Inside RISC-V: Analysis and Exploitation

4 DAY U_LONG 32 CPE HOUR TRAINING: AUGUST 2021 * WEEK 2: SEP 7-12

Don Andrew Bailey
CLASS RESCHEDULED TO SEPTEMBER 7, 2021

Abstract

This training is designed to give students the knowledge and skills required to analyze, identify, target, and exploit flaws in both RISC-V processors, and applications and kernels written for the architecture. Not only will RISC-V application level exploitation be a focus of the training session, processor exploitation will also be a focus, providing students with insights into architectural design choices that make RISC-V more resilient to side channel attacks, “trustzone” escapes, and privilege “ring” escalation attacks.

Students will complete the class with a full understanding of the RISC-V architecture and its variants, how to identify/analyze a RISC-V processor, and how to target and exploit an application or kernel running on a RISC-V CPU. Students will learn how the architecture's formal definition differs from implementations of the processor specification, and will learn how to target subtleties in the specification that grant implementors the flexibility to introduce potential architecture flaws that can be exploited in order to cross privilege boundaries or leak/exfil privileged data.

Variations of RISC-V technology will be discussed, such as the “unhackable” Morpheus microarchitecture, production variants such as SiFive's product line, and security focused chips such as HexFive and LowRISC.

Agenda

Cluster 1

  • RISC-V Architecture Specification
  • RISC-V Architecture Variants and Extensions
  • RISC-V Peripheral Integration Model (Bus Architecture)
  • RISC-V Debugging and Testing

Cluster 2

  • Application Development Environment
  • Toolchains and Soft Debugging
  • Privilege Layers from a Kernel and App Perspective
  • Exploiting Kernels
  • Exploiting Applications

Cluster 3

  • Tagged Memory
  • Side channel attacks
  • Privilege escalation
  • Privileged data leakage
  • TrustZone Analogs
  • Exploiting Privilege Boundary Flaws

Cluster 4

  • Secure Core Implementations and their Weaknesses
  • Errata: Hacking Implementations versus Specifications
  • Exploiting Secure Cores

Tools Used

  • QEMU
  • Linux
  • gdb / llvm / gcc
  • Python
  • JTAG / SWD

Required Skills

  • Basic assembly knowledge with any RISC architecture CPU
  • Basic low-level programming (C, assembly)
  • Basic Python
  • Familiarity with the Linux command line and its common tools

System Requirements:

  • A working computer
  • Virtual machine(s) running Linux
  • The ability for your Linux system to run virtual machines (QEMU)
  • Python installed (2 and 3)
  • Basic development toolchain installed: gcc/llvm, gdb, vim, make/automake/autoconf, OpenOCD, telnet/nc