Side-Channel Security

Concept WIKI v1 · 5/24/2026

Overview

Side-channel security concerns protecting systems from information leaks that arise through implementation behavior rather than through explicit functional outputs. In modern processors, these concerns include microarchitectural information leaks such as those associated with Spectre-style attacks, which may not be detected by conventional hardware fuzzing approaches focused only on functional correctness bugs.[1]

A recent line of work frames processor side-channel guarantees using hardware-software leakage contracts. These contracts specify what information a processor implementation is allowed to leak and provide a formal basis for reasoning about whether a hardware design satisfies a stated side-channel security policy.[2][1]

Hardware-Software Leakage Contracts

Hardware-software leakage contracts have emerged as a formalism for specifying side-channel security guarantees in modern processors.[2] The central idea is to define a contract between software-visible behavior and hardware implementation behavior, making it possible to state which observations are considered acceptable and which constitute leakage.

However, verifying that a complex processor design complies with such a contract remains difficult. Formal verification can provide strong guarantees, but existing approaches may struggle to scale to large or industrial-sized processor designs.[2][1]

Challenges in Verification and Testing

Side-channel security verification differs from functional correctness testing. A processor can be functionally correct while still leaking information through microarchitectural behavior. According to the cited work, common hardware fuzzing techniques are primarily designed to find functional correctness bugs and are therefore “blind” to information leaks such as Spectre.[1]

This creates a gap between:

  • Formal verification, which can provide strong guarantees but may not scale well to complex designs.[2]
  • Traditional hardware fuzzing, which scales better but typically targets functional bugs rather than security leakage.[1]

Coverage-Guided Contract Fuzzing

A proposed approach to address this gap is coverage-guided hardware-software contract fuzzing.[2] This method uses a self-compositional framework to make information leakage observable as divergence in microarchitectural state.[2][1]

The approach introduces a security-oriented coverage metric called Self-Composition Deviation (SCD). SCD guides the fuzzer toward execution paths that violate the leakage contract, rather than merely increasing conventional functional coverage.[2][1]

Self-Composition Deviation

Self-Composition Deviation is a coverage metric designed specifically for side-channel security testing. In the cited work, it is used to guide fuzzing toward microarchitectural state divergence, which is treated as an observable indicator of potential information leakage under the contract model.[2]

Unlike traditional coverage metrics, which generally measure how much code or hardware state space has been exercised, SCD is security-oriented: it prioritizes behaviors that may expose violations of a leakage contract.[1]
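
The self-composition check and a deviation score can be sketched on a toy model. This is an added example, not code from the cited paper or its tooling: the one-branch core, the 4-line cache, the contract (branch outcome plus committed load addresses), and the deviation count (number of differing cache valid bits) are all assumptions standing in for the real design and for SCD.

```python
CACHE_LINES = 4  # toy direct-mapped cache, constructed for this example

def run(public_idx, secret, speculate):
    """Run `if idx < 1: touch cache line mem[idx]` on a toy core.

    Returns (contract_trace, cache_state). The assumed contract allows the
    branch outcome and the addresses of committed loads to leak.
    """
    memory = [0, secret]              # memory[1] lies past the 1-entry table
    cache = [False] * CACHE_LINES
    in_bounds = public_idx < 1
    trace = [("branch", in_bounds)]
    if in_bounds:
        line = memory[public_idx] % CACHE_LINES
        trace += [("load", public_idx), ("load", line)]
        cache[line] = True            # committed, so it appears in the trace
    elif speculate:
        # Transient load on the mispredicted path: it is squashed and never
        # reaches the contract trace, but the cache fill persists.
        cache[memory[public_idx] % CACHE_LINES] = True
    return trace, cache

def self_compose(public_idx, secret_a, secret_b, speculate):
    """Run two copies differing only in the secret; return (violation, deviation)."""
    trace_a, state_a = run(public_idx, secret_a, speculate)
    trace_b, state_b = run(public_idx, secret_b, speculate)
    # Toy deviation score: how many cache valid bits differ between the copies.
    deviation = sum(x != y for x, y in zip(state_a, state_b))
    # Contract-equal runs must be indistinguishable in microarchitectural state.
    violation = trace_a == trace_b and deviation > 0
    return violation, deviation

if __name__ == "__main__":
    for spec in (False, True):
        print("speculation", spec, self_compose(1, 1, 2, spec))
```

Secrets that map to the same cache line (for example 1 and 5 here) produce zero deviation even on the speculating core, which is why a single input pair is not enough and a fuzzer benefits from a metric that rewards growing divergence.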

Evaluation on Open-Source RISC-V Cores

The coverage-guided contract fuzzing approach was evaluated on two open-source RISC-V cores:

  • Rocket Core, an in-order RISC-V core.[2]
  • BOOM, a more complex out-of-order RISC-V core.[2]

The evaluation found that coverage-guided strategies outperformed unguided fuzzing. It also reported that increased microarchitectural coverage led to faster discovery of security vulnerabilities in the BOOM core.[2][1]

Significance

Side-channel security for processors requires methods that can detect leaks not visible through architectural correctness alone. Leakage contracts provide a way to specify processor security guarantees, while contract-aware fuzzing offers a scalable testing strategy for finding violations in complex designs.[2]

The cited work is significant because it connects formal leakage-contract reasoning with practical fuzzing techniques, aiming to make side-channel leakage directly observable during pre-silicon processor testing.[1]

References

[1]: arXiv page for “Coverage-Guided Pre-Silicon Fuzzing of Open-Source Processors based on Leakage Contracts,” including abstract, subject classification in Cryptography and Security, DOI 10.48550/arXiv.2511.08443, and description of leakage contracts, Spectre-style information leaks, fuzzing limitations, SCD, and RISC-V evaluation.

[2]: Gideon Geier, Pariya Hajipour, and Jan Reineke, “Coverage-Guided Pre-Silicon Fuzzing of Open-Source Processors based on Leakage Contracts,” arXiv:2511.08443, 2025. Abstract and metadata state that hardware-software leakage contracts specify side-channel security guarantees, and describe coverage-guided contract fuzzing, self-composition, Self-Composition Deviation, and evaluation on Rocket Core and BOOM.