Systematic Assessment of Cache Timing Vulnerabilities on RISC-V Processors

Cédrick Austa, Jan Tobias Mühlberg, Jean-Michel Dricot

TL;DR

This paper addresses the lack of tools to assess microarchitectural side-channel leakage on open RISC-V processors by porting a cache-timing benchmark originally used for Intel x86-64 to RISC-V. The authors adapt the Deng2020a benchmark, enabling configurable cache hierarchies and eviction strategies, and evaluate three commercial RISC-V cores (C910, U54, U74), revealing divergent leakage profiles across cores. They find that 65.9% of the studied vulnerabilities are present across all processors while 6.8% are absent from all, with 37.5% observable under at least one shared test configuration, underscoring the importance of vendor-specific design choices and mitigation strategies. The work delivers an open-source benchmark to help chip designers identify leakage sources early and to guide countermeasure development, potentially influencing secure cache design and verification in RISC-V ecosystems.

Abstract

While interest in the open RISC-V instruction set architecture is growing, tools to assess the security of concrete processor implementations are lacking. There are dedicated tools and benchmarks for common microarchitectural side-channel vulnerabilities for popular processor families such as Intel x86-64 or ARM, but not for RISC-V. In this paper we describe our efforts in porting an Intel x86-64 benchmark suite for cache-based timing vulnerabilities to RISC-V. We then use this benchmark to evaluate the security of three commercially available RISC-V processors, the T-Head C910 and the SiFive U54 and U74 cores. We observe that the C910 processor exhibits more distinct timing types than the other processors, leading to the assumption that code running on the C910 would be exposed to more microarchitectural vulnerability sources. In addition, our evaluation reveals that $65.9\%$ of the vulnerabilities covered by the benchmark exist in all processors, while only $6.8\%$ are absent from all cores. Our work, in particular the ported benchmark, aims to help RISC-V processor designers identify leakage sources early in their designs and to support the development of countermeasures.

Paper Structure

This paper contains 32 sections, 1 figure, 7 tables.

Figures (1)

  • Figure 1: Most frequent clock cycle latencies over 10000 tests, per timing type and per target. Label prefixes Lx_ or REMOTE_Lx refer to the cache block location in cache level x on the local or a remote core, respectively. Label suffixes _CLEAN or _DIRTY refer to the cache block state before the memory operation.