
Status of attacks on chipyard-based boom

Open austinharris opened this issue 5 years ago • 4 comments

I was able to successfully run the conditional branch mispredict and the indirect branch mispredict attacks with this chipyard version and the MediumBoomConfig: ef404ef0ba6c471430120f13818cc5027225d877

However the return stack buffer attack did not recover the correct secret.

austinharris, Dec 04 '19 19:12

The RAS in BOOM was disabled due to bugs. We will push a version with a working RAS soon.

jerryz123, Dec 04 '19 19:12

Thanks for re-testing it with all the changes that have happened to the core/SoC ecosystem recently!

abejgonzalez, Dec 04 '19 19:12

Thanks for re-testing it with all the changes that have happened to the core/SoC ecosystem recently!

Now RAS has been fixed in the latest boom, but I still can’t implement spectreRAS with the SmallConfigBoom and the chipyard. Can the current Boom protect against this spectre attack?

hz1490919302, Jul 29 '20 10:07

The spectreRAS implementation in this repository is unfinished, as the README notes. Perhaps someone should finish this. It should be pretty straightforward to modify the x86 code example in the original Spectre Returns paper.

In general, BOOM does not have protection against RAS-based attacks.

jerryz123, Jul 29 '20 18:07