Why does it analyze assembly instead of just source code?

Compilers often optimize code in ways that introduce timing variations not visible in high-level source code. Analyzing assembly or bytecode ensures the analysis reflects what actually runs on the CPU.

Which programming languages does this skill support?

It supports a wide range of languages including C, C++, Go, Rust, Swift, Java, Kotlin, C#, PHP, JavaScript, TypeScript, Python, and Ruby.

Does it automatically fix the code?

No, this skill focuses on detection. It flags dangerous instructions and provides guidance, but a developer must verify the data flow and implement constant-time alternatives like bit-masking.

What are timing side-channel vulnerabilities?

Timing side-channels occur when the execution time of a program varies based on secret data, allowing an attacker to recover keys or plaintext by measuring how long an operation takes.

Constant-Time Analysis

Name: Constant-Time Analysis
Author: trailofbits

bytrailofbits

•

939

Security & Testing

Detects timing side-channel vulnerabilities in cryptographic code to prevent sensitive data leakage through execution timing.

About

Developed by Trail of Bits, this skill enables Claude to identify critical timing side-channel vulnerabilities in cryptographic implementations. It analyzes assembly and bytecode to detect operations like secret-dependent branches, divisions, and table lookups that vary in execution time based on input values. By supporting 12+ languages and allowing for cross-architecture and multi-optimization level testing, it helps developers ensure their encryption, signing, and key derivation logic remains secure against sophisticated timing attacks like KyberSlash.

Key Features

Assembly and bytecode-level detection of variable-time instructions
Optimization level auditing (O0-O3) to catch compiler-introduced leaks
Targeted function filtering for specific audit workflows
Multi-language analysis for C, C++, Rust, Go, Java, Python, and more
Cross-architecture testing support for x86_64 and ARM64
939 GitHub stars

Use Cases

Auditing cryptographic primitives for timing side-channel vulnerabilities
Verifying that compiler optimizations haven't broken constant-time logic
Reviewing code that handles private keys, plaintext, or authentication tokens

About

Key Features

Assembly and bytecode-level detection of variable-time instructions
Optimization level auditing (O0-O3) to catch compiler-introduced leaks
Targeted function filtering for specific audit workflows
Multi-language analysis for C, C++, Rust, Go, Java, Python, and more
Cross-architecture testing support for x86_64 and ARM64
939 GitHub stars

Use Cases

Auditing cryptographic primitives for timing side-channel vulnerabilities
Verifying that compiler optimizations haven't broken constant-time logic
Reviewing code that handles private keys, plaintext, or authentication tokens