Trail of Bits Blog
Introducing constant-time support for LLVM to protect cryptographic code
Trail of Bits has added constant-time coding support to LLVM to protect cryptographic implementations against timing attacks. The work, expected to ship in LLVM 22, consists of the __builtin_ct_select intrinsic together with the supporting infrastructure needed to carry its guarantee through the compiler's optimization pipeline.

The problem it addresses is that modern compilers optimize for speed and are free to rewrite code in ways that destroy the constant-time properties cryptographic code depends on. A simple table lookup written with branch-free arithmetic, for instance, can be transformed back into a conditional branch, so that execution time depends on the secret index and an attacker can recover it through a timing side channel. Research has shown that existing compilers do introduce such vulnerabilities into production cryptographic libraries.

__builtin_ct_select closes this gap by making the conditional selection an explicit operation the compiler must preserve as a constant-time select at every optimization level, rather than an ordinary expression it may transform. In effect it acts as a barrier around the security-critical operation. The post illustrates the difference with a lookup function revised to use the intrinsic.

The work builds on previous efforts and has drawn strong interest from communities such as Rust Crypto and BearSSL. The implementation produces constant-time code across architectures including x86-64, i386, and ARM, and initial benchmarks show minimal performance overhead with the constant-time properties fully preserved.

Future plans include extending support to arithmetic and string operations and enabling adoption in other LLVM-targeting languages.
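As an added example (not code from the post or from Trail of Bits), the table lookup below shows the "before" and "after" shapes the post describes: a lookup whose early exit leaks the index, beside one that reads every entry and blends the result through a constant-time select. The example assumes the intrinsic takes the form __builtin_ct_select(cond, a, b), a constant-time "cond ? a : b"; that form, the HAVE_CT_SELECT guard, and the function and table names are this example's own. When the compiler does not yet provide the builtin, ct_select_u32 falls back to the classic mask-and-blend idiom, which is exactly the kind of pattern the post warns an optimizer may rewrite into a branch, so the fallback is a portability convenience, not the guarantee the intrinsic gives. The sample table is constructed test data (the first eight bytes of the AES S-box).

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>
#include <stdio.h>

/* Use the intrinsic when the compiler provides it. Assumed form (not from the
 * post): __builtin_ct_select(cond, a, b) == constant-time "cond ? a : b". */
#if defined(__has_builtin)
#  if __has_builtin(__builtin_ct_select)
#    define HAVE_CT_SELECT 1
#  endif
#endif
#ifndef HAVE_CT_SELECT
#  define HAVE_CT_SELECT 0
#endif

/* Constant-time "cond ? a : b". cond must be exactly 0 or 1. */
static uint32_t ct_select_u32(uint32_t cond, uint32_t a, uint32_t b) {
#if HAVE_CT_SELECT
    return __builtin_ct_select((_Bool)cond, a, b);
#else
    /* mask is 0x00000000 for cond == 0 and 0xFFFFFFFF for cond == 1.
     * This blend is the portable idiom the post calls fragile: an optimizer
     * may recognise it and emit a branch instead. */
    uint32_t mask = (uint32_t)0 - cond;
    return (a & mask) | (b & ~mask);
#endif
}

/* Constant-time equality: 1 if x == y, else 0, built from bit operations only. */
static uint32_t ct_eq_size(size_t x, size_t y) {
    size_t diff = x ^ y;                 /* zero iff x == y */
    diff |= (size_t)0 - diff;            /* top bit set iff diff != 0 */
    return 1u ^ (uint32_t)(diff >> (sizeof(size_t) * CHAR_BIT - 1u));
}

/* Constructed sample table: first eight bytes of the AES S-box. */
static const uint32_t kTableDemo[8] = {
    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5
};

/* "Before": returns as soon as idx is found, so the number of iterations,
 * and therefore the running time, depends on the secret index. */
static uint32_t lookup_branchy(const uint32_t *table, size_t n, size_t idx) {
    for (size_t i = 0; i < n; i++) {
        if (i == idx) {
            return table[i];
        }
    }
    return 0;
}

/* "After": every entry is read and blended in; the work done is the same
 * for every idx, only the selection condition changes. Out-of-range idx
 * selects nothing and yields 0. */
static uint32_t lookup_ct(const uint32_t *table, size_t n, size_t idx) {
    uint32_t result = 0;
    for (size_t i = 0; i < n; i++) {
        result = ct_select_u32(ct_eq_size(i, idx), table[i], result);
    }
    return result;
}

int main(void) {
    size_t secret_idx = 5;
    printf("branchy: 0x%02x  constant-time: 0x%02x  (builtin available: %d)\n",
           lookup_branchy(kTableDemo, 8, secret_idx),
           lookup_ct(kTableDemo, 8, secret_idx),
           HAVE_CT_SELECT);
    return 0;
}
```

Both lookups return the same value; the difference is in what the generated code does on the way there. Checking that the "after" version actually stays branch-free on a given toolchain still means inspecting the emitted assembly, since without the intrinsic the compiler is under no obligation to keep the blend.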