Caches have long been known to leak information across isolation boundaries, with classic attacks relying on timing to distinguish cache hits and misses. However, modern CPUs and operating systems increasingly limit timer resolution or restrict access to cycle counters, making such attacks less reliable in practice. As an alternative, architectural side channels replace timing with instruction sequences whose architectural outcome depends on cache state, offering higher robustness.
In this paper, we introduce I2SC, a generic timer-free architectural cache side channel that exploits instruction/data-cache incoherence on RISC-V, ARM, and LoongArch. I2SC leverages a widespread RISC property: stores through the data path are invisible to instruction fetch when the instruction cache holds stale lines, yielding architecturally distinct outcomes that reveal cache state. Unlike prior work that targets only instruction caches, I2SC generalizes this behavior into a timer-free oracle for both instruction and data caches via a transient-execution-based cache-state transfer gadget. We evaluate I2SC on 18 microarchitectures, finding that 12 microarchitectures are affected. To demonstrate the security impact of I2SC, we mount three end-to-end attacks: a timer-free AES key-recovery, a Spectre variant with architectural leakage across all three architectures, achieving reliability on par with or exceeding prior timing-based methods, and a classical side-channel attack on Android shared libraries leaking user input. Finally, we discuss both software and hardware mitigations, noting that full prevention likely requires hardware changes.