Researchers in Germany have identified a critical vulnerability in a CPU built on the RISC-V architecture, the first such finding for that architecture. The discovery was made using a technique known as differential fuzz testing.
The team at the Helmholtz Centre for Information Security uncovered the vulnerability, dubbed GhostWrite, in the T-Head XuanTie C910 and C920 RISC-V CPUs, which are commonly found in single-board computers. Notable boards using these processors include the BeagleV-Ahead and the Milk-V Pioneer 64-bit cloud cluster.
GhostWrite exploits a flaw in the RISC-V vector extension, enabling unprivileged attackers, including those with only limited access, to manipulate the computer's memory and control peripheral devices such as network cards. The vulnerability undermines the CPU's security mechanisms and cannot be fully remedied without disabling a significant portion of the CPU's functionality.
Unlike side-channel or transient-execution attacks, GhostWrite is a direct CPU bug: faulty instructions in the vector extension operate on physical memory rather than virtual memory, circumventing the process isolation normally enforced by the operating system and the hardware.
The GhostWrite vulnerability was uncovered through an analysis of both documented and undocumented instructions using a method called differential fuzz testing for CPUs. By running small programs on different CPUs and comparing the outcomes, the researchers were able to pinpoint discrepancies that indicated a potential issue with the T-Head XuanTie C910 CPU.
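The comparison described above, as an added illustration that is neither the researchers' fuzzer nor any real CPU model: two interpreters for a small constructed instruction set, a reference model and a "device under test" into which a store instruction that skips address translation has been deliberately planted, are fed the same random programs. Any divergence in final register or memory state is reported, and the opcode common to all diverging programs is counted to localize the cause. The instruction set, the page table and the planted bug are all constructed assumptions for this example and do not model the C910.

```python
"""Toy differential fuzzing harness for two CPU models (added example).

A reference interpreter and a "device under test" interpreter execute the
same randomly generated programs; any difference in final state is a finding.
Everything here (instruction set, page table, planted bug) is constructed.
"""
import random
from dataclasses import dataclass, field
from collections import Counter

MEM_SIZE = 64          # bytes of toy physical memory
PAGE = 16              # bytes per page
NUM_REGS = 4
# Constructed page table: virtual page -> physical page (every page is remapped)
PAGE_TABLE = {0: 2, 1: 3, 2: 0, 3: 1}


def translate(vaddr):
    """Virtual-to-physical translation through the toy page table."""
    page, offset = divmod(vaddr % MEM_SIZE, PAGE)
    return PAGE_TABLE[page] * PAGE + offset


@dataclass
class State:
    regs: list = field(default_factory=lambda: [0] * NUM_REGS)
    mem: list = field(default_factory=lambda: [0] * MEM_SIZE)


def _execute(program, state, vector_store_translates):
    """Shared interpreter; the flag selects reference or buggy vector-store behaviour.

    Instructions are (op, rd, rs, imm) tuples:
      addi  rd = (rs + imm) & 0xFF
      xor   rd = rd ^ rs
      sw    mem[translate(rs + imm)] = rd
      vsw   two-element store of rd, rd+1 starting at rs + imm
    """
    regs, mem = state.regs, state.mem
    for op, rd, rs, imm in program:
        if op == "addi":
            regs[rd] = (regs[rs] + imm) & 0xFF
        elif op == "xor":
            regs[rd] ^= regs[rs]
        elif op == "sw":
            mem[translate(regs[rs] + imm)] = regs[rd]
        elif op == "vsw":
            for i in range(2):
                vaddr = regs[rs] + imm + i
                # Planted bug (constructed): the DUT writes the untranslated address.
                paddr = translate(vaddr) if vector_store_translates else vaddr % MEM_SIZE
                mem[paddr] = (regs[rd] + i) & 0xFF
    return state


def run_reference(program):
    return _execute(program, State(), vector_store_translates=True)


def run_under_test(program):
    return _execute(program, State(), vector_store_translates=False)


def random_program(rng, length=6):
    ops = ["addi", "xor", "sw", "vsw"]
    return [(rng.choice(ops), rng.randrange(NUM_REGS), rng.randrange(NUM_REGS),
             rng.randrange(16)) for _ in range(length)]


def diff_states(ref, dut):
    """List every (kind, index, reference_value, dut_value) that differs."""
    diffs = [("reg", i, a, b) for i, (a, b) in enumerate(zip(ref.regs, dut.regs)) if a != b]
    diffs += [("mem", i, a, b) for i, (a, b) in enumerate(zip(ref.mem, dut.mem)) if a != b]
    return diffs


def fuzz(iterations=200, seed=1):
    """Run random programs on both models; return (program, diffs) for each divergence."""
    rng = random.Random(seed)
    findings = []
    for _ in range(iterations):
        program = random_program(rng)
        diffs = diff_states(run_reference(program), run_under_test(program))
        if diffs:
            findings.append((program, diffs))
    return findings


def localize(findings):
    """Count, per opcode, how many diverging programs contain it; the culprit is in all of them."""
    counts = Counter()
    for program, _ in findings:
        for op in {instr[0] for instr in program}:
            counts[op] += 1
    return counts


if __name__ == "__main__":
    results = fuzz()
    print(f"{len(results)} diverging programs out of 200")
    print("opcode presence among divergences:", dict(localize(results)))
```

The harness is deliberately model-agnostic: swapping the two interpreters for wrappers that run the same byte sequence on real hardware and collect register and memory snapshots leaves the comparison and localization logic unchanged, which is the essence of the differential approach the researchers used.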