…and there you go:

https://ccs25files.zoolab.org/main/ccsfb/1REOCPAR/3719027.3765061.pdf

https://misc0110.net/files/exfilstate_ccs25.pdf

From https://www.sigsac.org/ccs/CCS2025/accepted-papers/ (#378)

Literally published less than a day ago:

ExfilState: Automated Discovery of Timer-Free Cache Side Channels on ARM CPUs

At the same conference (CCS) that the paper referred to by the ars technica article was accepted.

You can implement a counting-thread that’s even more precise than the CPU’s timer (TSC on x86) platforms. This was shown in attacks on Intel SGX, where the rdtsc instruction to access the time-stamp counter is unavailable.

https://link.springer.com/chapter/10.1007/978-3-319-60876-1_1

https://arxiv.org/pdf/1702.08719

If you remove access to the timer, attackers will simply build one.