| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| 000             | 00000                | 000000        | 0000          | 00000 | 0000000 |
|                 |                      |               |               |       |         |

A gem5-Based Simulation Platform for Evaluating RISC-V Security Against Microarchitectural Side-Channel Attacks

Mahreen KHAN

Telecom Paris, Institut Polytechnique de Paris

| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| 000             | 00000                | 000000        | 0000          | 00000 | 0000000 |
| Agenda of       | f Presentation       | l             |               |       |         |





### RISC-V attack







| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| ●00             | 00000                | 000000        | 0000          | 00000 | 0000000 |
|                 |                      |               |               |       |         |

# **Security Basics**

### Information Security Perspective

| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| O●O             | 00000                | 000000        | 0000          | 00000 | 0000000 |
| Why Secu        | rity Matters         | ?             |               |       |         |



https://www.visualcapitalist.com/sp/thematic-investing-3-key-trends-in-cybersecurity/

| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| 00●             | 00000                | 000000        | 0000          | 00000 | 0000000 |
| Secure S        | oftware: Can         | data still h  | a laskad?     |       |         |

icancu:



- Consider CPU as a black box
- Assume no bugs in software

Can data still be leaked?

Yes - Through hardware vulnerabilities and side channel attacks

| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| 000             | ●0000                | 000000        | 0000          | 00000 | 0000000 |
|                 |                      |               |               |       |         |

# **Side-Channel Attacks**

Focus on Micro-architectural Side-Channels

| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| 000             | O●000                | 000000        | 0000          | 00000 | 0000000 |
| Side-Cha        | nnel: Major S        | Security Co   | ncern         |       |         |

### Side Channel Attacks

Side channel information can be collected from the physical behavior of a system and exploited by attackers to extract sensitive data.



Different types of Side-channels

### Focus for this presentation:

Microarchitectural timing side-channel attacks

| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| 000             | 00●00                | 000000        | 0000          | 00000 | 0000000 |
| Understar       | nding Microa         | rchitecture   |               |       |         |

- Performance optimization elements:
  - Speculative execution
  - Cache hierarchies
  - Branch prediction



Typical CPU microarchitecture components

| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| 000             | 000●0                | 000000        | 0000          | 00000 | 0000000 |
| Cache O         | ptimization          |               |               |       |         |

### **Benefits:**

- Reduces memory latency (10-100x shorter than DRAM)
- Improves power efficiency

### Risks:

- Creates timing side-channels
- Leaks access patterns
- Reveals cryptographic secrets



### Famous Attack: Flush+Reload



### **Benefits:**

Improves pipeline utilization

Risks:

Out of bound memory access



Famous attack: Spectre

| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| 000             | 00000                | 000000        | 0000          | 00000 | 0000000 |
| 000             | 00000                |               | 0000          | 00000 | 0000000 |

## **RISC-V** attack

### Focus on Flush+Fault attack on RISC-V

| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| 000             | 00000                | 0●0000        | 0000          | 00000 | 0000000 |
| RISC-V: E       | merging Arc          | hitecture     |               |       |         |

### Why RISC-V Matters

62.4 billion RISC-V cores forecast by 2026 (Market projection across IoT, AI and security-sensitive domains)

| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| 000             | 00000                | 00●000        | 0000          | 00000 | 0000000 |
| RISC-V: (       | Challenges           |               |               |       |         |

A lot of work is done to understand Intel x86 and ARM vulnerabilities.

BUT what about RISC-V?

### **RISC-V Challenges: Critical Gap**

- Less mature RISC-V security analysis
- Custom extension security
- Verification complexity

| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| 000             | 00000                | 000€00        | 0000          | 00000 | 0000000 |
| RISC-V: \       | /irtual Securi       | ty Testing    | Platform      |       |         |

### Bridging the Gap

- Open-source virtual platform for RISC-V security research
- Enables testing of microarchitectural attacks and defenses
- Prototypes Hardware Performance Counters (HPCs) for security use





I will focus on the analysis of the **Flush+Fault** attack on RISC-V. A similar methodology was applied to the **Evict+Spec+Time** attack.





- Flush the instruction cache using fence.i.
- Record a precise timestamp immediately after the flush.
- Triggers a fault or a return by jump to a victim instruction.
- Record second timestamp after the fault or return.
- Calculate the time delta between both timestamps:
  - Shorter time indicates a cache hit.
  - Longer time indicates a cache miss.
- To avoid speculative prefetching, the attacker issues multiple calls to dummy locations outside the targeted cache line.

| 000 00000 00000 0000 0000 000 | Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs |  |
|-------------------------------|-----------------|----------------------|---------------|---------------|------|--|
|                               |                 |                      |               | 0000 ·        |      |  |

# Gem5 Analysis

### Flush+Fault analysis using Gem5

### Tool Comparison

- ✓ gem5: Full-system, cycle-accurate but moderate speed
- QEMU: Fast emulation but less accurate
- Spike: ISA simulator but no timing accuracy
- Verilog Simulators: Highly accurate but very slow.



| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| 000             | 00000                | 000000        | 00€0          | 00000 | 0000000 |
| Gem5 sim        | ulator: a too        | I for secur   | ity analysis  |       |         |

### Why Choose gem5?

• Full-system simulation

• Rich microarchitectural stats

Attack Analysis using gem5



| Security Basics<br>000 | Side-Channel Attacks<br>00000 | RISC-V attack<br>000000 | Gem5 Analysis<br>000● | HPCs<br>00000 | ML<br>0000000 |
|------------------------|-------------------------------|-------------------------|-----------------------|---------------|---------------|
| Gem5 Ar                | alysis Results                | 5                       |                       |               |               |
|                        |                               |                         |                       |               |               |

