🤖 AI Summary
This work uncovers a novel CPU–GPU cross-core covert channel in shared-memory SoCs. On mobile SoCs that lack a shared last-level cache (LLC), and without requiring privileged physical memory access, it constructs a high-throughput memory-contention-based covert channel (MC³) that leverages DRAM access timing contention. Methodologically, it combines DRAM side-channel modeling, dynamic memory bandwidth contention control, and adaptive signal encoding. Evaluated on the NVIDIA Orin platform, MC³ achieves a throughput of 6.4 kbps with a bit error rate below 1%, marking the first demonstration of low-overhead, high-robustness covert communication between heterogeneous processors. The work breaks the conventional reliance of covert channels on either cache sharing or privilege escalation, establishing a new paradigm for memory security assessment and defense in modern SoCs.
📝 Abstract
Shared-memory system-on-chips (SM-SoCs) are ubiquitously employed by a wide range of mobile computing platforms, including edge/IoT devices, autonomous systems and smartphones. In SM-SoCs, system-wide shared physical memory provides a convenient and financially feasible way to make data accessible to dozens of processing units (PUs), such as CPU cores and domain-specific accelerators. In this study, we investigate vulnerabilities that stem from the shared use of physical memory in such systems. Due to the diverse computational characteristics of the PUs they embed, SM-SoCs often do not employ a shared last-level cache (LLC). While the literature proposes covert channel attacks for shared-memory systems, high-throughput communication is currently possible by relying on either an LLC or privileged/physical access to the shared memory subsystem. In this study, we introduce a new memory-contention-based covert communication attack, MC3, which specifically targets the shared system memory in mobile SoCs. Unlike existing attacks, our approach achieves high-throughput communication between applications running on the CPU and GPU without the need for an LLC or elevated access to the system. We extensively explore the effectiveness of our methodology by demonstrating the trade-off between the channel transmission rate and the robustness of the communication. We demonstrate the utility of MC3 on NVIDIA Orin AGX, Orin NX, and Orin Nano up to a transmit rate of 6.4 kbps with less than 1% error rate.