Trail of Bits Adds Constant Time Support to LLVM, Bolstering Encryption Security

Today, Trail of Bits announced they’ve added constant-time coding support for LLVM, “providing developers with compiler-level guarantees that their cryptographic implementations remain secure against branching-related timing attacks.”

LLVM forms the basis of many widely-used compilers such as Clang. Compilers usually try to optimize code, which normally is a great thing. But for cryptography, it can be a huge issue.

The problem is that any data-dependent behavior in the compiled code would create a timing side channel. If the compiler introduces a branch like if (i == secret_idx), the CPU will take different amounts of time depending on whether the branch is taken. Modern CPUs have branch predictors that learn patterns, making correctly predicted branches faster than mispredicted ones. An attacker who can measure these timing differences across many executions can statistically determine which index is being accessed, effectively recovering the secret. Even small timing variations of a few CPU cycles can be exploited with sufficient measurements.

What you want is constant-time code, meaning that the input will not affect the amount of time the code takes to execute, thus avoiding timing attacks.

To that end, the Trail of Bits team have developed a new family of intrinsics, or built-in functions in the compiler, that will guarantee code that’s meant to be constant-time will stay that way.

Unlike regular code that the optimizer freely rearranges and transforms, this intrinsic acts as a barrier. The optimizer recognizes it as a security-critical operation and preserves its constant-time properties through every compilation stage, from source code to assembly.

They mention a study that found that compilers break constant-time guarantees in numerous production cryptographic libraries.

With their new intrinsic, they report minimal performance overhead, 100% preservation of constant-time properties, and already successful integration with several major cryptographic libraries.

Several languages have already expressed interest in adopting the new intrinsic, including Rust, Swift, and WebAssembly.

With attacks like Spectre and GoFetch still fresh on people’s minds, hopefully protections like this can keep our cryptography safe.