Researchers from the CISPA Helmholtz Center have uncovered serious vulnerabilities in Alibaba T-Head's RISC-V C910 cores, notably GhostWrite, which lets unprivileged applications bypass memory protections and take control of devices. The most severe flaw permits reading and writing physical memory and executing code with kernel-level privileges; the only viable mitigation is to disable the vector extension, at a heavy performance cost. #GhostWrite #C910 #TH1520 #THead #RISCVuzz #RISC-V #Scaleway #Alibaba
Keypoints
- The GhostWrite vulnerability affects the C910 CPU cores in the TH1520 SoC, enabling unprivileged code to read/write physical memory and run with kernel/supervisor privileges.
- The only mitigation proposed is disabling the faulty vector extension, which breaks vector-dependent applications and incurs about 77% performance overhead.
- Other flaws in T-Head designs include halt-and-catch-fire style CPU crashes (C906/C908) that would require a restart to recover.
- Researchers used a fuzzing framework called RISCVuzz on five RISC-V core designs and found three architectural CPU vulnerabilities in T-Head chips plus QEMU-related segmentation faults.
- The TH1520-based C910 is used by the French cloud provider Scaleway, and Shandong University reportedly operates a RISC-V cluster with a C910 variant (vulnerability status uncertain).
- The openness of RISC-V, including vendor-specific extensions, creates security risks; the authors urge a microcode layer so that mitigations can be deployed after the fact, similar to firmware updates on x86.
MITRE Techniques
- [T1068] Exploitation for Privilege Escalation – GhostWrite allows unprivileged users to read/write physical memory and execute arbitrary code with kernel/supervisor and machine-mode privileges. [‘The attack is 100 percent reliable, deterministic, and takes only microseconds to execute.’, ‘Even security measures like Docker containerization or sandboxing cannot stop this attack.’]
Read more: https://www.theregister.com/2024/08/07/riscv_business_thead_c910_vulnerable