Verifying Constant-Time Execution of Hardware

Abstract

To be secure, cryptographic algorithms crucially rely on the underlying hardware to avoid inadvertent leakage of secrets through timing side channels. Unfortunately, such timing channels are ubiquitous in modern hardware, due to its labyrinthine fast-paths and optimizations. A promising way to avoid timing vulnerabilities is to devise—and verify—conditions under which a hardware design is free of timing variability, i.e., executes in constant time. While there have been significant strides in verifying constant-time execution for software, these efforts focus on sequential, cryptographic code. Unfortunately, this makes them unsuitable for hardware designs, which are inherently concurrent and long-lived.

First, we present Iodine: a clock-precise, constant-time approach to eliminating timing side channels in hardware. To realize Iodine, we first define a new notion of constant-time execution that is suitable for concurrent and long-lived computations. Our definition is based on the notion of influence sets, containing all cycles whose inputs influenced the current computation. We then show how to reduce the problem of verifying constant-time execution to the standard problem of verifying assertion validity.

Second, we present Xenon, which extends Iodine and scales to realistic hardware designs by exploiting modularity in VERILOG code via a notion of module summaries. Xenon drastically reduces the effort needed to localize the causes of verification failure via novel constant-time counterexamples, which are used to automatically synthesize minimal secrecy assumptions that enable constant-time verification.

We show how Xenon's summaries and assumption synthesis enable the verification of a variety of circuits, including a highly modular AES-256 implementation, where modularity cuts verification from six hours to under three seconds, and ScarV, a timing-channel-hardened RISC-V micro-controller whose size exceeds previously verified designs by an order of magnitude. We find that Iodine and Xenon present a practical way to specify and verify the absence of timing channels in hardware. They succeed in verifying various open-source hardware designs in seconds and with little developer effort, thanks to generated secrecy assumptions. They also discovered two constant-time violations: one in a floating-point unit and another in an RSA encryption module.
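As an added illustration of the influence-set idea above (a toy Python model written for this page, not the Iodine or Xenon tooling), the simulator below runs a clocked multiplier on two secret streams and records, for every emitted result, the set of input cycles that influenced it; a design is constant-time when those sets agree across the two runs. The unit, its 3x constant, the 8-cycle fixed latency and the secret streams are all constructed assumptions.

```python
class MulUnit:
    """Clocked unit multiplying a secret operand by a public constant (3).
    The non-constant-time variant models an early-exit fast path whose
    latency depends on the secret's leading zeros; the constant-time variant
    always takes 8 cycles."""

    def __init__(self, constant_time):
        self.constant_time = constant_time
        self.remaining = 0          # cycles left until the result is emitted
        self.influence = frozenset()  # input cycles feeding the pending result
        self.acc = 0

    def latency(self, secret):
        if self.constant_time:
            return 8
        return secret.bit_length() or 1  # data-dependent: the timing leak

    def step(self, cycle, secret):
        """One clock edge. Accept a new operand when idle, else count down.
        Returns (result, influence_set) on the cycle a result is emitted."""
        if self.remaining == 0:
            self.remaining = self.latency(secret)
            self.acc = secret * 3
            self.influence = frozenset({cycle})
            return None
        self.remaining -= 1
        if self.remaining == 0:
            return self.acc, self.influence
        return None


def trace(constant_time, secrets):
    """Map each output cycle to the influence set of the value emitted there."""
    unit, out = MulUnit(constant_time), {}
    for cycle, secret in enumerate(secrets):
        emitted = unit.step(cycle, secret)
        if emitted is not None:
            out[cycle] = emitted[1]
    return out


def is_constant_time(constant_time, secrets_a, secrets_b):
    """Iodine-style check: two runs differing only in secrets must emit
    outputs at the same cycles with identical influence sets."""
    return trace(constant_time, secrets_a) == trace(constant_time, secrets_b)


if __name__ == "__main__":
    small, large = [1] * 32, [255] * 32   # constructed secret streams
    print("fast-path unit constant-time:", is_constant_time(False, small, large))
    print("fixed-latency unit constant-time:", is_constant_time(True, small, large))
```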
