Microarchitectural side-channel and transient execution attacks continue to leak cryptographic secrets and confidential data—even on the latest CPUs. While these attacks are well studied, new variants keep emerging. Most rely on observing cache state through high-resolution timers, but on modern ARM64 systems, such timers are increasingly restricted or unavailable.
In this talk, we show how to leak hidden cache state without timing measurements, re-enabling these attacks. We introduce a fuzzing-based methodology that automatically discovers architectural leakage primitives, using differential testing, F-score–based ranking, and covert-channel verification. By fuzzing 160 devices across 37 microarchitectures—including smartphones, laptops, and cloud servers—we uncovered five previously undocumented cache-state leakage primitives, two of which are robust and broadly exploitable.
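The abstract names three stages of the discovery pipeline (differential testing, F-score based ranking, covert-channel verification) without detailing them. The block below is an added illustration, not code from the talk or its authors, and it touches no hardware: each candidate "primitive" is a constructed stand-in whose verdicts are generated from a chosen confusion matrix or from assumed true/false-positive rates. It assumes that "F-score" means the F1 harmonic mean of precision and recall over labelled differential trials, which the abstract does not specify, and it shows how candidates that fire indiscriminately or never fire at all fall to the bottom of the ranking before the covert-channel check is even run.

```python
"""Constructed illustration of F-score based ranking of candidate cache-state
leakage primitives, followed by a simulated covert-channel sanity check.
Nothing here measures real cache state: every verdict is synthesised."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Trial:
    evicted: bool   # ground truth from the differential test (constructed label)
    fired: bool     # candidate's verdict: "I believe the line was evicted"


def f_score(trials):
    """F1 = harmonic mean of precision and recall over differential trials.
    A primitive that fires regardless of cache state piles up false positives
    (low precision); one that misses real evictions has low recall."""
    tp = sum(1 for t in trials if t.fired and t.evicted)
    fp = sum(1 for t in trials if t.fired and not t.evicted)
    fn = sum(1 for t in trials if not t.fired and t.evicted)
    if tp == 0:
        return 0.0
    precision = tp / (tp + fp)
    recall = tp / (tp + fn)
    return 2 * precision * recall / (precision + recall)


def rank_candidates(results):
    """results: {name: [Trial, ...]} -> [(name, f1), ...] best first."""
    scored = [(name, f_score(trials)) for name, trials in results.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def make_trials(tp, fp, fn, tn):
    """Build a deterministic trial set from confusion-matrix counts."""
    return ([Trial(True, True)] * tp + [Trial(False, True)] * fp
            + [Trial(True, False)] * fn + [Trial(False, False)] * tn)


# Constructed differential-test outcomes for three hypothetical candidates.
CONSTRUCTED_RESULTS = {
    "cand_A": make_trials(tp=45, fp=5, fn=5, tn=45),    # separates the states well
    "cand_B": make_trials(tp=25, fp=25, fn=25, tn=25),  # no better than chance
    "cand_C": make_trials(tp=0, fp=0, fn=50, tn=50),    # never fires
}


def covert_channel_ber(tpr, fpr, n_bits=1000, seed=1):
    """Simulated covert-channel verification for a candidate with assumed
    true-positive rate tpr and false-positive rate fpr.  A sender encodes each
    bit as evict (1) or leave cached (0); the receiver decodes with the
    candidate's verdict.  Returns the resulting bit error rate."""
    rng = random.Random(seed)
    errors = 0
    for _ in range(n_bits):
        sent = rng.random() < 0.5
        fired = rng.random() < (tpr if sent else fpr)
        errors += fired != sent
    return errors / n_bits


if __name__ == "__main__":
    for name, score in rank_candidates(CONSTRUCTED_RESULTS):
        print(f"{name}: F1={score:.2f}")
    print("BER of top candidate (assumed 0.9/0.1 rates):",
          covert_channel_ber(tpr=0.9, fpr=0.1))
```

Ranking by F1 rather than raw hit rate is what separates a usable primitive from one that merely fires often: cand_B fires on half of all trials and looks busy, but its 0.5 score reflects that it carries no information about cache state, and the simulated channel built on a candidate with cand_C's behaviour loses every transmitted 1 bit.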
We’ll dissect these primitives, demonstrate their power with a timer-free Spectre variant and a cache-based AES key-recovery attack, and compare them against traditional timer-based techniques. Finally, we highlight how the same primitives can be turned into a defensive mechanism to detect cache eviction and automatically stop ongoing attacks.
Our results show that restricting timers is not enough: cache state leaks are alive and well on ARM64, broadening the attack surface in ways both attackers and defenders must now reckon with.