{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:22:05Z","timestamp":1766442125869,"version":"3.48.0"},"publisher-location":"New York, NY, USA","reference-count":83,"publisher":"ACM","funder":[{"DOI":"10.13039\/100000028","name":"Semiconductor Research Corporation","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100000028","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100006785","name":"Google","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100006785","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,11,19]]},"DOI":"10.1145\/3719027.3765141","type":"proceedings-article","created":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T23:33:16Z","timestamp":1763854396000},"page":"3326-3340","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["RISC\n                    <scp>over<\/scp>\n                    : Automatic Discovery of User-exploitable Architectural Security Vulnerabilities in Closed-Source RISC-V CPUs"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0008-8029-0621","authenticated-orcid":false,"given":"Fabian","family":"Thomas","sequence":"first","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Saarland, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-1608-0957","authenticated-orcid":false,"given":"Eric Garc\u00eda","family":"Arribas","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Saarland, 
Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-1201-0299","authenticated-orcid":false,"given":"Lorenz","family":"Hetterich","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Saarland, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-0213-5773","authenticated-orcid":false,"given":"Daniel","family":"Weber","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Saarland, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-6684-2035","authenticated-orcid":false,"given":"Lukas","family":"Gerlach","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Saarland, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-9094-6412","authenticated-orcid":false,"given":"Ruiyi","family":"Zhang","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Saarland, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6744-3410","authenticated-orcid":false,"given":"Michael","family":"Schwarz","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Saarland, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,11,22]]},"reference":[{"key":"e_1_3_2_2_1_1","unstructured":"2015. CVE-2015-5307. https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2015-5307 CVE-2015- 5307."},{"key":"e_1_3_2_2_2_1","unstructured":"2015. CVE-2015-8104. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE- 2015-8104 CVE-2015-8104."},{"key":"e_1_3_2_2_3_1","unstructured":"2018. CVE-2018-12207. 
https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-12207 CVE- 2018-12207."},{"key":"e_1_3_2_2_4_1","unstructured":"2021. CVE-2021-26339. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE- 2021-26339 CVE-2021-26339."},{"key":"e_1_3_2_2_5_1","unstructured":"Arm. 2016. System Validation at ARM: Enabling Our Partners to Build Better Systems."},{"key":"e_1_3_2_2_6_1","unstructured":"Krste Asanovic Rimas Avizienis Jonathan Bachrach Scott Beamer David Biancolin Christopher Celio Henry Cook Daniel Dabbelt John Hauser Adam Izraelevitz et al. 2016. The rocket chip generator. EECS Berkley (2016)."},{"key":"e_1_3_2_2_7_1","unstructured":"Olaf Bernstein. 2023. rvv-bench: RISC-V Vector benchmark. https:\/\/github.com\/camel-cdr\/rvv-bench"},{"key":"e_1_3_2_2_8_1","volume-title":"Encarsia: Evaluating CPU Fuzzers via Automatic Bug Injection. In USENIX Security.","author":"B\u00f6lcskei Matej","year":"2025","unstructured":"Matej B\u00f6lcskei, Flavien Solt, Katharina Ceesay-Seitz, and Kaveh Razavi. 2025. Encarsia: Evaluating CPU Fuzzers via Automatic Bug Injection. In USENIX Security."},{"key":"e_1_3_2_2_9_1","doi-asserted-by":"crossref","unstructured":"Pietro Borrello Catherine Easdon Martin Schwarzl Roland Czerny and Michael Schwarz. 2023. CustomProcessingUnit: Reverse Engineering and Customization of Intel Microcode. In WOOT.","DOI":"10.1109\/SPW59333.2023.00031"},{"key":"e_1_3_2_2_10_1","unstructured":"Pietro Borrello Andreas Kogler Martin Schwarzl Moritz Lipp Daniel Gruss and Michael Schwarz. 2022. \u00c6PIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture. In USENIX Security."},{"key":"e_1_3_2_2_11_1","volume-title":"Michael Schwarz, Moritz Lipp, Benjamin von","author":"Canella Claudio","year":"2019","unstructured":"Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin, and Daniel Gruss. 2019. A Systematic Evaluation of Transient Execution Attacks and Defenses. 
