Communications of the ACM
Bulletproofing RISC-V Cores
The defining moment of RISC-V's popularity will come when implementers prove open instruction-set architectures can improve cybersecurity according to Pacific Northwest National Laboratory's Jerry Cochran.
Credit: RISC-V Foundation
The intellectual property (IP) of the latest reduced instruction set computer (RISC-V) is royalty-free, tempting original equipment manufacturers (OEMs) worldwide to switch from more expensive processors despite RISC-V's lack of built-in security features. With a basic core of only about 50 instructions, without extensions RISC-V is only suitable for the simplest Internet of Things (IoT) devices. In its favor, RISC-V is specifically designed to add just the extensions needed for an application, thus cutting processor size and cost to a minimum.
The RISC-V open standard instruction-set architecture (open ISA) is modeled on open source software: free to anyone wishing to invest the time and money to download, adapt, and verify the functionality of their implementation. Just as open source software allows free downloads of its program files, likewise RISC-V allows free downloads of the program files describing its hardware functions (in IEEE 1364 standard Verilog format).
However, the defining moment of RISC-V's popularity will come when implementers prove that open ISAs can improve the deteriorating cybersecurity scene, according to Jerry Cochran, chief information security officer at Pacific Northwest National Laboratory (PNNL).
Cochran's cybersecurity research group is repeatedly asked about the caliber of RISC-V's cybersecurity. "We tell them that it depends on the quality of the processor architect's work. For instance, Qualcomm successfully extended the ARM architecture with multiple cores, a GPU, DSP, and modem to make its popular Snapdragon. Its future processors will probably successfully add similar extensions including security hardware to RISC-V cores," said Cochran.
Growing interest in RISC-V's open ISA prompted Phoenix, AZ-based Semico Research Corp. to forecast the RISC-V's market share will rise from near-zero today to about 6% of the total available market (TAM) by 2025. That's over 60 billion RISC-V processors in a trillion-unit market.
Of course, that still leaves over 94% of the market in the hands of companies that charge for the many man-years they have invested in the mature security and other capabilities on their processors. Today RISC-V processor engineers are playing catch-up with more than 70 RISC-V processor designs in various stages of development (not counting those already on the market, such as Rambus' CryptoManager Root of Trust). With the exception of Rambus, most of the other RISC-V cores come from startups specializing in the emerging RISC-V core and ecosystem markets. However, among the RISC-V Foundation members are many of the big players too, including Hewlett Packard, IBM, Infineon, Nvidia, NXP, Qualcomm, Samsung, Siemens and Sony. Notable exceptions are ARM and Intel (which each have their own proprietary RISC cores).
The more than 530 members of the RISC Foundation appear to validate its market strategy of offering royalty-free IP for open ISA. As the hardware version of open-source software, RISC-V's open ISA offers total transparency into the inner workings of the IP, and they make it easy for chip makers to add their own instruction set extensions.
Regarding cybersecurity, the RISC-V Foundation hopes \ many of its members will offer security hardware extensions as royalty-free IP downloadable from the Foundation's library. Unfortunately, the quality of the implementations of donated security instruction extensions remains to be seen.
According to Kevin Barker, director of PNNL's Center for Advance Technology Evaluation (CENATE), where new technologies are vetted, the quality of security hardware boils down to the quality of the engineers implementing it, pitting experienced ARM and Intel engineers against the various skillsets of RISC-V Foundation members.
"Security comes down to the implementation of an ISA extension 99% of the time," said Barker. "Some individual members will probably offer open access to their RISC-V extensions, hoping to crowdsource security vulnerability detection. But crowdsourcing has yet to prove to be an advantage over careful designing by experienced engineers. Formal methods, in particular, give engineers a higher confidence level compared to crowdsourcing."
Asmae Mhassni, a principle engineer at Intel, agrees. "There is no magic bullet to prevent non-cybersecurity experts from introducing vulnerabilities when extending an ISA. In-depth knowledge, understanding systems at a high architecture level, and assumptions about the end environment are all essential parts of secure development," said Mhassni.
Intel secures each individual IP block to ensure it does not contain vulnerabilities on its own, then the blocks are integrated together to be certain vulnerabilities are not introduced by their interaction. Finally testing tools and formal methods are used to identify unintended functionalities beyond the ISA specification.
