CP
cyberpings
VulnerabilitiesHIGH

LLVM Gains Constant-Time Support to Secure Cryptographic Code

TOTrail of Bits Blog
LLVMconstant-timeTrail of Bitstiming attackscryptography
🎯

Basically, LLVM now helps developers write safer code that protects secrets from timing attacks.

Quick Summary

Trail of Bits has developed constant-time support for LLVM, enhancing security for cryptographic code. This affects developers using LLVM, ensuring their implementations are safe from timing attacks. With this update, you can write more secure code with confidence. Stay tuned for LLVM 22 to take advantage of these improvements!

What Happened

In a significant development for cryptographic security, Trail of Bits has introduced constant-time coding support for LLVM. This new feature aims to protect cryptographic implementations from timing attacks that exploit variations in execution time. The upcoming LLVM 22 release will include this support, which utilizes a new family of intrinsics called __builtin_ct_select.

Timing attacks can be a serious threat. They occur when an attacker measures how long it takes a program to execute certain operations. If a program behaves differently based on secret values, attackers can infer those secrets based on timing differences. For example, if a program checks a secret index and takes longer for certain values, an attacker can exploit this to reveal the secret. The new LLVM features are designed to prevent such vulnerabilities by ensuring that cryptographic code remains constant-time, regardless of how the compiler optimizes it.

Why Should You Care

If you use cryptographic functions in your applications, this development is crucial. Your sensitive data, like passwords and personal information, could be at risk if the code isn't properly secured against timing attacks. Think of it like a safe that opens differently based on how you turn the dial; if someone can time your movements, they might crack the code.

For developers, this means you can now write cryptographic code with more confidence. The new intrinsics act like a safety net, ensuring that your code behaves predictably, no matter how much optimization the compiler tries to apply. This is especially important in industries where security is paramount, such as finance and healthcare.

What's Being Done

The Trail of Bits team is actively reviewing and finalizing these changes for the LLVM 22 release. Here’s what you can do if you’re a developer:

  • Start using the __builtin_ct_select intrinsic in your cryptographic code to ensure constant-time execution.
  • Review your existing libraries for potential vulnerabilities that could arise from compiler optimizations.
  • Stay informed about updates from Trail of Bits and LLVM to understand how these changes can impact your work.

Experts are closely monitoring the adoption of these intrinsics in production environments to see how effectively they mitigate timing attack risks. Expect more discussions and studies around this topic as developers begin to implement these new features in their projects.

🔒 Pro insight: The introduction of `__builtin_ct_select` could significantly reduce timing attack vectors in cryptographic libraries, but widespread adoption will be key.

Original article from

Trail of Bits Blog

Read Full Article

Share

Related Pings

HIGHVulnerabilities

Vulnerabilities - CodeBreach Exposes AWS Console Supply Chain

A critical vulnerability in AWS CodeBuild has been uncovered, allowing attackers to hijack GitHub repositories. This flaw poses a significant risk of credential theft and malicious code injection. AWS has addressed the issue, but organizations must remain vigilant against similar vulnerabilities.

CyberWire Daily·
HIGHVulnerabilities

Trivy Vulnerability Scanner - Backdoored with Credential Stealer

A serious breach has compromised the Trivy vulnerability scanner, injecting malware into its official releases. Thousands of developers are at risk as the attack targets CI/CD workflows. Immediate action is needed to rotate secrets and secure environments against potential supply chain attacks.

CSO Online·
CRITICALVulnerabilities

Chrome Vulnerabilities - Critical Update Released

Google has released a critical update for Chrome, fixing 26 vulnerabilities. Users must update to avoid remote code execution risks. Stay secure with the latest version.

Cyber Security News·
CRITICALVulnerabilities

Oracle Vulnerability - Urgent RCE Flaw Update Issued

Oracle has announced a critical RCE vulnerability affecting Identity Manager and Web Services Manager. This flaw could allow attackers to take full control of systems. Immediate patching is essential to protect sensitive data and infrastructure.

Cyber Security News·
CRITICALVulnerabilities

Critical Langflow RCE Vulnerability Exploited Within 20 Hours

A critical vulnerability in Langflow was exploited within 20 hours of disclosure. Attackers can execute arbitrary code, risking sensitive data. Immediate updates and monitoring are essential for protection.

SC Media·
CRITICALVulnerabilities

Ubiquiti - Critical Vulnerabilities in UniFi Patched

Ubiquiti has patched critical vulnerabilities in its UniFi Network Application that could allow account takeovers. Users need to update their software immediately to protect sensitive data and configurations. Ignoring these updates could lead to severe security risks.

SC Media·