MIPSBLEED exposes timing leaks in embedded MIPS processors with SMT

Researchers from the Rochester Institute of Technology have published a paper exposing how Simultaneous Multithreading (SMT), a feature increasingly adopted in embedded MIPS processors to boost performance, creates powerful cross-core timing channels that can leak sensitive information.

The paper, titled MIPSBLEED: Uncovering Microarchitectural Timing Leaks in Pervasive Embedded Processors and authored by Ahmed Najeeb and Billy Bob Brumley, introduces a systematic analysis and exploitation framework that uncovers leakage in three shared microarchitectural components: the L1 data cache, the L1 instruction cache, and the execution engine.

MIPS processors have historically been single-core, single-thread designs, making them resistant to the kind of cross-core side-channel attacks that have plagued x86 and ARM chips for years. That is changing as manufacturers add SMT to embedded MIPS cores to improve throughput.

MIPSBLEED exploits the fact that when two threads share a physical core, they also share its cache hierarchy and execution units. By carefully timing its own accesses to these shared resources, an attacker thread can infer what a victim thread is doing. The paper describes the channel as cross-core: a malicious process scheduled on one logical core can extract data from a process on another logical core that belongs to the same physical core.

The researchers demonstrated that the timing channels are reliable enough to leak cryptographic keys and other sensitive data from co-located processes.

Why this matters

Embedded MIPS processors are everywhere. They power routers, IoT devices, industrial controllers, and consumer electronics. Many of these devices handle encryption, authentication, or private data, which is precisely the kind of information that side-channel attacks are designed to extract.

The paper notes that SMT is being added to embedded MIPS chips specifically to improve performance in networking and edge-computing applications. But the security implications were not fully understood until now. The MIPSBLEED framework provides both a method for detecting these vulnerabilities and a proof-of-concept for exploiting them.

Mitigations

The researchers suggest several possible mitigations: cache partitioning between threads, randomising cache timing behaviour, or disabling SMT entirely in security-critical contexts. Each comes with performance trade-offs that embedded system designers will need to evaluate against their threat models.
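To make the mechanism behind the shared-cache leak and the cache-partitioning mitigation concrete, here is a small simulation. It is an added illustration written for this page, not code from the MIPSBLEED paper or its authors, and it models a toy L1 data cache rather than any real MIPS core: eight sets of two ways with LRU replacement, a "victim" thread whose table lookup is selected by a secret value, and a "probe" thread on the same core that fills the cache, lets the victim run, and counts which of its own lines were evicted. All addresses, sizes and the secret are constructed sample values. With the cache shared, the evicted set index reveals the low bits of the secret; with the ways partitioned per thread, the same probe sees nothing.

```python
# Added illustration (not code from the MIPSBLEED paper): a toy model of an
# L1 data cache shared by two SMT threads, showing (a) why a victim's
# secret-dependent memory access becomes visible to a co-resident probe thread
# and (b) why way-partitioning the cache between threads closes that channel.
# All addresses, sizes and the "secret" below are constructed sample values.

NUM_SETS = 8     # toy cache: 8 sets ...
NUM_WAYS = 2     # ... of 2 ways each, LRU replacement within a set

VICTIM, PROBE = "victim", "probe"


class SharedL1:
    """Set-associative cache with LRU replacement, optionally way-partitioned."""

    def __init__(self, partitioned=False):
        self.partitioned = partitioned
        # Each set is a list of (owner, tag) entries, least recently used first.
        self.sets = [[] for _ in range(NUM_SETS)]

    def ways_for(self, owner):
        # Partitioned: each hardware thread owns half the ways of every set.
        # Shared: the whole set is contended between the two threads.
        return NUM_WAYS // 2 if self.partitioned else NUM_WAYS

    def access(self, owner, addr):
        """Touch one cache line; return True on a hit, False on a miss."""
        idx, tag = addr % NUM_SETS, addr // NUM_SETS
        lines = self.sets[idx]
        entry = (owner, tag)
        if entry in lines:
            lines.remove(entry)
            lines.append(entry)          # move to the MRU position
            return True
        if self.partitioned:
            mine = [e for e in lines if e[0] == owner]
            if len(mine) >= self.ways_for(owner):
                lines.remove(mine[0])    # evict only this thread's own LRU line
        elif len(lines) >= NUM_WAYS:
            lines.pop(0)                 # evict the global LRU line, whoever owns it
        lines.append(entry)
        return False


def probe_addresses(cache):
    """One private probe address per set for each way the probe may occupy."""
    ways = cache.ways_for(PROBE)
    # 0x1000 is a multiple of NUM_SETS, so address 0x1000 + s + w*NUM_SETS maps to set s.
    return {s: [0x1000 + s + w * NUM_SETS for w in range(ways)] for s in range(NUM_SETS)}


def victim_lookup(cache, secret):
    """Secret-dependent table lookup: which line is touched depends on the secret."""
    table_base = 0x2000   # constructed victim table address, disjoint from the probe's
    cache.access(VICTIM, table_base + (secret % NUM_SETS))


def prime_probe(cache, secret):
    """Fill every set, let the victim run once, then re-touch and count misses per set."""
    addrs = probe_addresses(cache)
    for s in range(NUM_SETS):
        for a in addrs[s]:
            cache.access(PROBE, a)       # prime: occupy the ways available to us
    victim_lookup(cache, secret)         # the victim's access evicts (or not)
    return {s: sum(not cache.access(PROBE, a) for a in addrs[s]) for s in range(NUM_SETS)}


def infer_secret_bits(partitioned, secret):
    """Return the single set index the probe saw evicted (low bits of the secret),
    or None when no set shows eviction, i.e. the channel is closed."""
    misses = prime_probe(SharedL1(partitioned), secret)
    evicted = [s for s, n in misses.items() if n > 0]
    return evicted[0] if len(evicted) == 1 else None


if __name__ == "__main__":
    for part in (False, True):
        label = "partitioned" if part else "shared"
        print(f"{label:12s} cache, secret=13 -> probe infers set {infer_secret_bits(part, 13)}")
```

The model deliberately omits timing noise and the instruction-cache and execution-engine channels the paper also covers; its point is only that the leak comes from contention for the same ways, which is exactly what partitioning removes, and why the paper lists it alongside randomised timing and disabling SMT as a trade-off against performance.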

The paper is published on arXiv under DOI 10.48550/arXiv.2606.16372 and is scheduled for peer-reviewed presentation.


Sources: Semiconductor Engineering (June 22); arXiv:2606.16372