Detecting Architectural Vulnerabilities in Closed-Source RISC-V CPUs (CISPA)
TL;DR
AI Generated

Researchers at CISPA Helmholtz Center for Information Security have published a paper titled "RISCover," which introduces a framework for detecting architectural vulnerabilities in closed-source RISC-V CPUs. Unlike previous methods, this framework identifies vulnerabilities without access to source code, hardware changes, or models: it runs as user-space code under Linux directly on real hardware. By comparing the behavior of instruction sequences across different CPUs, RISCover uncovered 4 previously unknown vulnerabilities in off-the-shelf CPUs from 3 different vendors. The vulnerabilities include exploits like GhostWrite, enabling arbitrary data leakage, and "halt-and-catch-fire" bugs that silently corrupt data. The paper emphasizes the need for post-silicon fuzzing techniques and complements existing RTL-level fuzzers for the security analysis of closed-source CPUs.
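The cross-CPU comparison described above, as an added illustration that is not code from the RISCover paper or from CISPA: the same instruction sequence is run on several CPUs, the resulting architectural outcomes are compared, and a CPU that deviates from the majority is flagged for analysis. The `Outcome` fields, CPU names and sample observations are constructed for this example.

```python
# Constructed illustration of differential testing across CPUs (not the
# paper's own code). Each CPU's result for one instruction sequence is
# reduced to an Outcome; disagreement with the majority is a finding.
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Outcome:
    """Observable result of running one instruction sequence on one CPU."""
    regs: Tuple[int, ...]          # architectural register values afterwards
    trap: Optional[str] = None     # trap cause if the sequence faulted
    finished: bool = True          # False if the CPU hung / hit the timeout

def compare(sequence_id, outcomes):
    """outcomes: {cpu_name: Outcome}. Returns (sequence, cpu, reason) findings."""
    majority, count = Counter(outcomes.values()).most_common(1)[0]
    if count == len(outcomes):
        return []                  # all CPUs agree: nothing to report
    findings = []
    for cpu, out in outcomes.items():
        if out == majority:
            continue
        if not out.finished:
            reason = "did not complete (possible halt-and-catch-fire)"
        elif out.trap != majority.trap:
            reason = "trap mismatch: %r vs majority %r" % (out.trap, majority.trap)
        else:
            reason = "register state differs from majority"
        findings.append((sequence_id, cpu, reason))
    return findings

# Constructed observations: three sequences on three CPUs. seq-01 agrees
# everywhere; in seq-02 cpuC executes what the others reject; in seq-03
# cpuB never returns from the sequence.
SAMPLES = {
    "seq-01": {"cpuA": Outcome((1, 2)), "cpuB": Outcome((1, 2)), "cpuC": Outcome((1, 2))},
    "seq-02": {"cpuA": Outcome((0, 0), "illegal instruction"),
               "cpuB": Outcome((0, 0), "illegal instruction"),
               "cpuC": Outcome((7, 0))},
    "seq-03": {"cpuA": Outcome((3, 4)), "cpuB": Outcome((), None, False), "cpuC": Outcome((3, 4))},
}

def run_all(samples=SAMPLES):
    """Compare every sequence and collect all findings in sequence order."""
    return [f for sid, obs in samples.items() for f in compare(sid, obs)]

if __name__ == "__main__":
    for finding in run_all():
        print(*finding)
```

With only three CPUs a three-way disagreement has no majority; the comparator then reports whichever outcome `Counter` happens to rank first, so such cases still need a human look.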