Alessandro Savino
Sessions
Side-channel attacks leveraging microarchitectural features are well-studied on x86 and ARM, but less so on RISC-V. This work implements and evaluates Flush+Reload cache-side-channel attacks on user-space software in a RISC-V system simulated in gem5 full-system mode. We develop both eviction-based and cache-block-invalidate (cbo.inval) probes, establishing an attack methodology for an unprivileged process using the RISC-V cycle counter. Our experiments reveal timing differences between cached and evicted accesses, confirming the existence of exploitable timing channels. While key recovery remains partial, these results demonstrate the feasibility of cache side-channel attacks on RISC-V and validate gem5 as an effective platform for microarchitectural security research.
Fault Injection Attacks (FIAs) induce transient hardware faults to subvert software security mechanisms, yet assessing fault resilience, especially during early design phases, remains impractical without specialized laboratory equipment. Microarchitectural simulation provides a reproducible and scalable alternative. This paper presents InjectV, a gem5-based fault injection framework targeting RISC-V systems, which employs trace-guided fault injection by identifying Candidate Injection Points (CIPs) at security-critical operations including control-flow branches and conditional comparisons. Supporting transient corruption of architectural registers and physical memory under full-system simulation, InjectV demonstrates that guided fault injection requires 95.8% fewer injections than random exploration to expose successful attacks on the FISSC VerifyPIN benchmarks.