STIMSMITH

privilege mode

Concept WIKI v3 · 5/29/2026

In the provided RISC-V evidence, privilege mode is the processor privilege level used to qualify operations such as memory access, virtual-memory loads, trap handling, interrupt state, and access to performance counters. ProcessorFuzz treats privilege-related CSR transitions as verification-relevant behavior, and its reported Dromajo bug shows that using the wrong effective privilege mode for page-table accesses and PMP checks can violate the RISC-V privileged specification.

Definition

In the provided evidence, privilege mode is a RISC-V execution privilege level used by architectural mechanisms such as status CSRs, memory-access controls, virtual-memory behavior, interrupt state, and trap handling. The evidence names machine, supervisor, and user privilege levels through mstatus fields parameterized by x = {M, S, U}.

Role in RISC-V CSRs

The mstatus CSR exposes multiple fields whose behavior is defined in terms of privilege mode:

  • mstatus.xIE controls the global interrupt-enable bit for privilege x, where x = {M, S, U}.
  • mstatus.xPIE holds the interrupt-enable bit active before a trap for privilege mode x.
  • mstatus.xPP holds the previous privilege mode active before a trap taken to privilege mode x.
  • mstatus.MPRV controls the privilege mode in which memory operations are performed.
  • mstatus.SUM controls permission for supervisor-mode access to user memory.
  • mstatus.MXR controls the privilege with which loads access virtual memory.
  • mstatus.TW controls which privilege modes may execute wait-for-interrupt (WFI).
  • mstatus.TSR can trigger a trap when SRET is executed in supervisor mode.

Other selected privileged CSRs also encode privilege-mode effects. The {m,s}cause CSRs contain the trap cause when a trap is taken into machine or supervisor mode; medeleg decides which exception types are delegated from machine mode to supervisor mode; and {m,s}counteren controls the availability of hardware performance-monitoring counters for supervisor or user mode.

Example bug: effective privilege for page-table and PMP access

ProcessorFuzz reports a Dromajo issue involving the effective privilege mode for implicit page-table accesses. According to the RISC-V privileged specification behavior cited in the paper, implicit page-table accesses should use supervisor mode. Dromajo was instead observed to access page tables at user-mode privilege level while executing user-mode programs. The same analysis found that Dromajo performed Physical Memory Protection (PMP) checks in user mode when no PMP entries were set; the paper describes this as violating the RISC-V privileged specification in two ways.

This example illustrates why privilege mode is not just a label on currently running software: it can determine the effective privilege used for implicit architectural operations such as page-table walks and protection checks.
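The rule behind this bug can be written as a small trace checker. The following is an added example, not code from Dromajo or ProcessorFuzz: the record layout, the access kinds and the sample trace are hypothetical, while the privilege encodings and mstatus bit positions follow the RISC-V privileged specification.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Privilege encodings and mstatus bit positions per the RISC-V privileged spec. */
enum { PRV_U = 0, PRV_S = 1, PRV_M = 3 };
#define MSTATUS_MPP_SHIFT 11
#define MSTATUS_MPRV      (1ull << 17)

/* Record layout and access kinds are hypothetical, not any simulator's log format. */
typedef enum { ACC_FETCH, ACC_LOAD_STORE, ACC_PT_WALK } access_t;
typedef struct { int cur_priv; uint64_t mstatus; access_t kind; int priv_used; } access_rec;

/* Reference rule for the privilege an access must be checked with. */
static int effective_priv(uint64_t mstatus, int cur_priv, access_t kind)
{
    if (kind == ACC_PT_WALK)
        return PRV_S;                 /* implicit page-table access: supervisor */
    if (kind == ACC_LOAD_STORE && (mstatus & MSTATUS_MPRV))
        return (int)((mstatus >> MSTATUS_MPP_SHIFT) & 3);   /* MPRV: use MPP */
    return cur_priv;                  /* fetches, and data accesses with MPRV=0 */
}

/* Counts records whose logged privilege breaks the rule; *first_bad gets the first index. */
static size_t check_trace(const access_rec *t, size_t n, size_t *first_bad)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (t[i].priv_used != effective_priv(t[i].mstatus, t[i].cur_priv, t[i].kind)
            && bad++ == 0)
            *first_bad = i;
    return bad;
}

/* Constructed sample trace; record 3 reproduces the reported behaviour. */
static const access_rec sample_trace[] = {
    { PRV_U, 0, ACC_FETCH,      PRV_U },
    { PRV_U, 0, ACC_LOAD_STORE, PRV_U },
    { PRV_U, 0, ACC_PT_WALK,    PRV_S },
    { PRV_U, 0, ACC_PT_WALK,    PRV_U },   /* walk done at user privilege */
    { PRV_M, MSTATUS_MPRV | (1ull << MSTATUS_MPP_SHIFT), ACC_LOAD_STORE, PRV_S },
};

int main(void) {
    size_t first = 0, bad = check_trace(sample_trace, 5, &first);
    printf("%zu violation(s), first at record %zu\n", bad, first);
    return 0;
}
```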

Use in ProcessorFuzz verification

ProcessorFuzz uses CSR-transition coverage to identify test inputs that increase coverage. Its RISC-V CSR selection includes a privileged group containing mstatus fields, trap-cause CSRs, medeleg, and counter-enable CSRs, as well as an unprivileged group containing floating-point CSRs. Because several selected CSRs record or control privilege-mode behavior, transitions in these CSRs can expose privilege-related behaviors such as trap entry, delegated exceptions, memory-operation privilege, and supervisor/user access rules.
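A simplified model of CSR-transition coverage, restricted to mstatus, shows how a new transition marks an input as interesting. This is an added example and not ProcessorFuzz's own code: the map structure, function names and traces are assumptions, and only the tracked field list comes from this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* mstatus bits of the fields listed on this page (positions per the privileged
   spec): UIE SIE MIE UPIE SPIE MPIE SPP MPP MPRV SUM MXR TW TSR. */
#define MSTATUS_TRACKED ((1u<<0)|(1u<<1)|(1u<<3)|(1u<<4)|(1u<<5)|(1u<<7)|(1u<<8)| \
                         (3u<<11)|(1u<<17)|(1u<<18)|(1u<<19)|(1u<<21)|(1u<<22))
#define MAX_TRANSITIONS 256

typedef struct { uint32_t from, to; } transition;
typedef struct { transition seen[MAX_TRANSITIONS]; size_t count; } coverage_map;

/* Record one (from, to) pair; returns 1 only if it was not seen before. */
static int cov_add(coverage_map *c, uint32_t from, uint32_t to)
{
    for (size_t i = 0; i < c->count; i++)
        if (c->seen[i].from == from && c->seen[i].to == to)
            return 0;
    if (c->count == MAX_TRANSITIONS)
        return 0;                       /* map full: treat as not new */
    c->seen[c->count++] = (transition){ from, to };
    return 1;
}

/* Feed per-instruction mstatus values from one test input; returns how many
   new transitions it contributed (nonzero means the input is worth keeping). */
static size_t cov_feed(coverage_map *c, const uint64_t *trace, size_t n)
{
    size_t fresh = 0;
    for (size_t i = 1; i < n; i++) {
        uint32_t a = (uint32_t)trace[i - 1] & MSTATUS_TRACKED;
        uint32_t b = (uint32_t)trace[i] & MSTATUS_TRACKED;
        if (a != b)
            fresh += (size_t)cov_add(c, a, b);
    }
    return fresh;
}

/* Constructed traces: M-mode trap entry and return; a change in FS only. */
static const uint64_t trace_trap[] = { 0x8, 0x8, 0x1880, 0x1880, 0x88 };
static const uint64_t trace_fs[]   = { 0x8, 0x6008, 0x8 };

int main(void) {
    static coverage_map cov;
    printf("trap input: %zu new\n", cov_feed(&cov, trace_trap, 5));
    printf("FS input:   %zu new\n", cov_feed(&cov, trace_fs, 3));
    return 0;
}
```

The FS-only trace adds nothing because its changes fall outside the tracked fields, so the transition set grows only when privilege-related state changes.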

CITATIONS

[1] Privilege mode in the evidence includes machine, supervisor, and user levels, expressed by mstatus fields parameterized as x = {M, S, U}. ProcessorFuzz: Processor Fuzzing with Control and
[2] mstatus fields record or control privilege-mode behavior for interrupt state, previous privilege mode before traps, memory-operation privilege, supervisor access to user memory, virtual-memory load privilege, WFI execution privilege, and SRET trap behavior. ProcessorFuzz: Processor Fuzzing with Control and
[3] Other privileged CSRs selected by ProcessorFuzz include trap-cause CSRs for machine or supervisor traps, medeleg for delegating exceptions from machine mode to supervisor mode, and counter-enable CSRs controlling counter availability for supervisor or user mode. ProcessorFuzz: Processor Fuzzing with Control and
[4] ProcessorFuzz uses CSR-transition coverage to detect inputs that increase coverage, and its RISC-V CSR selection includes both privileged and unprivileged CSR groups. ProcessorFuzz: Processor Fuzzing with Control and
[5] ProcessorFuzz reported a Dromajo bug where implicit page-table accesses should have used supervisor mode but were observed at user-mode privilege level while executing user-mode programs. ProcessorFuzz: Processor Fuzzing with Control and
[6] The Dromajo analysis also found PMP checks performed in user mode when no PMP entries were set, which the paper describes as violating the RISC-V privileged specification in two counts. ProcessorFuzz: Processor Fuzzing with Control and

VERSION HISTORY

v3 · 5/29/2026 · gpt-5.5 (current)
v2 · 5/28/2026 · gpt-5.5
v1 · 5/26/2026 · gpt-5.5