Technical & DevelopmentIntermediate

constant-time-analysis

Detect compiler-induced timing side-channels in crypto code

Developer Setup

Setup & Installation

bash

npx skills add https://github.com/trailofbits/skills --skill constant-time-analysis

npx skills add https://github.com/trailofbits/skills --skill constant-time-analysis

Or paste this URL into your assistant to install:

https://github.com/trailofbits/skills/tree/main/plugins/constant-time-analysis View on GitHub

Overview

What This Skill Does

Detects timing side-channel vulnerabilities in cryptographic code across 12 languages. It analyzes assembly and bytecode for variable-time operations like secret-dependent branches, divisions, and table lookups that can leak private key material through execution timing. Developed by Trail of Bits.

Application

When to use this Skill

Configuring integration settings for custom agent workflows.
Optimizing query execution and response latency in production.
Developing clean, standard-compliant implementations for enterprise services.
Troubleshooting connection timeouts and authentication handshakes.
Monitoring API rate limits and execution pipelines programmatically.

Documentation

Show Skills.md file

Constant-Time Analyzer (ct-analyzer)

A portable tool for detecting timing side-channel vulnerabilities in compiled cryptographic code. Analyzes assembly output from multiple compilers and architectures to detect instructions that could leak secret data through execution timing.

Background

Timing side-channel attacks exploit variations in execution time to extract secret information from cryptographic implementations. Common sources include:

Hardware division (DIV, IDIV): Execution time varies based on operand values
Floating-point operations (FDIV, FSQRT): Variable latency based on inputs
Conditional branches: Different execution paths have different timing

The infamous KyberSlash attack demonstrated how division instructions in post-quantum cryptographic implementations could be exploited to recover secret keys.

Features

Multi-language support: C, C++, Go, Rust, PHP, JavaScript, TypeScript, Python, Ruby
Multi-architecture support: x86_64, ARM64, ARM, RISC-V, PowerPC, s390x, i386
Multi-compiler support: GCC, Clang, Go compiler, Rustc
Scripting language support: PHP (VLD/opcache), JavaScript/TypeScript (V8 bytecode), Python (dis), Ruby (YARV)
Optimization-level testing: Test across O0-O3, Os, Oz
Multiple output formats: Text, JSON, GitHub Actions annotations
Cross-compilation: Analyze code for different target architectures

Quick Start

Lines 1 - 25 of 381

Recommendations

Explore other random skills

TechnicalIntermediate

azure-identity-java

Microsoft Entra ID authentication

TechnicalIntermediate

azure-cosmos-java

Cosmos DB NoSQL with global distribution

TechnicalIntermediate

azure-monitor-opentelemetry-exporter-java

OpenTelemetry export to Azure Monitor

All skills My patterns