pith. sign in

arxiv: 2605.17406 · v1 · pith:JTJYE2J7new · submitted 2026-05-17 · 💻 cs.CR

Rethinking Side-Channel Analysis: Automated Discovery and Analysis of Side-Channel Leakage with LLM-Assisted Agents

Zhen Xu , Zihao Wang , Yuhua Sun , XiaoFeng Wang This is my paper

Pith reviewed 2026-05-19 23:31 UTC · model grok-4.3

classification 💻 cs.CR
keywords side-channel analysisautomated discoveryLLM agentssystem explorationfew-shot learningiOS securityinformation leakage
0
0 comments X

The pith

SCAgent automates discovery of side-channel leaks by using LLM agents to explore sensitive events and verify channels without manual targets or large datasets.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents SCAgent as a framework to automate side-channel risk analysis in complex systems. It employs agent-driven exploration guided by LLM semantic reasoning to identify sensitive targets beyond predefined events. The approach reasons over system documentation with explicit verification steps to discover feasible channels while addressing hallucination risks. Scalable analysis is enabled through few-shot learning on foundation models paired with a time-shift-robust feature extraction layer that handles raw signals for tabular models. The method is evaluated on iOS for OS-level channels observable by unprivileged apps, covering both standard benchmarks and new in-app activities.

Core claim

SCAgent is an automated framework for side-channel risk analysis. To identify sensitive targets beyond manually specified events, SCAgent performs agent-driven system exploration guided by LLM-based semantic reasoning. To systematically discover side channels while mitigating the risk of LLM hallucination, it reasons over system documentation and incorporates explicit verification to enforce semantic consistency, threat-model feasibility, and per-channel usability. To enable scalable analysis under limited data, SCAgent adopts a few-shot learning paradigm based on foundation models, avoiding the need to train bespoke models for each channel-event pair, and introduces a time-shift-robust fea

What carries the argument

SCAgent framework with LLM-assisted agents for system exploration, documentation-based reasoning with verification, few-shot learning on foundation models, and time-shift-robust feature extraction layer.

Load-bearing premise

LLM semantic reasoning combined with explicit verification over system documentation can reliably identify feasible side channels and mitigate hallucination risks sufficiently for practical use.

What would settle it

A controlled test where SCAgent identifies a channel as feasible but subsequent measurement shows no measurable information leakage for the claimed event.

Figures

Figures reproduced from arXiv: 2605.17406 by Xiaofeng Wang, Yuhua Sun, Zhen Xu, Zihao Wang.

Figure 1
Figure 1. Figure 1: Identified sensitive in-app activities. Sub-figure (a) shows the Trip app, where travel-related options are directly accessible from the home screen (highlighted by red boxes). By identifying clicks on these options, an attacker can infer users’ travel-related activities. Sub-figures (b) and (c) illustrate the TikTok app, where users first tap the “Add” button in (b) and then select a template in (c). The … view at source ↗
Figure 2
Figure 2. Figure 2: Impact of the dataset size collected in SCAgent. [PITH_FULL_IMAGE:figures/full_fig_p011_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Performance of SCAgent against frequency reduction. [PITH_FULL_IMAGE:figures/full_fig_p012_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Performance of SCAgent against gaussian noise. [PITH_FULL_IMAGE:figures/full_fig_p012_4.png] view at source ↗
read the original abstract

