@elizaos/skills 2.0.0-alpha.3

package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/bn_excerpt.js

@@ -0,0 +1,205 @@
+/**
+ * Excerpt from bn.js - BigNumber library
+ * https://github.com/indutny/bn.js
+ *
+ * This excerpt demonstrates common timing vulnerability patterns
+ * in JavaScript cryptographic libraries.
+ */
+
+// Division operations - use hardware division which has variable timing
+BN.prototype.div = function div(num) {
+  return this.divmod(num, 'div', false).div;
+};
+
+BN.prototype.mod = function mod(num) {
+  return this.divmod(num, 'mod', false).mod;
+};
+
+BN.prototype.umod = function umod(num) {
+  return this.divmod(num, 'mod', true).mod;
+};
+
+// Comparison function - early-exit on sign differences leaks timing
+BN.prototype.cmp = function cmp(num) {
+  if (this.negative !== 0 && num.negative === 0) return -1;
+  if (this.negative === 0 && num.negative !== 0) return 1;
+
+  var res = this.ucmp(num);
+  if (this.negative !== 0) return -res | 0;
+  return res;
+};
+
+// Unsigned comparison - iterates until difference found (timing leak)
+BN.prototype.ucmp = function ucmp(num) {
+  if (this.length > num.length) return 1;
+  if (this.length < num.length) return -1;
+
+  var res = 0;
+  for (var i = this.length - 1; i >= 0; i--) {
+    var a = this.words[i] | 0;
+    var b = num.words[i] | 0;
+    if (a === b) continue;  // Early exit - timing leak!
+    if (a < b) {
+      res = -1;
+    } else if (a > b) {
+      res = 1;
+    }
+    break;
+  }
+  return res;
+};
+
+// Modular exponentiation - windowed method with data-dependent branches
+Red.prototype.pow = function pow(a, num) {
+  if (num.isZero()) return new BN(1).toRed(this);
+  if (num.cmpn(1) === 0) return a.clone();
+
+  var windowSize = 4;
+  var wnd = new Array(1 << windowSize);
+  wnd[0] = new BN(1).toRed(this);
+  wnd[1] = a;
+  for (var i = 2; i < wnd.length; i++) {
+    wnd[i] = this.mul(wnd[i - 1], a);
+  }
+
+  var res = wnd[0];
+  var current = 0;
+  var currentLen = 0;
+  var start = num.bitLength() % 26;
+  if (start === 0) {
+    start = 26;
+  }
+
+  for (i = num.length - 1; i >= 0; i--) {
+    var word = num.words[i];
+    for (var j = start - 1; j >= 0; j--) {
+      var bit = (word >> j) & 1;
+      if (res !== wnd[0]) {
+        res = this.sqr(res);
+      }
+      // Data-dependent branch on secret exponent bit!
+      if (bit === 0 && current === 0) {
+        currentLen = 0;
+        continue;
+      }
+      current <<= 1;
+      current |= bit;
+      currentLen++;
+      if (currentLen !== windowSize && (i !== 0 || j !== 0)) continue;
+      res = this.mul(res, wnd[current]);
+      currentLen = 0;
+      current = 0;
+    }
+    start = 26;
+  }
+
+  return res;
+};
+
+// Division with remainder - internally uses variable-time division
+BN.prototype.divmod = function divmod(num, mode, positive) {
+  if (num.isZero()) {
+    throw new Error('division by zero');
+  }
+
+  if (this.isZero()) {
+    return {
+      div: new BN(0),
+      mod: new BN(0)
+    };
+  }
+
+  var div, mod, res;
+  if (this.negative !== 0 && num.negative === 0) {
+    res = this.neg().divmod(num, mode);
+    if (mode !== 'mod') {
+      div = res.div.neg();
+    }
+    if (mode !== 'div') {
+      mod = res.mod.neg();
+      if (positive && mod.negative !== 0) {
+        mod.iadd(num);
+      }
+    }
+    return { div: div, mod: mod };
+  }
+
+  // Uses division internally
