Semiconductors Feb 17, 2026 16:45 Semiconductor Engineering

Detecting Architectural Vulnerabilities in Closed-Source RISC-V CPUs (CISPA)

The paper “RISCover: Automatic Discovery of User-exploitable Architectural Security Vulnerabilities in Closed-Source RISC-V CPUs” was published by researchers at CISPA Helmholtz Center for Information Security.
Abstract
“The open and extensible RISC-V instruction set has enabled many new CPU vendors and implementations, but most commercial CPUs are closed-source, significantly hindering vulnerability analysis—especially for bugs exploitable from unprivileged user space.
We present RISCover, a user-space framework for detecting architectural vulnerabilities in closed-source RISC-V CPUs. It compares instruction-sequence behavior across CPUs, identifying deviations without source code, hardware changes, or models, and achieving orders-of-magnitude speedups over RTL-based methods. Unlike prior work, RISCover runs user code on Linux directly on real hardware, exposing vulnerabilities exploitable by unprivileged attackers. Evaluated on 8 off-the-shelf CPUs from 3 different vendors, it uncovers 4 previously unknown vulnerabilities.
Notably, GhostWrite lets unprivileged code write chosen bytes to physical memory, enabling arbitrary data leakage and full machine-mode execution, while 3 unprivileged “halt-and-catch-fire” bugs halt CPUs and misaligned zero-stores silently corrupt data. Our results highlight the pressing need for post-silicon fuzzing techniques. RISCover complements existing RTL-level fuzzers by enabling rapid and automated security analysis of closed-source CPUs.”
Find the technical paper here. November 2025.
Fabian Thomas, Eric García Arribas, Lorenz Hetterich, Daniel Weber, Lukas Gerlach, Ruiyi Zhang, and Michael Schwarz. 2025. RISCover: Automatic Discovery of User-exploitable Architectural Security Vulnerabilities in Closed-Source RISC-V CPUs. In Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security (CCS ’25). Association for Computing Machinery, New York, NY, USA, 3326–3340. https://doi.org/10.1145/3719027.3765141
The post Detecting Architectural Vulnerabilities in Closed-Source RISC-V CPUs (CISPA) appeared first on Semiconductor Engineering.