Control-Flow Integrity at RISC: Attacking RISC-V by Jump-Oriented Programming
Olivier Gilles, Franck Viguier, Nikolai Kosmatov, Daniel Gracia Pérez

TL;DR
This paper analyzes the vulnerability of RISC-V to Jump-Oriented Programming attacks, demonstrating how such complex code-reuse exploits can bypass protections and compromise sensitive data like AES256 secrets.
Contribution
It provides the first analysis of RISC-V's susceptibility to JOP attacks and demonstrates a practical attack exploiting this vulnerability.
Findings
RISC-V is vulnerable to Jump-Oriented Programming attacks
JOP can bypass existing protections on RISC-V
Successful attack exposed AES256 secret
Abstract
RISC-V is an open instruction set architecture recently developed for embedded real-time systems. To achieve lasting security on these systems and design efficient countermeasures, a better understanding of their vulnerability to novel and potential future attacks is mandatory. This paper demonstrates that RISC-V is susceptible to Jump-Oriented Programming (JOP), a class of complex code-reuse attacks able to bypass existing protections. We provide a first analysis of the attack surface of RISC-V systems exploitable by such attacks, and show how gadgets can be chained together to build a full-fledged attack. We use a conservative hypothesis on exploited registers and instruction patterns, in an approach we call reserved registers. This approach is implemented on a vulnerable RISC-V application and successfully applied to expose an AES256 secret.
Peer Reviews
No public reviews on file for this paper yet.
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Cryptographic Implementations and Security