cispa_all_3924.pdf (358.64 kB)

A Security RISC: Microarchitectural Attacks on Hardware RISC-V CPUs

Download (358.64 kB)
conference contribution
posted on 2023-11-29, 18:24 authored by Lukas GerlachLukas Gerlach, Daniel WeberDaniel Weber, Ruiyi ZhangRuiyi Zhang, Michael SchwarzMichael Schwarz
Microarchitectural attacks threaten the security of computer systems even in the absence of software vulnerabilities. Such attacks are well explored on x86 and ARM CPUs, with a wide range of proposed but not-yet deployed hardware countermeasures. With the standardization of the RISC-V instruction set architecture and the announcement of support for the architecture by major processor vendors, RISC-V CPUs are on the verge of becoming ubiquitous. However, the microarchitectural attack surface of the first commercially available RISC-V hardware CPUs is not yet explored. This paper analyzes the two commercially-available off-the-shelf 64-bit RISC-V (hardware) CPUs used in most RISC-V systems running a full-fledged commodity Linux system. We evaluate the microarchitectural attack surface, which leads to the introduction of 3 new microarchitectural attack techniques: Cache+Time, a novel cache-line-granular cache attack without shared memory, Flush+Fault exploiting the Harvard cache architecture for Flush+Reload, and CycleDrift exploiting unprivileged access to instruction-retirement information. Additionally, we show that many known attacks are applicable to these RISC-V CPUs, mainly due to non-existing hardware countermeasures and instruction-set subtleties that do not consider the microarchitectural attack surface. We demonstrate our attacks in 6 case studies, including the first RISC-V-specific microarchitectural KASLR break and a CycleDrift-based method for detecting kernel activity. Based on our analysis, we stress the need to consider the microarchitectural attack surface during every step of a CPU design, including custom instruction-set extensions.


Preferred Citation

Lukas Gerlach, Daniel Weber, Ruiyi Zhang and Michael Schwarz. A Security RISC: Microarchitectural Attacks on Hardware RISC-V CPUs. In: IEEE Symposium on Security and Privacy (S&P). 2023.

Primary Research Area

  • Threat Detection and Defenses

Name of Conference

IEEE Symposium on Security and Privacy (S&P)

Legacy Posted Date


Open Access Type

  • Green


@inproceedings{cispa_all_3924, title = "A Security RISC: Microarchitectural Attacks on Hardware RISC-V CPUs", author = "Gerlach, Lukas and Weber, Daniel and Zhang, Ruiyi and Schwarz, Michael", booktitle="{IEEE Symposium on Security and Privacy (S&P)}", year="2023", }

Usage metrics


    No categories selected


    Ref. manager