How RISC-V Security Stacks Strengthen Computer Architecture

The RISC-V community is embracing an entirely new platform for security to help provide the necessary simplicity to minimize attack surfaces while also enabling designers to assess the security of the open-source architecture for themselves.  

The RISC-V platform and its security stack are enabling developers to create solutions for defending against vulnerabilities like Meltdown and Spectre that are inevitable in today’s Wild West of exponentially proliferating connected devices.

In their June 2018 Turing Lecture at the 45th International Symposium on Computer Architecture, computer pioneers David Patterson and John Hennessy described a New Golden Age of Computer Architecture (PDF). In their presentation, they describe four elements of the Golden Age:

1. Domain-specific hardware/software co-design
2. Open instruction sets
3. Agile chip design
4. Enhanced security

While RISC-V has emerged as a compelling open-source instruction set architecture for the advancement and investment in domain-specific architectures, it is also emerging as a solution for processor security.

 

RISC-V's Growing Popularity

To provide some context, the FPGA Business Unit at Microchip Technology Inc. has been engaged in the emergence of RISC-V since December 2014. Our attraction to RISC-V and its potential spanned multiple dimensions including the freedom to innovate, control of processor destiny, and lowering costs. These dimensions are inwardly focused and address our ability to differentiate and compete in the market. To us, RISC-V also represented a generational opportunity to get processor security right — a collaborative and outwardly focused dimension where the security experts had a chance to collaborate and solve problems in computer security.

 

Getting FPGA Security Right

Our own experience getting FPGA security right gave us insight into the hardware security threats that existed in computing and the challenges that the industry faced finding solutions to these threats. Our deep dive into FPGA security started in 2008 and began paying dividends with the launch of our first FPGA with an integrated processor subsystem in 2012.

In order to allow users to build secure applications, we needed to create a layered approach starting with secure hardware at the foundation. This would enable building a layer for design security, or IP protection, upon which the application layer could then be built by the customer. As part of the process, we became aware of the existence of side-channel attacks such as differential power analysis (DPA) that allowed keys to be easily extracted. As a result, we became the only FPGA provider to deploy DPA countermeasures offered by CRI (now Rambus).

Projecting our experiences with FPGA security to the state of processor security, we observed that the foundational hardware layers for processors were established decades ago before processor security was a concern for the market. The incumbent instruction set architectures (ISAs) responded to the growing demand for secure computing with what amounted to inelegant patches to a fragile system.

We were also acutely aware of side channels and, in particular, micro-architectural side channels through which a processor implementation feature that is masked from the programmer can be exploited to leak information. With the announcements of Spectre and Meltdown, the entire computer industry became aware of the threat posed by micro-architectural side channels and the need to re-build the hardware foundations of computer architecture.

 

RISC-V Security Advancements 

We saw the potential for RISC-V as a platform for reworking the hardware foundations for computing, and we were not alone. Security has been a major theme of RISC-V, starting from the very first workshop when security was a major component of presentations by LowRISC and the Shakti Processor Program. These two examples highlight the scope of collaboration enabled by RISC-V.

The Shakti Processor Program is funded by the Government of India and illustrative of the opportunity for countries to employ RISC-V to gain some technology independence and LowRISC is fueled by the burgeoning open-source hardware movement. The security-related content of RISC-V industry events has grown at the same pace as the events themselves, with 13 of the 55 sessions at the inaugural RISC-V Summit in December 2018 dedicated to security.

 

Figure 1. Presentation at one of 13 security sessions at the 2018 RISC-V Summit.

 

In addition to being the focus of entire sessions to security, there are many indicators that the RISC-V ISA is on its way to becoming the center of gravity for processor security.  

• DARPA is investing in RISC-V and security and chose RISC-V as the evaluation platform for its  System Security Integrated Through Hardware (SSITH) program.
• More than 30 members of the RISC-V Foundation either have security-based RISC-V offerings or are contributing to the security working groups.
• The Foundation has two technical working groups (Crypto and Trusted Execution Environment) that are creating RISC-V ISA extensions.
• The RISC-V Foundation has created a Security Standing Committee which identifies and coordinates multi-faceted security activities including promoting RISC-V as the ideal security vehicle and developing a consensus around best security practices for the IoT and embedded devices.

 

Figure 2. More than 30 members of the RISC-V Foundation have security offerings or participate in the security activities driven by the Foundation. Image courtesy of the RISC-V Foundation.

 

The RISC-V Foundation Security Standing Committee

Among the Foundation Security Standing Committee’s notable offerings is the speaker program. Once a month, speakers from inside and outside the Foundation are invited to speak on a broad range of security-related topics. One speaker, Gernot Heiser from Data61, provided a framework that has the potential to inform how a RISC-V based computer security paradigm might emerge. Gernot and his colleagues at Data61 were around in the early days of research into micro-architectural side channels and in 2016 they wrote a paper (A Survey of Microarchitectural Timing Attacks and Countermeasures on Contemporary Hardware) describing a taxonomy of attacks based on them.  

They have proposed an abstraction called the “augmented” Instruction Set Architecture (aISA) that extends the contract between hardware and software beyond the traditional ISA that intentionally abstracts away all notions of time and micro-architecture. In contrast, the aISA includes mechanisms allowing an application binary interface (ABI) to exert more control over the micro-architectural state of the processor system. For example, this might include the flushing of caches or the operation of branch-prediction logic to provide security assurances with respect to threats like cache timing channels.

Once we define and implement the aISA, we have the opportunity to create what I term the RISC-V Security Stack, which is rooted in formally verified implementations of formally specified elements of the stack. This stack starts with the hardware and the base ISA and extends to a layer that implements the aISA. On top of this is a secure microkernel that can now have access to the micro-architectural state through the aISA and implement countermeasures to micro-architectural side-channel attacks.  

 

Figure 3. A formally specified and verified RISC-V security stack.

 

RISC-V has already delivered on many of the promises the community first saw, including rebuilding the foundations of computer security. Its role in securing computer architecture and processors will only grow. 

Industry Articles are a form of content that allows industry partners to share useful news, messages, and technology with All About Circuits readers in a way editorial content is not well suited to. All Industry Articles are subject to strict editorial guidelines with the intention of offering readers useful news, technical expertise, or stories. The viewpoints and opinions expressed in Industry Articles are those of the partner and not necessarily those of All About Circuits or its writers.