https://github.com/cispa/ghostwrite

Proof-of-concept for the GhostWrite CPU bug.

https://github.com/cispa/ghostwrite

Science Score: 13.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
  • DOI references
  • Academic publication links
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (12.4%) to scientific vocabulary

Keywords

cpu microarchitectural-attack
Last synced: 5 months ago · JSON representation

Repository

Proof-of-concept for the GhostWrite CPU bug.

Basic Info
Statistics
  • Stars: 116
  • Watchers: 5
  • Forks: 17
  • Open Issues: 0
  • Releases: 0
Topics
cpu microarchitectural-attack
Created over 1 year ago · Last pushed over 1 year ago
Metadata Files
Readme License

README.md

Logo of GhostWrite

GhostWrite is a security vulnerability that affects the T-Head XuanTie C910, one of the fastest RISC-V chips to date. GhostWrite breaks all security isolations on affected RISC-V hardware. Refer to the GhostWrite website for details and the research paper.

Cite

Please find the most up to date citation directly at the top of our website.

Details & Building

At it's core, GhostWrite exploits a single ill-behaving store instruction on the C910, which illegally uses a physical instead of a virtual address as target. This PoC uses the vse128.v, though other encodings are available as well. The instruction is embedded in it's assembled form into the code since the instruction is not (yet) supported by compilers. Instructions preceding the vulnerable instruction set up the vector extension and set up registers correctly.

The PoC tests if GhostWrite works on the machine by resolving the physical address of a virtual one and then writing to that physical address. Afterwards the caches need to be flushed so that the new value is visible in virtual memory.

Building

The following should work on the machine itself: sh gcc -march="rv64gvzve64x" ghostwrite.c -o ghostwrite

The Makefile is configured to produce a statically linked binary (using a cross-compiler). Simply execute make.

Running

Run the PoC with root privileges, so that it can setup a mapping to physical memory for observing a write with GhostWrite: sh sudo ./ghostwrite

Expected output: ``` Virtual address: 3fbd3e8000 Physical address: 89f46000

Value before: caaa Value after: cafe ```

The output should contain valid virtual and physical addresses. Further, the value after executing GhostWrite with the physical address as target should change. If the values stay the same, i.e., you see "caaa" twice, or the application crashes, the CPU is not affected.

Nix-based building environment

We further ship a Nix flakes based building environment. Install Nix on your system and enable flakes. Then just get a development shell and build the PoC:

sh nix develop make

Owner

  • Name: CISPA
  • Login: cispa
  • Kind: organization
  • Email: front-office@cispa.de
  • Location: Saarbrücken, Saarland, Germany

GitHub Events

Total
  • Watch event: 12
  • Fork event: 2
Last Year
  • Watch event: 12
  • Fork event: 2