Inside RISC-V: Analysis and Exploitation

4 Day u_long 32 CPE Hour Training: February 2022

## Video Preview

Don's 90 minute introduction to RISC-V gives you a sneak peek into the attack surface of RISC-V architecture CPUs and what it would take to craft exploits on it. Don covers the width and depth of RISC-V attacks in his Inside RISC-V: Analysis and Exploitation training offered at CATCH2022.

## Abstract

This training is designed to give students the knowledge and skills required to analyze, identify, target, and exploit flaws in both RISC-V processors and in the applications and kernels written for the architecture. The session focuses not only on RISC-V application-level exploitation but also on processor exploitation, providing students with insights into the architectural design choices that make RISC-V more resilient to side channel attacks, "trustzone" escapes, and privilege "ring" escalation attacks. Students will complete the class with a full understanding of the RISC-V architecture and its variants, how to identify and analyze a RISC-V processor, and how to target and exploit an application or kernel running on a RISC-V CPU. Students will learn how the architecture's formal definition differs from implementations of the processor specification, and how to target subtleties in the specification that grant implementors the flexibility to introduce potential architectural flaws which can be exploited to cross privilege boundaries or to leak or exfiltrate privileged data. Variations of RISC-V technology will be discussed, such as the "unhackable" Morpheus microarchitecture, production variants such as SiFive's product line, and security-focused chips such as HexFive and LowRISC.
## Agenda

#### Cluster 1

- RISC-V Architecture Specification
- RISC-V Architecture Variants and Extensions
- RISC-V Peripheral Integration Model (Bus Architecture)
- RISC-V Debugging and Testing

#### Cluster 2

- Application Development Environment
- Toolchains and Soft Debugging
- Privilege Layers from a Kernel and App Perspective
- Exploiting Kernels
- Exploiting Applications

#### Cluster 3

- Tagged Memory
- Side channel attacks
- Privilege escalation
- Privileged data leakage
- TrustZone Analogs
- Exploiting Privilege Boundary Flaws

#### Cluster 4

- Secure Core Implementations and their Weaknesses
- Errata: Hacking Implementations versus Specifications
- Exploiting Secure Cores

## Tools Used

- QEMU
- Linux
- gdb / llvm / gcc
- Python
- JTAG / SWD

## Required Skills

- Basic assembly knowledge with any RISC architecture CPU
- Basic low-level programming (C, assembly)
- Basic Python
- Familiarity with the Linux command line and its common tools

## System Requirements

- A working computer
- Virtual machine(s) running Linux
- The ability for your Linux system to run virtual machines (QEMU)
- Python installed (2 and 3)
- Basic development toolchain installed: gcc/llvm, gdb, vim, make/automake/autoconf, OpenOCD, telnet/nc

## Instructor
Don Andrew Bailey


Don A. Bailey is an 18 year veteran of the information security space. His groundbreaking research has shaped information security and has been featured in news agencies from NPR and Reuters to Fox News and CNN. Don was the first to break Apple's MFi security architecture, the first to demonstrate car hacking, the first to remotely compromise GPS systems, "broke the Internet" with a critical and widespread compression algorithm exploit, and was the first to find and develop a working exploit for the RISC-V privilege model security flaw, among other firsts. Previously the Director of Research at the prestigious iSEC Partners think tank, Don founded his own consulting firm in 2012 with a research grant from DARPA. Don went on to help shape the vulnerability, exploit acquisition, and response ecosystem, becoming a "top 10 hacker" at HackerOne and a Bugcrowd affiliate. During this time, Mr. Bailey consulted with startups on building secure technology from the ground up, and assisted corporations in integrating vulnerability response programs into their engineering process. Don currently leads a startup, Lab Mouse Inc., focused on using secure RISC-V technology to solve social problems in underfunded communities. Mr. Bailey is currently the Chair of the RISC-V Security Response Team, which coordinates vulnerability disclosure between researchers and the RISC-V Foundation.