

# Transient Execution Attacks and Countermeasures on RISC-V Implementations



Suzaki Laboratory, Institute of Information Security (情報セキュリティ大学院大学 須崎研究室) Tuo Chen (陳 拓, M1, mgs234502@iisec.ac.jp) and Kunihiro Suzaki (須崎 有康, suzaki@iisec.ac.jp)

### I. Introduction

Transient execution attacks, exemplified by the Spectre variants and categorized as cache-timing SCAs (Side Channel Attacks), have been growing for a few years. This situation will be further extended by the open "RISC-V ecosystem", because many independent implementations will appear. In this presentation, we first present the research history of transient execution attacks. Then we explain the Spectre variants and several countermeasures on current CPUs. We also want to discuss countermeasure ideas for the next stage.

### II. Transient execution attack (TEA)

TEA is a broad category of microprocessor hardware security issues introduced by the implementation of speculative execution. At the last stage, the adversary conducts a general cache-timing SCA such as Flush/Evict+Reload/Time or Prime+Probe. Until now, most of them target the mainstream processors of Intel, AMD, ARM and Apple. Case studies of them are of significance for the RISC-V ISA. A. Some of them can be directly validated on existing RISC-V instances; we are investigating and counting these. B. The remainder temporarily cannot be replicated due to proprietary designs, but the mechanisms behind them may be transplanted to, or have their equivalents on, RISC-V platforms in the future.

### III. Spectre vulnerabilities

Spectre is a typical group of TEAs, exploiting branch prediction. We have confirmed the three highlighted rows of the following table on RISC-V boards.

| Spectre-* | CVE                                  | Public name                             | Citation                         |
|-----------|--------------------------------------|-----------------------------------------|----------------------------------|
| v1        | 2017-5753                            | BCB: Bounds Check Bypass                | Kocher et al,<br>IEEE S&P 19     |
| v1.1      | 2018-3693                            | BCBS: Bounds Check Bypass Store         | V. Kiriansky et al,<br>arXiv 18  |
| v1.2      | (Unindexed)                          | RPB: Read-only protection bypass        | V. Kiriansky et al,<br>arXiv 18  |
| v2        | 2017-5715                            | BTI: Branch Target Injection            | Kocher et al,<br>IEEE S&P 19     |
| v3        | 2017-5754                            | Meltdown or RDCL: Rogue Data Cache Load | M. Lipp et al,<br>USENIX Sec 18  |
| v3a       | 2018-3640                            | RSRR: Rogue System Register Read        | INTEL-SA-00115<br>18             |
| v4        | 2018-3639                            | SSB: Speculative Store Bypass           | Kocher et al,<br>IEEE S&P 19     |
| v5        | (Unindexed)                          | ret2spec: Return Mispredict             | Koruyeh et al,<br>USENIX Sec 18  |
| Lazy FP   | 2018-3665                            | Lazy FP State Restore                   | Stecklina et al,<br>arXiv 18     |
| BHI       | 2022-0001<br>2022-0002<br>2022-23960 | BHI: Branch History Injection           | Barberis et al,<br>USENIX Sec 22 |
| v6        | (Unindexed)                          | SRV: Speculative Vectorization Exploit  | S. Karuppanan et al,<br>arXiv 23 |

Figure: TEA family overview. Timing SCA (Flush/Evict+Reload/Time, Prime+Probe, etc.) is the common last stage of the Spectre and Meltdown groups. Vendor-specific members: CROSSTalk (Intel), Downfall (Intel), LVI (Intel), MDS (Intel); Retbleed (AMD), CTRAP (AMD), Zenbleed (AMD), INCEPTION (AMD).

### IV. Present mitigations against Spectre

Some of the following proposals are already based on RISC-V.

| Proposal                               | Description                                                                                                                                                                                                                               | Type(s)    | against           | Citation                                                  |
|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|-------------------|-----------------------------------------------------------|
| (General remarks)                      | <ol> <li>Prevent speculative execution</li> <li>Prevent access to secret data</li> <li>Prevent data from entering covert<br/>channel</li> <li>Limit data extraction from covert<br/>channels</li> <li>Prevent branch poisoning</li> </ol> | All        | v1, v2,<br>v4     | P. Kocher et al<br>IEEE S&P 19<br>("Spectre white paper") |
| Retpoline                              | Include lfence/pause instruction and<br>utilization of user-controllable RSB<br>(Return Stack Buffer), instead of solely<br>relying on indirect branch predictor that is<br>vulnerable.                                                   | SW         | v2                | Google Project Zero                                       |
| Indirect branch<br>instructions        | Porting of Retpoline from Intel x86 into<br>RISC-V and some improvements. Use<br>modified indirect "jump" and "call"<br>similarly.                                                                                                        | SW         | v2, v5            | R. Bălucea and P. Irofti<br>arXiv, Jun. 09, 2022          |
| Condition branch<br>conversion, others | <ol> <li>Remove dependencies on branch<br/>output in secret data.</li> <li>Convert conditional branch into<br/>equivalent unconditional instructions</li> <li>Other HW-assisted SW defenses.</li> </ol>                                   | SW +<br>HW | v1, v2,<br>v4, v5 | D. Evtyushkin et al<br>ACM, Mar. 2018                     |
| SpecBuf                                | Propose certain forms of "dedicated<br>speculation buffer". Their common feature<br>is holding data for speculative executions.                                                                                                           | HW         | v1, v2,<br>v5     | Gonzalez et al<br>U. C. Berkeley, 2018                    |
| SafeSpec,<br>InvisiSpec                | For InvisiSpec, secret data will be invisible<br>even from the covert channel, until it is<br>confirmed secure and is then released open.<br>Data that breaks memory consistency will<br>also be detected. For SpecBuf, data from<br>failed speculation will be eliminated in the<br>buffer, avoiding influence on caches for<br>general purpose. |            |                   | Khasawneh et al<br>arXiv, Jun. 15, 2018;<br>M. Yan, J. Choi et al<br>IEEE, Oct. 2018 |
| SSE-RV                                 | Along with loaded data for speculative<br>execution, mark the destination registers<br>with "taints". If next speculation accesses<br>addresses of tainted registers again, it will<br>be blocked by the LSU with fence instr.            | HW         | v1, v2,<br>v5     | M. Sabbagh et al<br>CARRV 2021                            |

Hertogh et al, IEEE S&P 24
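To make the "convert conditional branch into unconditional instructions" entry of the table concrete, here is an added C example (not code from the poster or from any of the cited projects) showing the Spectre-v1 bounds-check-bypass gadget shape beside a hardened form that clamps the index without a branch, so the clamp also holds while the bounds check is mispredicted. The memory layout, the secret string and the `transient_load` model of the mispredicted path are constructed for illustration; no timing channel is involved.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed layout: a public array with a "secret" placed right behind it, so
 * that an out-of-range index into public_data lands in the secret. */
#define PUBLIC_LEN 16
static struct {
    uint8_t public_data[PUBLIC_LEN];
    char    secret[24];
} mem = { "0123456789abcdef", "constructed-secret" };

static uint8_t probe[256 * 64];   /* stand-in for the attacker-observable array2 */

/* Spectre-v1 (BCB) gadget shape from Kocher et al.: the bounds check is a
 * conditional branch. It is architecturally correct, but while the branch is
 * mispredicted the two loads run transiently on an out-of-range idx, and the
 * probe[] cache line they touch encodes mem.public_data[idx], i.e. the secret. */
uint8_t gadget_unsafe(size_t idx) {
    if (idx < PUBLIC_LEN)
        return probe[mem.public_data[idx] * 64];
    return 0;
}

/* Branchless clamp (same construction as Linux's array_index_nospec()).
 * top is 1 when idx >= len (either idx itself is huge, or len-1-idx wrapped),
 * else 0; mask is therefore 0 (out of range -> index 0) or all ones (idx kept).
 * No branch is involved, so the clamp is also effective on the transient path.
 * Assumes len <= SIZE_MAX/2, which holds for any real array. */
static inline size_t index_nospec(size_t idx, size_t len) {
    size_t top  = (idx | (len - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    size_t mask = top - 1;
    return idx & mask;
}

uint8_t gadget_hardened(size_t idx) {
    if (idx < PUBLIC_LEN) {
        idx = index_nospec(idx, PUBLIC_LEN);   /* <= PUBLIC_LEN-1 even if mispredicted */
        return probe[mem.public_data[idx] * 64];
    }
    return 0;
}

/* Model of the transient path: assume the bounds-check branch was mispredicted,
 * so the load executes on idx anyway. Returns the byte that load would bring in
 * with and without the clamp. The pointer stays inside the struct object. */
uint8_t transient_load(size_t idx, int clamped) {
    const uint8_t *base = (const uint8_t *)&mem;
    return base[clamped ? index_nospec(idx, PUBLIC_LEN) : idx];
}
```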

### V. Experiment environment for RISC-V TEAs

We tested Spectre-v1, v2 and v5 on several LicheePi 4A SBCs. A 64-bit SonicBOOM Linux-capable single RISC-V core is also running on an AMD Xilinx Virtex 7 FPGA VC707 evaluation kit, but it still needs tuning. We are now looking for more flexible environments such as Chipyard, VMs, etc.







### VI. Spectre attack on RISC-V test results

We analyzed and modified Spectre code from previous studies and successfully logged a Spectre-v2 run.




Figure: log of the Spectre-v2 run. Each line gives the target byte address, the wanted character and the two best guesses as (cache hits, decimal value, character); the wanted bytes spell `!"#SecretInTheSonicBOOM`, and the first guess is correct for all but a few positions.

### VII. Our ideas on RISC-V TEA countermeasures

1. Eliminate or disable the CPU cache covert channel.
2. Detect potential TEA attempts and turn off speculation temporarily.
3. Switch the flow dependency between control and data on demand.