GhostWrite, a Serious Flaw in the T-Head XuanTie C910 and C920 Cores, Hits Popular RISC-V SBCs

An issue in T-Head's implementation of the RISC-V vector extension renders all security null and void, researchers warn.

Gareth Halfacree
1 month ago
Security / HW101

Security researchers have warned of a serious vulnerability in popular free and open source RISC-V core designs from Alibaba's T-Head division, one that gives attackers a means of reading and writing any memory location from an unprivileged process. The researchers say the only fix available results in a major performance penalty.

"The GhostWrite vulnerability affects the T-Head XuanTie C910 and C920 RISC-V CPUs," the team of researchers from the CISPA Helmholtz Center for Information Security say. "This vulnerability allows unprivileged attackers, even those with limited access, to read and write any part of the computer’s memory and to control peripheral devices like network cards. GhostWrite renders the CPU’s security features ineffective and cannot be fixed without disabling around half of the CPU’s functionality."

A major security flaw in T-Head XuanTie RISC-V cores has been discovered, allowing for privilege escalation (above) and arbitrary memory access. (📹: Thomas et al)

The flaws were discovered during the development of RISCVuzz, a differential hardware fuzzer built to winkle out exactly this kind of issue in processor designs. While testing found evidence of a range of more minor bugs, the GhostWrite vulnerability is serious: it allows an unprivileged user to read and write arbitrary memory locations with little effort, so no software-level protection on a system built around the vulnerable cores can be relied upon.

"The attack is 100% reliable, deterministic, and takes only microseconds to execute," the team claims. "Even security measures like Docker containerization or sandboxing cannot stop this attack. Additionally, the attacker can hijack hardware devices that use memory-mapped input/output (MMIO), allowing them to send any commands to these devices."

The security flaws are, sadly, widespread: the XuanTie cores are already shipping across a range of products, including all of Sipeed's LM4A-powered devices (among them the recently-unveiled Lichee Book 4A), the BeagleBoard.org BeagleV Ahead, Milk-V's 64-core Pioneer, and the company's smaller Meles single-board computer. Alibaba's T-Head has confirmed the vulnerability but has not yet issued a formal statement, and has yet to publicly reach out to affected users to warn them of the flaw.

A bigger headache for anyone with a device featuring the XuanTie C910 or C920: the flaw lives in the silicon, so no kernel or firmware update can remove it. "The only way to mitigate this issue is to disable the entire vector functionality," the team says, "which disables roughly 50% of the instruction set, severely impacting the CPU's performance and capabilities."
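For anyone running a fleet of RISC-V boards, the first practical question is which hosts carry a T-Head core and still expose the vector extension to user space. The script below is an added example written for this article, not code from the GhostWrite researchers or from T-Head: it parses the RISC-V flavour of Linux's /proc/cpuinfo, matches the mvendorid value T-Head reports (0x5b7, the value the Linux kernel's vendor ID list uses for T-Head), and flags harts whose ISA string still advertises "v". Two caveats: the vendor ID only identifies T-Head, not the C910 or C920 specifically, so a hit means "confirm the exact core model"; and an ISA string without "v" only shows the kernel is not advertising the extension, which is the article's stated mitigation, not proof the hardware cannot execute it. The sample /proc/cpuinfo text is constructed for the example and its marchid/mimpid values are placeholders.

```python
"""Inventory check for T-Head RISC-V harts that still advertise the vector
extension.  Added example for this article; not the researchers' or T-Head's
code.  The vendor-ID match alone does not prove a C910/C920 is present."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Set

# mvendorid reported by T-Head cores (the Linux kernel's THEAD_VENDOR_ID).
THEAD_VENDOR_ID = 0x5B7


@dataclass
class Hart:
    index: int
    isa: str
    mvendorid: Optional[int]
    has_vector: bool   # single-letter "v" present in the ISA string
    is_thead: bool     # mvendorid matches T-Head


def isa_single_letter_extensions(isa: str) -> Set[str]:
    """Single-letter extensions of an ISA string such as 'rv64imafdcv_zicsr'.

    They follow the rv32/rv64 prefix and end at the first '_' (multi-letter
    extensions such as zicsr come after it and are ignored here)."""
    m = re.match(r"rv(?:32|64|128)([a-z]*)", isa.strip().lower())
    return set(m.group(1)) if m else set()


def parse_cpuinfo(text: str) -> List[Hart]:
    """Parse the per-hart blocks of a RISC-V /proc/cpuinfo dump."""
    harts: List[Hart] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "isa" not in fields:
            continue
        index = int(fields.get("processor", len(harts)))
        vendor: Optional[int] = None
        if "mvendorid" in fields:
            try:
                vendor = int(fields["mvendorid"], 0)   # accepts 0x... or decimal
            except ValueError:
                vendor = None
        exts = isa_single_letter_extensions(fields["isa"])
        harts.append(Hart(index, fields["isa"], vendor,
                          "v" in exts, vendor == THEAD_VENDOR_ID))
    return harts


def flagged_harts(text: str) -> List[int]:
    """Indices of harts that are T-Head and still advertise the vector extension."""
    return [h.index for h in parse_cpuinfo(text) if h.is_thead and h.has_vector]


# Constructed sample in the layout of a RISC-V /proc/cpuinfo.  Hart 0 is a
# T-Head core with "v" exposed, hart 1 a T-Head core with vector disabled,
# hart 2 a non-T-Head core (vendor 0x0 stands in for "other/unknown").
SAMPLE_CPUINFO = """\
processor\t: 0
hart\t\t: 0
isa\t\t: rv64imafdcv
mmu\t\t: sv39
mvendorid\t: 0x5b7
marchid\t\t: 0x0
mimpid\t\t: 0x0

processor\t: 1
hart\t\t: 1
isa\t\t: rv64imafdc_zicsr_zifencei
mmu\t\t: sv39
mvendorid\t: 0x5b7
marchid\t\t: 0x0
mimpid\t\t: 0x0

processor\t: 2
hart\t\t: 2
isa\t\t: rv64imafdcv_zicsr
mmu\t\t: sv48
mvendorid\t: 0x0
marchid\t\t: 0x0
mimpid\t\t: 0x0
"""


if __name__ == "__main__":
    # Pass --live on a RISC-V Linux host to read the real /proc/cpuinfo.
    if "--live" in sys.argv:
        with open("/proc/cpuinfo") as f:
            text = f.read()
    else:
        text = SAMPLE_CPUINFO
    for h in parse_cpuinfo(text):
        vendor = f"{h.mvendorid:#x}" if h.mvendorid is not None else "n/a"
        print(f"hart {h.index}: vendor={vendor} thead={h.is_thead} "
              f"vector={h.has_vector} isa={h.isa}")
    hits = flagged_harts(text)
    print("flagged harts:", hits if hits else "none")
```

Run it with `--live` on the board itself; on the constructed sample only hart 0 is flagged, since hart 1 no longer advertises "v" and hart 2 is not a T-Head core.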

More information, including the paper published on the topic, is available on the GhostWrite website.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.