What is constant-time testing?

Constant-time testing is a security methodology used to verify that the execution time of a cryptographic function does not vary based on the secret data it processes, thereby preventing timing attacks.

How does this skill assist in security audits?

It provides a comprehensive handbook of known vulnerability patterns, tool recommendations (like dudect and Timecop), and a multi-phase workflow to detect and fix timing leaks.

Can this skill help detect cache-timing attacks?

Yes, it specifically identifies secret-dependent array accesses, which are a primary source of cache-timing vulnerabilities in algorithms like AES.

Which programming languages does this skill focus on?

While timing principles apply to all languages, the guidance specifically addresses C/C++ patterns often found in low-level cryptographic libraries and assembly optimizations.

Is statistical testing enough to guarantee security?

No, statistical testing (like dudect) detects differences but cannot prove their absence. This skill recommends combining it with formal verification for high-assurance requirements.

Constant-Time Security Testing

Name: Constant-Time Security Testing
Author: trailofbits

bytrailofbits

•

939

•

Seguridad y Pruebas

Detects and analyzes timing side-channel vulnerabilities in cryptographic code to prevent secret data leakage.

The Constant-Time Testing skill provides specialized guidance for auditing cryptographic implementations to ensure execution time remains independent of secret data. It helps security researchers and developers identify risky patterns such as conditional jumps, cache-sensitive array accesses, and processor-dependent operations that can expose private keys. By leveraging a structured workflow involving statistical tools like dudect and dynamic analysis tools like Timecop, this skill enables users to detect, pinpoint, and remediate timing side channels across various cryptographic primitives and protocols.

Características Principales

01Guides dynamic runtime tracing to pinpoint exact lines of code causing leaks.

02Provides workflows for statistical timing analysis using dudect and Welch's t-test.

03Covers formal verification and symbolic execution approaches for high-assurance security.

04Identifies common timing violation patterns like conditional branching and cache-timing leaks.

05939 GitHub stars

06Offers remediation strategies and masking techniques for cryptographic implementation.

Casos de Uso

01Auditing cryptographic primitives and protocols for side-channel resistance.

02Implementing new cryptographic algorithms from scratch while following constant-time best practices.

03Reviewing security-critical pull requests that handle private keys or sensitive tokens.

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add trailofbits/skills constant-time-testing

For use in Claude.ai and ChatGPT

Download Skill