Side-channel attacks exploit unintended information leakage from system behavior and continue to pose serious privacy risks in modern platforms. Despite extensive prior work, side-channel analysis remains largely manual and fragmented, typically assuming predefined target events and a fixed set of known channels. As systems and applications grow increasingly complex, several fundamental questions remain unanswered: which user or system events are sensitive in practice, how side channels associated with these events can be systematically discovered without exhaustive manual effort, and how their leakage can be analyzed at scale without prohibitive data collection and model training costs. To address these questions, we present SCAgent, an automated framework for side-channel risk analysis. To identify sensitive targets beyond manually specified events, SCAgent performs agent-driven system exploration guided by LLM-based semantic reasoning. To systematically discover side channels while mitigating the risk of LLM hallucination, it reasons over system documentation and incorporates explicit verification to enforce semantic consistency, threat-model feasibility, and per-channel usability. To enable scalable analysis under limited data, SCAgent adopts a few-shot learning paradigm based on foundation models, avoiding the need to train bespoke models for each channel--event pair. To bridge the gap between raw time-series side-channel signals and tabular foundation models, SCAgent further introduces a time-shift--robust feature extraction layer that enables effective downstream analysis. We instantiate SCAgent on iOS as a first step, focusing on OS-level side channels observable by unprivileged applications. Our evaluation spans standard benchmarks such as foreground app and website fingerprinting, as well as newly identified sensitive in-app activities in popular applications.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper introduces SCAgent, an automated framework for side-channel risk analysis using LLM-assisted agents. It performs agent-driven system exploration with LLM semantic reasoning to identify sensitive targets, reasons over system documentation with explicit verification for semantic consistency, threat-model feasibility, and per-channel usability to discover side channels while mitigating hallucinations, and uses few-shot learning with foundation models and a time-shift-robust feature extraction layer for scalable analysis with limited data. The framework is evaluated on iOS for OS-level side channels observable by unprivileged apps, covering benchmarks like foreground app and website fingerprinting as well as newly identified in-app activities.

Significance. If the results hold, this work has the potential to significantly advance the field of side-channel analysis by automating the discovery of sensitive events and channels, reducing reliance on manual effort and large datasets. The combination of LLM reasoning with verification steps and the few-shot paradigm could enable more comprehensive privacy assessments in complex systems like mobile OSes. The time-shift-robust feature extraction layer represents a practical innovation for applying tabular models to time-series side-channel data.

major comments (2)
  1. [Target identification and channel discovery] In the description of target identification and channel discovery: the verification for threat-model feasibility is described as relying on semantic consistency checks and reasoning over system documentation. This is load-bearing for the central claim, as the skeptic note highlights that without automated leakage probes or statistical tests on real traces to confirm observable leakage under the unprivileged-app threat model, it cannot reliably distinguish hallucinated or non-leaking proposals from genuine ones; downstream few-shot analysis and fingerprinting results would then lack validity.
  2. [Evaluation] Abstract and evaluation description: the manuscript states that evaluation spans standard benchmarks such as foreground app and website fingerprinting as well as newly identified sensitive in-app activities, yet supplies no quantitative results, error analysis, performance metrics, or detailed validation data. This absence undermines assessment of the framework's effectiveness and the reliability of discovered channels.
minor comments (1)
  1. The abstract uses 'time-shift--robust' with a double dash; a single hyphen ('time-shift-robust') would improve readability and consistency.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback and the opportunity to improve the manuscript. We address each major comment point by point below, indicating planned revisions where appropriate.

read point-by-point responses

  1. Referee: [Target identification and channel discovery] In the description of target identification and channel discovery: the verification for threat-model feasibility is described as relying on semantic consistency checks and reasoning over system documentation. This is load-bearing for the central claim, as the skeptic note highlights that without automated leakage probes or statistical tests on real traces to confirm observable leakage under the unprivileged-app threat model, it cannot reliably distinguish hallucinated or non-leaking proposals from genuine ones; downstream few-shot analysis and fingerprinting results would then lack validity.

    Authors: We agree that semantic verification over documentation is a key component for filtering proposals and reducing hallucinations, but it is not the sole basis for validity. The framework uses this step to generate candidate channels, after which the few-shot analysis and fingerprinting evaluations are performed on real side-channel traces collected from iOS under the unprivileged-app threat model. These empirical results on standard benchmarks (foreground app and website fingerprinting) and newly identified activities serve as the primary validation that the discovered channels exhibit observable leakage. To strengthen the manuscript, we will expand the target identification section with a clearer description of this two-stage process, add explicit discussion of the limitations of purely semantic checks, and include more details on how real-trace evaluations confirm feasibility. We will also reference the skeptic note more directly when explaining the verification design. revision: partial

  2. Referee: [Evaluation] Abstract and evaluation description: the manuscript states that evaluation spans standard benchmarks such as foreground app and website fingerprinting as well as newly identified sensitive in-app activities, yet supplies no quantitative results, error analysis, performance metrics, or detailed validation data. This absence undermines assessment of the framework's effectiveness and the reliability of discovered channels.

