Safety and security are increasingly important aspects when designing computer systems, and work is carried out within RISC-V International technical groups to establish specifications that address safe and secure computing. In this blog post, we will touch on the Control Flow Integrity specification currently undergoing standardization, as well as the Smpemp and Smstateen extensions, ratified in November 2021. The NOEL-V RISC-V processor, developed by Frontgrade Gaisler, implements these features to enable the creation of robust and secure computer systems.
Control Flow Integrity
The Shadow Stack and the Landing Pad are hardware mechanisms that address Control Flow Integrity issues.
The Shadow Stack is a security mechanism designed to protect the integrity of the program’s control flow by maintaining a protected stack that mirrors the original stack. When a function call is made, the return address is pushed onto both the regular stack and the Shadow Stack. During a subsequent return instruction, the processor verifies that the return address stored on the regular stack matches the corresponding value on the Shadow Stack. If there is a mismatch, it indicates potential tampering, and the processor can take appropriate actions to mitigate the attack, such as terminating the execution or triggering an alert.
To understand the significance of the Landing Pad, let’s first consider a scenario where an attacker successfully overwrites a portion of memory that contains important control flow information, such as function pointers or return addresses. In such cases, the program’s execution can be redirected to arbitrary locations, leading to unauthorized code execution and potential security breaches.
The Landing Pad feature acts as a safeguard against these memory-overwrite attacks by providing a mechanism to ensure that jumps or calls within the program occur only to intended and legitimate locations. It accomplishes this by introducing a dedicated memory region, separate from the program’s main memory space, where landing pads are placed.
By incorporating the Shadow Stack and the Landing Pad, the NOEL-V processor implements a robust defence against control flow manipulation attacks, offering reliable protection against Return-oriented Programming (ROP) and other similar exploitation techniques. These security features are part of the RISC-V Control Flow Integrity (CFI) specification, an ongoing standardization effort aimed at enhancing the security of RISC-V processors.
Two notable RISC-V extensions – Smepmp and Smstateen – play an important role in enabling software to implement secure systems.
Access control is a fundamental aspect of secure computing, ensuring that memory regions are properly protected and accessible only to the authorized modes or privilege levels. However, the current (v1.11) RISC-V Privileged Specification lacks the flexibility to permit access to a specific memory region solely by less-privileged modes, leaving potential vulnerabilities in the system’s security posture. To address this critical concern, the NOEL-V processor integrates the Smepmp extension. This enables fine-grained control over memory access permissions, including the ability to enforce access rules specifically for non-machine modes while restricting access for the machine mode.
Another critical challenge arises when an extension introduces processor states — typically in the form of explicit registers or other state elements — that the primary operating system (OS) or hypervisor remains unaware of. This lack of awareness prevents proper context switching and raises concerns about the integrity of shared resources. Under such circumstances, one user thread or guest OS could modify or write to the processor state, while another thread or guest OS might inadvertently access or examine this state, leading to potential security vulnerabilities and compromised system integrity.
Addressing this concern, the NOEL-V processor integrates the Smstateen extension which offers a proactive solution to hide the processor state that the OS or hypervisor is unaware of, ensuring that sensitive data and resources remain shielded from unauthorized access.
The security features described above are functions implemented in a hardware platform that are then leveraged by – or impose restrictions on – software. To create a complete system, software is designed and certified to an identified criticality level, and hardware is developed to certain standards including full design assurance flow.
However, the interface between hardware and software is often missing a contract, and the software design is often based on weak and incomplete assurances and descriptions in the hardware documentation. This creates a gap in the security model of hardware/software systems. Applications rely on software to provide security functions, but there is no formal guarantee that the software function is able to do that when running on a hardware platform.
The openness of RISC-V, and in particular when implementations of RISC-V hardware are provided with source code access, can aid in closing this gap. Bridging this gap is the focus of the CSSTII research project where a security evaluation per Common Criteria is performed on a NOEL-V SoC and associated documentation. The work performed will be described at the RISC-V Summit Europe with the poster Security Evaluation of a RISC-V-based SoC.
These and related topics will be presented at the upcoming RISC-V Summit Europe during a talk titled, “Safe, Secure, and Reliable Computing with the NOEL-V Processor: from the De-RISC H2020 Project and onward.” This talk will delve deeper into the security features of the NOEL-V processor and describe Frontgrade Gaisler’s ongoing research and development efforts.
In conclusion, the GR765 represents a great leap in radiation-hardened microprocessor technology. Currently under development, this octa-core microprocessor will incorporate the NOEL-V processor and the features highlighted earlier, and is poised to redefine the landscape of safe and secure computing for critical space applications.