Scientists Find Security Risk in RISC-V Open-Source Chip Architecture That China Hopes Can Help Sidestep US Sanctions

An anonymous reader shares a report: A Chinese research team says it has uncovered a significant security flaw in processor design that could have a wide impact on China's booming domestic chip industry. China was relying on the structure of the world's largest open-source CPU architecture to build their own CPUs and bypass the US chip ban, and was paying attention to any weaknesses, they said. The issue was found in RISC-V, an open-source standard used in advanced chips and semiconductors. Compared with mainstream CPU structures -- such as X86 used by Intel and AMD --RISC-V offers free access and can be modified without restriction.

The flaw allows attackers to bypass the security protections of modern processors and operating systems without administrative rights, leading to the potential theft of protected sensitive information and breaches of personal privacy. The vulnerability was confirmed by the team of Professor Hu Wei at Northwestern Polytechnical University (NPU), a major defence research institute in Shaanxi province. The researchers are experienced in hardware design security, vulnerability detection and cryptographic application safety. It was first reported by the National Computer Network Emergency Response Technical Team/Coordination Centre of China (CNCERT) on April 24, and NPU gave further details in an official announcement on May 24.

Pessimal headline

[Mononymous]

The natural reading of the headline is that this flaw is good for China--but it's not.
Write better.

Re:Pessimal headline

[narcc]

Did you read the article? It's somehow worse. Reading it will likely leave you less informed.

Re:

[LazarusQLong]

Burn. Nice.

Re:

[Gleenie]

Yeah zero detail in the article. Is this one of the same class of speculative execution issues that are widely present in the hundreds of billions of x86 (and probably every other spec. ex.) processors already out there? Or an issue somehow absolutely unique to RISC-V? And given the miniscule adoption at the present time by comparison, presumably it can be fixed and everyone can move on (until the next time).

From this article, we will never know.

Re:

[jmccue]

You are suppose to read the articles here ? Learn something new every day!

Re:

[Pascoea]

I don't claim to be the smartest person in most rooms, nor a master of the English language, but I've sat here for 5 minutes trying to figure out just what the hell you are talking about. I read the title exactly as OP does: This architecture flaw is somehow good for China. (I'd RTFA for more "insight", but it's paywalled.)

Re:Pessimal headline

[znrt]

really, it doesn't say neither one way nor the other.

- Scientists Find Security Risk in RISC-V Open-Source Chip Architecture
- That (architecture) is something China Hopes Can Help Sidestep US Sanctions

not really good nor bad. it's somewhat bad because there is a flaw, it's somewhat good because now they know and can fix it. that's just ... normal progress?

Re:

[Anonymous Coward]

The title can be read in two ways:

Scientists Find Security Risk in ((RISC-V Open-Source Chip Architecture) That China Hopes Can Help Sidestep US Sanctions)

and

Scientists Find ((Security Risk in RISC-V Open-Source Chip Architecture) That China Hopes Can Help Sidestep US Sanctions).

Anonymous GP argues that the correct interpretation is

Scientists Find Security Risk in RISC-V Open-Source Chip ((Architecture) That China Hopes Can Help Sidestep US Sanctions).

The first interpretation is probably what was intended, but like you and Mononymous, I also read it at first the second way.

I think that the anonymous GP unsuccessfully tried to defend the first interpretation which he would consider to be equivalent to the weird third interpretation.

Anyway, the original author should take a class in LISP to avoid further confusion. (I should put a smiley here, but then I would m

Re:

[penguinoid]

Well we could have had the title as China Finds Security Risk in RISC-V Open-Source Chip Architecture. But then people wouldn't confuse it as "China failing", so of course have to delete China from the "found a bug" side, and add China to the "impacted by bug".

Re:

[misnohmer]

Why bad for China? It's open source, they can fix it in their next chip (or first chip for some of Chinese chips), unlike closed design chips like Intel which also have vulnerabilities discovered all the time, which China cannot fix, at the mercy of the manufacturer and potentially cannot buy replacements due to trade restrictions. With proprietary CPU they may not even be even able to find vulnerabilities what are kept secret by adversaries who do have access to the proprietary source. At least with open s

Re:

[HiThere]

Fixing bugs in hardware is a bit harder than fixing bugs in software, but yeah. basically. It's bad for China because the bug needs to be fixed, and they're one of the main users of that hardware. (OTOH, as others have pointed out, it's not as if that's the only architecture with a bug.)

I've no idea how serious the bug is, or how hard it is to fix, but hardware bugs are always more difficult to fix. Sometimes you can use firmware to route around them, but there's usually a performance penalty.

So as one o

Pointless article.

[willy_me]

The first question I have - is this an issue with the RISC-V ISA or an issue with an implementation? If it is an issue with the ISA then it really is a big deal. It would require a new design and definitely sucks for any currently deployed hardware. If this is an issue with an implementation then this has little to do with RISC-V. Well, perhaps the ISA could evolve is such a way to make implementations naturally avoid such mistakes in the future. It is good that RISC-V designers are aware of these issues.

