Yewon Hwang  Taeweon Suh  Gunjae Koo

10.5626/JOK.2025.52.2.95

Cache side-channel attack RISC-V SoC Hardware Trojan third-party IP security

A modern System-on-Chip (SoC) incorporates multiple third-party intellectual properties (IPs) provided by external vendors. Such third-party IPs can be vulnerable to security attacks exploiting hardware Trojans. Namely, attackers may include malicious hardware logic that can perform unauthorized operations within a third-party coprocessor. In this paper, we present a cache side-channel attack scenario that exploits the coprocessor interface, called RoCC, in a RISC-V open-source SoC platform. We demonstrate that attackers can effectively execute a Flush+Reload type cache side-channel attack by activating a malicious memory access logic in a custom IP exploiting RoCC instructions. Our evaluation exhibits the proposed attack can perform flush operations 9.4 times faster than traditional cache side-channel attack methods. This paper highlights the need for defense mechanisms against hardware security attacks in SoC design utilizing open-source processors.