Security News > 2024 > August > Faulty instructions in Alibaba's T-Head C910 RISC-V CPUs blow away all security

Black Hat Computer security researchers at the CISPA Helmholtz Center for Information Security in Germany have found serious security flaws in some of Alibaba subsidiary T-Head Semiconductor's RISC-V processors.

Thus the security issues here with the C910 lie with T-Head's own implementation of the ISA, specifically its non-standard implementation of the vector extension, and not the specs themselves nor other RISC-V chips.

They found three architectural CPU vulnerabilities within the T-Head chips, not to mention other bugs that cause segmentation faults in the two latest major versions of QEMU. The most severe vulnerability, GhostWrite, affects the C910 in the TH1520 SoC and lets unprivileged users write anything to memory without concern for security and isolation features.

V instruction is broken in that it doesn't treat the address as a virtual one, and instead goes straight to physical memory, allowing any application, including malware, to scribble over the OS kernel, or machine-level hypervisor or firmware, and take over the device.

Sipeed Lichee Pi 4A, single-board computer Milk-V Meles, SBC. BeagleV-Ahead, SBC. The boffins in their paper observe that Shandong University in China has a RISC-V cluster with a C910 variant, though they've been unable to determine whether that variant is affected.

"Given the increasing complexity of RISC-V CPUs, we advocate such a microcode layer on RISC- V to have the possibility of mitigating CPU vulnerabilities," the paper concludes.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/08/07/riscv_business_thead_c910_vulnerable/