RISC–V is an emerging technology, with applications ranging from embedded devices to high-performance servers. Therefore, more and more security-critical workloads will be conducted with code that is compiled for RISC–V. Well-known microarchitectural side-channel attacks against established platforms like x86 apply to RISC–V CPUs as well. As RISC–V does not mandate any hardware-based side-channel countermeasures, a piece of code compiled for a generic RISC–V CPU in a cloud server cannot make safe assumptions about the microarchitecture on which it is running. Existing tools for aiding software-level precautions by checking side-channel vulnerabilities on source code or x86 binaries are not compatible with RISC–V machine code. In this work, we study the requirements and goals of architecture-specific leakage analysis for RISC–V and illustrate how to achieve these goals with the help of fast and precise dynamic binary analysis. We implement all necessary building blocks for finding side-channel leakages on RISC–V, while relying on existing mature solutions when possible. Our leakage analysis builds upon the modular side-channel analysis framework Microwalk, that examines execution traces for leakage through secret-dependent memory accesses or branches. To provide suitable traces, we port the ARM dynamic binary instrumentation tool MAMBO to RISC–V. Our port named MAMBO–V can instrument arbitrary binaries which use the 64-bit general purpose instruction set. We evaluate our toolchain on several cryptographic libraries with RISC–V support and identify multiple leakages.
|Number of pages
|Published - 2023