    Authors: We acknowledge that the current abstract and high-level evaluation description lack specific quantitative metrics, which limits the reader's ability to assess effectiveness. The full evaluation section of the manuscript does contain results from the benchmarks and new activities, including accuracy figures and comparisons. In the revised version, we will update the abstract to include key performance metrics (e.g., fingerprinting accuracies) and add a concise summary of error analysis and validation data to the evaluation overview. This will make the claims more concrete while preserving the focus on the framework's automation aspects. revision: yes

Circularity Check

0 steps flagged

No circularity: SCAgent is an empirical LLM-assisted framework without derivations or self-referential reductions

full rationale

The paper describes an automated side-channel analysis framework relying on LLM semantic reasoning, explicit verification over system documentation, few-shot learning with foundation models, and a time-shift-robust feature extraction layer. No mathematical equations, parameter fitting, or derivation chains are present in the provided abstract or description. The central claims rest on external foundation models and verification processes rather than reducing to self-defined inputs or self-citations by construction. This is self-contained against external benchmarks as an engineering approach.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 2 invented entities

The central claim rests on assumptions about LLM reasoning reliability and introduces new framework components without independent external validation shown in the abstract.

axioms (2)
  • domain assumption LLM-based semantic reasoning can effectively guide system exploration for sensitive event identification
    Invoked in the agent-driven exploration component of the framework.
  • domain assumption Explicit verification enforces semantic consistency and threat-model feasibility
    Stated as mitigation for LLM hallucination in channel discovery.
invented entities (2)
  • SCAgent framework no independent evidence
    purpose: Automated side-channel risk analysis using agents and few-shot models
    New framework presented as the core contribution.
  • time-shift-robust feature extraction layer no independent evidence
    purpose: Bridge raw time-series side-channel signals to tabular foundation models
    Introduced to enable downstream analysis.

pith-pipeline@v0.9.0 · 5821 in / 1327 out tokens · 35749 ms · 2026-05-19T23:31:30.169368+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

67 extracted references · 67 canonical work pages · 2 internal anchors

  1. [1]

    Peeking into your app without actually seeing it: UI state inference and novel android attacks,

    Q. A. Chen, Z. Qian, and Z. M. Mao, “Peeking into your app without actually seeing it: UI state inference and novel android attacks,” in Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, August 20-22, 2014, 2014, pp. 1037–1052

    work page 2014

  2. [2]

    Memento: Learning secrets from process footprints,

    S. Jana and V . Shmatikov, “Memento: Learning secrets from process footprints,” inIEEE Symposium on Security and Privacy, SP 2012, 21- 23 May 2012, San Francisco, California, USA, 2012, pp. 143–157

    work page 2012

  3. [3]

    Screenmilker: How to milk your android screen for secrets,

    C. Lin, H. Li, X. Zhou, and X. Wang, “Screenmilker: How to milk your android screen for secrets,” in21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, February 23-26, 2014, 2014

    work page 2014

  4. [4]

    Identity, location, disease and more: inferring your secrets from android public resources,

    X. Zhou, S. Demetriou, D. He, M. Naveed, X. Pan, X. Wang, C. A. Gunter, and K. Nahrstedt, “Identity, location, disease and more: inferring your secrets from android public resources,” in2013 ACM SIGSAC Conference on Computer and Communications Security, CCS’13, Berlin, Germany, November 4-8, 2013, 2013, pp. 1017–1028

    work page 2013

  5. [5]

    Os-level side channels without procfs: Exploring cross-app information leakage on ios,

    X. Zhang, X. Wang, X. Bai, Y . Zhang, and X. Wang, “Os-level side channels without procfs: Exploring cross-app information leakage on ios,” in25th Annual Network and Distributed System Security Symposium, NDSS 2018, San Diego, California, USA, February 18-21, 2018, 2018

    work page 2018

  6. [6]

    The danger of minimum exposures: Understanding cross-app information leaks on ios through multi-side-channel learning,

    Z. Wang, J. Guan, X. Wang, W. Wang, L. Xing, and F. Alharbi, “The danger of minimum exposures: Understanding cross-app information leaks on ios through multi-side-channel learning,” inProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 2023, pp. 281–295

    work page 2023

  7. [7]

    Chatgpt — openai,

    “Chatgpt — openai,” https://openai.com/chatgpt/, 2024

    work page 2024

  8. [8]

    Perplexity ai,

    “Perplexity ai,” https://www.perplexity.ai/, 2024

    work page 2024

  9. [9]

    Github copilot · your ai pair programmer,

    “Github copilot · your ai pair programmer,” https://github.com/features/ copilot/, 2024

    work page 2024

  10. [10]

