RISC-V Foundation Forms Security Committee
July 24, 2018
Building a more secure world is a goal for any ISA. RISC-V is actively doing something about it.
The RISC-V Foundation announced the formation of its Security Standing Committee this month, setting in motion the beginning of a movement where academia, industry, and public agencies collaborate to employ the free and open RISC-V instruction set architecture (ISA) to solve long-standing computer hardware problems. My hope and expectation is that the committee becomes the center of gravity for computer security.
I immediately saw the potential for RISC-V to address the industry’s processor security needs when the ISA first came to my attention almost four years ago. Unlike closed processor architectures, RISC-V enables anyone to inspect and analyze the architecture to assess the ISA’s security. The simplicity of the RISC-V ISA also makes for a smaller attack surface which helps minimize vulnerabilities.
Since RISC-V was first developed, we’ve seen a number of projects using the ISA to build stronger security solutions. At the first RISC-V Workshop held in 2015, the LowRISC project presented a tagged memory micro-architecture employed to prevent the potential hijacking of the processor control flow. At the second RISC-V Workshop six months later, I talked to participants from BAE Systems who were involved in the DARPA CRASH program and were now looking to implement the concepts they had developed for clean slate secure computing using RISC-V.
All the Foundation needed to do was form a security technical working group, which happened at the first Board of Directors meeting in May 2016, and the rest would take care of itself. Or so I thought. Over the next few meetings, the security working group hadn’t made much progress, while the base ISA, vector extensions, and memory consistency model groups were making steady progress.
One insight I learned is that a lot of the value in RISC-V is that the ISA is based on ideas that are 30 years old and have withstood the test of time. Even the vector extensions are rooted in the Cray architecture of the 1970s and have been driven by experts who had done their PhDs on vectors in the mid-90s. My thinking at the time was that similar good ideas for security had all been formulated a decade ago and were sitting on a shelf somewhere waiting for the right time to be implemented. However, as I reached out to the RISC-V community, I realized that no such formulation existed and that a collaborative effort would be needed to create that formulation.
The other realization was that, unlike the memory consistency model, security is not a well-defined problem that can be tackled by one group. Security is an expansive topic and has many facets that are imperative to address. At the 7th RISC-V Workshop last November, we were excited by the huge interest expressed by members in participating in the security group. However, everyone seemingly had their own aspect of security they wanted to highlight or discuss. Participation had gone up more than tenfold but we were clearly not organized to channel it yet.
At the Board meeting that November, I made the case that the Foundation should form a standing committee for security, reporting to the board. The independent standing committee could discuss security in the broader context and recommend any necessary technical working groups to tackle specific topics on a finite timescale. There was support for the idea in principle, but we were still six months away from acting on the proposal.
The proposal got an unexpected assist in January. During a vibrant late-night RISC-V WeChat discussion group, someone posted a link to an article about two newly discovered security flaws. Having been heavily involved with security since 2008, news of the Spectre and Meltdown attacks wasn’t a shock to me, but it opened up a lot of eyes within the broader RISC-V community and nudged us closer to creating the committee.
The remaining task was to find the right leadership. Paul Kocher, one of the authors of the Spectre attack, recommended Dr. Helena Handschuh, a fellow at Rambus and a well-recognized expert in the security community for her contributions to cryptography, cryptanalysis, and hardware security, to lead the effort as the committee chair. The recruitment process memorably included a meeting with Paul, Helena, my colleague Richard Newell, fellow board member David Patterson, and me huddled around a table outside a Starbucks in cold San Francisco. Dr. Joseph Kiniry, principal scientist at Galois, graciously accepted our request to take on the vice-chair role.
The Committee quickly created a charter and spawned the original trusted execution environment and crypto extension work into two independent technical working groups. An immediate goal is to create a taxonomy of processor security domains, assess the state-of-the-art in each domain, and identify and prioritize any action. The domain of timing attacks (which includes both Spectre and Meltdown) is already being addressed. We also plan to publish guidelines for good security practices when developing new processor microarchitectures and sub-systems. The Committee is quickly growing and includes Berkeley Architecture Group, Bluespec, CSIRO’s Data61, Dover, Draper, Esperanto Technologies, Indian Institute of Technology (IIT) Madras, Intrinsic ID, Galois, Hex Five Security, Microsemi, Micron Technology, NXP, Rambus, SecureRF, SiFive, and Western Digital.
We expect to see a large number of RISC-V implementations fueled by the ISA’s openness and the new imperative for hardware innovation. The ISA can’t guarantee that an implementation is secure, but the Foundation has the critical role of promoting best security practices. The Committee will be hosting regular talks on security topics to help spread awareness of new developments and spur lively discussions.
I would like to make an appeal for new members to join the RISC-V Foundation and the Security Standing Committee to become involved in developing better security practices and solutions, which is fundamental to every business in our industry. In addition to participation from security companies, we’d also like participation from the big data giants and defense companies. If you’re reading this and are excited about this opportunity to build a more secure world, reach out to the Foundation to get involved.
As a footnote, David Patterson and John Hennessy incorporated solving security challenges into their ACM A.M. Turing Award talk in June 2018 about the new Golden Age of computer architecture. I’m sure David has the same expectations that I do that the RISC-V Security Standing Committee will play a central role in this endeavor.
Ted Speers is a member of the RISC-V Foundation Board of Directors and head of product architecture and planning for Microsemi’s PRO BU.