Most cache side-channel attacks rely on observing cache state through high-resolution timers, but on modern ARM64 systems such timers are increasingly restricted or unavailable. We reveal a previously unknown class of timer-free architectural side channels, where short instruction sequences expose cache state directly through architectural side effects—in register values, memory, or exception metadata—without any timing measurements.
Our system, ExfilState, implements a fuzzing-based discovery approach to find such leakage primitives. It applies differential testing to contrast cached versus uncached states, F-score ranking to separate signal from noise, and covert-channel verification to confirm genuine leakage. In our evaluation across 160 devices and 37 ARM microarchitectures, ExfilState uncovered five new cache-state leakage primitives. These primitives enable timer-free AES key-recovery attacks and Spectral, an architectural Spectre attack, on commodity ARM cores, and can also be repurposed to detect cache eviction in real time.
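As an added illustration of the ranking and verification stages described above (not the paper's or ExfilState's own code), the following Python scores a few hypothetical candidate sequences on constructed observations. It assumes "F-score" means the Fisher discriminant ratio (between-class separation over within-class spread), since the abstract does not define it, and verifies each candidate by decoding the cache state from its own output with a threshold, the way a covert-channel check would.

```python
"""Rank candidate leakage primitives by Fisher score and verify them as a channel.
Constructed data and hypothetical candidate names; not the paper's pipeline code."""
from statistics import mean, pvariance

# Constructed observations: for each hypothetical candidate instruction sequence,
# the architectural value it produced when the probed line was uncached (0) vs
# cached (1). Real data would be collected by running the sequence on hardware.
OBSERVATIONS = {
    "cand_A": {0: [0, 0, 0, 1, 0, 0], 1: [1, 1, 1, 1, 0, 1]},  # mostly separable
    "cand_B": {0: [3, 5, 4, 6, 5, 4], 1: [4, 5, 6, 4, 5, 5]},  # overlapping noise
    "cand_C": {0: [7, 7, 7, 7, 7, 7], 1: [7, 7, 7, 7, 7, 7]},  # constant, no info
}

def fisher_score(uncached, cached):
    """(mu1 - mu0)^2 / (var0 + var1); 0.0 when the output never changes."""
    num = (mean(cached) - mean(uncached)) ** 2
    den = pvariance(cached) + pvariance(uncached)
    if den == 0:
        return float("inf") if num > 0 else 0.0
    return num / den

def rank_candidates(observations):
    """Return (name, score) pairs, best separation first."""
    scored = {n: fisher_score(o[0], o[1]) for n, o in observations.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)

def channel_accuracy(uncached, cached):
    """Decode each observation as 'cached' iff it lies above the midpoint of the
    two class means; return the fraction of observations decoded correctly."""
    threshold = (mean(uncached) + mean(cached)) / 2
    hits = sum(1 for v in uncached if not v > threshold)
    hits += sum(1 for v in cached if v > threshold)
    return hits / (len(uncached) + len(cached))

def confirmed_primitives(observations, min_score=1.0, min_accuracy=0.75):
    """Candidates that both rank well and actually transmit the cache state."""
    keep = []
    for name, score in rank_candidates(observations):
        acc = channel_accuracy(observations[name][0], observations[name][1])
        if score >= min_score and acc >= min_accuracy:
            keep.append(name)
    return keep

if __name__ == "__main__":
    for name, score in rank_candidates(OBSERVATIONS):
        obs = OBSERVATIONS[name]
        print(f"{name}: F={score:.3f} accuracy={channel_accuracy(obs[0], obs[1]):.2f}")
    print("confirmed:", confirmed_primitives(OBSERVATIONS))
```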
Our results show that restricting timers does not close the attack surface: architectural side channels remain a practical and largely unmitigated path for cache-state leakage on modern ARM CPUs.