    “Gemini,” https://gemini.google.com/app, 2024

    work page 2024

  11. [11]

    A survey on hallucination in large language models: Principles, taxonomy, challenges, and open questions,

    L. Huang, W. Yu, W. Ma, W. Zhong, Z. Feng, H. Wang, Q. Chen, W. Peng, X. Feng, B. Qinet al., “A survey on hallucination in large language models: Principles, taxonomy, challenges, and open questions,”ACM Transactions on Information Systems, vol. 43, no. 2, pp. 1–55, 2025

    work page 2025

  12. [12]

    Mobile-bench: An evaluation benchmark for LLM-based mobile agents,

    S. Deng, W. Xu, H. Sun, W. Liu, T. Tan, J. Liu, A. Li, J. Luan, B. Wang, R. Yan, and S. Shang, “Mobile-bench: An evaluation benchmark for LLM-based mobile agents,” in Proceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), L.-W. Ku, A. Martins, and V . Srikumar, Eds. Bangkok, Thailand: Association f...

    work page 2024

  13. [13]

    CoRR , volume =

    L. Wang, Y . Deng, Y . Zha, G. Mao, Q. Wang, T. Min, W. Chen, and S. Chen, “Mobileagentbench: An efficient and user-friendly benchmark for mobile llm agents,”arXiv preprint arXiv:2406.08184, 2024

    work page arXiv 2024

  14. [14]

    AndroidWorld: A Dynamic Benchmarking Environment for Autonomous Agents

    C. Rawles, S. Clinckemailliet, Y . Chang, J. Waltz, G. Lau, M. Fair, A. Li, W. Bishop, W. Li, F. Campbell-Ajala, D. Toyama, R. Berry, D. Tyamagundlu, T. Lillicrap, and O. Riva, “ANDROIDWORLD: A DY- NAMIC BENCHMARKING ENVIRONMENT FOR AUTONOMOUS AGENTS,” inInternational Conference on Learning Representations (ICLR), 2025, arXiv:2405.14573v5

    work page internal anchor Pith review Pith/arXiv arXiv 2025

  15. [15]

    Spa-bench: A comprehensive benchmark for smartphone agent evaluation,

    J. Chen, D. Yuen, B. Xie, Y . Yang, G. Chen, Z. Wu, L. Yixing, X. Zhou, W. Liu, S. Wanget al., “Spa-bench: A comprehensive benchmark for smartphone agent evaluation,” inNeurIPS 2024 Workshop on Open- World Agents, 2024

    work page 2024

  16. [16]

    Autoeval: A practical frame- work for autonomous evaluation of mobile agents,

    J. Sun, Z. Hua, and Y . Xia, “Autoeval: A practical frame- work for autonomous evaluation of mobile agents,”arXiv preprint arXiv:2503.02403, 2025

    work page arXiv 2025

  17. [17]

    The great multivariate time series classification bake off: a review and experimental evaluation of recent algorithmic advances,

    A. P. Ruiz, M. Flynn, J. Large, M. Middlehurst, and A. J. Bagnall, “The great multivariate time series classification bake off: a review and experimental evaluation of recent algorithmic advances,”Data Min. Knowl. Discov., vol. 35, no. 2, pp. 401–449, 2021

    work page 2021

  18. [18]

    ROCKET: exceptionally fast and accurate time series classification using random convolutional kernels,

    A. Dempster, F. Petitjean, and G. I. Webb, “ROCKET: exceptionally fast and accurate time series classification using random convolutional kernels,”Data Min. Knowl. Discov., vol. 34, no. 5, pp. 1454–1495, 2020

    work page 2020

  19. [19]

    Accurate predictions on small data with a tabular foundation model,

    N. Hollmann, S. M ¨uller, L. Purucker, A. Krishnakumar, M. K¨orfer, S. B. Hoo, R. T. Schirrmeister, and F. Hutter, “Accurate predictions on small data with a tabular foundation model,”Nature, vol. 637, no. 8045, pp. 319–326, 2025

    work page 2025

  20. [20]

    Gpt on the wire: Towards realistic network traffic con- versations generated with large language models,

    J. A. Delgado-Soto, J. E. L. de Vergara, I. Gonz ´alez, D. Perdices, and L. de Pedro, “Gpt on the wire: Towards realistic network traffic con- versations generated with large language models,”Computer Networks, vol. 265, p. 111308, 2025

    work page 2025

  21. [21]

