ES2504-01bf6a89 - Clock glitch attack on RISC-V softprocessor

[stevechristeycoley]

Submission File: ES2504-01bf6a89-new-clock-glitch-attack-risc-v-softprocessor.txt

ID: ES2504-01bf6a89

SUBMISSION DATE: 2025-04-21 15:28:34

NAME: Clock glitch attack on RISC-V softprocessor core (cv32e40x) results in the execution of exception handler. In the absence of the exception handler the glitched instruction is skipped and/or program counter redirection occurs.

DESCRIPTION:

Our study conducted on a RISC-V soft-core processor (cv32e40x) revealed two
novel vulnerabilities.

(1) We found a novel method to induce instruction skips by glitching the
clock, which prevents critical values from being loaded from memory, thus
disrupting program execution.

(2) Using a precise clock glitch, converts a fetched legal instruction into
an illegal one mid-execution, diverting control flow in a manner
exploitable by attackers. We have identified four timing windows (cases) in
which the processor fails to detect these illegal control-flow diversions,
allowing silent, undetected corruption of the program state.

• Case 1: The instruction is skipped, triggering the 'illegal'
  flag and the exception handler.
• Case 2: The destination register is zeroed while triggering the
  'illegal' flag and the exception handler.
• Case 3: The destination register is zeroed without triggering the
  'illegal' flag or the exception handler.
• Case 4: The destination register is partially corrupted without
  triggering the 'illegal' flag or the exception handler

[stevechristeycoley]

ES2504-01bf6a89 has been assigned to a member of the CWE Content Team as part of Initial Review (Phase 3, Stage 1). The review process will analyze the submission for potential Submission problems and Scope exclusions.

We will provide feedback as soon as possible.

Depending on the results, the submission may then be moved to Phase 4, Stage 1 (Initial Consultation) or Phase 6, Stage 1 (Initial Acceptance).

More details are at:

https://cwe.mitre.org/community/submissions/guidelines.html

[stevechristeycoley]

This submission has been accepted (Phase 6) and will move to a new stage. This means that the CWE Team has agreed to make the suggested change(s) to the relevant CWE entry/entries and include this change in an upcoming version.

• If we need to obtain additional details or work closely on finalizing changes before modifying the CWE entry/entries, we will move to Stage 2, Phase 7: Det-Sub-Requested.

• If no further changes are needed, then we will move to Stage 3, Phase 12: Internal-Update, where we will begin to modify CWE content directly.

You should receive notification about the next phase change shortly.

Any issues listed below are still active but will be addressed in a
later phase. Generally, no response is necessary at this time.

Thank you for supporting CWE!

The CWE Team

=================================================================

SUB.MISSDET - "Missing details"

URL: SUB.MISSDET

Description: The submission is missing some requested or required details
for elements other than name and description.

Resolution: The submission cannot progress to later phases if it does not
have all required elements.

Comments: For your awareness, we have identified the following
questions or issues. We will address these with you once we move the
submission to Stage 2, Detailed Submission, which we will begin after
accepting this initial submission.

C1) We agree with the suggested "new example scenario" for CWE-1247
("Clock glitch on pipelined CPU causing instruction skips and silent
state corruption"), which we would treat as a new Demonstrative
Example. This proposal does not closely follow our style for
demonstrative examples, so we will work with you in a later stage to
modify the example, such as: (1) making it more consequence related;
(2) Developing both bad and good pipelining code snippets or designs;
(3) The good coding snippet should include the "adequate
microarchitectural robustness and fault handling" that the submitter
mentions. We will also explore if there are such things that industry
commonly uses. (4) A visual of the instruction pipeline, even if
ASCII, would really increase the readability. Finally, (5) we believe
that this example could be used for CWE-1332 if we just focus on the
part related to the instruction skip.

C2) We believe that the "Common Consequences" suggestions for CWE-1247
will be a good improvement for common consequences. Also, we can
update CWE-1332's common consequences with instruction skip specifics.

C3) For "Potential Mitigations" for CWE-1247: These seem like good
additions. In a later stage, we may want to clarify the following:
What is the cost or complexity of these mitigations? Are these
mitigations appropriate for all processors or just safety-critical
applications? Would you use these mitigations where cost is being
optimized?

C4) We believe that the "Example wording for CWE-1332 or a
relationship note" can be used in the Common Consequences element for
CWE-1332.

C5) Regarding the "High-level abstraction of our experimental
results": it appears that this seems duplicative of the previous
information.

C6) Currently, CWE-1247 and CWE-1332 have a "PeerOf" relationship, but
do not share the same parent. Outside the scope of this submission,
the CWE Team will separately determine if other relationships will be
more appropriate.

Response: [NO RESPONSE NECESSARY; ISSUES TO BE RESOLVED IN STAGE 2]