GhostWrite: New T-Head CPU Bug Exposes Devices to Unrestricted Attacks
A team of researchers from the CISPA Helmholtz Center for Information Security in Germany has disclosed an architectural flaw in Chinese chip maker T-Head's XuanTie C910 and C920 RISC-V CPUs that could expose vulnerable devices to unauthorized access by attackers.
The issue, dubbed GhostWrite, has been described as a direct CPU bug embedded in the hardware, rather than a side-channel or transient-execution attack.
“This issue allows unprivileged attackers, even those with limited access, to view and alter any part of the computer’s memory and manipulate peripheral devices like network cards,” the researchers said. “GhostWrite renders the CPU’s security mechanisms ineffective and cannot be rectified without shutting down approximately half of the CPU’s functionalities.”
CISPA found that the CPU contains faulty instructions in its vector extension, an add-on to the RISC-V ISA designed to handle larger data values than the base Instruction Set Architecture (ISA).
These faulty instructions, which the researchers said operate directly on physical memory rather than virtual memory, bypass the process isolation normally enforced by the operating system and hardware.
As a result, an unprivileged attacker could exploit the flaw to write to any memory location and sidestep security and isolation features to gain full, unrestricted access to the device. The flaw can also be used to read any memory contents from a system, including passwords.
“The exploitation is 100% reliable, deterministic, and merely takes microseconds to execute,” the researchers said. “Even security mechanisms like Docker containerization or sandboxing are powerless against this exploit. Besides, the attacker can seize control of hardware devices utilizing memory-mapped input/output (MMIO), enabling them to issue any commands to these devices.”
The most effective mitigation for GhostWrite is to disable the entire vector functionality, which unfortunately severely affects the CPU’s performance and capabilities, as it disables around 50% of the instruction set.
“Fortunately, the faulty instructions reside in the vector extension, which can be disabled by the operating system,” the researchers pointed out. “This entirely neutralizes GhostWrite but also entirely disables vector instructions on the CPU.”
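Because the mitigation is to have the operating system stop exposing the vector extension, the first thing an administrator of a C910/C920 box wants to know is whether the running kernel still advertises it to userspace. The following script is an added example (not from the article or from the CISPA researchers) that reads /proc/cpuinfo-style text and reports which harts are affected T-Head cores with a vector extension enabled. It assumes Linux's RISC-V /proc/cpuinfo layout (one block per hart, an `isa` line such as `rv64imafdc_zicsr_xtheadvector` and a `uarch` line taken from the device-tree compatible string such as `thead,c910`), and it assumes the ratified vector extension is reported as the single letter `v` while the T-Head draft-0.7.1 implementation is reported by newer kernels as `xtheadvector`; those spellings and the sample input below are assumptions, not taken from the page.

```python
"""Report RISC-V harts that are T-Head C910/C920 cores with a vector extension enabled.

Added example, not code from the original article or the CISPA research.
Assumptions: Linux /proc/cpuinfo on RISC-V prints one block per hart with an
"isa" line and a "uarch" line (device-tree compatible string). The ratified
vector extension is the single letter "v"; the T-Head draft-0.7.1 vector unit
is reported as the multi-letter extension "xtheadvector". Exact spellings are
assumed here and should be checked against the kernel in use.
"""
import re
from typing import Dict, List, Set

# Constructed sample input, not captured from a real machine.
SAMPLE_CPUINFO = """\
processor\t: 0
hart\t\t: 0
isa\t\t: rv64imafdc_zicsr_zifencei_xtheadvector
mmu\t\t: sv39
uarch\t\t: thead,c910

processor\t: 1
hart\t\t: 1
isa\t\t: rv64imafdc_zicsr_zifencei
mmu\t\t: sv39
uarch\t\t: thead,c910
"""

# Assumed compatible strings for the affected cores and the extension names
# under which a vector unit may be advertised.
AFFECTED_UARCHS = ("thead,c910", "thead,c920")
VECTOR_EXTENSIONS = ("v", "xtheadvector")


def parse_cpuinfo(text: str) -> List[Dict[str, str]]:
    """Split /proc/cpuinfo-style text into one key/value dict per hart."""
    harts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            harts.append(fields)
    return harts


def isa_extensions(isa: str) -> Set[str]:
    """Expand an ISA string into its set of extension names.

    Single-letter extensions follow the base ("rv32"/"rv64"/"rv128");
    multi-letter extensions are underscore-separated.
    "rv64imafdc_zicsr_xtheadvector" -> {"i","m","a","f","d","c","zicsr","xtheadvector"}
    """
    base, *multi = isa.lower().split("_")
    m = re.fullmatch(r"rv(32|64|128)([a-z]*)", base)
    if not m:
        raise ValueError(f"unrecognised ISA string: {isa!r}")
    exts = set(m.group(2))          # each single letter is its own extension
    exts.update(e for e in multi if e)
    return exts


def vector_exposed_harts(text: str) -> List[int]:
    """Return hart numbers that are affected T-Head cores still exposing a vector extension."""
    exposed = []
    for hart in parse_cpuinfo(text):
        uarch = hart.get("uarch", "").lower()
        isa = hart.get("isa", "")
        if uarch not in AFFECTED_UARCHS or not isa:
            continue
        if isa_extensions(isa) & set(VECTOR_EXTENSIONS):
            exposed.append(int(hart["hart"]))
    return exposed


if __name__ == "__main__":
    # On a live system: text = open("/proc/cpuinfo").read()
    harts = vector_exposed_harts(SAMPLE_CPUINFO)
    if harts:
        print(f"vector extension still exposed on affected harts: {harts}")
    else:
        print("no affected hart advertises a vector extension")
```

This is only a userspace-visible indicator: an `isa` line without `v` or `xtheadvector` suggests the kernel is not exposing the vector unit, but the authoritative state is the kernel's own configuration, and the script cannot distinguish a deliberately disabled unit from a kernel that merely does not know how to report it.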
The disclosure follows the discovery of a new security vulnerability in AMD processors that could be exploited by an attacker with kernel (Ring-0) access to escalate privileges and modify the System Management Mode (SMM, also referred to as Ring -2) configuration even with SMM Lock enabled.

Dubbed Sinkclose by IOActive (CVE-2023-31315, CVSS score: 7.5), the vulnerability is said to have gone undetected for nearly two decades. Attaining the highest privilege levels on a machine lets an attacker disable security features and install persistent malware that can go virtually undetected.
In an interview with WIRED, the company said the only way to remediate an infection would be to physically connect to the system's SPI flash chip with a hardware-based tool known as an SPI Flash programmer and scan its contents for malware installed using Sinkclose.
“Improper validation in a model-specific register (MSR) could allow a malicious program with ring0 access to modify SMM configuration while SMI lock is enabled, potentially leading to arbitrary code execution,” AMD said in an advisory, adding that it intends to provide updates to original equipment manufacturers (OEMs) to address the issue.