    Exploring the power of large language models: Automated compliance checks in architecture engineering and construction industries,

    X. Liu, “Exploring the power of large language models: Automated compliance checks in architecture engineering and construction industries,” Cardiff University, Tech. Rep., 2025. [Online]. Available: https://orca.cardiff.ac.uk/id/eprint/177710

    work page 2025

  22. [22]

    Incident diagnosing and reporting system based on retrieval augmented large language model,

    P. Yuan, L. Tang, Y . Liu, K. Yuji, M. Sato, and H. Chen, “Incident diagnosing and reporting system based on retrieval augmented large language model,” inProceedings of the AAAI Conference on Artificial Intelligence, vol. 39, no. 28, 2025, pp. 29 721–29 723

    work page 2025

  23. [23]

    Leveraging llms and attention-mechanism for automatic annotation of historical maps,

    Y . Yuan and M. Sester, “Leveraging llms and attention-mechanism for automatic annotation of historical maps,”AGILE: GIScience Series, vol. 6, p. 52, 2025

    work page 2025

  24. [24]

    Artificial intelligence orchestration for text-based ultrasonic simulation via self-review by multi-large language model agents,

    S. Kim, Y . Yu, and H. Seo, “Artificial intelligence orchestration for text-based ultrasonic simulation via self-review by multi-large language model agents,”Scientific Reports, 2025. [Online]. Available: https://www.nature.com/articles/s41598-025-97498-y

    work page 2025

  25. [25]

    Pentestgpt: An llm-empowered automatic penetration testing tool,

    G. Deng, Y . Liu, V . Mayoral-Vilches, P. Liu, Y . Li, Y . Xu, T. Zhang, Y . Liu, M. Pinzger, and S. Rass, “Pentestgpt: An llm-empowered automatic penetration testing tool,”arXiv preprint arXiv:2308.06782, 2023

    work page arXiv 2023

  26. [26]

    Large language model guided protocol fuzzing,

    R. Meng, M. Mirchev, M. B ¨ohme, and A. Roychoudhury, “Large language model guided protocol fuzzing,” inProceedings of the 31st Annual Network and Distributed System Security Symposium (NDSS), vol. 2024, 2024

    work page 2024

  27. [27]

    Oedipus: Llm-enchanced reasoning captcha solver,

    G. Deng, H. Ou, Y . Liu, J. Zhang, T. Zhang, and Y . Liu, “Oedipus: Llm-enchanced reasoning captcha solver,” inProceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security, 2025, pp. 6–20

    work page 2025

  28. [28]

    Large language models for blockchain security: A systematic literature review,

    Z. He, Z. Li, S. Yang, H. Ye, A. Qiao, X. Zhang, X. Luo, and T. Chen, “Large language models for blockchain security: A systematic literature review,”arXiv preprint arXiv:2403.14280, 2024

    work page arXiv 2024

  29. [29]

    No pardon for the interruption: New inference attacks on android through interrupt timing analysis,

    W. Diao, X. Liu, Z. Li, and K. Zhang, “No pardon for the interruption: New inference attacks on android through interrupt timing analysis,” inIEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, May 22-26, 2016, 2016, pp. 414–432

    work page 2016

  30. [30]

    Peeping tom in the neighborhood: Keystroke eavesdropping on multi-user systems,

    K. Zhang and X. Wang, “Peeping tom in the neighborhood: Keystroke eavesdropping on multi-user systems,” in18th USENIX Security Sym- posium, Montreal, Canada, August 10-14, 2009, Proceedings, 2009, pp. 17–32

    work page 2009

  31. [31]

    CVE-2017-13852

    “CVE-2017-13852.” Available from MITRE, CVE-ID CVE-2017- 13852, Aug 2017. [Online]. Available: http://cve.mitre.org/cgi-bin/ cvename.cgi?name=CVE-2017-13852

    work page 2017

  32. [32]

    CVE-2017-13873

    “CVE-2017-13873.” Available from MITRE, CVE-ID CVE-2017- 13873, Aug 2017. [Online]. Available: http://cve.mitre.org/cgi-bin/ cvename.cgi?name=CVE-2017-13873

    work page 2017

  33. [33]

