Analysis of Transient-Execution Attacks on the out-of-order CHERI-RISC-V Microprocessor Toooba

University essay from KTH/Skolan för elektroteknik och datavetenskap (EECS)

Author: Franz Anton Fuchs; [2021]


Abstract: Transient-execution attacks have been deemed a large threat for microarchitectures through research in recent years. In this work, I reproduce and develop transient-execution attacks against RISC-V and CHERI-RISC-V microarchitectures. CHERI is an instruction set architecture (ISA) security extension that provides fine-grained memory protection and compartmentalisation. I conduct transient-execution experiments for this work on Toooba, a superscalar out-of-order processor implementing CHERI-RISC-V. I present a new subclass of transient-execution attacks dubbed Meltdown-CF (Capability Forgery). Furthermore, I reproduce all four major Spectre-style attacks and important Meltdown-style attacks. This work analyses all attacks and explains the outcome of the respective experiments based on architectural and microarchitectural decisions made by their developers. While all four Spectre-style attacks could be successfully reproduced, the cores do not appear to be vulnerable to prior Meltdown-style attacks. I find that Spectre-BTB and Spectre-RSB pose a large threat to CHERI systems, as does the newly developed transient-execution attack subclass Meltdown-CF. However, all four major Spectre-style attacks and all attacks of the Meltdown-CF subclass violate CHERI's security model and therefore require security mechanisms to be put in place.
