Architecture 1005: RISC-V Assembly


OpenSecurityTraining2

About This Course

The RISC-V architecture is the new hotness! It's going to take over the world! (Or is it?... (It is!;))) But what is RISC-V, and why should you care?

RISC-V is an open source Instruction Set Architecture (ISA). Or, in reality, a small, tight-knit family of ISAs and ISA extensions. The multiple ISAs allow it to be modular and be cut down to work for a 32-bit embedded system, or scaled up for a 64-bit desktop system. (And there's even a fairly clear path to 128-bit super-computer extensions in the future.)

But it's the open-source aspect of RISC-V that will make it take over. In a world where many embedded device makers use ARM ISAs but have to pay ARM a licensing fee, what company wouldn't want to investigate making their chips without paying licensing fees to ARM, or Tensilica, or others? E.g. in 2022 Espressif indicated they'll be using RISC-V exclusively for all future chips. So in the same way that Linux found some clearly beneficial early niches and kept expanding from there, RISC-V has begun to find its niches, and natural market forces will cause it to continue to expand.

So this is the class where you can get ahead of the curve, and learn RISC-V assembly language, and be able to reverse engineer software written for RISC-V hardware!

In this class we take a top-down approach of looking at simple C code, compiling it, and then understanding the assembly instructions that were generated. We look at new C examples designed to introduce the fewest new instructions at a time. And we use programmatically-randomized games and spaced repetition to reinforce the student's memorization of what the instructions do. The class outline is as follows:

  • Introduction
  • Registers
  • Your first instruction - No-op.
    • Instructions learned: NOP, ADDI
  • Just returning from a function + learning about the stack.
    • Instructions learned: LI, RET, JR, JALR, SD, LD, MOV, C.JR, C.SDSP, C.LDSP, C.ADDI4SPN, C.ADDI
  • Understanding local variables.
    • Instructions learned: SW, LW, SH, LH, LHU, SB, LBU, LB, LUI, AUIPC, ADD, ADDW, ADDIW, SUBW, SEXT.W, C.MV, C.ADDI16SP, C.LD, C.ADD, C.ADDIW
  • Calling functions and calling conventions.
    • Instructions learned: JAL, CALL, J, SUB, C.SUB
  • Boolean operations.
    • Instructions learned: AND, OR, XOR, NOT, C.AND, C.OR, C.XOR, XORI, ANDI, ORI, ZEXT.B
  • Control flow.
    • Instructions learned: BNE, BGE, BGEU, BLT, BLTU, BNEZ, C.BNEZ, BEQZ, BEQ, C.BEQZ, BGTZ, BLTZ
  • Bit shifting.
    • Instructions learned: SLLI, SRLI, SRAI, SLL, SRL, SRA, SLLW, SRLW, SRAW, SLLIW, SRLIW, SRAIW, LWU, C.SUBW, C.SLLI, C.SRLI, C.SRAI
  • "Set-if-less-than" instructions.
    • Instructions learned: SNEZ, SLTU, SGTZ, SLT, SLTI, SLTIU
  • The stragglers that we just need to collect in order to complete our full set of base 32 and 64-bit instructions!
    • Instructions learned: FENCE, ECALL, EBREAK
  • "M" standard ISA extension - Multiplication, Division, and Remainder.
    • Instructions learned: MUL, DIVU, REMU, MULHU, MULW, DIVUW, REMUW, DIV, REM, DIVW, REMW, MULH, MULHSU
  • Read The Fun Manual!
  • Writing inline assembly for fun and understanding!
  • The infamous CMU Binary Bomb - now with 100% more RISC-V!

For those who've taken the OST2 Arch1001: x86-64 Assembly class in the past, this class follows the same format, and it will feel very familiar.

Requirements

You must be comfortable with C programming.

If you need to learn C, we recommend Learn-C.org, and Dartmouth's 'C Programming with Linux' edX class.

Frequently Asked Questions

How long does it take to complete this class?

Based on beta tester feedback, it takes an average of 28.5 hours. This does not include the binary bomb lab, or the setup for optional class material such as doing the binary bomb in Ghidra instead of GDB.

What learning paths is this class used in?

Reverse Engineering, and Trusted Systems Design

Course Staff

Xeno wuz here...

Xeno Kovah

Xeno founded OpenSecurityTraining in 2011 to share his and others' trainings more widely. He relaunched OST2 in 2021.

Xeno's from Minnesota and has a BS in CS from UMN. He received an MS in computer security from Carnegie Mellon through the National Science Foundation "CyberCorps Scholarship for Service". But the US government didn't really yet know what to do with "cyber" people in 2007, so he ended up going to work for a Federally Funded Research and Development Center - MITRE. Xeno worked exclusively on internally-funded research projects, first as a participant and later as a leader on Windows kernel malware detection and trusted computing projects. Towards the end, other cool researchers inspired him to dig into BIOS and firmware level threats.

Xeno left MITRE to start an independent consultancy, LegbaCore, with Corey Kallenberg in 2015. Less than a year later, under mysterious circumstances that he's legally prevented from stating, he started working for Apple. While at Apple he helped get SecureBoot on Macs with the addition of the T2 chip. He also led the SecureBoot design and implementation project for the ARM-based M1 Macs. But between those big, visible, multi-year projects, he was silently improving the security of a bunch of the 3rd party peripheral processors' hardware and firmware. He liked working at Apple because he had a bully pulpit where he could force 3rd parties to do the right thing or lose their business. But he likes OST better, so he left in 2020 to work on this full time.

Xeno has a touch of the illness known as being a "collector" (it's not quite to the level of being a "hoarder", so he can't get on TV for it or anything...). Consequently he collects speaker badges and has presented at IEEE S&P, ACM CCS, BlackHat USA/EUR, DEF CON, CanSecWest, PacSec, Hardwear.io NL, Hack in the Box KUL/AMS/GSEC/HKT, H2HC, Microsoft BlueHat, Shmoocon, Hack.lu, NoHat, Hacktivity, HackFest, NoSuchCon, SummerCon, RSA, ToorCon, DeepSec, VirusBulletin, MIRCon, AusCERT, Trusted Infrastructure Workshop, NIST NICE Workshop, and the DOD Information Assurance Symposium. And yet he still says "MORE!"