    Procharvester: Fully automated analysis of procfs side-channel leaks on android,

    R. Spreitzer, F. Kirchengast, D. Gruss, and S. Mangard, “Procharvester: Fully automated analysis of procfs side-channel leaks on android,” inProceedings of the 2018 on asia conference on computer and communications security, 2018, pp. 749–763

    work page 2018

  34. [34]

    Androtime: Identifying timing side channels in the android api,

    G. Palfinger, B. Pr ¨unster, and D. J. Ziegler, “Androtime: Identifying timing side channels in the android api,” in2020 IEEE 19th Interna- tional Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). IEEE, 2020, pp. 1849–1856

    work page 2020

  35. [35]

    Cache template attacks: Automating attacks on inclusive{Last-Level}caches,

    D. Gruss, R. Spreitzer, and S. Mangard, “Cache template attacks: Automating attacks on inclusive{Last-Level}caches,” in24th USENIX Security Symposium (USENIX Security 15), 2015, pp. 897–912

    work page 2015

  36. [36]

    {FLUSH+ RELOAD}: A high resolution, low noise, l3 cache{Side-Channel}attack,

    Y . Yarom and K. Falkner, “{FLUSH+ RELOAD}: A high resolution, low noise, l3 cache{Side-Channel}attack,” in23rd USENIX security symposium (USENIX security 14), 2014, pp. 719–732

    work page 2014

  37. [37]

    Last-level cache side-channel attacks are practical,

    F. Liu, Y . Yarom, Q. Ge, G. Heiser, and R. B. Lee, “Last-level cache side-channel attacks are practical,” in2015 IEEE symposium on security and privacy. IEEE, 2015, pp. 605–622

    work page 2015

  38. [38]

    Robust website fingerprinting through the cache occupancy channel,

    A. Shusterman, L. Kang, Y . Haskal, Y . Meltser, P. Mittal, Y . Oren, and Y . Yarom, “Robust website fingerprinting through the cache occupancy channel,” in28th USENIX Security Symposium, USENIX Security 2019, Santa Clara, CA, USA, August 14-16, 2019, 2019, pp. 639–656

    work page 2019

  39. [39]

    The spy in the sandbox: Practical cache attacks in javascript and their implications,

    Y . Oren, V . P. Kemerlis, S. Sethumadhavan, and A. D. Keromytis, “The spy in the sandbox: Practical cache attacks in javascript and their implications,” inProceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, October 12-16, 2015, 2015, pp. 1406–1418

    work page 2015

  40. [40]

    There’s always a bigger fish: a clarifying analysis of a machine-learning-assisted side-channel attack,

    J. Cook, J. Drean, J. Behrens, and M. Yan, “There’s always a bigger fish: a clarifying analysis of a machine-learning-assisted side-channel attack,” inISCA ’22: The 49th Annual International Symposium on Computer Architecture, New York, New York, USA, June 18 - 22, 2022, 2022, pp. 204–217

    work page 2022

  41. [41]

    Powerful: Mobile app fingerprinting via power analysis,

    Y . Chen, X. Jin, J. Sun, R. Zhang, and Y . Zhang, “Powerful: Mobile app fingerprinting via power analysis,”IEEE INFOCOM 2017 - IEEE Conference on Computer Communications, pp. 1–9, 2017

    work page 2017

  42. [42]

    {PowerSpy}: Location tracking using mobile device power analysis,

    Y . Michalevsky, A. Schulman, G. A. Veerapandian, D. Boneh, and G. Nakibly, “{PowerSpy}: Location tracking using mobile device power analysis,” in24th USENIX Security Symposium (USENIX Security 15), 2015, pp. 785–800

    work page 2015

  43. [43]

    Let’s take it offline: Boosting brute-force attacks on iphone’s user authentication through SCA,

    O. Lisovets, D. Knichel, T. Moos, and A. Moradi, “Let’s take it offline: Boosting brute-force attacks on iphone’s user authentication through SCA,”IACR Trans. Cryptogr. Hardw. Embed. Syst., vol. 2021, no. 3, pp. 496–519, 2021

    work page 2021

  44. [44]

    ECDSA key extraction from mobile devices via nonintrusive physical side channels,

    D. Genkin, L. Pachmanov, I. Pipman, E. Tromer, and Y . Yarom, “ECDSA key extraction from mobile devices via nonintrusive physical side channels,” inProceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24-28, 2016, 2016, pp. 1626–1638

    work page 2016

  45. [45]

