Much ado about time — UTC and NTP: Part 1

This will be a two part blog as the topic’s breadth is quite vast. The first part will be a report breaking down the history of computer timekeeping along with a focus on modern security issues emerging from older protocols. The second part will be a hands-on look at building, breaking down and finding further security issues within NTP, UTC and associated risks both theoretical and on-the-radar tools in the modern software industry.

Time is the topic for the blog posts this week, and what better way to roll in 2022 than remembering part of technology’s timekeeping history. One can browse the internet to find all kinds of simple machines, interlocking gears of a watch, timepieces projected on a wall. Clocks are debatably some of the earliest analog computation machines in existence dating back to the mid 1200’s. [https://www.scientificamerican.com/article/a-chronicle-of-timekeeping-2006-02/]

No longer is humanity reliant on sundials to measure the days and nights. Technology advanced from the 12th century, and the digital revolution brought along just that, a digital system for keeping records including and not limited to time. By the 1980’s, computers such as later revision Apple II’s succeeded in bringing to the masses all in one devices with a plethora useful functionality such as timekeeping. [https://datasheets.maximintegrated.com/en/ds/DS1216-DS1216H.pdf] Devices such as PDA’s and video game consoles slowly integrated timekeeping mechanisms. Today, any modern computer from Mainframes to Internet of Things microcontrollers likely have built in timekeeping aspects.

Modern computers use a number of techniques, scripts and programs for timekeeping both locally and over networks. One such mechanism at the hardware level is found through a computers Basic Input Output System (BIOS). A cell battery powers the internal clock in case the system loses power completely, allowing the machine’s clock and volatile, temporary memory chips to continue with a working clock even without power. [https://www.hp.com/us-en/shop/tech-takes/what-is-cmos-battery-how-to-remove-and-replace]

Modern computers also have access to a technique known as the cron. This is a time based system to routinely execute scripts or functions on a system at a given date and time. The cron itself it a UNIX command dating back to the late 70’s, but is a key part of many modern OS’s from Apple and Microsoft in this day and age. [https://www.hostinger.com/tutorials/cron-job] While not a part of the timekeeping process, it’s a good segway into how computers and timekeeping accuracy can work together to achieve tasks automatically alongside software.

Timing is a vastly important topic to everything computing in our daily lives. In the context of information technology and security, time provides context such that logging, auditing and telemetry are kept in an order. Time in this context is useful as a label or tag to both data and metadata describing the information’s nature. If a digital event such as a system login can be matched to a time and a place with a high level of oversight and accuracy, you have created an essential system for security; Accountability. The Triple-A model of secure access covers Authentication, Authorization and Accounting. Time as you may have guessed plays the most significant role in Accounting.

The method that chosen that computers use for timekeeping is a digital binary system called Universal Coordinated Time (UTC). UTC replaced the previous timekeeping systems in place in the year 1967. [https://www.space.com/what-is-utc.html] UTC is, in a nutshell, a group of machines counting up in a digital, binary manner. Once a number goes up, it does not go back down. Timekeeping in the real world continues until time stops, which is why the digital system in place here makes sense. The software in charge of parsing the time then puts it through the region’s timezone, giving you a clock on your computer’s taskbar or widget on your smartphone device.

However there are some significant flaws with UTC in computing. Namely the 32 bit binary system which the standard is based on. One well known issue with UTC is that once the digital counter reaches the year 2038, all machines may potentially cease to function or cause major computer timekeeping errors. The problem doesn’t have an obvious solution other than supporting 64 bit binaries for UTC protocols, which has been implemented in frameworks such as java as time has went on (no pun intended).