But the article is useless and provides no real information. They do not make it clear that there is an issue with RISC-V. They just try to drive clicks by mentioning politics.

Re:

[gweihir]

Yep, same here. The article is really useless.

I guess a problem with the ISA is relatively unlikely and a problem with the implementation is relatively likely. Maybe the ISA is making the implementation flaw relatively likely if you do not know.

Re:

[Seven Spirals]

Yeah, it looks like another one of those sneaky cache side-channel attacks has popped up, this time potentially affecting some RISC-V CPU implementations. It's a tricky situation because chip designers are always looking for ways to boost performance, and techniques like speculative execution and cache prefetching are like legal performance-enhancing drugs for CPUs.

The idea is to keep the CPU pipeline nice and full by speculatively executing instructions and preloading data into the caches before it's act

Re:

[gweihir]

Well. I think in the end this needs to be solved on the software-side. Probably some compiler-flags to be put in when crossing protection domains or something like that. Makes writing secure code harder, but what else is new.

LNBS

[hawk]

>If it is an issue with the ISA then it really is a big deal

As it turns out, the LNBS opcode actually stands for, "Let NSA Bypass Security."

(It also seems to unmask HCF . . .)

Completely lacking in substance

[radoni]

There is no content in the article here. This is somehow even dumber than "and then this happened" headlines for clicks.

Holy bananas

[bill_mcgonigle]

Maybe this bug is what's going on:
https://github.com/riscv-boom/... [github.com]

Re:

[haruchai]

a week later & no one's even commented on it?

Re: Holy bananas

[st0nerhat]

Remember this is a bug in an experimental academic RISC V core. While itâ(TM)s possible production cores have been synthesized from this, itâ(TM)s not a bug in the RISC V architecture.

Re: Holy bananas

[st0nerhat]

It looks like it. The vulnerability is associated with a div instruction.

Re:

[ras]

Unlikely.

The bug report is about a floating point div (fdiv), not integer div. The bug mentions mentions a flag in "boom" is different to "strike". Boom is this implementation which calls itself the "Berkeley Out-of-Order Machine". Berkley University isn't based in China. I have in idea what "strike" is but given the bug report says fflags.NV is set to 1 in Spike. I guess it too must be a RISC-V implementation. fflags.nv is the likely what the RISC-V architecture manual calls fcsr.nv, which is the floa

Think Different

[stolidobserver]

I like to think of them not as security risks, but pathways to upgrades.

Re:

[iAmWaySmarterThanYou]

If Intel hadn't held back the industry for years by suppressing superior architectures then this never would have happened. We'd be years ahead of where we are now all using free open source cpus that run much faster and very low power. We could even have full real AGI AI on our phones by now.

How was that?

Re:

[organgtool]

I blame it on Hunter's laptop...which probably had an Intel inside.

Proposed alternate headline

[mnemotronic]

Chinese Hopes to Sidestep US Chip Sanctions Forestalled when Security Risk Discovered in Open-Source RISC-V Architecture

All the details are on Chinese language sites

[st0nerhat]

Here is the most primary source I have been able to find so far: https://mp.weixin.qq.com/s/ke8... [qq.com] Search on Baidu and use your favorite Translation tools. Happy hunting.

Re: All the details are on Chinese language sites

[st0nerhat]

Translated excerpt: âoeIn the SonicBOOM processor, ALU (including addition), multiplication and division units use the same write port to access register files. In the case of write port contention, there is a fixed priority arbitration, where ALU has the highest priority and the division unit has the lowest priority. This means that due to port competition, the division instruction may be delayed by the younger multiplication or addition instruction, resulting in a difference in the execution time of the division instruction, resulting in a time-side channel.â

Processors don't know about "admin Rights"

[aldousd666]

This is a garbage FUD piece. Processors don't do things like admin Rights. That's up to the operating system. RISC-V is a small device controller processor.

Re:

[Admiral Krunch]

RISC-V is a small device controller processor.

Unless it isn't.

Re:

[F.Ultra]

RISC-V have multiple privilege levels similar to the ring modes of x86.

Flaw in an implentation, not the ISA

[GoRK]

This article strikes me as incredibly dangerous.

It suggests that this flaw (reportedly an issue with the ALU implemetation in the SonicBOOM CPU) is somehow associated with the RISC-V ISA (it is absolutely not) and that because of this, the US should consider curtailing RISC-V devices more generally. Such a reaction would be dangerous and utterly nonsensical. It is idiotic to even suggest it.

What in the fuck are the editors of slashdot even doing?

I don't believe them.

[McFortner]

There is one big problem with this story. If they found an exploit in China over this chip, they would never have let the new get out. What they would have done is use it as a backdoor into Western computer systems that use RISC-V chips. I think this is more likely FUD to shake confidence of the chips in the West and slow their development down because of designers looking for a problem that isn't there.

I'll believe in it once it's been independently verified by US computer experts.