Constant Time Analysis
Skill Verified ActiveDetects timing side-channel vulnerabilities in cryptographic code. Use when implementing or reviewing crypto code, encountering division on secrets, secret-dependent branches, or constant-time programming questions in C, C++, Go, Rust, Swift, Java, Kotlin, C#, PHP, JavaScript, TypeScript, Python, or Ruby.
To help developers and security auditors identify and fix timing side-channel vulnerabilities in cryptographic code, ensuring secrets are not leaked through execution time variations.
Features
- Detects variable-time instructions (division, branches) in assembly/bytecode.
- Analyzes code for multiple languages and platforms.
- Supports cross-architecture and optimization level testing for compiled code.
- Provides guidance on constant-time fixes and secure coding patterns.
- Offers JSON output for CI integration.
Use Cases
- Reviewing new or existing cryptographic code for potential timing attacks.
- Implementing constant-time programming practices for sensitive operations.
- Auditing libraries and frameworks for side-channel leakage.
- Debugging issues related to secret handling in crypto implementations.
Non-Goals
- Detecting microarchitectural side-channels (e.g., cache timing, Spectre).
- Performing runtime analysis or dynamic instrumentation.
- Analyzing code for vulnerabilities other than timing side-channels.
- Providing cryptographic primitives; it only analyzes existing code.
Trust
- info:Issues AttentionIn the last 90 days, 13 issues were opened and 4 were closed. The closure rate is low (approx. 24%), but the number of open issues is not excessively high.
Installation
First, add the marketplace
/plugin marketplace add trailofbits/skills/plugin install constant-time-analysis@trailofbitsQuality Score
VerifiedTrust Signals
Similar Extensions
Semgrep Rule Creator
100Creates custom Semgrep rules for detecting security vulnerabilities, bug patterns, and code patterns. Use when writing Semgrep rules or building custom static analysis detections.
Safe Mode
100Prevent destructive operations using Claude Code hooks. Three modes — cautious (warn on dangerous commands), lockdown (restrict edits to one directory), and clear (remove restrictions). Uses PreToolUse matchers for Bash, Edit, and Write.
Fixflow
100Execute coding tasks with a strict delivery workflow: build a full plan, implement one step at a time, run tests continuously, and commit by default after each step (`per_step`). Support explicit commit policy overrides (`final_only`, `milestone`) and optional BDD (Given/When/Then) when users ask for behavior-driven delivery or requirements are unclear.
Ship Gate
100Pre-production audit that scans a codebase for security, database, deployment, code quality, AI/LLM, dependency, frontend, and observability issues. Intercepts deploy commands and blocks until critical items pass. Stack-agnostic. Use for "run ship gate", "am I ready to ship", "pre-launch audit", "can I deploy", "push to production", "go live checklist", "preflight check". Not for CI/CD setup or infra provisioning.
CodeQL Static Analysis
99Scans a codebase for security vulnerabilities using CodeQL's interprocedural data flow and taint tracking analysis. Triggers on "run codeql", "codeql scan", "codeql analysis", "build codeql database", or "find vulnerabilities with codeql". Supports "run all" (security-and-quality + security-experimental suites) and "important only" (high-precision security findings) scan modes. Also handles creating data extension models and processing CodeQL SARIF output.
Migrate Validate
100Validate pending migrations for foreign key consistency, rollback safety, and best practices