+  if (this.length > num.length || this.cmp(num) >= 0) {
+    // Variable-time long division algorithm
+    var shift = num.bitLength() - this.bitLength();
+    // ... implementation uses / and % operators
+  }
+
+  return { div: div, mod: mod };
+};
+
+// Montgomery reduction - uses modular operations
+Mont.prototype.mul = function mul(a, b) {
+  if (a.isZero() || b.isZero()) return new BN(0)._forceRed(this);
+
+  var t = a.mul(b);
+  // Uses mod operation internally
+  var c = t.maskn(this.shift).mul(this.minv).imaskn(this.shift).mul(this.m);
+  var u = t.isub(c).iushrn(this.shift);
+  var res = u;
+
+  if (u.cmp(this.m) >= 0) {
+    res = u.isub(this.m);
+  } else if (u.cmpn(0) < 0) {
+    res = u.iadd(this.m);
+  }
+
+  return res._forceRed(this);
+};
+
+// Modular inverse - uses extended Euclidean algorithm with data-dependent iterations
+BN.prototype.invm = function invm(num) {
+  return this.egcd(num).a.umod(num);
+};
+
+BN.prototype._invmp = function _invmp(p) {
+  var a = this;
+  var b = p.clone();
+
+  if (a.negative !== 0) {
+    a = a.umod(p);
+  } else {
+    a = a.clone();
+  }
+
+  var x1 = new BN(1);
+  var x2 = new BN(0);
+
+  // Iterations depend on input values - timing leak
+  while (a.cmpn(1) > 0 && b.cmpn(1) > 0) {
+    // ... iteration count reveals information about inputs
+  }
+
+  return res;
+};
+
+// Test function to prevent dead code elimination
+function runBnOperations() {
+  var a = new BN('deadbeef', 16);
+  var b = new BN('cafebabe', 16);
+
+  // These operations have timing leaks
+  var divResult = a.div(b);
+  var modResult = a.mod(b);
+  var cmpResult = a.cmp(b);
+
+  console.log('Division:', divResult.toString(16));
+  console.log('Modulo:', modResult.toString(16));
+  console.log('Comparison:', cmpResult);
+}
+
+// Stub for BN constructor
+function BN(number, base) {
+  this.words = [];
+  this.length = 0;
+  this.negative = 0;
+}
+
+function Red() {}
+function Mont() {}

package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_constant_time.c

@@ -0,0 +1,181 @@
+/**
+ * Constant-time implementation of ML-DSA Decompose (Algorithm 36)
+ *
+ * This implementation avoids hardware division by using Barrett reduction
+ * and branchless conditional selection, ensuring constant-time execution.
+ *
+ * Based on Trail of Bits' ML-DSA implementation.
+ */
+
+#include <stdint.h>
+#include <stddef.h>
+
+// ML-DSA parameters
+#define Q 8380417
+#define GAMMA2_87 ((Q - 1) / 32)  // 261888 for ML-DSA-87
+#define GAMMA2_44 ((Q - 1) / 88)  // 95232 for ML-DSA-44/65
+
+// Barrett reduction constants for different gamma2 values
+// These allow division by 2*gamma2 without using DIV instruction
+// Computed as: ceil(2^32 / (2 * gamma2))
+#define BARRETT_MU_87 0x2081ULL      // For gamma2 = 261888 (ML-DSA-87): 2^32 / 523776
+#define BARRETT_MU_44 0x5A1DULL      // For gamma2 = 95232 (ML-DSA-44/65): 2^32 / 190464
+
+// Constant-time helper: returns 1 if x != 0, 0 otherwise
+static inline uint32_t ct_is_nonzero(uint32_t x) {
+    return (x | (uint32_t)(-(int32_t)x)) >> 31;
+}
+
+// Constant-time helper: returns 1 if x == 0, 0 otherwise
+static inline uint32_t ct_is_zero(uint32_t x) {
+    return 1 ^ ct_is_nonzero(x);
+}
+
+// Constant-time helper: returns 1 if x < y (unsigned), 0 otherwise
+static inline uint32_t ct_lt(uint32_t x, uint32_t y) {
+    return (x ^ ((x ^ y) | ((x - y) ^ y))) >> 31;
+}
+
+// Constant-time helper: returns 1 if x > y (unsigned), 0 otherwise
