Project Lavalamp research
LavalampBy George Sarris (0xcircuitbreaker)·April 20, 2026·5 min read

Why CPU Side-Channel Attacks Need a Hardware Fix

A decade of CPU timing side-channel attacks. Microcode patches ship late. An FPGA approach sidesteps the CPU vendor entirely — here's why that matters.

The short version

A CPU timing side-channel lets an adversary learn secrets from a victim process by watching how long specific operations take. If the victim is doing cryptography, "how long did the key comparison take" is enough to leak the key over many observations. If the victim is doing password validation, the same pattern applies. If the victim is an AI inference server decrypting a client's query, the leakage applies there too.

Side-channel attacks on modern CPUs are a persistent issue. Lavalamp's specific disclosure target is an SMT port-contention vulnerability on AMD Zen 5 (responsibly disclosed to AMD, NVIDIA, Google, and Microsoft), but the broader class — co-resident timing-channel leakage — is a longstanding industry concern. CPU vendors have shipped microcode patches in response to prior disclosures, but the patches are reactive and often re-break performance.

Lavalamp takes a different approach: fix it at the hardware boundary with an FPGA, outside the CPU vendor's control path. The attack shifts from "exploit a CPU-level timing oracle" to "defeat an FPGA-level masking layer that sits in front of the CPU's timing exposure."

Why software/microcode fixes hit a ceiling

Two structural reasons microcode-only mitigation is hard:

  1. The performance-leaks trade-off is real. Out-of-order execution, shared caches, and branch prediction are performance features that create observable timing channels by construction. Fully closing a channel in microcode typically sacrifices the performance the channel exists to deliver.
  2. Microcode is a narrow surface. Microcode can patch specific leak paths as they are discovered, but the class of micro-architectural side channels is broad and new variants keep being disclosed. Each fix closes a specific variant at some measured performance cost; the long tail remains.

Hardware-boundary mitigation — introducing controlled masking at the CPU's interface rather than deep inside its pipeline — is a complementary layer. Lavalamp is an instance of that approach for specific workloads.

What a hardware-boundary mitigation looks like

Lavalamp sits physically between the CPU and the workload. The FPGA introduces controlled masking into the timing signals that reach a co-resident observer. The masking reduces the signal-to-noise ratio that the observer needs for successful extraction — ideally by orders of magnitude — without materially affecting the workload's observable behavior.

The specific masking stack is proprietary (under NDA); the general principles are well-understood:

  • Hardware-rooted entropy fed into timing-sensitive paths
  • Controlled jitter on operations known to leak
  • Observable-side interference with cache and branch-predictor timing channels
  • All applied at the hardware boundary, transparent to the OS and the application

An independent third-party benchmark engagement is currently underway; full performance and leakage numbers are released only under evaluation NDA until the benchmark ships.

The three Lavalamp tiers

Lavalamp is packaged in three form factors, each targeting a different deployment reality:

Lavalamp Lite — USB

Consumer-grade USB FPGA device. Plug-and-go. Target use cases: cryptographic workstation operators, high-security personal devices, and anyone who wants the mitigation on a single machine without infrastructure.

Lavalamp Pro — PCIe

PCIe card form factor. Target use cases: servers running cryptography, VDI endpoints, exchanges, and any production workload where the mitigation needs to be on every machine in a rack.

Lavalamp OEM — IP-Core Licensing

The masking stack as licensable IP for integration into a customer's own ASIC or FPGA design. Target use cases: integrators building security-oriented appliances, firms building post-quantum inference appliances, or operators needing the mitigation baked directly into custom silicon.

What Lavalamp's guarantees actually are

A realistic post should be precise about what's claimed and what isn't:

What Lavalamp claims:

  • Order-of-magnitude reduction in side-channel leakage versus an unmitigated baseline, on the set of workloads measured in the forthcoming third-party benchmark.
  • Negligible CPU overhead in the production FPGA path — measured as a fraction of a percent.
  • OS-transparency — no application changes, no kernel patches, no recompilation required.
  • Vendor-independence — works regardless of CPU vendor, microcode version, or upstream patch behavior.

What Lavalamp does not claim:

  • It is not a cryptographically zero-leakage device. "Order-of-magnitude reduction" is meaningful but not infinite. For some attack budgets this matters; for most realistic adversaries it does not.
  • It is not a replacement for well-constructed constant-time cryptographic code. If your cryptography is variable-time, Lavalamp reduces the signal available to an attacker but does not make the code constant-time.
  • It is not a substitute for OS-level hardening, microcode patches, or good operational security. It's a layer, not a silver bullet.

Coverage areas

Lavalamp targets four specific operating environments documented on the public site:

  • Public cloud (AWS / Azure / GCP) — where co-residency is guaranteed by the economics of the platform, and side-channel attacks are a known risk model
  • Browser workloads (WebAssembly) — where untrusted client code executes in the browser's sandbox, which is itself subject to micro-architectural timing leakage
  • VDI / Citrix — where shared physical hardware runs multiple user desktops, and cross-tenant leakage is a customer-demanded protection
  • Post-quantum primitives (ML-KEM / Kyber) — where new cryptographic primitives' side-channel profiles are still being understood, and hardware-boundary protection buys time

High-value financial infrastructure (exchanges, custody, signing) is a named target market for the Pro and OEM tiers but runs inside the four coverage areas above — typically VDI-managed workstations for signing operators and cloud or on-prem servers for automated systems.

When to prioritize hardware mitigation

The honest framing: most workloads do not need Lavalamp. Most adversaries are not sophisticated enough to mount productive side-channel attacks, and most secrets are not valuable enough to justify the attack cost.

Lavalamp is for the workloads where both conditions fail:

  1. The adversary is sophisticated — nation-state, well-funded financial attacker, organized APT
  2. The secrets are valuable — cryptographic keys, biometric templates, exchange signing material, patient data, classified data

If your workload is in that category, microcode patching alone is a narrow defense. The class of attack is broad, the cost of a successful attack is the cost of your secret's valuation, and hardware-boundary mitigation is an underused layer in the defense stack.

Where this goes next

  • Independent third-party benchmark — in progress
  • Tier-specific deep-dives on Lite, Pro, and OEM — upcoming
  • Project Lavalamp product page for current status and contact

The benchmark numbers are the critical next milestone. When they ship (under evaluation NDA for the moment), we can move from "here's why this class of mitigation matters" to "here's precisely how much leakage reduction the specific Lavalamp design delivers on specific workloads."

Topics:hardware-securityside-channelfpgaspectrecryptographycpu-vulnerabilities