RISC-V is an emerging technology, with applications ranging from embedded devices to high-performance servers. Therefore, more and more security-critical workloads will be conducted with code that is compiled for RISC-V. Well-known microarchitectural side-channel attacks against established platforms like x86 apply to RISC-V CPUs as well. As RISC-V does not mandate any hardware-based side-channel countermeasures, a piece of code compiled for a generic RISC-V CPU in a cloud server cannot make safe assumptions about the microarchitecture on which it is running. Existing tools for aiding software-level precautions by checking side-channel vulnerabilities on source code or x86 binaries are not compatible with RISC-V machine code. In this work, we study the requirements and goals of architecture-specific leakage analysis for RISC-V and illustrate how to achieve these goals with the help of fast and precise dynamic binary analysis. We implement all necessary building blocks for finding side-channel leakages on RISC-V, while relying on existing mature solutions when possible. Our leakage analysis builds upon the modular side-channel analysis framework Microwalk, which examines execution traces for leakage through secret-dependent memory accesses or branches. To provide suitable traces, we port the ARM dynamic binary instrumentation tool MAMBO to RISC-V. Our port, named MAMBO-V, can instrument arbitrary binaries which use the 64-bit general-purpose instruction set. We evaluate our toolchain on several cryptographic libraries with RISC-V support and identify multiple exploitable leakages.
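The trace-comparison idea the abstract describes, as an added Python sketch that is not Microwalk or MAMBO-V code: toy functions record their own branch outcomes and load addresses (standing in for binary instrumentation), and `find_leaks` flags every site whose observations change with the secret. All function names, site labels, the table address and the test secrets are constructed for illustration.

```python
from collections import defaultdict

SECRETS = [0x00, 0x5A, 0xA5, 0xFF]  # constructed test secrets

def modexp_branchy(base, exp, mod, trace):
    """Square-and-multiply: the multiply runs only when the key bit is 1."""
    r = 1
    for i in reversed(range(8)):
        r = r * r % mod
        bit = (exp >> i) & 1
        trace.append(("branch", "mul_if_bit", bit))  # outcome = key bit
        if bit:
            r = r * base % mod
    return r

def modexp_select(base, exp, mod, trace):
    """Always multiplies, then selects arithmetically (no key-dependent branch)."""
    r = 1
    for i in reversed(range(8)):
        r = r * r % mod
        bit = (exp >> i) & 1
        m = r * base % mod
        trace.append(("branch", "loop_back", int(i > 0)))  # key-independent
        r = m * bit + r * (1 - bit)
    return r

def table_lookup(secret, trace, table_base=0x2000):
    """Load indexed by a secret byte: the accessed address reveals the byte."""
    trace.append(("load", "sbox_read", table_base + (secret & 0xFF)))

def find_leaks(target, secrets=SECRETS):
    """Run target(secret, trace) per secret; return sites whose values differ."""
    runs = []
    for s in secrets:
        trace = []
        target(s, trace)
        by_site = defaultdict(list)
        for kind, site, value in trace:
            by_site[(kind, site)].append(value)
        runs.append(by_site)
    sites = {k for run in runs for k in run}
    # A site missing from a run counts as an empty observation, so code that
    # is only reached for some secrets is flagged too.
    return sorted(k for k in sites
                  if len({tuple(run.get(k, ())) for run in runs}) > 1)

if __name__ == "__main__":
    print(find_leaks(lambda s, t: modexp_branchy(7, s, 1009, t)))
    print(find_leaks(lambda s, t: modexp_select(7, s, 1009, t)))
    print(find_leaks(table_lookup))
```

The model only covers what the recorded trace contains (branch outcomes and accessed addresses); it says nothing about timing differences inside a single instruction.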