+static inline uint32_t ct_gt(uint32_t x, uint32_t y) {
+    return ct_lt(y, x);
+}
+
+// Constant-time helper: returns mask (0xFFFFFFFF if bit != 0, 0 otherwise)
+static inline uint32_t ct_mask(uint32_t bit) {
+    return (uint32_t)(-(int32_t)ct_is_nonzero(bit));
+}
+
+// Constant-time helper: select x if bit != 0, y otherwise
+static inline uint32_t ct_select(uint32_t x, uint32_t y, uint32_t bit) {
+    uint32_t m = ct_mask(bit);
+    return (x & m) | (y & ~m);
+}
+
+// Constant-time helper: select x if bit != 0, y otherwise (signed version)
+static inline int32_t ct_select_signed(int32_t x, int32_t y, uint32_t bit) {
+    return (int32_t)ct_select((uint32_t)x, (uint32_t)y, bit);
+}
+
+/**
+ * Barrett reduction to compute r / (2 * gamma2) without DIV instruction
+ *
+ * For gamma2 = 261888 (ML-DSA-87):
+ *   2 * gamma2 = 523776
+ *   mu = ceil(2^32 / 523776) = 8192 + some correction
+ *
+ * q = (r * mu) >> 32
+ */
+static inline uint32_t barrett_div(uint32_t r, uint64_t mu, uint32_t divisor) {
+    uint64_t q = ((uint64_t)r * mu) >> 32;
+    // Correction: if r - q*divisor >= divisor, add 1
+    uint32_t remainder = r - (uint32_t)q * divisor;
+    uint32_t correction = ct_gt(remainder, divisor - 1) | ct_is_zero(remainder - divisor + divisor);
+    return (uint32_t)q + (correction & ct_lt(remainder, r + 1));
+}
+
+/**
+ * CONSTANT-TIME: Decompose using Barrett reduction
+ *
+ * Decomposes r into (r1, r0) such that r = r1 * (2 * gamma2) + r0
+ * where -gamma2 < r0 <= gamma2.
+ *
+ * This implementation:
+ * 1. Uses Barrett reduction instead of hardware division
+ * 2. Uses branchless conditional selection instead of if statements
+ */
+void decompose_constant_time(uint32_t r, uint32_t gamma2, uint32_t *r1, int32_t *r0) {
+    uint32_t two_gamma2 = 2 * gamma2;
+
+    // Barrett reduction: compute r1 = r / (2 * gamma2)
+    // Using precomputed constants - select the right one using constant-time selection
+    // This avoids any runtime division
+    uint64_t mu_87 = BARRETT_MU_87;
+    uint64_t mu_44 = BARRETT_MU_44;
+
+    // Constant-time selection of mu based on gamma2
+    // Note: We use bit operations to select without branching
+    uint32_t is_87 = ct_is_zero(gamma2 - GAMMA2_87);
+    uint64_t mu = (mu_87 & (uint64_t)ct_mask(is_87)) |
+                  (mu_44 & (uint64_t)ct_mask(ct_is_zero(is_87)));
+
+    // Compute quotient using multiplication and shift (no DIV)
+    uint64_t q64 = ((uint64_t)r * mu) >> 32;
+    uint32_t q = (uint32_t)q64;
+
+    // Compute remainder: r0 = r - q * (2 * gamma2)
+    int32_t r0_temp = (int32_t)(r - q * two_gamma2);
+
+    // Correction: handle case where Barrett underestimates
+    // If r0_temp >= 2*gamma2, increment q and adjust r0
+    uint32_t needs_correction = ct_gt((uint32_t)r0_temp, two_gamma2 - 1);
+    q += needs_correction;
+    r0_temp = ct_select_signed(r0_temp - (int32_t)two_gamma2, r0_temp, needs_correction);
+
+    // Center r0 around 0: if r0 > gamma2, subtract 2*gamma2 and increment r1
+    // This is done branchlessly using constant-time selection
+    uint32_t needs_centering = ct_gt((uint32_t)r0_temp, gamma2);
+
+    *r0 = ct_select_signed(r0_temp - (int32_t)two_gamma2, r0_temp, needs_centering);
+    *r1 = q + needs_centering;
+}
+
+/**
+ * CONSTANT-TIME: UseHint using branchless selection
+ *
+ * All conditional logic is replaced with constant-time bit operations.