    TabPFN: A Transformer That Solves Small Tabular Classification Problems in a Second

    N. Hollmann, S. M ¨uller, K. Eggensperger, and F. Hutter, “Tabpfn: A transformer that solves small tabular classification problems in a second,”arXiv preprint arXiv:2207.01848, 2022

    work page internal anchor Pith review Pith/arXiv arXiv 2022

  46. [46]

    Mobile-agent-e: Self-evolving mobile assistant for complex tasks.arXiv preprint arXiv:2501.11733, 2025

    Z. Wang, H. Xu, J. Wang, X. Zhang, M. Yan, J. Zhang, F. Huang, and H. Ji, “Mobile-agent-e: Self-evolving mobile assistant for complex tasks,”arXiv preprint arXiv:2501.11733, 2025

    work page arXiv 2025

  47. [47]

    Inceptiontime: Finding alexnet for time series classification,

    H. I. Fawaz, B. Lucas, G. Forestier, C. Pelletier, D. F. Schmidt, J. Weber, G. I. Webb, L. Idoumghar, P. Muller, and F. Petitjean, “Inceptiontime: Finding alexnet for time series classification,”Data Min. Knowl. Discov., vol. 34, no. 6, pp. 1936–1962, 2020. APPENDIX A. Open Science The implementation of SCAgent is available at: https: //anonymous.4open.sc...

    work page 1936

  48. [48]

    You must switch categories frequently

    PRIORITIZE COVERAGE: Do not focus on a single vertical (e.g., Hotels) for more than 4 steps. You must switch categories frequently

    work page

  49. [49]

    BREADTH-FIRST SEARCH: If you see multiple top-level options (e.g., ’Flights’, ’Hotels’, ’Trains’, ’Attractions’), you must explore a different one than the previous run

    work page

  50. [50]

    Once you identify a leak in a sub- category, explicitly perform a ’Back’ action or tap ’Home’ to explore a new category

    DEPTH LIMIT: Do not go deeper than the ’Details Page’. Once you identify a leak in a sub- category, explicitly perform a ’Back’ action or tap ’Home’ to explore a new category

    work page

  51. [51]

    If you reach a form, log the risk and leave immediately to find a new button

    ANTI-RABBIT HOLE: Do not fill out long forms. If you reach a form, log the risk and leave immediately to find a new button. Use this ’UI-to-Leak’ Logic Table for your exploration:

    work page

  52. [52]

    - Specific Leak: ’Exactly which item/article the user is interested in’ (Traffic Analysis)

    IF you see [Lists with Images / News / Search Results]→THEN conclude: - Vulnerability: Loading specific items creates unique Network Packet Size sequences. - Specific Leak: ’Exactly which item/article the user is interested in’ (Traffic Analysis)

    work page

  53. [53]

    - Specific Leak: ’Current App Lifecycle State (e.g., User is about to pay vs

    IF you see [Major Transitions (e.g., opening ’Payment’, ’Camera’, or ’Settings’)]→THEN conclude: - Vulnerability: Activity switching alters Shared Memory & WindowManager state. - Specific Leak: ’Current App Lifecycle State (e.g., User is about to pay vs. just browsing)’ (UI State Inference)

    work page

  54. [54]

    - Specific Leak: ’Specific complex content being viewed’ (GPU Fingerprinting)

    IF you see [Infinite Scroll / Maps / Video / 3D Models]→THEN conclude: - Vulnerability: High-load rendering creates measurable GPU usage spikes. - Specific Leak: ’Specific complex content being viewed’ (GPU Fingerprinting)

    work page

  55. [55]

    - Specific Leak: ’Approximate search query content’ (via Traffic Analysis)

    IF you see [Search Bars with Auto-complete]→THEN conclude: - Vulnerability: Real-time suggestions trigger network bursts per character. - Specific Leak: ’Approximate search query content’ (via Traffic Analysis). Execution & Logging Requirement: Explore autonomously. When you interact with a risky element, you MUST output a log in this exact format: ’RISK ...

    work page

  56. [56]

    Categorization (Diversity): First, classify all available vectors into distinct Hardware/Resource Types (specifically: Network I/O, Hardware Acceleration/GPU, Micro-architecture/Execution, and Memory/Storage)

    work page

  57. [57]

