tacet 0.4.2

Detect timing side channels in cryptographic code
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133

//! Example comparing constant-time vs non-constant-time implementations.
//!
//! This demonstrates the CORRECT way to test operations:
//! - Pre-generate all inputs before measurement using InputPair
//! - The test closure receives a reference to the input
//! - Only the input data differs between fixed and random classes

use std::time::Duration;
use tacet::{helpers::InputPair, timing_test_checked, AttackerModel, Outcome, TimingOracle};

#[allow(clippy::redundant_closure)]
fn main() {
    println!("Comparing constant-time vs variable-time implementations\n");

    let secret = [0xABu8; 32];

    // Test 1: Variable-time comparison (should detect leak)
    println!("Testing variable-time comparison...");
    let outcome = timing_test_checked! {
        oracle: TimingOracle::for_attacker(AttackerModel::AdjacentNetwork)
            .time_budget(Duration::from_secs(30)),
        baseline: || [0xABu8; 32],  // Matches secret (early exit on first byte)
        sample: || rand_bytes(),   // Likely differs early
        measure: |data| {
            variable_time_compare(&secret, data);
        },
    };

    match outcome {
        Outcome::Pass {
            leak_probability, ..
        } => {
            println!("  Result: PASS (unexpected!)");
            println!("  Leak probability: {:.1}%\n", leak_probability * 100.0);
        }
        Outcome::Fail {
            leak_probability,
            exploitability,
            ..
        } => {
            println!("  Result: FAIL (expected)");
            println!("  Leak probability: {:.1}%", leak_probability * 100.0);
            println!("  Exploitability: {:?}\n", exploitability);
        }
        Outcome::Inconclusive {
            leak_probability, ..
        } => {
            println!("  Result: INCONCLUSIVE");
            println!("  Leak probability: {:.1}%\n", leak_probability * 100.0);
        }
        Outcome::Unmeasurable { recommendation, .. } => {
            println!("  Could not measure: {}\n", recommendation);
        }
        Outcome::Research(research) => {
            println!("  Result: RESEARCH MODE");
            println!("  Status: {:?}\n", research.status);
        }
    }

    // Test 2: Constant-time comparison (should not detect leak)
    println!("Testing constant-time comparison...");
    let inputs = InputPair::new(|| [0xABu8; 32], rand_bytes);

    let outcome = TimingOracle::for_attacker(AttackerModel::AdjacentNetwork)
        .time_budget(Duration::from_secs(30))
        .test(inputs, |data| {
            constant_time_compare(&secret, data);
        });

    match outcome {
        Outcome::Pass {
            leak_probability, ..
        } => {
            println!("  Result: PASS (expected)");
            println!("  Leak probability: {:.1}%", leak_probability * 100.0);
        }
        Outcome::Fail {
            leak_probability,
            exploitability,
            ..
        } => {
            println!("  Result: FAIL (unexpected!)");
            println!("  Leak probability: {:.1}%", leak_probability * 100.0);
            println!("  Exploitability: {:?}", exploitability);
        }
        Outcome::Inconclusive {
            leak_probability, ..
        } => {
            println!("  Result: INCONCLUSIVE");
            println!("  Leak probability: {:.1}%", leak_probability * 100.0);
        }
        Outcome::Unmeasurable { recommendation, .. } => {
            println!("  Could not measure: {}", recommendation);
        }
        Outcome::Research(research) => {
            println!("  Result: RESEARCH MODE");
            println!("  Status: {:?}", research.status);
        }
    }
}

/// Variable-time comparison with early exit (leaky).
fn variable_time_compare(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    for i in 0..a.len() {
        if a[i] != b[i] {
            return false;
        }
    }
    true
}

/// Constant-time comparison using XOR accumulator.
fn constant_time_compare(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut acc = 0u8;
    for i in 0..a.len() {
        acc |= a[i] ^ b[i];
    }
    acc == 0
}

fn rand_bytes() -> [u8; 32] {
    let mut arr = [0u8; 32];
    for byte in &mut arr {
        *byte = rand::random();
    }
    arr
}