
Tobias Florek
> hi,
Just wanted to say that what I posted might give hope for such "branchless" code (or in fact: code that may branch, but by construction not in a detectable way).
> i don't have the papers handy, but on the same host you can observe cache line collisions. that means you cannot do something different that takes the same time and generates the same amount of heat. you will have to do _the same thing_.
For example Flush+Reload attack, https://eprint.iacr.org/2013/448.pdf. Or branch prediction attacks (see refs in the paper above). Absolutely beautiful stuff.
> of course packages like Vincent Hanquez's securemem provide that kind of equality check (and other very useful properties). so some building blocks are there. interaction with the garbage collector is still something to worry about though. in some gcs you can observe whether a string is in use somewhere in the program or not. i am not intimate with ghc's gc but i don't expect that particular vulnerability is a problem when using securemem (or even bytestring or text), but there might (and i assume will) be many other opportunities to observe some state from outside the program.
> don't let me discourage you though. every step towards fewer side channels is a valuable step!
> tob
-- lelf
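The early-exit comparison the thread warns about, beside a constant-time one, as an added example that is not from this thread or from securemem; it is in C because the data dependence is easiest to see at that level, and the 16-byte tag is a constructed value.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Leaky compare: returns at the first mismatch, so the bytes examined (and
 * the time taken) depend on where the inputs differ. 'steps' reports how
 * many bytes were touched, to make that dependence visible. */
int leaky_eq(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps) {
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) { *steps = i + 1; return 0; }
    }
    *steps = n;
    return 1;
}

/* Constant-time compare: touches every byte and ORs the differences into an
 * accumulator, so loop count and branch pattern do not depend on the data.
 * 'volatile' discourages the compiler from reintroducing an early exit but
 * is no guarantee, which is why audited primitives exist for this. */
int ct_eq(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps) {
    volatile uint8_t acc = 0;
    uint32_t v;
    size_t i;
    for (i = 0; i < n; i++) acc |= (uint8_t)(a[i] ^ b[i]);
    *steps = n;
    v = acc;
    /* Branch-free "acc == 0": bit 31 of (v | -v) is set iff v != 0. */
    return (int)(1u - ((v | (0u - v)) >> 31));
}

/* Demo: compare a constructed 16-byte tag with a copy wrong only at byte
 * 'pos' (pos >= 16 keeps the copy correct); 'steps' gets the bytes touched. */
int compare_demo(size_t pos, int constant_time, size_t *steps) {
    uint8_t tag[16], guess[16];
    size_t i;
    for (i = 0; i < 16; i++) tag[i] = (uint8_t)(0x10 + i); /* constructed */
    memcpy(guess, tag, sizeof tag);
    if (pos < 16) guess[pos] ^= 0xff;
    return constant_time ? ct_eq(tag, guess, 16, steps)
                         : leaky_eq(tag, guess, 16, steps);
}
/* Thin wrappers so the result and the step count can each be inspected. */
int demo_result(size_t pos, int constant_time) {
    size_t s; return compare_demo(pos, constant_time, &s);
}
size_t demo_steps(size_t pos, int constant_time) {
    size_t s; compare_demo(pos, constant_time, &s); return s;
}
```

With the leaky version a mismatch in byte 0 costs one step and a mismatch in byte 15 costs sixteen, which is exactly the difference a timing or cache observer measures; the constant-time version does the same work either way.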