    - Auxiliary Vector (Optional): Select a second vector within the same type ONLY IF it enhances the Primary Vector by measuring a different dimension (e.g., Static vs

    Intra-Type Selection (Enhancement): For each identified Type, select the optimal configuration: - Primary Vector: Pick the single vector with the highest individual accuracy within this type. - Auxiliary Vector (Optional): Select a second vector within the same type ONLY IF it enhances the Primary Vector by measuring a different dimension (e.g., Static vs...

    work page

  58. [58]

    Core Principle Extraction: What is the root cause of the leak? (e.g., ”Shared Cache Contention”, ”Interrupt Latency”, ”DRAM Rowhammer”). 2. WebKit Contextualization: How does a modern browser (Safari/WebKit) trigger this resource? Example: If a paper discusses ”GPU Interrupts,” ask: ”Does complex CSS/WebGL on a website cause measurable GPU interrupt jitte...

    work page

  59. [59]

    Systematic Subsystem Scan (Web-Centric Matrix): Focus on subsystems that fluctuate heavily during web browsing. You must search for vectors in EACH category: Category A: The Rendering Pipeline (Visual Fingerprints) GPU & Metal: Search for ”IOSurface creation overhead”, ”CAMetalLayer frame timing jitter”, ”detecting GPU context switch latency iOS”. Can we ...

    work page

  60. [60]

    Selection Strategy: Generate 10 NOVEL distinct vectors which has never been mentioned in the papers that capture different dimensions of app activity

    Feasibility Check: For every vector, ask: ”Is this visible to a background/foreground sandboxed app while Safari is active?” Step 3: Comprehensive Inventory & Selection Output the Full Inventory: List ALL valid NEW side-channels, specifically explaining WHY this vector helps classify webs. Selection Strategy: Generate 10 NOVEL distinct vectors which has n...

    work page

  61. [61]

    If a global resource is blocked or returns generic errors, you must verify if Timing Side-Channels are possible

    The ”Inference via Latency” Rule Do not stop at ”Access Denied”. If a global resource is blocked or returns generic errors, you must verify if Timing Side-Channels are possible. - Question: Does the time it takes to fail (or return a result) change based on the system state? - Key Indicator: Look for Shared Resource Contention (e.g., Lock Contention, Cach...

    work page

  62. [62]

    - Gold Standard for Differentiation: - Different Channel: Vector A triggers Disk I/O + IPC (e.g., ’UIFont.systemFont’ loading a file) vs

    The ”Resource Bottleneck” Rule (Classification Standard) Classify vectors by underlying physical constraint, not API names. - Gold Standard for Differentiation: - Different Channel: Vector A triggers Disk I/O + IPC (e.g., ’UIFont.systemFont’ loading a file) vs. Vector B triggers Memory Table Lookup (e.g., ’UI- Font.familyNames’ reading a cache). Even if t...

    work page

  63. [63]

    Background Restrictions & State-Based Blocking: - Scope: Hardware (Mic/Cam) or signals disconnected/silenced by the OS when suspended/back- grounded

    work page

  64. [64]

    Sandbox & Resource Isolation: - Scope: ’audit token’ checks, Container isolation, specific XPC filtering

    work page

  65. [65]

    Low Accuracy & Physical Limitations: - Scope: Thermal throttling, signal-to-noise ratio too low

    work page

  66. [66]

    It relies on the exact same hardware unit (e.g., ALU, L1 Cache) as a generic baseline or a previously discussed vector

    Redundancy & Resource Overlap (The ”Duplicate” Check): - Scope: The vector offers no unique signature. It relies on the exact same hardware unit (e.g., ALU, L1 Cache) as a generic baseline or a previously discussed vector. Critical Constraints (Thinking ”Outside the Box”) You must explicitly check for failure modes NOT listed above: - Privacy Manifests: D...

    work page

  67. [67]

    Feasibility Score: 0/10 (Impossible) to 10/10 (Confirmed Working). 2. The Blocker: - Cite Category 1-5, OR ”OUTSIDE CONTEXT: [Reason]” (e.g., Entitlements, TCC). 3. Side-Channel Potential (Timing/Inference): - Analysis: Even if direct access fails, can we infer global state via latency/contention? (Yes/No + Explanation). 4. Mechanism & Bottleneck (Signatu...

    work page