+ */
+uint32_t use_hint_constant_time(uint32_t r, uint32_t hint, uint32_t gamma2) {
+    uint32_t r1;
+    int32_t r0;
+
+    // Decompose (constant-time)
+    decompose_constant_time(r, gamma2, &r1, &r0);
+
+    // m = (Q - 1) / (2 * gamma2)
+    // Precomputed values to avoid runtime division
+    // For gamma2 = 261888: m = 8380416 / 523776 = 16 - 1 = 15
+    // For gamma2 = 95232: m = 8380416 / 190464 = 44 - 1 = 43
+    uint32_t m_87 = 15;
+    uint32_t m_44 = 43;
+    uint32_t is_87_hint = ct_is_zero(gamma2 - GAMMA2_87);
+    uint32_t m = ct_select(m_87, m_44, is_87_hint);
+
+    // If hint == 0, return r1
+    // If hint != 0:
+    //   If r0 > 0, return (r1 + 1) mod (m + 1)
+    //   Else return (r1 - 1 + (m + 1)) mod (m + 1)
+
+    // Compute both branches
+    uint32_t m_plus_1 = m + 1;
+
+    // r1_inc = (r1 + 1) mod (m + 1)
+    // Since r1 < m+1, we just need to check if r1 + 1 == m + 1
+    uint32_t r1_plus_1 = r1 + 1;
+    uint32_t r1_inc = ct_select(0, r1_plus_1, ct_is_zero(r1_plus_1 - m_plus_1));
+
+    // r1_dec = (r1 - 1 + (m + 1)) mod (m + 1) = (r1 + m) mod (m + 1)
+    uint32_t r1_plus_m = r1 + m;
+    uint32_t r1_dec = ct_select(r1_plus_m - m_plus_1, r1_plus_m,
+                                 ct_gt(r1_plus_m, m_plus_1 - 1));
+
+    // Select based on r0 > 0 (constant-time)
+    // r0 > 0 is equivalent to r0 being positive and non-zero
+    uint32_t r0_positive = ct_gt((uint32_t)((r0 >> 31) ^ r0), 0) & ct_is_zero((uint32_t)(r0 >> 31));
+    uint32_t adjusted = ct_select(r1_inc, r1_dec, r0_positive);
+
+    // Final selection based on hint
+    return ct_select(adjusted, r1, ct_is_zero(hint));
+}
+
+// Test functions to ensure code is not dead-code eliminated
+uint32_t test_decompose_ct(uint32_t r) {
+    uint32_t r1;
+    int32_t r0;
+    decompose_constant_time(r, GAMMA2_87, &r1, &r0);
+    return r1 + (uint32_t)r0;
+}
+
+uint32_t test_use_hint_ct(uint32_t r, uint32_t hint) {
+    return use_hint_constant_time(r, hint, GAMMA2_87);
+}

package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.c

@@ -0,0 +1,74 @@
+/**
+ * Vulnerable implementation of ML-DSA Decompose (Algorithm 36)
+ *
+ * This implementation uses hardware division which has data-dependent timing,
+ * making it vulnerable to timing side-channel attacks like KyberSlash.
+ *
+ * DO NOT use this in production - for testing purposes only.
+ */
+
+#include <stdint.h>
+
+// ML-DSA parameters
+#define Q 8380417
+#define GAMMA2_87 ((Q - 1) / 32)  // 261888 for ML-DSA-87
+#define GAMMA2_44 ((Q - 1) / 88)  // 95232 for ML-DSA-44/65
+
+/**
+ * VULNERABLE: Decompose using hardware division
+ *
+ * Decomposes r into (r1, r0) such that r = r1 * (2 * gamma2) + r0
+ * where -gamma2 < r0 <= gamma2.
+ *
+ * This uses the / and % operators which compile to DIV/IDIV instructions
+ * on x86, which have data-dependent timing.
