Execution at RISC: Stealth JOP Attacks on RISC-V Applications
Loïc Buckwell, Olivier Gilles, Daniel Gracia Pérez and Nikolai Kosmatov

TL;DR
This paper reveals that RISC-V architectures are vulnerable to stealthy Jump-Oriented Programming attacks, demonstrating a proof-of-concept exploit that can bypass protections and remotely access files on embedded systems.
Contribution
It uncovers RISC-V's susceptibility to JOP attacks, introduces new dispatcher gadgets, and demonstrates a practical attack on an embedded web server.
Findings
RISC-V is vulnerable to JOP attacks.
New dispatcher gadgets enable stealthy code-reuse attacks.
A remote file read vulnerability was demonstrated.
Abstract
RISC-V is a recently developed open instruction set architecture that is gaining a lot of attention. To achieve lasting security on these systems and to design efficient countermeasures, a better understanding of their vulnerability to novel and potential future attacks is mandatory. This paper demonstrates that RISC-V is susceptible to Jump-Oriented Programming, a class of complex code-reuse attacks. We provide an analysis of new dispatcher gadgets we discovered, and show how they can be used together to build a stealthy attack that bypasses existing protections. A proof-of-concept attack is implemented on an embedded web server compiled for RISC-V, into which we introduced a vulnerability, allowing an attacker to remotely read an arbitrary file from the host machine.
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Cryptographic Implementations and Security