"Detecting security vulnerabilities as early as possible is key to a successful processor design," said Mhassni.
David Patterson at the University of California, Berkeley, an ACM A.M. Turing Award recipient who coined the term RISC, has no magic bullet to offer; he did not even intend for RISC-V to be commercialized. Patterson's academic team, notably including fellow professor Krste Asanovic, merely needed an open ISA for research. "We needed an open ISA for our own research, and neither ARM nor Intel would reveal the details of their proprietary designs, so we created RISC-V. To our surprise, companies were immediately interested in our royalty-free IP for use in their commercial devices, especially Internet of Things [IoT] developers," said Patterson.
ARM has since relented, promising to open the ISA of its popular Cortex M processor, banking on the likelihood that newly designed RISC-V cores will likely not be able to compete with the decades of hardware security experience built into every ARM processor. For instance, the Google Developers Forum already lists over 100 entries regarding potential RISC-V security flaws. Proving RISC-V can be just as secure as the market's mature processors is a tall order, according to Patterson.
"One interesting possibility is to implement experimental security extensions on FPGAs (flat-panel gate arrays), then make them available to hackers who can stage attacks and hopefully identify their vulnerabilities before they are ratified for inclusion in the RISC-V Foundation's open ISA library," said Patterson.
Some RISC-V Foundation members, including Dover Microsystems and Veridify Security, already are offering security IP extensions for a few common vulnerabilities, but not for free. Most novel among these is Dover's CoreGuard, a class-based, hybrid hardware/software security product that attaches directly to a RISC-V core, running in parallel with its execution.
"CoreGuard provides instruction-by-instruction checking that cannot be skipped or turned off, and the software component of CoreGuard allows precise specification of allowed and disallowed behaviors so it can adapt to a changing threat landscape," according to Greg Sullivan, chief scientist at Dover Microsystems.
Officially, RISC-V cybersecurity is in the hands of the RISC-V Foundation's Security Standing Committee, chaired by Rambus Fellow Helena Handschuh. The committee already contributed has a draft specification for the necessary root-of-trust, secure boot, and other open ISA extensions needed to match the security of proprietary processors. That specification, however, has yet to be ratified.
Nevertheless, Handschuh is well aware of the cryptographic extensions needed for RISC-V to successfully compete in the marketplace, and claims the Committee is up to the task, which she says will be easier than was securing open-source software.
"Managing open source software is complicated because of the difficulty of backtracking a security bug to its origin.
Likewise, backtracking hardware security bugs is nearly impossible for proprietary ISAs which hide the details of their instruction's execution. However, the open architecture of RISC-V enables much easier backtracking of security flaws to their source by offering transparency in the execution details of its hardware source code."
R. Colin Johnson is a Kyoto Prize Fellow who has worked as a technology journalist for two decades.
Comments
Krste Asanovic
I am disappointed that CACM would publish this article, which is
riddled with false information and a frankly non-technical partisan
analysis on the important issue of computer security. I explain the
inaccuracies and misrepresentations below.
The non-profit RISC-V Foundation (now reincorporated as RISC-V
International) does not have a "market strategy of offering
royalty-free IP for open ISA" and does not allow "free downloads of
the program files describing its hardware functions (in IEEE 1364
standard Verilog format)." RISC-V International does not offer RISC-V
IP at all and its policy is to remain neutral, not endorsing any
particular open-source or proprietary RISC-V implementations.
RISC-V is not an open-source processor; it is an open specification.
The open specification enables there to be open-source cores, and
there are many available. But the article almost completely ignores
the vibrant proprietary RISC-V IP market, where there are already more
commercial RISC-V core IP vendors than for any other ISA in history.
These vendors operate with a licensing and royalty business model
similar to non-RISC-V core IP providers (in fact, several had
businesses selling implementations based on their own proprietary ISA
before switching to selling proprietary implementations based on the
open RISC-V ISA).
"Regarding cybersecurity, the RISC-V Foundation hopes many of its
members will offer security hardware extensions as royalty-free IP
downloadable from the Foundation's library. Unfortunately, the quality
of the implementations of donated security instruction extensions
remains to be seen." This paragraph is incorrect and misleading - the
Foundation does not have a royalty-free IP "library" and so cannot
accept donations of IP. As with the many other open standards in our
industry, Foundation members do collaborate on developing open
specifications for ISA extensions, including features related to
security, and benefit from the open discussion of the specifications
among leading academic and industrial experts.
