Security in Germany has discovered a significant architectural bug in Chinese chip company T-Head's XuanTie C910 and C920 RISC-V CPUs. This vulnerability, named GhostWrite, provides attackers with the potential to gain unrestricted access to affected devices.
What is GhostWrite?
Unlike side-channel or transient-execution vulnerabilities, GhostWrite is a direct architectural bug in the CPU hardware itself. This makes it especially concerning, because it bypasses many of the usual security features.
The researchers explain that this vulnerability "allows unprivileged attackers, even those with limited access, to read and write any part of the computer's memory and to control peripheral devices like network cards." Essentially, GhostWrite nullifies the CPU's security features and cannot be patched without disabling a significant portion of the CPU's functionality.
How GhostWrite Works
CISPA traced the fault to the way these CPUs implement the vector extension of the RISC-V ISA. The vector extension is an add-on to the base Instruction Set Architecture (ISA) for processing large blocks of data with single instructions. The flaw involves vector instructions that operate directly on physical memory, bypassing the process isolation normally enforced by the operating system and the hardware's memory translation.
An attacker could exploit this loophole to write to any memory location, evading the usual security measures and obtaining full, unrestricted access to the device. This includes the potential to leak sensitive data such as passwords.
Implications and Countermeasures
The attack is reported to be "100% reliable, deterministic, and takes only microseconds to execute." Notably, security features such as Docker containerization or sandboxing cannot prevent this attack. Moreover, the attacker could commandeer hardware devices using memory-mapped input/output (MMIO).
The recommended countermeasure is to disable the vector extension entirely, which unfortunately reduces the CPU's performance by approximately 50%. Disabling it significantly affects workloads that benefit from parallel processing of large datasets.
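Because the mitigation is simply to switch the vector extension off, a practical check for an administrator is whether an affected T-Head core still advertises the extension to the kernel. The script below is an added example written for this article; it is not code from CISPA or from T-Head. It parses text in the layout of a Linux RISC-V `/proc/cpuinfo`, flags harts whose `uarch` line names a C910 or C920, and reports whether the `isa` line still carries the single-letter `v` extension. The microarchitecture strings `thead,c910` and `thead,c920`, the presence of a `uarch` field, the sample `/proc/cpuinfo` text and the reading of "no `v` in the ISA string" as "mitigation in place" are all assumptions of the example, not facts stated by the article.

```python
"""Report RISC-V harts whose /proc/cpuinfo shows a T-Head C910/C920 core
that still advertises the vector extension (GhostWrite mitigation check).

Added example; the field names, uarch strings and sample input below are
assumptions, not data from the article or from the chip vendor.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ASSUMPTION: the kernel's "uarch" field names the affected cores this way.
AFFECTED_UARCHES = {"thead,c910", "thead,c920"}

# Constructed sample in the shape of a RISC-V /proc/cpuinfo; not captured
# from a real board. Hart 0: affected core, vector on. Hart 1: affected
# core, vector not advertised. Hart 2: unrelated core with vector on.
SAMPLE_CPUINFO = """\
processor\t: 0
hart\t\t: 0
isa\t\t: rv64imafdcv
mmu\t\t: sv39
uarch\t\t: thead,c910

processor\t: 1
hart\t\t: 1
isa\t\t: rv64imafdc_zicsr_zifencei
mmu\t\t: sv39
uarch\t\t: thead,c920

processor\t: 2
hart\t\t: 2
isa\t\t: rv64imafdcv_zicsr
mmu\t\t: sv39
uarch\t\t: other,core
"""


@dataclass
class Hart:
    processor: int
    isa: str
    uarch: str


def parse_cpuinfo(text: str) -> List[Hart]:
    """Split /proc/cpuinfo into per-hart records (blocks separated by blank lines)."""
    harts: List[Hart] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip().lower()
        if "processor" in fields:
            harts.append(Hart(int(fields["processor"]),
                              fields.get("isa", ""),
                              fields.get("uarch", "")))
    return harts


def has_vector_extension(isa: str) -> bool:
    """True if the single-letter part of the ISA string contains 'v'.

    Only the text before the first '_' holds single-letter extensions, so a
    multi-letter name such as 'zicsr' or 'zve64x' cannot produce a false match.
    """
    base = isa.lower().split("_")[0]
    base = re.sub(r"^rv(32|64|128)", "", base)
    return "v" in base


def assess(text: str) -> List[Tuple[int, str]]:
    """Classify each hart as exposed, mitigated, or not an affected model."""
    results: List[Tuple[int, str]] = []
    for hart in parse_cpuinfo(text):
        affected_model = hart.uarch in AFFECTED_UARCHES
        vector_on = has_vector_extension(hart.isa)
        if affected_model and vector_on:
            status = "exposed"       # affected core, vector extension still enabled
        elif affected_model:
            status = "mitigated"     # affected core, vector extension not advertised
        else:
            status = "not-affected"  # some other microarchitecture
        results.append((hart.processor, status))
    return results


if __name__ == "__main__":
    # Usage: python ghostwrite_check.py [path-to-cpuinfo | --sample]
    if len(sys.argv) > 1 and sys.argv[1] == "--sample":
        text = SAMPLE_CPUINFO
    else:
        with open(sys.argv[1] if len(sys.argv) > 1 else "/proc/cpuinfo") as f:
            text = f.read()
    for proc, status in assess(text):
        print(f"hart {proc}: {status}")
```

Run with `--sample` to see the three cases; on a real board it reads `/proc/cpuinfo` directly. A "mitigated" result only shows that the kernel no longer exposes the extension; it does not prove anything about firmware or other operating systems on the same hardware.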
Broader Context
This discovery comes amid revelations of other significant vulnerabilities. For instance, Google's Android Red Team recently detected over nine flaws in Qualcomm's Adreno GPU, which allowed attackers to escalate privileges and execute code at the kernel level. These have since been patched.
Similarly, a security flaw in AMD processors, called Sinkclose, has been identified. This flaw could potentially allow attackers to elevate privileges and modify system configurations, affecting System Management Mode (SMM). It's noteworthy that this vulnerability remained undetected for nearly two decades.
AMD has advised that the only way to address such an issue is to use a hardware-based tool, an SPI flash programmer, to scan the firmware for malware and remove it.
Conclusion
The GhostWrite vulnerability highlights the ongoing challenges in hardware security. As technology continues to evolve, ensuring robust security measures is critical to protecting sensitive information and maintaining the overall performance of computing devices.