Constant Time Analysis
技能 已验证 活跃Detects timing side-channel vulnerabilities in cryptographic code. Use when implementing or reviewing crypto code, encountering division on secrets, secret-dependent branches, or constant-time programming questions in C, C++, Go, Rust, Swift, Java, Kotlin, C#, PHP, JavaScript, TypeScript, Python, or Ruby.
To help developers and security auditors identify and fix timing side-channel vulnerabilities in cryptographic code, ensuring secrets are not leaked through execution time variations.
功能
- Detects variable-time instructions (division, branches) in assembly/bytecode.
- Analyzes code for multiple languages and platforms.
- Supports cross-architecture and optimization level testing for compiled code.
- Provides guidance on constant-time fixes and secure coding patterns.
- Offers JSON output for CI integration.
使用场景
- Reviewing new or existing cryptographic code for potential timing attacks.
- Implementing constant-time programming practices for sensitive operations.
- Auditing libraries and frameworks for side-channel leakage.
- Debugging issues related to secret handling in crypto implementations.
非目标
- Detecting microarchitectural side-channels (e.g., cache timing, Spectre).
- Performing runtime analysis or dynamic instrumentation.
- Analyzing code for vulnerabilities other than timing side-channels.
- Providing cryptographic primitives; it only analyzes existing code.
Trust
- info:Issues AttentionIn the last 90 days, 13 issues were opened and 4 were closed. The closure rate is low (approx. 24%), but the number of open issues is not excessively high.
安装
请先添加 Marketplace
/plugin marketplace add trailofbits/skills/plugin install constant-time-analysis@trailofbits质量评分
已验证类似扩展
Semgrep Rule Creator
100Creates custom Semgrep rules for detecting security vulnerabilities, bug patterns, and code patterns. Use when writing Semgrep rules or building custom static analysis detections.
Safe Mode
100Prevent destructive operations using Claude Code hooks. Three modes — cautious (warn on dangerous commands), lockdown (restrict edits to one directory), and clear (remove restrictions). Uses PreToolUse matchers for Bash, Edit, and Write.
Fixflow
100使用严格的交付工作流执行编码任务:构建完整计划、分步实现、持续运行测试,并默认在每一步 (`per_step`) 后提交。当用户要求行为驱动交付或需求不明确时,支持显式提交策略覆盖 (`final_only`, `milestone`) 和可选的 BDD(给定/当/则)。
Ship Gate
100Pre-production audit that scans a codebase for security, database, deployment, code quality, AI/LLM, dependency, frontend, and observability issues. Intercepts deploy commands and blocks until critical items pass. Stack-agnostic. Use for "run ship gate", "am I ready to ship", "pre-launch audit", "can I deploy", "push to production", "go live checklist", "preflight check". Not for CI/CD setup or infra provisioning.
CodeQL Static Analysis
99Scans a codebase for security vulnerabilities using CodeQL's interprocedural data flow and taint tracking analysis. Triggers on "run codeql", "codeql scan", "codeql analysis", "build codeql database", or "find vulnerabilities with codeql". Supports "run all" (security-and-quality + security-experimental suites) and "important only" (high-precision security findings) scan modes. Also handles creating data extension models and processing CodeQL SARIF output.
Migrate Validate
100Validate pending migrations for foreign key consistency, rollback safety, and best practices