Description
Submission File: ES2504-01bf6a89-new-clock-glitch-attack-risc-v-softprocessor.txt
ID: ES2504-01bf6a89
SUBMISSION DATE: 2025-04-21 15:28:34
NAME: Clock glitch attack on RISC-V softprocessor core (cv32e40x) results in the execution of exception handler. In the absence of the exception handler the glitched instruction is skipped and/or program counter redirection occurs.
DESCRIPTION:
Our study conducted on a RISC-V soft-core processor (cv32e40x) revealed two
novel vulnerabilities.
(1) We found a novel method to induce instruction skips by glitching the
clock, which prevents critical values from being loaded from memory, thus
disrupting program execution.
(2) A precise clock glitch converts a fetched legal instruction into
an illegal one mid-execution, diverting control flow in a manner
exploitable by attackers. We have identified four timing windows (cases) in
which the processor fails to detect these illegal control-flow diversions,
allowing silent, undetected corruption of the program state.
- Case 1: The instruction is skipped, triggering the 'illegal' flag and the exception handler.
- Case 2: The destination register is zeroed while triggering the 'illegal' flag and the exception handler.
- Case 3: The destination register is zeroed without triggering the 'illegal' flag or the exception handler.
- Case 4: The destination register is partially corrupted without triggering the 'illegal' flag or the exception handler.
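The four outcomes above are a fault model a firmware author can test software countermeasures against. The following is an added example, not part of the submission and not cv32e40x code: it models a single critical `lw` under each case and evaluates a common countermeasure, storing the word twice (plain and bitwise-complemented), loading both, and checking `v ^ vc == 0xFFFFFFFF`, with the trap handler treating any unexpected 'illegal' trap as fault evidence. The memory layout, register poison value, sample constants and the byte-lane model of Case 4 are all constructed for this example.

```python
"""Fault-model simulation of the four clock-glitch outcomes the submission describes
for a critical load, and a software countermeasure (redundant complemented load plus
a trap handler that treats 'illegal' traps as fault evidence) evaluated against each.
Everything here is constructed for the example: the memory layout, register contents,
sample values, and the byte-lane model used for Case 4."""

from enum import Enum
import random

MASK32 = 0xFFFFFFFF
POISON = 0xDEADBEEF  # constructed: value rd holds before the load executes


class Fault(Enum):
    NONE = 0
    CASE1_SKIP = 1            # load skipped; 'illegal' flag + exception handler
    CASE2_ZERO_TRAP = 2       # rd zeroed;   'illegal' flag + exception handler
    CASE3_ZERO_SILENT = 3     # rd zeroed;   no flag, no handler
    CASE4_PARTIAL_SILENT = 4  # rd partially corrupted; no flag, no handler


def faulted_load(mem, addr, rd_old, fault, rng):
    """Model one 'lw rd, addr' under `fault`. Returns (new rd value, trapped?)."""
    value = mem[addr]
    if fault is Fault.NONE:
        return value, False
    if fault is Fault.CASE1_SKIP:
        return rd_old, True          # rd untouched, handler runs
    if fault is Fault.CASE2_ZERO_TRAP:
        return 0, True               # rd zeroed, handler runs
    if fault is Fault.CASE3_ZERO_SILENT:
        return 0, False              # rd zeroed, nothing raised
    # Case 4, constructed model: one byte lane of rd is XORed with a non-zero pattern
    lane = rng.randrange(4)
    return value ^ (rng.randrange(1, 256) << (8 * lane)), False


def protected_load(mem, addr, addr_c, fault, target, rng):
    """Countermeasure: the critical word is stored plain at `addr` and complemented at
    `addr_c`; both are loaded and must satisfy v ^ vc == MASK32. A single glitch hits
    only one of the two loads (`target` selects which).
    Returns 'ok', 'trap' (handler ran; treated as fault evidence) or 'detected'."""
    f_plain = fault if target == "plain" else Fault.NONE
    f_comp = fault if target == "comp" else Fault.NONE
    v, trapped_a = faulted_load(mem, addr, POISON, f_plain, rng)
    vc, trapped_b = faulted_load(mem, addr_c, POISON, f_comp, rng)
    if trapped_a or trapped_b:
        return "trap"
    if (v ^ vc) & MASK32 != MASK32:
        return "detected"
    return "ok"


def make_memory(value):
    """Constructed memory image: plain word at 0x100, its complement at 0x104."""
    return {0x100: value & MASK32, 0x104: (~value) & MASK32}


def outcomes(value, seeds=range(32)):
    """Map each fault case to the set of outcomes seen over both glitch targets and
    several RNG seeds (seeds only influence the Case 4 lane/pattern choice)."""
    mem = make_memory(value)
    result = {}
    for fault in Fault:
        seen = set()
        for target in ("plain", "comp"):
            for seed in seeds:
                rng = random.Random(seed)
                seen.add(protected_load(mem, 0x100, 0x104, fault, target, rng))
        result[fault] = seen
    return result


if __name__ == "__main__":
    for fault, seen in outcomes(0x5A5A1234).items():
        print(f"{fault.name:22s} -> {sorted(seen)}")
    # Blind spot: a critical value of 0 is indistinguishable from a zeroed register
    # when the plain copy is hit, so Case 3 can still pass as 'ok'.
    print("value 0, CASE3:", sorted(outcomes(0)[Fault.CASE3_ZERO_SILENT]))
```

With a balanced constant such as `0x5A5A1234`, Cases 1 and 2 surface as traps and Cases 3 and 4 fail the complement check, so none of the four reaches the `ok` path. The run with value `0` shows the check's limitation: zeroing a word that is already zero is invisible, which is why fault-hardened code avoids all-zero and all-ones encodings for security-critical flags and constants.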