Category Archives: ntp

23:59:60, the cyberisland and the leap second that we forgot



The US is busy planning for the leap second transition


Please see my previous blog post if you are not familiar with the leap second issue.


The US has a document for "Best Practices" (URL: http://www.gps.gov/news/2015/05/leap-second/2015-best-practices-for-leap-second.pdf) which has been published by the Department of Homeland Security. I'm going to quote a few sections from it: Sponsored by the National Cybersecurity and Communications Integration Center in coordination with the United States Naval Observatory, National Institute of Standards and Technology, the USCG Navigation Center, and the Nation al Coordination Office for Space - Based Positioni ng, Navigation and Timing . This product is intended to assist federal, state, local, and private sector organizations with preparations for the 30 - June 2 015 Leap Second event.

Below the introduction part of the document are a list of well detailed steps to prepare for the transition for the leap second that will occure on the 30th of June.

Meanwhile in Mauritius

I immediately went to look for the same information for Mauritius. My first choice is the Mauritius Standards Bureau. Looking at the relevant pages show nothing about Time (url: http://msb.intnet.mu/).

My 2nd choice is thus CERT-MU, which is the Mauritian equivalent of CyberSecurity, expecting to find a document for "Best Practices" for the Leap Second. Result of the search on CERT-MU website : Zero.

At this I start wondering what could be impacted by leap second in Mauritius. Websites crashes have been reported when previous leap seconds were added. Quote from a website: Sites such as Reddit, Gawker, LinkedIn, Foursquare and Yelp crashed after a "leap second" was added to the universal clock in order to keep up with the Earth's rotation. So, A few critical websites might crash. This is important to everyday users.

Other problems ?

Wikipedia says that: Older versions of Motorola Oncore VP, UT, GT, and M12 GPS receivers had a software bug that would cause a single timestamp to be off by a day if no leap second was scheduled for 256 weeks. How many companies are relying on GPS for their operation: Car fleets, Car drivers, boats, and people with smartphones, and The Amadeus airline reservation system was disrupted for more than two hours which affects plane fights.

Conclusion

Important information such as leap second transition should have been available on CERT-MU website so that people and organizations can better prepare themselves, and avoid disruptive problems across the Mauritian Infrastructure.

23:59:60, the cyberisland and the leap second that we forgot



The US is busy planning for the leap second transition


Please see my previous blog post if you are not familiar with the leap second issue.


The US has a document for "Best Practices" (URL: http://www.gps.gov/news/2015/05/leap-second/2015-best-practices-for-leap-second.pdf) which has been published by the Department of Homeland Security. I'm going to quote a few sections from it: Sponsored by the National Cybersecurity and Communications Integration Center in coordination with the United States Naval Observatory, National Institute of Standards and Technology, the USCG Navigation Center, and the Nation al Coordination Office for Space - Based Positioni ng, Navigation and Timing . This product is intended to assist federal, state, local, and private sector organizations with preparations for the 30 - June 2 015 Leap Second event.

Below the introduction part of the document are a list of well detailed steps to prepare for the transition for the leap second that will occure on the 30th of June.

Meanwhile in Mauritius

I immediately went to look for the same information for Mauritius. My first choice is the Mauritius Standards Bureau. Looking at the relevant pages show nothing about Time (url: http://msb.intnet.mu/).

My 2nd choice is thus CERT-MU, which is the Mauritian equivalent of CyberSecurity, expecting to find a document for "Best Practices" for the Leap Second. Result of the search on CERT-MU website : Zero.

At this I start wondering what could be impacted by leap second in Mauritius. Websites crashes have been reported when previous leap seconds were added. Quote from a website: Sites such as Reddit, Gawker, LinkedIn, Foursquare and Yelp crashed after a "leap second" was added to the universal clock in order to keep up with the Earth's rotation. So, A few critical websites might crash. This is important to everyday users.

Other problems ?

Wikipedia says that: Older versions of Motorola Oncore VP, UT, GT, and M12 GPS receivers had a software bug that would cause a single timestamp to be off by a day if no leap second was scheduled for 256 weeks. How many companies are relying on GPS for their operation: Car fleets, Car drivers, boats, and people with smartphones, and The Amadeus airline reservation system was disrupted for more than two hours which affects plane fights.

Conclusion

Important information such as leap second transition should have been available on CERT-MU website so that people and organizations can better prepare themselves, and avoid disruptive problems across the Mauritian Infrastructure.

Havoc on the 30th of june

Big news: The earth is not rotating uniformly !

Planet earth does not rotate uniformly. They are some subtle changes that affect its rotation. Those subtle changes affect the reference clocks that are used to keep time accurate on your computer, your smartphone, and the servers at Google, Yahoo!,Facebook, and instagram. If you think that time is not important, Have a look at your facebook posts, and see the time-stamp attached to each facebook post. Time is used everywhere on the internet :)

A Leap second

To account for those subtle changes in rotation, a leap second was introduced. A second is introduced each time those subtle changes occur. However, that insertion can cause issues on systems such as GPS. Some systems might not be able to handle the additional second, and crash and/or overload. The next leap second will occur on the 30th of June at midnight.

Keep your time in sync

The solution consists of using an NTP client on your servers, and correctly sync with a reliable Time Source, such as pool.ntp.org. So, please make sure that your servers are properly configured with NTP :)



--Logan

Improving NTP security against overflows

Saving the world ... on time !

ntp_intro

The Network time protocol is a standard which is used to keep our computer's time accurate. The science involved in keeping clocks ticking on computers is far more complex than most people would assume.

As a comparison: The number of lines of code for University of Delaware NTP implementation -- which is the most widely deployed NTP software -- is slightly less than the source code of Internet Software Consortium's BIND product. I will spare us the details of the hair-pulling mathematics involved :)

Security record of Delaware NTP

I do not want to criticise the work of the past NTP developers. I am merely looking at the list of past vulnerabilities:

  • Buffer overflow in crypto_recv()
  • Buffer overflow in ctl_putdata()
  • Buffer overflow in configure()

So what is a buffer overflow ? Let's use a picture to illustrate this:

buffer_overflow

As we can see here: The attacker keeps putting more sugar in the pan until it literally overflows. In computers, you can do the same thing. You can put more input than the storage location can accept, and you essentially overflow its content to the next adjcent storage location. There's one difference however: if you are smart, you can use the overflowing "sugar" to take control of the remote computer ! This is one of the classic ways to crack into a remote computer such as an NTP server, a Mac OS X laptop, or even a windows laptop. For geeks, you can put some "magic" in the overflowing sugar that executes "/bin/bash" and you can then run whatever you want on the NTP service.

Defeating overflows

I have extended the NTP memory allocator -- a manager which is in charge of allocating storage space in live memory -- and added an additional function that checks for buffer overflows that occur under certain conditions, namely multiplication. As I said previously, a lot of NTP involves complex mathematical calculations that can lead to vulnerabilities. This defeats an entire class of buffer overflows in NTP. Due to the large number of products that use University of Delaware NTP software, this is a significant step towards improving the Internet Security at large !

To put it in more simpler terms: We prevent the attacker from overflowing the pan with sugar. We have detectors in place that signal to the chef that something went wrong in the kitchen.

List of products using University of Delaware NTP software

I have attempted to list a few well known products which use University of Delaware NTP software. This is by no means, exhaustive:

  • Various CISCO products.
  • RedHat/CentOS Linux.
  • Ubuntu Linux.
  • Apple Macbooks.
  • And many others


--Logan