A Chinese research team identified a severe security flaw in the design of RISC-V processors, posing a threat to China's expanding domestic semiconductor/Chip sector. This flaw in the design of RISC-V processors enables cyber attackers to bypass modern processors' security measures without administrative rights. This leads to the possible theft of sensitive information and breaches of personal privacy. RISC-V is an open-source standard used in advanced chips and semiconductors. Unlike mainstream CPU architectures like Intel's and AMD's X86, RISC-V offers free access and can be modified without restriction. The vulnerability was discovered in RISC-V's SonicBOOM open-source code and confirmed by Professor Hu Wei's team at Northwestern Polytechnical University (NPU), a major defense research institute in Shaanxi. On April 24, the Chinese research team, which specializes in hardware design security, vulnerability detection, and cryptographic application safety, reported the issue to China's National Computer Network Emergency Response Technical Team/Coordination Centre (CNCERT). Later, in an official statement, additional details were revealed by NPU on May 24. This openness has made it a critical component of China's strategy to circumvent US-imposed chip bans and achieve semiconductor independence.

US-imposed chip bans: What It Is?

Since 2022, US officials have set broad restrictions on which computing processors can be supplied to China, reducing shipments of Nvidia (NVDA.O), Advanced Micro Devices (AMD.O), and Intel (INTC.O), among others. These restrictions mirrored previous limits on semiconductor shipment to Huawei Technologies (HWT.UL). However, U.S. officials have granted licenses to at least two US companies, Intel and Qualcomm (QCOM.O), to continue shipping chips to Huawei, which is using an Intel chip to power a new laptop model.

Why is This Vulnerability a Trouble For China?

The vulnerability's discovery is particularly troubling for China, which has been relying heavily on RISC-V to develop its CPUs. By the end of 2022, over 50 different versions of locally produced RISC-V chips were mass-produced in China, primarily for embedded applications such as industrial controls, power management, wireless connectivity, storage control, and the Internet of Things. Recent developments have seen RISC-V expanding into more demanding applications, including industrial control, autonomous driving, artificial intelligence, telecommunications, and data centers. RISC-V processors have gained popularity due to their simplicity, modularity, scalability, and the rapid evolution of the architecture since its inception.

Discovery of RISC-V

RISC-V was developed in 2010 by Professor David Patterson at the University of California, Berkeley, who also designed RISC-I in 1980. Despite its advantages, the newly discovered flaw in RISC-V could undermine its reliability and security, potentially impacting its adoption and use in critical applications. This discovery is part of China’s national key research and development program in processor hardware security, initiated in 2021. The program, carried out by CNCERT, Tsinghua University, NPU, and the Institute of Microelectronics of the Chinese Academy of Sciences, focuses on the research and detection of hardware vulnerabilities. The CNCERT report emphasized that processor-related vulnerability mining is highly challenging, with the number of RISC-V processor vulnerabilities in global libraries being significantly lower than software and firmware vulnerabilities.

NPU Role

NPU's participation in discovering this weakness demonstrates its status as a pioneer in China's information security education and research, which aligns with the country's strategic needs. NPU developed its "information confrontation" undergraduate program in 2000, which was later renamed "information security" in 2009. In 2011, it established the National Institute of Confidentiality, which added "secrecy" to the curriculum. In 2018, the university expanded its cybersecurity focus by founding the School of Cybersecurity. This vulnerability influences China, affecting global technology corporations and the semiconductor industry. As China pursues semiconductor independence, addressing and mitigating such vulnerabilities will be critical to guarantee the security and dependability of its domestic chip industry.