
Constant-time support coming to LLVM: Protecting cryptographic code at the compiler level

Trail of Bits developed constant-time coding support for LLVM 21, safeguarding cryptographic implementations against timing attacks by preventing the compiler from introducing branches. The work introduces the __builtin_ct_select family of intrinsics, which keep constant-time operations secure throughout the compilation process.

Modern compiler optimizations can inadvertently introduce timing side channels, leaving cryptographic code vulnerable. The __builtin_ct_select intrinsic guarantees that the selection operation compiles to constant-time machine code, acting as a barrier against unwanted optimizations. This addresses vulnerabilities found in production cryptographic libraries, where compilers have broken constant-time guarantees.

Community engagement, including feedback from Rust Crypto and LLVM developers, was crucial to the project's development. The implementation ensures that __builtin_ct_select compiles to constant-time code across multiple architectures, including x86-64, i386, ARM, and AArch64. Benchmarking shows minimal performance overhead and 100% preservation of constant-time properties, with successful integration in major cryptographic libraries.

Future plans include extending the implementation to arithmetic, string operations, and expressions, with potential adoption in Rust, Swift, and WebAssembly. This work was a collaboration with ETH Zürich and supported by DARPA.
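A constant-time select and a byte comparison built on it, as an added example (not code from the Trail of Bits post or from LLVM): it uses __builtin_ct_select when the compiler provides it, assuming a (condition, value_if_true, value_if_false) argument order, and otherwise falls back to the mask idiom that an optimizer is free to rewrite into a branch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#ifndef __has_builtin
#define __has_builtin(x) 0
#endif

/* Return a if cond != 0, else b, without a data-dependent branch.
   With a Clang that has __builtin_ct_select (LLVM 21+), the intrinsic acts
   as a barrier so the optimizer cannot lower the selection to a branch.
   The fallback is the classic mask trick: correct, but the compiler gives
   no guarantee that it stays branch-free after optimization. */
static uint32_t ct_select_u32(uint32_t cond, uint32_t a, uint32_t b) {
#if __has_builtin(__builtin_ct_select)
    /* assumed argument order: (condition, if_true, if_false) */
    return __builtin_ct_select(cond != 0, a, b);
#else
    uint32_t mask = (uint32_t)0 - (uint32_t)(cond != 0); /* all-ones or zero */
    return (a & mask) | (b & ~mask);
#endif
}

/* Constant-time equality over n bytes: 1 if equal, 0 otherwise.
   Executes the same instruction sequence regardless of where x and y differ,
   unlike memcmp, which stops at the first mismatching byte. */
static int ct_equal(const uint8_t *x, const uint8_t *y, size_t n) {
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint32_t)(x[i] ^ y[i]);
    /* (diff | -diff) has its top bit set exactly when diff != 0 */
    return (int)(1u ^ ((diff | (0u - diff)) >> 31));
}

/* Constant-time conditional copy: dst = src if cond, else dst unchanged. */
static void ct_cmov(uint8_t *dst, const uint8_t *src, size_t n, uint32_t cond) {
    for (size_t i = 0; i < n; i++)
        dst[i] = (uint8_t)ct_select_u32(cond, src[i], dst[i]);
}

int main(void) {
    /* constructed sample: a stored tag and a candidate tag */
    const uint8_t tag[4] = {0xde, 0xad, 0xbe, 0xef};
    uint8_t cand[4]      = {0xde, 0xad, 0xbe, 0x00};
    int ok = ct_equal(tag, cand, sizeof tag);          /* 0: last byte differs */
    ct_cmov(cand, tag, sizeof tag, (uint32_t)(ok == 0)); /* overwrite on mismatch */
    printf("equal=%d cand[3]=%02x\n", ok, cand[3]);    /* equal=0 cand[3]=ef */
    return 0;
}
```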