In USENIX Security. Extended classification tree and PoCs at https:\/\/transient.fail\/.."},{"key":"e_1_3_2_2_12_1","unstructured":"Christopher Celio David A. Patterson and Krste Asanovi\u0107. 2015. The Berkeley Out-of-Order Machine (BOOM): An Industry-Competitive Synthesizable Parameterized RISC-V Processor. Technical Report."},{"key":"e_1_3_2_2_13_1","volume-title":"Shesha: Multi-head Microarchitectural Leakage Discovery in new-generation Intel Processors. arXiv preprint","author":"Chakraborty Anirban","year":"2024","unstructured":"Anirban Chakraborty, Nimish Mishra, and Debdeep Mukhopadhyay. 2024. Shesha: Multi-head Microarchitectural Leakage Discovery in new-generation Intel Processors. arXiv preprint (2024)."},{"key":"e_1_3_2_2_14_1","unstructured":"CHIPS Alliance. 2023. riscv-dv. https:\/\/github.com\/chipsalliance\/riscv-dv"},{"key":"e_1_3_2_2_15_1","unstructured":"Robert R. Collins. 1998. The Pentium F00F Bug. http:\/\/www.rcollins.org\/ddj\/May98\/F00FBug.html"},{"key":"e_1_3_2_2_16_1","volume-title":"Phantom Trails: Practical Pre-Silicon Discovery of Transient Data Leaks. In USENIX Security.","author":"de Faveri Tron Alvise","year":"2025","unstructured":"Alvise de Faveri Tron, Raphael Isemann, Hany Ragab, Cristiano Giuffrida, Klaus von Gleissenthall, and Herbert Bos. 2025. Phantom Trails: Practical Pre-Silicon Discovery of Transient Data Leaks. In USENIX Security."},{"key":"e_1_3_2_2_17_1","volume-title":"Conjunct: Learning inductive invariants to prove unbounded instruction safety against microarchitectural timing attacks. In S&P.","author":"Dinesh Sushant","year":"2024","unstructured":"Sushant Dinesh, Madhusudan Parthasarathy, and Christopher W Fletcher. 2024. Conjunct: Learning inductive invariants to prove unbounded instruction safety against microarchitectural timing attacks. In S&P."},{"key":"e_1_3_2_2_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN48063.2020.00047"},{"key":"e_1_3_2_2_19_1","volume-title":"Hardware Backdoors in x86 CPUs. 
Black Hat US","author":"Domas Christopher","year":"2018","unstructured":"Christopher Domas. 2018. Hardware Backdoors in x86 CPUs. Black Hat US (2018)."},{"key":"e_1_3_2_2_20_1","unstructured":"RISC-V Foundation. 2019. RISC-V ''V'' Vector Extension 0.7.1. https:\/\/github.com\/riscv\/riscv-v-spec\/releases\/tag\/0.7.1"},{"key":"e_1_3_2_2_21_1","unstructured":"RISC-V Foundation. 2021a. RISC-V ''V'' Vector Extension 1.0. https:\/\/wiki.riscv.org\/display\/HOME\/RatifiedExtensions"},{"key":"e_1_3_2_2_22_1","unstructured":"RISC-V Foundation. 2021b. RISC-V ''Zfh'' and ''Zfhmin'' Standard Extensions for Half-Precision Floating-Point Version 1.0. https:\/\/wiki.riscv.org\/display\/HOME\/RecentlyRatifiedExtensions"},{"key":"e_1_3_2_2_23_1","unstructured":"RISC-V Foundation. 2022. riscv-opcodes. https:\/\/github.com\/riscv\/riscv-opcodes"},{"key":"e_1_3_2_2_24_1","unstructured":"RISC-V Foundation. 2023. RISC-V Architecture Test SIG. https:\/\/github.com\/riscv-non-isa\/riscv-arch-test"},{"key":"e_1_3_2_2_25_1","unstructured":"Mike Frysinger. 2024. vdso(7) \u2014 Linux manual page."},{"key":"e_1_3_2_2_26_1","unstructured":"GCC Team. 2024. GCC 14 Release Series - Changes New Features and Fixes. https:\/\/gcc.gnu.org\/gcc-14\/changes.html Retrieved 2024-09-20."},{"key":"e_1_3_2_2_27_1","doi-asserted-by":"crossref","unstructured":"Lukas Gerlach Daniel Weber Ruiyi Zhang and Michael Schwarz. 2023. A Security RISC: Microarchitectural Attacks on Hardware RISC-V CPUs. In S&P.","DOI":"10.1109\/SP46215.2023.10179399"},{"key":"e_1_3_2_2_28_1","volume-title":"Introspectre: A pre-silicon framework for discovery and analysis of transient execution vulnerabilities. In ISCA.","author":"Ghaniyoun Moein","year":"2021","unstructured":"Moein Ghaniyoun, Kristin Barber, Yinqian Zhang, and Radu Teodorescu. 2021. Introspectre: A pre-silicon framework for discovery and analysis of transient execution vulnerabilities. 