+ */
+void decompose_vulnerable(int32_t r, int32_t gamma2, int32_t *r1, int32_t *r0) {
+    int32_t two_gamma2 = 2 * gamma2;
+
+    // VULNERABLE: Hardware division with data-dependent timing
+    *r1 = r / two_gamma2;
+    *r0 = r % two_gamma2;
+
+    // Center r0 around 0
+    if (*r0 > gamma2) {
+        *r0 -= two_gamma2;
+        *r1 += 1;
+    }
+}
+
+/**
+ * VULNERABLE: UseHint using branches on potentially secret data
+ *
+ * The hint values may be derived from secret data in some contexts,
+ * making these branches potentially exploitable.
+ */
+int32_t use_hint_vulnerable(int32_t r, int32_t hint, int32_t gamma2) {
+    int32_t r1, r0;
+
+    // This decompose call is also vulnerable
+    decompose_vulnerable(r, gamma2, &r1, &r0);
+
+    // VULNERABLE: Branch on hint which may depend on secret data
+    if (hint == 0) {
+        return r1;
+    }
+
+    // VULNERABLE: Branch on r0's sign
+    if (r0 > 0) {
+        return (r1 + 1) % ((Q - 1) / (2 * gamma2) + 1);
+    } else {
+        return (r1 - 1 + ((Q - 1) / (2 * gamma2) + 1)) % ((Q - 1) / (2 * gamma2) + 1);
+    }
+}
+
+// Test functions to ensure code is not dead-code eliminated
+int32_t test_decompose(int32_t r) {
+    int32_t r1, r0;
+    decompose_vulnerable(r, GAMMA2_87, &r1, &r0);
+    return r1 + r0;
+}
+
+int32_t test_use_hint(int32_t r, int32_t hint) {
+    return use_hint_vulnerable(r, hint, GAMMA2_87);
+}

package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.go

@@ -0,0 +1,78 @@
+// Package decompose contains vulnerable implementations of ML-DSA decompose
+// for testing the constant-time analyzer.
+//
+// DO NOT use this in production - for testing purposes only.
+package main
+
+// ML-DSA parameters
+const (
+	Q       = 8380417
+	Gamma87 = (Q - 1) / 32  // 261888 for ML-DSA-87
+	Gamma44 = (Q - 1) / 88  // 95232 for ML-DSA-44/65
+)
+
+// DecomposeVulnerable uses hardware division which has data-dependent timing.
+// This is vulnerable to timing side-channel attacks like KyberSlash.
+//
+// VULNERABLE: Uses / and % operators which compile to DIV instructions
+// that have variable execution time based on operand values.
+func DecomposeVulnerable(r int32, gamma2 int32) (r1 int32, r0 int32) {
+	twoGamma2 := 2 * gamma2
+
+	// VULNERABLE: Hardware division with data-dependent timing
+	r1 = r / twoGamma2
+	r0 = r % twoGamma2
+
+	// Center r0 around 0
+	// VULNERABLE: Branch on r0 which may depend on secret data
+	if r0 > gamma2 {
+		r0 -= twoGamma2
+		r1 += 1
+	}
+
+	return r1, r0
+}
+
+// UseHintVulnerable uses branches on potentially secret-derived data.
+//
+// VULNERABLE: Contains conditional branches that may leak timing information
+// when the hint or r values are derived from secret data.
+func UseHintVulnerable(r int32, hint int32, gamma2 int32) int32 {
+	r1, r0 := DecomposeVulnerable(r, gamma2)
+
+	m := (Q - 1) / (2 * gamma2)
+
+	// VULNERABLE: Branch on hint which may depend on secret data
+	if hint == 0 {
+		return r1
+	}
+
+	// VULNERABLE: Branch on r0's sign
+	if r0 > 0 {
+		return (r1 + 1) % (m + 1)
+	}
+	return (r1 - 1 + m + 1) % (m + 1)
+}
+
+// PowerDecomposeVulnerable demonstrates another vulnerable pattern:
+// using division for power-of-2 decomposition instead of bit shifts.