Regarding "...pitting experienced ARM and Intel engineers against the
various skillsets of RISC-V Foundation members." First, (as the article itself notes) the
Foundation membership includes most of the largest companies in the
industry, responsible for building some of the most capable and secure
microprocessors ever developed. Second, there are many published
security flaws in legacy instruction set implementations, so this
experience was clearly insufficient to tackle difficult security
challenges.
This is only one of the many places the article appears intent to cast
aspersions on the quality of RISC-V security implementations by
implying that RISC-V is only a low-quality open-source project instead
of an open specification supported by multiple professional
engineering teams.
The link provided to the list of "over 100 entries regarding potential
RISC-V security flaws" is simply a link to search a public mailing
list for any article containing the word "security". This is sloppy
and unacceptable journalism, especially for an article appearing in
our leading professional organization's website, and is highly
misleading and damaging. This mailing list search merely provides
evidence of the degree of interest in security issues among the RISC-V
community.
As another inaccuracy, I am sure ARM executives would be shocked to
learn that they have "promised to open the ISA" of its Cortex-M
products (citation please!). ARM has announced support for some degree of customer
instruction extension, but this is far short of opening the ISA.
One important aspect of why an open specification helps security was
not mentioned at all in the article. Implementers are free to build
their own trusted RISC-V core without requiring an architectural
license, yet can still leverage the large RISC-V software ecosystem.
This is why Nvidia chose to use RISC-V, instead of other proprietary
ISAs, to build the security cores shipping on their current production
GPUs (a case study that is a glaring omission from the article).
Computer security is one of the most difficult and important issues in computer
architecture today. Existing "mature" proprietary solutions are
suffering from a growing flood of new vulnerability discoveries that
have left the vendors scrambling to supply patches. The community
needs to move forward developing new techniques, and the open RISC-V
ISA provides an ideal environment in which this research can be done.
This is why RISC-V has been widely adopted by the security research
community as well as in commercial security applications.
Krste Asanovic
Chairman of the Board, RISC-V International
ACM Fellow
R Colin Johnson
Thank you, Dr. Asanovic, for your thoughtful comments on my story.
My personal opinion is that RISC-V will become an important competitor to the deeply entrenched ARM and Intel ISAs. Much good work has already been done to advance RISC-V including SiFive's development tools, and the many open-source tools and Verilog hardware files already available on GitHub with more to come.
Your internal RISC-V Foundation's Security Standing Committee Chair also told me that they have drafted their recommended solutions to RISC-V security issues. Hopefully, their contribution will make it "Bulletproof" as the title of my story portends.
ARM and Intel will, of course, not roll over and die anytime soon. In fact, ARM announced at its Developer's Conference a new policy of allowing its licensees to add custom instructions. The news article "Why ARM opened up its instruction set..." claims that ARM's new policy of allowing custom instructions, is a direct challenge to RISC-V. "Customers have been pushing ARM to let them customize the ISA for a few years, and under pressure from the changing environment and the threat of RISC-V, it is." (See ARM's website for how-to add custom instructions).
As to your generalizations about my bias against RISC-V, I can only note that my opinions are not mentioned in the story, but all the issues to which you object are attributed to your peers. Even beyond that, all those peers quoted in the story are in favor of RISC-V and look forward to the day when it is indeed made bulletproof with security extensions to its excellent core ISA. As mentioned in my story, bulletproof security for RISC-V is inevitable, because of the excellent research teams working on the problem at Hewlett Packard, IBM, Infineon, Nvidia, NXP, Qualcomm, Samsung, Siemens and Sony.
Thank you again for your comments, and I do apologize for giving you the impression that I am anti-RISC-V. On the contrary, I believe that making it bulletproof will assure its long-term success.
Andrew Chien
I wanted to clarify that this piece appears under the web banner of CACM, but is a staff-commissioned piece. Our web presentation is a little ambiguous, and have already decided to make changes to make this more clear.
In short, its not subject to the rigorous Editorial Board process that we employ on CACM print and digital library articles.
So journalistic standards apply, not scientific.
cheers, -Andrew, Editor-in-Chief, CACM.
Displaying all 3 comments