{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,5]],"date-time":"2026-03-05T07:21:50Z","timestamp":1772695310440,"version":"3.50.1"},"reference-count":92,"publisher":"IEEE","license":[{"start":{"date-parts":[[2026,1,31]],"date-time":"2026-01-31T00:00:00Z","timestamp":1769817600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,1,31]],"date-time":"2026-01-31T00:00:00Z","timestamp":1769817600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100004543","name":"China Scholarship Council","doi-asserted-by":"publisher","award":["202406210249"],"award-info":[{"award-number":["202406210249"]}],"id":[{"id":"10.13039\/501100004543","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026,1,31]]},"DOI":"10.1109\/hpca68181.2026.11408465","type":"proceedings-article","created":{"date-parts":[[2026,3,4]],"date-time":"2026-03-04T20:47:22Z","timestamp":1772657242000},"page":"1-15","source":"Crossref","is-referenced-by-count":0,"title":["SSBleed: Non-Speculative Side-Channel Attacks via Speculative Store Bypass on Armv9 CPUs"],"prefix":"10.1109","author":[{"given":"Chang","family":"Liu","sequence":"first","affiliation":[{"name":"Tsinghua University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Hongpei","family":"Zheng","sequence":"additional","affiliation":[{"name":"Tsinghua University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xin","family":"Zhang","sequence":"additional","affiliation":[{"name":"Peking University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Dapeng","family":"Ju","sequence":"additional","affiliation":[{"name":"Tsinghua University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Dongsheng","family":"Wang","sequence":"additional","affiliation":[{"name":"Tsinghua University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yinqian","family":"Zhang","sequence":"additional","affiliation":[{"name":"Southern University of Science and Technology"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Trevor E.","family":"Carlson","sequence":"additional","affiliation":[{"name":"National University of Singapore"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/RTAS.2013.6531080"},{"key":"ref2","volume-title":"Security Analysis of AMD Predictive Store Forwardind","year":"2023"},{"key":"ref3","volume-title":"Arm Architecture Reference Manual for A-profile architecture"},{"key":"ref4","volume-title":"Arm Cortex-X3 Core Technical Reference Manual"},{"key":"ref5","volume-title":"Arm Neoverse N2 Core Technical Reference Manual r0p3"},{"key":"ref6","first-page":"971","article-title":"Branch History Injection: On the Effectiveness of Hardware Mitigations Against Cross-Privilege Spectre-v2 Attacks","volume-title":"USENIX Security Symposium (USENIX Security)","author":"Barberis","year":"2022"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1145\/3445814.3446708"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363194"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363219"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.5555\/3361338.3361356"},{"key":"ref11","first-page":"1117","article-title":"GoFetch: Breaking ConstantTime Cryptographic Implementations Using Data Memory-Dependent Prefetchers","volume-title":"USENIX Security Symposium (USENIX Security)","author":"Chen","year":"2024"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA57654.2024.00037"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.23919\/DATE58400.2024.10546531"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1145\/3575693.3575719"},{"key":"ref15","volume-title":"Shared Learning Table for Load Value Prediction and Load Address Prediction","author":"Chou","year":"2024"},{"key":"ref16","volume-title":"Early Load Execution via Constant Address and Stride Prediction","author":"Chou","year":"2023"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/ISCA.1998.694770"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA53966.2022.00013"},{"key":"ref19","volume-title":"Counterbased Memory Disambiguation Techniques for Selectively Predicting Load\/store Conflicts","author":"Evgeni","year":"2009"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1145\/3173162.3173204"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1145\/3411504.3421216"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179368"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2025.241038"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417289"},{"key":"ref25","article-title":"VMScape: Exposing and Exploiting Incomplete Branch Predictor Isolation in Cloud Environments: Exposing and Exploiting Incomplete Branch Predictor Isolation in Cloud Environments","volume-title":"Symposium on Security and Privacy (S&P)","author":"Graf","year":"2026"},{"key":"ref26","first-page":"955","article-title":"Translation Leak-aside Buffer: Defeating Cache Side-channel Protections with TLB Attacks","volume-title":"USENIX Security Symposium (USENIX Security)","author":"Gras","year":"2018"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-40667-1_14"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-09484-2_7"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1145\/3676641.3716020"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.46586\/tches.v2020.i1.321-347"},{"key":"ref31","volume-title":"Fast Store Forwarding Predictor"},{"key":"ref32","volume-title":"Speculative Store Bypass"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3690189"},{"key":"ref34","first-page":"7957","article-title":"Found in Translation: A Generative Language Modeling Approach to Memory Access Pattern Attacks","volume-title":"USENIX Security Symposium (USENIX Security)","author":"Jia","year":"2025"},{"key":"ref35","first-page":"2095","article-title":"FLOP: Breaking the Apple M3 CPU via False Load Output Predictions","volume-title":"USENIX Security Symposium (USENIX Security)","author":"Kim","year":"2025"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1109\/SP61157.2025.00098"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1109\/SP61157.2025.00039"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA57654.2024.00045"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00002"},{"key":"ref40","first-page":"2137","article-title":"Indirector: High-Precision Branch Target Injection Attacks Exploiting the Indirect Branch Predictor","volume-title":"USENIX Security Symposium (USENIX Security)","author":"Li","year":"2024"},{"key":"ref41","volume-title":"MDS - Microarchitectural Data Sampling","year":"2019"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1145\/237090.237173"},{"key":"ref43","first-page":"549","article-title":"ARMageddon: Cache Attacks on Mobile Devices","volume-title":"USENIX Security Symposium (USENIX Security)","author":"Lipp","year":"2016"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1109\/DAC63849.2025.11132915"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1145\/3676641.3716004"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1109\/DAC56929.2023.10247985"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA57654.2024.00014"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.43"},{"key":"ref49","volume-title":"Mbed TLS Version 3.6.2","year":"2025"},{"key":"ref50","first-page":"469","article-title":"CopyCat: Controlled Instruction-Level Attacks on Enclaves","volume-title":"USENIX Security Symposium (USENIX Security)","author":"Moghimi","year":"2020"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA61900.2025.00016"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1145\/3214292.3214293"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179391"},{"key":"ref54","first-page":"1481","article-title":"SpecFuzz: Bringing Spectre-type vulnerabilities to the surface","volume-title":"USENIX Security Symposium (USENIX Security)","author":"Oleksenko","year":"2020"},{"key":"ref55","volume-title":"Specialized Memory Disambiguation Mechanisms for Different Memory Read Access Types","author":"Olson","year":"2016"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1145\/3243176.3243208"},{"key":"ref57","first-page":"663","article-title":"Frontal Attack: Leaking Control-Flow in SGX via the CPU Frontend","volume-title":"USENIX Security Symposium (USENIX Security)","author":"Puddu","year":"2021"},{"key":"ref58","first-page":"1451","article-title":"Rage Against the Machine Clear: A Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks","volume-title":"USENIX Security Symposium (USENIX Security)","author":"Ragab","year":"2021"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3690242"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2024.24078"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1145\/3470496.3527429"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO.1998.742775"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1109\/ISCA52012.2021.00036"},{"key":"ref64","article-title":"Branch Privilege Injection: Compromising Spectre v2 Hardware Mitigations by Exploiting Branch Predictor Race Conditions","volume-title":"USENIX Security Symposium (USENIX Security)","author":"R\u00fcegge","year":"2025"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623124"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23027"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354252"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO.2006.39"},{"key":"ref69","volume-title":"Providing Load Address Predictions Using Address Prediction Tables Based on Load Path History in Processor-based Systems","author":"Sheikh","year":"2023"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243736"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA.2006.1598113"},{"key":"ref72","first-page":"989","article-title":"TLB;DR: Enhancing TLB-based Attacks with TLB Desynchronized Reverse Engineering","volume-title":"USENIX Security Symposium (USENIX Security)","author":"Tatar","year":"2022"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00087"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833570"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA.2019.00058"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-51479-1_2"},{"key":"ref77","first-page":"675","article-title":"ScatterCache: Thwarting Cache Attacks via Cache Set Randomization","volume-title":"USENIX Security Symposium (USENIX Security)","author":"Werner","year":"2019"},{"key":"ref78","first-page":"3825","article-title":"Retbleed: Arbitrary Speculative Code Execution with Return Instructions","volume-title":"USENIX Security Symposium (USENIX Security)","author":"Wikner","year":"2022"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1145\/3613424.3614275"},{"key":"ref80","volume-title":"wolfSSL Version 5.7.6-stable","year":"2025"},{"key":"ref81","first-page":"719","article-title":"FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack","volume-title":"USENIX security symposium (USENIX security)","author":"Yarom","year":"2014"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1145\/3620666.3651382"},{"key":"ref83","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179415"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2025.3525628"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.1109\/ISCA.1999.765938"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1145\/3579371.3589100"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1145\/3352460.3358274"},{"key":"ref88","first-page":"7267","article-title":"(M)WAIT for It: Bridging the Gap between Microarchitectural and Architectural Side Channels","volume-title":"USENIX Security Symposium (USENIX Security)","author":"Zhang","year":"2023"},{"key":"ref89","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-45719-2_6"},{"key":"ref90","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA57654.2024.00039"},{"key":"ref91","first-page":"7125","article-title":"Ultimate SLH: Taking Speculative Load Hardening to the Next Level","volume-title":"USENIX Security Symposium (USENIX Security)","author":"Zhang","year":"2023"},{"key":"ref92","doi-asserted-by":"publisher","DOI":"10.1145\/3676641.3715985"}],"event":{"name":"2026 IEEE International Symposium on High Performance Computer Architecture (HPCA)","location":"Sydney, Australia","start":{"date-parts":[[2026,1,31]]},"end":{"date-parts":[[2026,2,4]]}},"container-title":["2026 IEEE International Symposium on High Performance Computer Architecture (HPCA)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/11408404\/11408433\/11408465.pdf?arnumber=11408465","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,5]],"date-time":"2026-03-05T06:50:37Z","timestamp":1772693437000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11408465\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,31]]},"references-count":92,"URL":"https:\/\/doi.org\/10.1109\/hpca68181.2026.11408465","relation":{},"subject":[],"published":{"date-parts":[[2026,1,31]]}}}