+func PowerDecomposeVulnerable(r int32, d int32) (r1 int32, r0 int32) {
+	// VULNERABLE: Should use bit shifts instead of division
+	// This compiles to IDIV even though it could be a simple shift
+	divisor := int32(1) << d
+	r1 = r / divisor
+	r0 = r % divisor
+	return r1, r0
+}
+
+func main() {
+	// Test calls to prevent dead code elimination
+	r1, r0 := DecomposeVulnerable(12345, Gamma87)
+	_ = r1 + r0
+
+	result := UseHintVulnerable(12345, 1, Gamma87)
+	_ = result
+
+	r1p, r0p := PowerDecomposeVulnerable(12345, 13)
+	_ = r1p + r0p
+}

package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.rs

@@ -0,0 +1,92 @@
+//! Vulnerable implementations of ML-DSA decompose for testing the constant-time analyzer.
+//!
+//! DO NOT use this in production - for testing purposes only.
+
+/// ML-DSA modulus
+const Q: i32 = 8380417;
+
+/// Gamma2 for ML-DSA-87
+const GAMMA2_87: i32 = (Q - 1) / 32; // 261888
+
+/// Gamma2 for ML-DSA-44/65
+const GAMMA2_44: i32 = (Q - 1) / 88; // 95232
+
+/// VULNERABLE: Decompose using hardware division
+///
+/// This implementation uses the / and % operators which compile to IDIV
+/// instructions on x86, which have data-dependent timing.
+///
+/// This makes it vulnerable to timing side-channel attacks like KyberSlash.
+#[inline(never)]
+pub fn decompose_vulnerable(r: i32, gamma2: i32) -> (i32, i32) {
+    let two_gamma2 = 2 * gamma2;
+
+    // VULNERABLE: Hardware division with data-dependent timing
+    let mut r1 = r / two_gamma2;
+    let mut r0 = r % two_gamma2;
+
+    // Center r0 around 0
+    // VULNERABLE: Branch on r0 which may depend on secret data
+    if r0 > gamma2 {
+        r0 -= two_gamma2;
+        r1 += 1;
+    }
+
+    (r1, r0)
+}
+
+/// VULNERABLE: UseHint using branches on potentially secret-derived data
+///
+/// The hint values may be derived from secret data in some contexts,
+/// making these branches potentially exploitable.
+#[inline(never)]
+pub fn use_hint_vulnerable(r: i32, hint: i32, gamma2: i32) -> i32 {
+    let (r1, r0) = decompose_vulnerable(r, gamma2);
+
+    let m = (Q - 1) / (2 * gamma2);
+
+    // VULNERABLE: Branch on hint which may depend on secret data
+    if hint == 0 {
+        return r1;
+    }
+
+    // VULNERABLE: Branch on r0's sign
+    if r0 > 0 {
+        (r1 + 1) % (m + 1)
+    } else {
+        (r1 - 1 + m + 1) % (m + 1)
+    }
+}
+
+/// VULNERABLE: Floating-point division
+///
+/// Uses floating-point division which has variable latency on most processors.
+#[inline(never)]
+pub fn fp_divide_vulnerable(a: f64, b: f64) -> f64 {
+    // VULNERABLE: FDIV/DIVSD has variable latency
+    a / b
+}
+
+/// VULNERABLE: Square root
+///
+/// Uses floating-point square root which has variable latency.
+#[inline(never)]
+pub fn fp_sqrt_vulnerable(x: f64) -> f64 {
+    // VULNERABLE: FSQRT/SQRTSD has variable latency
+    x.sqrt()
+}
+
+fn main() {
+    // Test calls to prevent dead code elimination
+    let (r1, r0) = decompose_vulnerable(12345, GAMMA2_87);
+    println!("Decompose: r1={}, r0={}", r1, r0);
+
+    let result = use_hint_vulnerable(12345, 1, GAMMA2_87);
+    println!("UseHint: {}", result);
+
+    let div_result = fp_divide_vulnerable(100.0, 3.0);
+    println!("FP Divide: {}", div_result);
+
+    let sqrt_result = fp_sqrt_vulnerable(2.0);
+    println!("FP Sqrt: {}", sqrt_result);
+}