Constant Time Analysis
Skill Verifiziert AktivDetects timing side-channel vulnerabilities in cryptographic code. Use when implementing or reviewing crypto code, encountering division on secrets, secret-dependent branches, or constant-time programming questions in C, C++, Go, Rust, Swift, Java, Kotlin, C#, PHP, JavaScript, TypeScript, Python, or Ruby.
To help developers and security auditors identify and fix timing side-channel vulnerabilities in cryptographic code, ensuring secrets are not leaked through execution time variations.
Funktionen
- Detects variable-time instructions (division, branches) in assembly/bytecode.
- Analyzes code for multiple languages and platforms.
- Supports cross-architecture and optimization level testing for compiled code.
- Provides guidance on constant-time fixes and secure coding patterns.
- Offers JSON output for CI integration.
Anwendungsfälle
- Reviewing new or existing cryptographic code for potential timing attacks.
- Implementing constant-time programming practices for sensitive operations.
- Auditing libraries and frameworks for side-channel leakage.
- Debugging issues related to secret handling in crypto implementations.
Nicht-Ziele
- Detecting microarchitectural side-channels (e.g., cache timing, Spectre).
- Performing runtime analysis or dynamic instrumentation.
- Analyzing code for vulnerabilities other than timing side-channels.
- Providing cryptographic primitives; it only analyzes existing code.
Trust
- info:Issues AttentionIn the last 90 days, 13 issues were opened and 4 were closed. The closure rate is low (approx. 24%), but the number of open issues is not excessively high.
Installation
Zuerst Marketplace hinzufügen
/plugin marketplace add trailofbits/skills/plugin install constant-time-analysis@trailofbitsQualitätspunktzahl
VerifiziertVertrauenssignale
Ähnliche Erweiterungen
Semgrep Rule Creator
100Creates custom Semgrep rules for detecting security vulnerabilities, bug patterns, and code patterns. Use when writing Semgrep rules or building custom static analysis detections.
Safe Mode
100Prevent destructive operations using Claude Code hooks. Three modes — cautious (warn on dangerous commands), lockdown (restrict edits to one directory), and clear (remove restrictions). Uses PreToolUse matchers for Bash, Edit, and Write.
Fixflow
100Führen Sie Codierungsaufgaben mit einem strengen Liefer-Workflow aus: Erstellen Sie einen vollständigen Plan, implementieren Sie Schritt für Schritt, führen Sie kontinuierlich Tests durch und committen Sie standardmäßig nach jedem Schritt (`per_step`). Unterstützt explizite Commit-Policy-Überschreibungen (`final_only`, `milestone`) und optional BDD (Given/When/Then), wenn Benutzer verhaltensgesteuerte Bereitstellung anfordern oder Anforderungen unklar sind.
Ship Gate
100Pre-production audit that scans a codebase for security, database, deployment, code quality, AI/LLM, dependency, frontend, and observability issues. Intercepts deploy commands and blocks until critical items pass. Stack-agnostic. Use for "run ship gate", "am I ready to ship", "pre-launch audit", "can I deploy", "push to production", "go live checklist", "preflight check". Not for CI/CD setup or infra provisioning.
CodeQL Static Analysis
99Scans a codebase for security vulnerabilities using CodeQL's interprocedural data flow and taint tracking analysis. Triggers on "run codeql", "codeql scan", "codeql analysis", "build codeql database", or "find vulnerabilities with codeql". Supports "run all" (security-and-quality + security-experimental suites) and "important only" (high-precision security findings) scan modes. Also handles creating data extension models and processing CodeQL SARIF output.
Migrate Validate
100Validate pending migrations for foreign key consistency, rollback safety, and best practices