In ISCA."},{"key":"e_1_3_2_2_29_1","doi-asserted-by":"crossref","unstructured":"Ben Gras Cristiano Giuffrida Michael Kurth Herbert Bos and Kaveh Razavi. 2020. ABSynthe: Automatic Blackbox Side-channel Synthesis on Commodity Microarchitectures. In NDSS.","DOI":"10.14722\/ndss.2020.23018"},{"key":"e_1_3_2_2_30_1","unstructured":"Jana Hofmann Emanuele Vannacci C\u00e9dric Fournet Boris K\u00f6pf and Oleksii Oleksenko. 2023. Speculation at Fault: Modeling and Testing Microarchitectural Leakage of CPU Exceptions. In USENIX Security."},{"key":"e_1_3_2_2_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/TEST.2010.5699215"},{"key":"e_1_3_2_2_32_1","doi-asserted-by":"crossref","unstructured":"Yao Hsiao Nikos Nikoleris Artem Khyzha Dominic P Mulligan Gustavo Petri Christopher W Fletcher and Caroline Trippel. 2024. RTL2M\u03bcPATH: Multi-\u03bcPATH Synthesis with Applications to Hardware Security Verification. In MICRO.","DOI":"10.1109\/MICRO61859.2024.00045"},{"key":"e_1_3_2_2_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560578"},{"key":"e_1_3_2_2_34_1","volume-title":"Difuzzrtl: Differential fuzz testing to find cpu bugs. In S&P.","author":"Hur Jaewon","year":"2021","unstructured":"Jaewon Hur, Suhwan Song, Dongup Kwon, Eunjin Baek, Jangwoo Kim, and Byoungyoung Lee. 2021. Difuzzrtl: Differential fuzz testing to find cpu bugs. In S&P."},{"key":"e_1_3_2_2_35_1","unstructured":"RISC-V International. 2024. Spike RISC-V ISA Simulator. https:\/\/github.com\/riscv-software-src\/riscv-isa-sim"},{"key":"e_1_3_2_2_36_1","volume-title":"EXAMINER: Automatically locating inconsistent instructions between real devices and CPU emulators for ARM. In ASPLOS.","author":"Jiang Muhui","year":"2022","unstructured":"Muhui Jiang, Tianyi Xu, Yajin Zhou, Yufeng Hu, Ming Zhong, Lei Wu, Xiapu Luo, and Kui Ren. 2022. EXAMINER: Automatically locating inconsistent instructions between real devices and CPU emulators for ARM. 
In ASPLOS."},{"key":"e_1_3_2_2_37_1","unstructured":"joopdehoop. 2023. Firmware update for 'Chinese' F133 head unit. https:\/\/www.reddit.com\/r\/CarAV\/comments\/18ivjsg\/firmware_update_for_chinese_f133_head_unit\/"},{"key":"e_1_3_2_2_38_1","doi-asserted-by":"crossref","unstructured":"Nursultan Kabylkas Tommy Thorn Shreesha Srinath Polychronis Xekalakis and Jose Renau. 2021. Effective processor verification with logic fuzzer enhanced co-simulation. In MICRO.","DOI":"10.1145\/3466752.3480092"},{"key":"e_1_3_2_2_39_1","volume-title":"TheHuzz: Instruction Fuzzing of Processors Using Golden-Reference Models for Finding Software-Exploitable Vulnerabilities. In USENIX Security Symposium.","author":"Kande Rahul","year":"2022","unstructured":"Rahul Kande, Addison Crump, Garrett Persyn, Patrick Jauernig, Ahmad-Reza Sadeghi, Aakash Tyagi, and Jeyavijayan Rajendran. 2022. TheHuzz: Instruction Fuzzing of Processors Using Golden-Reference Models for Finding Software-Exploitable Vulnerabilities. In USENIX Security Symposium."},{"key":"e_1_3_2_2_40_1","unstructured":"Kelly Le. 2024. Alibaba's Damo Academy plans to launch latest version of its XuanTie RISC-V processor this year. https:\/\/www.scmp.com\/tech\/big-tech\/article\/3255830\/alibabas-damo-academy-plans-launch-latest-version-its-xuantie-risc-v-processor-year Retrieved 2024-09-10."},{"key":"e_1_3_2_2_41_1","volume-title":"Spectre Attacks: Exploiting Speculative Execution. In S&P.","author":"Kocher Paul","year":"2019","unstructured":"Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom. 2019. Spectre Attacks: Exploiting Speculative Execution. In S&P."},{"key":"e_1_3_2_2_42_1","doi-asserted-by":"crossref","unstructured":"Paul C. Kocher. 1996. Timing Attacks on Implementations of Diffie-Hellman RSA DSS and Other Systems. 
