Return-Oriented Programming in RISC-V
This work addresses security vulnerabilities in RISC-V systems, showing that ROP attacks are practical and pose a significant threat, which is incremental as it builds on existing ROP concepts but applies them to a new ISA.
The paper tackled the feasibility of Return-Oriented Programming (ROP) attacks on RISC-V by demonstrating that RISC-V ROP can achieve Turing-complete calculations and arbitrary function calls using gadgets from the GNU libc library, and they created a compiler to convert complex code into RISC-V ROP chains.
RISC-V is an open-source hardware ISA based on the RISC design principles, and has been the subject of some novel ROP mitigation technique proposals due to its open-source nature. However, very little work has actually evaluated whether such an attack is feasible assuming a typical RISC-V implementation. We show that RISC-V ROP can be used to perform Turing complete calculation and arbitrary function calls by leveraging gadgets found in a version of the GNU libc library. Using techniques such as self-modifying ROP chains and algorithmic ROP chain generation, we demonstrate the power of RISC-V ROP by creating a compiler that converts code of arbitrary complexity written in a popular Turing-complete language into RISC-V ROP chains.