Return-Oriented Programming in RISC-V
Garrett Gu, Hovav Shacham

TL;DR
This paper demonstrates that the RISC-V architecture is vulnerable to return-oriented programming (ROP) attacks capable of Turing-complete computation and arbitrary function calls, using gadgets found in a standard GNU libc build together with novel chain-generation techniques.
Contribution
It is the first work to evaluate the feasibility of ROP attacks on a typical RISC-V implementation, and it introduces a compiler that converts code of arbitrary complexity, written in a popular Turing-complete language, into RISC-V ROP chains, showing that the attack is practical rather than theoretical.
Findings
RISC-V ROP can perform Turing-complete calculations
Gadgets from GNU libc enable arbitrary function calls
A compiler was developed to generate ROP chains from high-level code
Abstract
RISC-V is an open-source hardware ISA based on the RISC design principles, and has been the subject of some novel ROP mitigation technique proposals due to its open-source nature. However, very little work has actually evaluated whether such an attack is feasible assuming a typical RISC-V implementation. We show that RISC-V ROP can be used to perform Turing complete calculation and arbitrary function calls by leveraging gadgets found in a version of the GNU libc library. Using techniques such as self-modifying ROP chains and algorithmic ROP chain generation, we demonstrate the power of RISC-V ROP by creating a compiler that converts code of arbitrary complexity written in a popular Turing-complete language into RISC-V ROP chains.
Taxonomy
Topics: Security and Verification in Computing · Physical Unclonable Functions (PUFs) and Hardware Security · Advanced Memory and Neural Computing