Bugs resulting from UTC go beyond this glaring oversight. Interaction with other key programs such as the Global Positioning System (GPS) standard previously have had error causation traced back to rollover issues not unlike the 2038 bug. Issues in GPS can cause critical inaccuracies of locations from as small scale as delivery service logistics to as large scale as military missile guidance systems. The most recent issue surfaced in October 2021 with the UNIX GPSD daemon. The US Cybersecurity and Infrastructure Security (CISA) agency issues a warning of the effects of the bug and offered mitigation through applying appropriate patching. [https://www.cisa.gov/uscert/ncas/current-activity/2021/10/21/gps-daemon-gpsd-rollover-bug]

Various online cloud based software services are yet another service susceptible to issues with UTC based software bugs. In some instances, differing local client times and server times can prevent access to services entirely. This issue occurred with a cloud hosted multiplayer video game in 2021, stemming from the timekeeping implementation in the game’s digital rights management software. [https://www.dsogaming.com/news/star-wars-jedi-fallen-order-wwe-2k20-and-other-games-are-not-launching-due-to-a-denuvo-2020-bug/]

Larger organizations such as Microsoft have also grappled with the odd behavior of UTC rollover in the past. A distribution of Windows XP, Vista and Server 2003 and 2008 contained a bug where if machines are active for a certain extent of time, they will fail to create TCP connections and thus cease to perform critical system functions. For servers running production-facing infrastructure such as domain controllers, this poses a realistic risk component to Microsoft customers in charge of maintaining business-critical computing infrastructure. [https://support.microsoft.com/en-us/topic/all-the-tcp-ip-ports-that-are-in-a-time-wait-status-are-not-closed-after-497-days-from-system-startup-in-windows-vista-in-windows-7-in-windows-server-2008-and-in-windows-server-2008-r2-38c81adc-d990-c6f7-3689-91cca5d19a20]

UTC is also susceptible to mistakes from real world occurrences. Computers have to account for time adjustments depending on world location, geography, traditions such as daylight savings time and british summer time, leap seconds, leap years, and manual timekeeping oddities of real world physicist natures.

In the scope of computer security, these low level issues are critical to understand and mitigate discrepancies in times between two different points in vastly different states or continents. Timekeeping is key to numerous compliance documents, such as the upcoming Cybersecurity Maturity Model Certification required for all United States government contractors by 2025. [https://blog.rsisecurity.com/overview-of-cmmc-level-2-requirements/]

UTC is manageable on its own, however if it needs to jump a long distance, it needs to be formatted into a new protocol to move from software based system to system, or over the internet. To get there, the Network Time Protocol (NTP) was the standard created to convert and communicate information from UTC time to software. Projects have been created as part of distributed computing networks online. One such project is dedicated to providing timekeeping services through a pooled collection of clocks. The project is called the NTP Pool and has been around as an open source project for many decades. As the NTP Pool project describes on their making a server page “A person with a watch always knows the time, a person with two watches is never sure.”[https://www.pool.ntp.org/join.html] Multiple UTC measurements are collected remotely and compared to each other. Conclusions are drawn on what machines have the right time, and adjustments are made based on other factors, such as distance known as “Stratum”.

Understanding the concept of a Stratum is straightforward. Each level of a stratum is represented by a hop between NTP devices connected on the network. Many of the servers used for timekeeping as stratum 0’s online are either hard coded, highly tuned to fault tolerance, and require specialized equipment .A stratum 0 device is considered such a device, capable of keeping time-accuracy compatible to atomic clocks. These devices when outfitted with modern computer technologies are ready to communicate to neighbors over local networks and through the internet. At this point we find stratum-1 devices. These are devices located in geographic regions tasked with referencing time for a large number of systems. The numbers increase with each hop from here. Participants in the NTP pool project include open source software providers, military groups and government bodies, along with various worldwide volunteers. Access is open to anyone with a valid URI name schema and connection to UDP port 123 over the internet.

With that we reach the modern use of UTC and NTP in software. Later this month we’ll be looking at some independent research and guides on creating an NTP connected and configured device in the modern age, what each device is fit for, and some potential attacks and vulnerabilities with the NTP system as it exists. Tune in for the second part coming soon. Thanks for reading.

Stay safe.