Hi,
I found a new transient execution attack on RISC-V BOOM.
The attack relies on bug #558, which was originally a performance bug.
But the same bug can also be used to transiently poison the BIM table using a transiently accessed secret.
The attached PoC attack is a Meltdown-type attack where supervisor-mode software transiently leaks
a secret from machine-mode software (i.e., either firmware or an enclave).
The attack is based on two vulnerabilities: 1) BOOM transiently executes a load instruction before checking
for a PMP violation, and 2) the BIM table can be transiently updated using the accessed value.
The attack is quite slow compared to using the D-cache as a side channel, but it still works and almost correctly retrieves
the secret value (i.e., 0xdeadbeef).
Type of issue: bug report
Impact: rtl refactoring
Development Phase: proposal
This can be mitigated by fixing either one of the two bugs above.
Template.zip