🤖 AI Summary
This paper addresses timing opacity, a security property requiring that an adversary cannot infer from its execution-time observations whether a system visited a secret location, in timed automata (TA). Unlike conventional offline verification approaches, the authors propose the first runtime-enforceable, decidable, and constructive real-time controller for this property. Their method models the system as a clocked automaton, interprets control synthesis as a two-player game under timed semantics, and employs region abstraction to construct an explicit controller via backward induction. The synthesized controller dynamically enforces timing opacity under finite-precision observation, with complexity polynomial in the number of regions. The authors establish the decidability of timing-opacity enforceability for TA and provide an algorithmic construction yielding a provably correct, implementable controller. This advances the state of the art by simultaneously overcoming theoretical undecidability barriers and practical deployment limitations, enabling direct integration into resource-constrained embedded systems.
📝 Abstract
Timing leaks in timed automata (TA) can occur whenever an attacker is able to deduce a secret by observing some timed behavior. In execution-time opacity, the attacker aims to deduce whether a private location was visited by observing only the execution time. It can be decided whether a TA is opaque in this setting. In this work, we tackle control, and show that we are able to decide whether a TA can be controlled at runtime to ensure opacity. Our method is constructive, in the sense that we can exhibit such a controller. We also address the case in which the attacker cannot observe with infinite precision.
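As an added illustration (not code from the paper or its authors), the following constructs a small acyclic timed automaton with one clock reset on every edge, so a run's execution time is the sum of per-edge delays, and checks the assumed definition of execution-time opacity (private and public runs admit exactly the same set of execution times), both for an exact observer and for a finite-precision observer assumed to see only floor(duration / δ). The automaton, the opacity definition and the precision model are assumptions made for the example.

```python
from fractions import Fraction as F

# Constructed TA (assumption for this example): clock x is reset on each edge,
# so the execution time of a run is the sum of its edge delays. Edge = (src, dst, min, max).
EDGES = [
    ("l0", "priv", F(1), F(2)),   # goes through the private location
    ("priv", "lf", F(2), F(3)),
    ("l0", "l1", F(1), F(3)),     # public alternative
    ("l1", "lf", F(2), F(5, 2)),
]
INIT, FINAL, PRIVATE = "l0", "lf", {"priv"}


def path_intervals(edges, init, final, private):
    """Enumerate simple runs init->final; return ([lo,hi] of private runs, [lo,hi] of public runs)."""
    priv, pub = [], []
    def dfs(loc, seen, lo, hi, touched):
        if loc == final:
            (priv if touched else pub).append((lo, hi))
            return
        for s, d, mn, mx in edges:
            if s == loc and d not in seen:
                dfs(d, seen | {d}, lo + mn, hi + mx, touched or d in private)
    dfs(init, {init}, F(0), F(0), init in private)
    return priv, pub


def merge(intervals):
    """Normalise a union of closed intervals (sorted, overlapping ones merged)."""
    out = []
    for lo, hi in sorted(intervals):
        if out and lo <= out[-1][1]:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out


def is_et_opaque(edges, init=INIT, final=FINAL, private=PRIVATE):
    """Assumed full ET-opacity: private and public runs have the same execution-time set."""
    priv, pub = path_intervals(edges, init, final, private)
    return merge(priv) == merge(pub)


def observed(intervals, delta):
    """Finite-precision attacker (assumed model): sees only floor(duration / delta)."""
    return {k for lo, hi in intervals for k in range(int(lo // delta), int(hi // delta) + 1)}


def is_opaque_at_precision(edges, delta, init=INIT, final=FINAL, private=PRIVATE):
    """Opacity against the finite-precision observer: the observed value sets coincide."""
    priv, pub = path_intervals(edges, init, final, private)
    return observed(priv, delta) == observed(pub, delta)
```

Here the exact observer distinguishes the runs (private times are [3,5], public times [3,5.5]), while an observer with precision δ = 1 sees {3,4,5} in both cases and learns nothing; at δ = 1/2 the leak reappears.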