DOI: 10.53941/pc.2026.100006 ISSN: 3083-2454

RV-Sec5: Enhancing Pre-Silicon Security Evaluation of RISC-V Processors through Targeted ISA-Level Instrumentation in the gem5 Simulation Framework †

Florent Bruguier, Jawad Haj Yahya, Lirida Naviner, Maria Mushtaq, Muhammad Awais

The open-source RISC-V Instruction Set Architecture (ISA) is being adopted rapidly in security-sensitive areas such as IoT, edge computing, and aerospace systems, which makes early-stage security validation increasingly important. Yet most existing approaches still depend either on post-silicon testing or on high-level emulation. Neither is well suited to exposing ISA-specific vulnerabilities or microarchitectural side effects during the design phase. As a result, there remains a gap between high-level security policies and the way hardware actually behaves at runtime, and that gap can leave processors exposed to privilege escalation, memory protection failures, and side-channel leakage that may only become visible late in development. In this paper, we present RV-Sec5, a systematic and policy-driven framework for ISA-level security evaluation built on the gem5 cycle-accurate simulator. RV-Sec5 provides a formal method for translating high-level security invariants, including privilege isolation, Physical Memory Protection (PMP) enforcement, and Control and Status Register (CSR) integrity, into automated cycle-accurate instrumentation points embedded directly in the ISA decoder. By recording precise architectural execution context at instruction commit time, the framework supports a specification-driven methodology for identifying privilege escalation attempts and enables systematic correlation between ISA-level events and microarchitectural behavior, including TLB activity and cache state changes, without interfering with functional execution. Our results show that RV-Sec5 can detect specification violations on the events that are permitted in User mode. They also show that extending gem5 with the added hooks and the modified ISA introduces simulation overhead: the overall overhead of RV-Sec5 is less than 4% for simulation time and less than 2% for memory usage across the evaluated workloads.
RV-Sec5 is a modular, cycle-accurate observation and post-execution detection virtual platform that reduces the gap between architectural security requirements and their enforcement at the microarchitectural level, using post-silicon testing within the RISC-V processor design flow.
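
As an added illustration (not code from the paper or from RV-Sec5), the sketch below checks one CSR-integrity invariant after execution over a constructed commit trace, using the RISC-V privileged-specification convention that CSR address bits [9:8] give the lowest privilege level allowed and bits [11:10] = 0b11 mark a read-only CSR. The trace record layout and all function names are assumptions, and the hypervisor extension is assumed absent.

```python
from typing import NamedTuple

# RISC-V privilege level encodings (hypervisor extension assumed absent).
PRIV = {"U": 0, "S": 1, "M": 3}

class Commit(NamedTuple):
    """One committed CSR instruction; this record layout is hypothetical."""
    tick: int       # simulator tick at commit
    pc: int         # program counter of the instruction
    priv: str       # privilege mode at commit: "U", "S" or "M"
    csr: int        # 12-bit CSR address
    is_write: bool  # True if the instruction actually writes the CSR

def min_priv(csr: int) -> int:
    """Lowest privilege level allowed to access the CSR (address bits [9:8])."""
    return (csr >> 8) & 0x3

def is_read_only(csr: int) -> bool:
    """CSR addresses with bits [11:10] == 0b11 are read-only."""
    return (csr >> 10) & 0x3 == 0x3

def check_commit(c: Commit) -> list:
    """Return the invariants this committed access violates (empty if none)."""
    findings = []
    if PRIV[c.priv] < min_priv(c.csr):
        findings.append("privilege")        # should have trapped, but committed
    if c.is_write and is_read_only(c.csr):
        findings.append("read-only-write")  # write to a read-only CSR committed
    return findings

def scan(trace) -> list:
    """Post-execution pass: (tick, pc, csr, finding) for every violation."""
    return [(c.tick, c.pc, c.csr, f) for c in trace for f in check_commit(c)]

# Constructed sample trace (not simulator output).
SAMPLE_TRACE = [
    Commit(1000, 0x80000010, "M", 0x300, True),   # M writes mstatus: allowed
    Commit(2000, 0x00010400, "U", 0xC00, False),  # U reads cycle: allowed by encoding
    Commit(3000, 0x00010404, "U", 0x300, True),   # U writes mstatus: violation
    Commit(4000, 0x80200020, "S", 0x180, True),   # S writes satp: allowed
    Commit(5000, 0x80000030, "M", 0xF14, True),   # M writes mhartid (read-only)
    Commit(6000, 0x00010408, "U", 0x180, False),  # U reads satp: violation
]

if __name__ == "__main__":
    for tick, pc, csr, finding in scan(SAMPLE_TRACE):
        print(f"tick={tick} pc={pc:#x} csr={csr:#05x} violation={finding}")
```

The check covers only the address-encoded access rule; state-dependent controls such as counter-enable registers or PMP need the corresponding architectural state in the trace.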