In CRYPTO.","DOI":"10.1007\/3-540-68697-5_9"},{"key":"e_1_3_2_2_43_1","doi-asserted-by":"crossref","unstructured":"Kevin Laeufer Vighnesh Iyer David Biancolin Jonathan Bachrach Borivoje Nikoli\u0107 and Koushik Sen. 2023. Simulator independent coverage for RTL hardware languages. In ASPLOS.","DOI":"10.1145\/3582016.3582019"},{"key":"e_1_3_2_2_44_1","volume-title":"Meltdown: Reading Kernel Memory from User Space. In USENIX Security.","author":"Lipp Moritz","year":"2018","unstructured":"Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. 2018. Meltdown: Reading Kernel Memory from User Space. In USENIX Security."},{"key":"e_1_3_2_2_45_1","unstructured":"William M McKeeman. 1998. Differential testing for software. (1998)."},{"key":"e_1_3_2_2_46_1","unstructured":"Milk-V. 2023. Milk-V Pioneer. https:\/\/milkv.io\/pioneer"},{"key":"e_1_3_2_2_47_1","volume-title":"USENIX Security Symposium.","author":"Moghimi Daniel","year":"2020","unstructured":"Daniel Moghimi, Moritz Lipp, Berk Sunar, and Michael Schwarz. 2020. Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis. In USENIX Security Symposium."},{"key":"e_1_3_2_2_48_1","volume-title":"Daniel Gruss, and Frank Piessens.","author":"Murdock Kit","year":"2020","unstructured":"Kit Murdock, David Oswald, Flavio D. Garcia, Jo Van Bulck, Daniel Gruss, and Frank Piessens. 2020. Plundervolt: Software-based Fault Injection Attacks against Intel SGX. In S&P."},{"key":"e_1_3_2_2_49_1","volume":"200","author":"Oh Nahmsuk","unstructured":"Nahmsuk Oh, Philip P Shirvani, and Edward J McCluskey. 2002. Error detection by duplicated instructions in super-scalar processors. 
In IEEE Transactions on Reliability.","journal-title":"Edward J McCluskey."},{"key":"e_1_3_2_2_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/3503222.3507729"},{"volume-title":"Hide and Seek with Spectres: Efficient discovery of speculative information leaks with random testing","author":"Oleksenko Oleksii","key":"e_1_3_2_2_51_1","unstructured":"Oleksii Oleksenko, Marco Guarnieri, Boris K\u00f6pf, and Mark Silberstein. 2023. Hide and Seek with Spectres: Efficient discovery of speculative information leaks with random testing. In IEEE S&P."},{"key":"e_1_3_2_2_52_1","unstructured":"Tavis Ormandy. 2023a. Reptar. https:\/\/lock.cmpxchg8b.com\/reptar.html"},{"key":"e_1_3_2_2_53_1","unstructured":"Tavis Ormandy. 2023b. Zenbleed. https:\/\/lock.cmpxchg8b.com\/zenbleed.html"},{"key":"e_1_3_2_2_54_1","unstructured":"Shisong Qin Chao Zhang Kaixiang Chen and Zheming Li. 2021. iDEV: Exploring and exploiting semantic deviations in ARM instruction processing. In ISSTA."},{"key":"e_1_3_2_2_55_1","unstructured":"Pengfei Qiu Dongsheng Wang Yongqiang Lyu and Gang Qu. 2019. VoltJockey: Breaking SGX by Software-Controlled Voltage-Induced Hardware Faults. In AsianHOST."},{"key":"e_1_3_2_2_56_1","unstructured":"Scaleway. 2024. The world's first RISC-V servers available in the cloud. https:\/\/labs.scaleway.com\/en\/em-rv1\/"},{"key":"e_1_3_2_2_57_1","volume-title":"Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing. In USENIX Security.","author":"Scharnowski Tobias","year":"2022","unstructured":"Tobias Scharnowski, Nils Bars, Moritz Schloegel, Eric Gustafson, Marius Muench, Giovanni Vigna, Christopher Kruegel, Thorsten Holz, and Ali Abbasi. 2022. Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing. In USENIX Security."},{"key":"e_1_3_2_2_58_1","unstructured":"Mark Seaborn. 2015. Exploiting the DRAM rowhammer bug to gain kernel privileges. 
