Bulletproofing RISC-V Cores

The defining moment of RISC-V's popularity will come when implementers prove open instruction-set architectures can improve cybersecurity, according to Pacific Northwest National Laboratory's Jerry Cochran.

The intellectual property (IP) of the latest reduced instruction set computer (RISC-V) is royalty-free, tempting original equipment manufacturers (OEMs) worldwide to switch from more expensive processors despite RISC-V's lack of built-in security features. With a basic core of only about 50 instructions, RISC-V without extensions is suitable only for the simplest Internet of Things (IoT) devices. In its favor, RISC-V is specifically designed so that implementers add just the extensions needed for an application, thus cutting processor size and cost to a minimum.

The RISC-V open standard instruction-set architecture (open ISA) is modeled on open source software: free to anyone wishing to invest the time and money to download, adapt, and verify the functionality of their implementation. Just as open source software allows free downloads of its program files, likewise RISC-V allows free downloads of the program files describing its hardware functions (in IEEE 1364 standard Verilog format).

However, the defining moment of RISC-V's popularity will come when implementers prove that open ISAs can improve the deteriorating cybersecurity scene, according to Jerry Cochran, chief information security officer at Pacific Northwest National Laboratory (PNNL).

Cochran's cybersecurity research group is repeatedly asked about the caliber of RISC-V's cybersecurity. "We tell them that it depends on the quality of the processor architect's work. For instance, Qualcomm successfully extended the ARM architecture with multiple cores, a GPU, DSP, and modem to make its popular Snapdragon. Its future processors will probably successfully add similar extensions including security hardware to RISC-V cores," said Cochran.

Growing interest in RISC-V's open ISA prompted Phoenix, AZ-based Semico Research Corp. to forecast that RISC-V's market share will rise from near-zero today to about 6% of the total available market (TAM) by 2025. That's over 60 billion RISC-V processors in a trillion-unit market.

Of course, that still leaves over 94% of the market in the hands of companies that charge for the many man-years they have invested in the mature security and other capabilities on their processors. Today RISC-V processor engineers are playing catch-up with more than 70 RISC-V processor designs in various stages of development (not counting those already on the market, such as Rambus' CryptoManager Root of Trust). With the exception of Rambus, most of the other RISC-V cores come from startups specializing in the emerging RISC-V core and ecosystem markets. However, among the RISC-V Foundation members are many of the big players too, including Hewlett Packard, IBM, Infineon, Nvidia, NXP, Qualcomm, Samsung, Siemens and Sony. Notable exceptions are ARM and Intel (which each have their own proprietary RISC cores).

The more than 530 members of the RISC-V Foundation appear to validate its market strategy of offering royalty-free IP for an open ISA. As the hardware version of open-source software, RISC-V's open ISA offers total transparency into the inner workings of the IP and makes it easy for chip makers to add their own instruction set extensions.

Regarding cybersecurity, the RISC-V Foundation hopes many of its members will offer security hardware extensions as royalty-free IP downloadable from the Foundation's library. Unfortunately, the quality of the implementations of donated security instruction extensions remains to be seen.

According to Kevin Barker, director of PNNL's Center for Advanced Technology Evaluation (CENATE), where new technologies are vetted, the quality of security hardware boils down to the quality of the engineers implementing it, pitting experienced ARM and Intel engineers against the various skillsets of RISC-V Foundation members.

"Security comes down to the implementation of an ISA extension 99% of the time," said Barker. "Some individual members will probably offer open access to their RISC-V extensions, hoping to crowdsource security vulnerability detection. But crowdsourcing has yet to prove to be an advantage over careful designing by experienced engineers. Formal methods, in particular, give engineers a higher confidence level compared to crowdsourcing."

Asmae Mhassni, a principal engineer at Intel, agrees. "There is no magic bullet to prevent non-cybersecurity experts from introducing vulnerabilities when extending an ISA. In-depth knowledge, understanding systems at a high architecture level, and assumptions about the end environment are all essential parts of secure development," said Mhassni.

Intel secures each individual IP block to ensure it does not contain vulnerabilities on its own, then the blocks are integrated together to be certain vulnerabilities are not introduced by their interaction. Finally, testing tools and formal methods are used to identify unintended functionalities beyond the ISA specification.

"Detecting security vulnerabilities as early as possible is key to a successful processor design," said Mhassni.

David Patterson at the University of California, Berkeley, an ACM A.M. Turing Award recipient who coined the term RISC, has no magic bullet to offer; he did not even intend for RISC-V to be commercialized. Patterson's academic team, notably including fellow professor Krste Asanovic, merely needed an open ISA for research. "We needed an open ISA for our own research, and neither ARM nor Intel would reveal the details of their proprietary designs, so we created RISC-V. To our surprise, companies were immediately interested in our royalty-free IP for use in their commercial devices, especially Internet of Things [IoT] developers," said Patterson.

ARM has since relented, promising to open the ISA of its popular Cortex M processor, banking on the likelihood that newly designed RISC-V cores will not be able to compete with the decades of hardware security experience built into every ARM processor. For instance, the Google Developers Forum already lists over 100 entries regarding potential RISC-V security flaws. Proving RISC-V can be just as secure as the market's mature processors is a tall order, according to Patterson.

"One interesting possibility is to implement experimental security extensions on FPGAs (flat-panel gate arrays), then make them available to hackers who can stage attacks and hopefully identify their vulnerabilities before they are ratified for inclusion in the RISC-V Foundation's open ISA library," said Patterson.

Some RISC-V Foundation members, including Dover Microsystems and Veridify Security, already are offering security IP extensions for a few common vulnerabilities, but not for free. Most novel among these is Dover's CoreGuard, a class-based, hybrid hardware/software security product that attaches directly to a RISC-V core, running in parallel with its execution.

"CoreGuard provides instruction-by-instruction checking that cannot be skipped or turned off, and the software component of CoreGuard allows precise specification of allowed and disallowed behaviors so it can adapt to a changing threat landscape," according to Greg Sullivan, chief scientist at Dover Microsystems.

Officially, RISC-V cybersecurity is in the hands of the RISC-V Foundation's Security Standing Committee, chaired by Rambus Fellow Helena Handschuh. The committee has already contributed a draft specification for the necessary root-of-trust, secure boot, and other open ISA extensions needed to match the security of proprietary processors. That specification, however, has yet to be ratified.

Nevertheless, Handschuh is well aware of the cryptographic extensions needed for RISC-V to successfully compete in the marketplace, and claims the Committee is up to the task, which she says will be easier than was securing open-source software.

"Managing open source software is complicated because of the difficulty of backtracking a security bug to its origin. Likewise, backtracking hardware security bugs is nearly impossible for proprietary ISAs which hide the details of their instructions' execution. However, the open architecture of RISC-V enables much easier backtracking of security flaws to their source by offering transparency in the execution details of its hardware source code."

R. Colin Johnson is a Kyoto Prize Fellow who has worked as a technology journalist for two decades.
