Abstract—Microarchitectural attacks threaten the security of
computer systems even in the absence of software vulnerabilities.
Such attacks are well explored on x86 and ARM CPUs,
with a wide range of proposed but not-yet-deployed hardware
countermeasures. With the standardization of the RISC-V
instruction set architecture and the announcement of support
for the architecture by major processor vendors, RISC-V
CPUs are on the verge of becoming ubiquitous. However, the
microarchitectural attack surface of the first commercially-available
RISC-V hardware CPUs still needs to be explored.
This paper analyzes the two commercially-available off-the-shelf
64-bit RISC-V (hardware) CPUs used in most RISC-V
systems running a full-fledged commodity Linux system. We
evaluate the microarchitectural attack surface and introduce
3 new microarchitectural attack techniques: Cache+Time, a
novel cache-line-granular cache attack without shared memory,
Flush+Fault exploiting the Harvard cache architecture for
Flush+Reload, and CycleDrift exploiting unprivileged access to
instruction-retirement information. We also show that many
known attacks apply to these RISC-V CPUs, mainly due
to nonexistent hardware countermeasures and instruction-set
subtleties that do not consider the microarchitectural attack
surface. We demonstrate our attacks in 6 case studies, including
the first RISC-V-specific microarchitectural KASLR break
and a CycleDrift-based method for detecting kernel activity.
Based on our analysis, we stress the need to consider the
microarchitectural attack surface during every step of a CPU
design, including custom ISA extensions.