http:\/\/googleprojectzero.blogspot.com\/2015\/03\/exploiting-dram-rowhammer-bug-to-gain.html Retrieved on June 26 2015."},{"key":"e_1_3_2_2_59_1","volume-title":"Silifuzz: Fuzzing cpus by proxy. arXiv:2110.11519","author":"Serebryany Kostya","year":"2021","unstructured":"Kostya Serebryany, Maxim Lifantsev, Konstantin Shtoyk, Doug Kwan, and Peter Hochschild. 2021. Silifuzz: Fuzzing cpus by proxy. arXiv:2110.11519 (2021)."},{"key":"e_1_3_2_2_60_1","unstructured":"Agam Shah. 2023. China Deploys Massive RISC-V Server in Commercial Cloud. https:\/\/www.hpcwire.com\/2023\/11\/08\/china-deploys-massive-risc-v-server-in-commercial-cloud\/"},{"key":"e_1_3_2_2_61_1","unstructured":"SiFive. 2021. https:\/\/starfivetech.com\/uploads\/u54_core_complex_manual_21G1.pdf"},{"key":"e_1_3_2_2_62_1","unstructured":"SiFive. 2022. HF105 Datasheet. https:\/\/sifive.cdn.prismic.io\/sifive\/d0556df9-55c6-47a8-b0f2-4b1521546543_hifive-unmatched-datasheet.pdf"},{"key":"e_1_3_2_2_63_1","unstructured":"SiFive. 2024. HF106 Datasheet. https:\/\/www.sifive.com\/document-file\/hifive-premier-p550-datasheet"},{"key":"e_1_3_2_2_64_1","unstructured":"Sipeed. 2021. Sipeed Wiki. https:\/\/wiki.sipeed.com\/en\/index.html"},{"key":"e_1_3_2_2_65_1","unstructured":"Sipeed. 2022. RISC-V 64bit chip (C910) run Android 10. https:\/\/twitter.com\/SipeedIO\/status\/1457529282134089734"},{"key":"e_1_3_2_2_66_1","unstructured":"Sipeed. 2023. Lichee Console 4A. https:\/\/sipeed.com\/licheepi4a"},{"key":"e_1_3_2_2_67_1","volume-title":"Cascade: CPU Fuzzing via Intricate Program Generation. In USENIX Security.","author":"Solt Flavien","year":"2024","unstructured":"Flavien Solt, Katharina Ceesay-Seitz, and Kaveh Razavi. 2024. Cascade: CPU Fuzzing via Intricate Program Generation. In USENIX Security."},{"key":"e_1_3_2_2_68_1","unstructured":"SpacemiT. 2024. SpacemiT Key Stone K1. 