Tested **Flush+Fault** which exploits instruction cache flushing and branch mispredictions.



| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| 000             | 00000                | 000000        | 0000          | ●0000 | 0000000 |
|                 |                      |               |               |       |         |

### Hardware Performance Counters (HPCs) Custom HPCs within Gem5

| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| 000             | 00000                | 000000        | 0000          | O●OOO | 0000000 |
| Custom          | HPCs in gem          | 5 · Motivat   | tion          |       |         |

### Why Custom HPCs (Security-Centric)?

- gem5 currently does not have HPCs for observing cache or branch predictor misses. The metrics are important for detecting/analyzing microarchitectural side channel attacks.
- Need to create a gem5-based virtual platform with custom HPCs for branch misprediction, cache misses etc.
- Useful for attack detection. close to a real hardware scenario.

| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| 000             | 00000                | 000000        | 0000          | 00●00 | 0000000 |
| <u> </u>        |                      | · · –         |               |       |         |

### Creating Custom HPCs in gem5



Workflow for creating custom HPCs into gem5.



**A novel framework** developed for attack assessment that uses gem5-based custom HPC for RISC-V security analysis.



| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| 000             | 00000                | 000000        | 0000          | 0000● | 0000000 |
| LDC An          | alveie Deculte       | Across Mar    | ious Morlel   | aada  |         |

### HPC Analysis Results Across Various Workloads



L1 instruction cache miss analysis across various workloads (with and without Flush+Fault attack) using gem5-simulated HPCs.



Branch misprediction analysis across various workloads (with and without Flush+Fault attack) using gem5-simulated HPCs.

| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| 000             | 00000                | 000000        | 0000          | 00000 | •000000 |
|                 |                      |               |               |       |         |

# Machine Learning (ML)

### ML for attack detection

| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| 000             | 00000                | 000000        | 0000          | 00000 | 0000000 |
| Mativat         | ion: MI for Si       | do Channa     | Dotoction     |       |         |

### otivation. ME for Side-Channel Detection

### Why ML with gem5-based HPC traces?

- ML can learn attack vs. benign patterns automatically
- Enables virtual platform-based detection before hardware implementation
- Supports rapid prototyping of detection models

Security Basics Side-Channel Attacks RISC-V attack Gem5 Analysis HPCs O0000 ML 000000 MC 00000 ML 000000 MC 00000 ML 000000 MC 00000 ML 0000000 MC 00000 ML 0000000 MC 00000 MC 00000



Methodology for HPC trace generation and ML-based detection using gem5.

| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| 000             | 00000                | 000000        | 0000          | 00000 | 0000000 |
| ML-Based        | Attack Dete          | ction: Resu   | lts           |       |         |

### **Evaluation Metrics:**

- Accuracy: Proportion of correct predictions out of all predictions.
- **Precision:** Proportion of predicted attacks that were actual attacks.
- **Recall:** Proportion of actual attacks that were correctly predicted.

| Model | Accuracy | Precision | Recall |
|-------|----------|-----------|--------|
| RF    | 0.99     | 0.99      | 0.99   |
| SVM   | 0.96     | 0.95      | 0.97   |
| NB    | 0.95     | 0.92      | 0.96   |

| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| 000             | 00000                | 000000        | 0000          | 00000 | 0000●00 |
| Publicati       | ons                  |               |               |       |         |

- Paper accepted at SECRYPT 2025, Spain: "Assessing Security RISC: Analyzing Flush+Fault Attack on RISC-V using gem5"
- Paper accepted at EICC 2025, France: "Evaluating KASLR Break on RISC-V using gem5"
- Paper accepted at IOLTS 2025, Italy: "Detection using gem5 and Machine Learning: A Case Study on Fault-based Attacks in RISC-V"
- Paper accepted at SAMOS 2025, Greece: "Prototyping Custom Hardware Performance Counters in gem5 Simulator: A Framework for RISC-V Side-Channel Attack Assessment"
- Paper accepted at IEEE CSR HACS 2025, Greece: "SpectreShield: Design and Analysis of Spectre Countermeasures on RISC-V Using gem5"
- Paper accepted at 28th Euromicro Conference Series on Digital System Design (DSD), Italy: "Evict+Spec+Time on RISC-V: Gem5-Based Implementation and Microarchitectural Analysis"

| Security Basics<br>000 | Side-Channel Attacks | RISC-V attack<br>000000 | Gem5 Analysis<br>0000 | HPCs<br>00000 | ML<br>00000●0 |
|------------------------|----------------------|-------------------------|-----------------------|---------------|---------------|
| Future V               | Vork                 |                         |                       |               |               |
|                        |                      |                         |                       |               |               |

### Goal

Build a flexible RISC-V platform to evaluate microarchitectural attacks and defenses.

#### Wide Attack Coverage

 ${\scriptsize \bigcirc}~$  Support for cache attacks, speculative execution, branch prediction, and TLB-based side channels

### ML-Based Detection Techniques

 ${\ensuremath{\, \bullet \, }}$  Use gem5 statistics for selecting HPCs to train models for detecting attack patterns in execution traces

#### O Countermeasure Evaluation

- Implement and test branch predictor partitioning, cache isolation, and locking
- Measure effectiveness and performance trade-offs

| Security Basics | Side-Channel Attacks | RISC-V attack | Gem5 Analysis | HPCs  | ML      |
|-----------------|----------------------|---------------|---------------|-------|---------|
| 000             | 00000                | 000000        | 0000          | 00000 | 000000● |
| Question        | answers              |               |               |       |         |

### Thank You!

### Contact: mahreen.khan@telecom-paris.fr