https:\/\/www.spacemit.com\/en\/key-stone-k1\/"},{"key":"e_1_3_2_2_69_1","doi-asserted-by":"crossref","unstructured":"Fredrik Strupe and Rakesh Kumar. 2020. Uncovering hidden instructions in Armv8-A implementations. In HASP.","DOI":"10.1145\/3458903.3458906"},{"key":"e_1_3_2_2_70_1","unstructured":"T-Head. 2021. openC910. https:\/\/github.com\/T-head-Semi\/openc910"},{"key":"e_1_3_2_2_71_1","unstructured":"T-Head. 2022a. C906. https:\/\/www.t-head.cn\/product\/c906"},{"key":"e_1_3_2_2_72_1","unstructured":"T-Head. 2022b. T-Head Extension Spec. https:\/\/github.com\/T-head-Semi\/thead-extension-spec"},{"key":"e_1_3_2_2_73_1","doi-asserted-by":"crossref","unstructured":"Fabian Thomas Michael Torres Daniel Moghimi and Michael Schwarz. 2025. ExfilState: Automated Discovery of Timer-Free Cache Side Channels on ARM CPUs. In CCS.","DOI":"10.1145\/3719027.3765061"},{"key":"e_1_3_2_2_74_1","volume-title":"\u03bcRL: Discovering Transient Execution Vulnerabilities Using Reinforcement Learning. arXiv preprint arXiv:2502.14307","author":"Tol M Caner","year":"2025","unstructured":"M Caner Tol, Kemal Derya, and Berk Sunar. 2025. \u03bcRL: Discovering Transient Execution Vulnerabilities Using Reinforcement Learning. arXiv preprint arXiv:2502.14307 (2025)."},{"key":"e_1_3_2_2_75_1","volume-title":"Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution. In USENIX Security.","author":"Bulck Jo Van","year":"2018","unstructured":"Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F. Wenisch, Yuval Yarom, and Raoul Strackx. 2018. Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution. In USENIX Security."},{"key":"e_1_3_2_2_76_1","doi-asserted-by":"crossref","unstructured":"Zilong Wang Gideon Mohr Klaus von Gleissenthall Jan Reineke and Marco Guarnieri. 2023. 
Specification and verification of side-channel security for open-source processors via leakage contracts. In CCS.","DOI":"10.1145\/3576915.3623192"},{"volume-title":"Unprivileged ISA, Version 20191213.","author":"Waterman Andrew","key":"e_1_3_2_2_77_1","unstructured":"Andrew Waterman and Krste Asanovi\u0107. 2019. The RISC-V Instruction Set Manual, Vol. I: Unprivileged ISA, Version 20191213."},{"key":"e_1_3_2_2_78_1","unstructured":"Andrew Waterman Krste Asanovi\u0107 and John Hauser. 2021. The RISC-V Instruction Set Manual Volume II: Privileged Architecture Document Version 20211203."},{"key":"e_1_3_2_2_79_1","volume-title":"The RISC-V compressed instruction set manual, version 1.7. EECS Department","author":"Waterman Andrew","year":"2015","unstructured":"Andrew Waterman, Yunsup Lee, David A Patterson, and Krste Asanovi\u0107. 2015. The RISC-V compressed instruction set manual, version 1.7. EECS Department, University of California, Berkeley (2015)."},{"key":"e_1_3_2_2_80_1","volume-title":"Osiris: Automated Discovery of Microarchitectural Side Channels. In USENIX Security.","author":"Weber Daniel","year":"2021","unstructured":"Daniel Weber, Ahmad Ibrahim, Hamed Nemati, Michael Schwarz, and Christian Rossow. 2021. Osiris: Automated Discovery of Microarchitectural Side Channels. In USENIX Security."},{"key":"e_1_3_2_2_81_1","unstructured":"Xcalibyte. 2022. Roma Laptop Pre-order. https:\/\/xcalibyte.com.cn\/en\/roma-preorder\/"},{"key":"e_1_3_2_2_82_1","unstructured":"Jinyan Xu Yiyuan Liu Sirui He Haoran Lin Yajin Zhou and Cong Wang. 2023. MorFuzz: Fuzzing processor via runtime instruction morphing enhanced synchronizable co-simulation. In USENIX Security."},{"key":"e_1_3_2_2_83_1","unstructured":"Ruiyi Zhang Lukas Gerlach Daniel Weber Lorenz Hetterich Youheng L\u00fc Andreas Kogler and Michael Schwarz. 2024. CacheWarp: Software-based Fault Injection using Selective State Reset. 
In USENIX Security."}],"event":{"name":"CCS '25: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Taipei Taiwan","acronym":"CCS '25"},"container-title":["Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3765141","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:18:10Z","timestamp":1766441890000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3719027.3765141"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,19]]},"references-count":83,"alternative-id":["10.1145\/3719027.3765141","10.1145\/3719027"],"URL":"https:\/\/doi.org\/10.1145\/3719027.3765141","relation":{},"subject":[],"published":{"date-parts":[[2025,11,19]]},"assertion":[{"value":"2025-11-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}