Bug 239724

Summary: The ping command doesn't randomize ICMP timestamps and allows system time detection
Product: Base System
Reporter: Gordon Bergling <gbe>
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: New
Severity: Affects Many People
CC: cem, emaste, jlduran, vsasjason
Priority: ---
Keywords: patch
Version: CURRENT
Hardware: Any
OS: Any
Attachments:
ping(8) patch (flags: none)

Description Gordon Bergling freebsd_committer freebsd_triage 2019-08-08 19:13:30 UTC
Created attachment 206377 [details]
ping(8) patch

The current implementation of ping(8) doesn't randomize ICMP timestamps. The attached patch addresses this. Due to the applied randomized offset, the system time isn't guessable for an attacker and OS detection is nearly impossible.

This change was inspired by OpenBSD's ping(8) implementation.
Comment 1 Conrad Meyer freebsd_committer freebsd_triage 2019-08-09 00:59:55 UTC
Why not remove 'now' entirely and use purely fictitious values for tv_sec and tv_usec?  The code would be more straightforward.
Comment 2 Gordon Bergling freebsd_committer freebsd_triage 2019-08-10 12:49:21 UTC
I would think that "now" is necessary due to the calculation of the round trip time of the ICMP request and response packets. I would leave that patch as it is, also for the reason that OpenBSD is "running" with this change for a couple of years now.
Comment 3 Conrad Meyer freebsd_committer freebsd_triage 2019-08-10 15:18:10 UTC
So the random data in this case is being used as a one-time pad in a message to ourselves to provide privacy.  The OTP is subject to forgery.

Since we're talking to ourselves, we have other options.

We could put a MAC on it to prevent forgery.  Then we just have classic AEAD or EtM on the payload data ("now").

Or we could just keep a local association of random tokens to send times in the program (any map data structure), and just send the tokens and look up echo time on response.

The latter requires some modest memory use that doesn't seem to matter in typical ping use ("-i 1").  The former doesn't require the additional memory use.
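The second option above, a local association of random tokens to send times, as an added example that is neither the attached patch nor FreeBSD's or OpenBSD's ping code. It assumes /dev/urandom as the token source and a fixed table of 64 outstanding requests; the function names are hypothetical. Only the token travels in the ICMP payload, so a reply with a token we never sent (forged, stale or replayed) is rejected instead of yielding a bogus RTT:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#define SLOTS 64                 /* outstanding echo requests we remember */
struct pending { int used; uint64_t token; struct timeval sent; };
static struct pending table[SLOTS];   /* send times never leave the process */

/* 64-bit token from the kernel CSPRNG (assumes /dev/urandom exists). */
uint64_t fresh_token(void)
{
    uint64_t t;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL || fread(&t, sizeof t, 1, f) != 1) { perror("/dev/urandom"); exit(1); }
    fclose(f);
    return t;
}

/* Remember when a token was sent; the token is all that goes on the wire.
 * Returns -1 if the table is full or the token is already pending. */
int pending_add(uint64_t token, struct timeval sent)
{
    int slot = -1;
    for (int i = 0; i < SLOTS; i++) {
        if (table[i].used && table[i].token == token)
            return -1;                        /* refuse a collision */
        if (!table[i].used && slot < 0)
            slot = i;
    }
    if (slot < 0)
        return -1;
    table[slot] = (struct pending){ 1, token, sent };
    return 0;
}

/* On a reply, look the token up and consume it. Returns 0 with the RTT in
 * microseconds, or -1 if the token is unknown: forged, stale or replayed. */
int pending_rtt_us(uint64_t token, struct timeval now, long *rtt_us)
{
    for (int i = 0; i < SLOTS; i++) {
        if (table[i].used && table[i].token == token) {
            table[i].used = 0;
            *rtt_us = (now.tv_sec - table[i].sent.tv_sec) * 1000000L + (now.tv_usec - table[i].sent.tv_usec);
            return 0;
        }
    }
    return -1;
}
```

In the real program the sender would call pending_add(fresh_token(), now) before transmitting and pending_rtt_us() on each reply, with the RTT arithmetic replacing the timestamp subtraction ping does today.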
Comment 4 Gordon Bergling freebsd_committer freebsd_triage 2019-09-20 13:11:34 UTC
@Conrad, thanks for your input.

I am rethinking the current implementation based on your feedback and will come up with a new patch in a few days. I have seen that ping and ping6 are now merged together, so the new implementation would cover both protocols. :)

Gordon
Comment 5 Conrad Meyer freebsd_committer freebsd_triage 2019-09-20 14:11:52 UTC
Gordon, rethinking it over, I don't find the OTP especially objectionable; it just seems like we could do something better if we're getting into the game of securing ping.  Maybe that is an excessive demand for rigor?  If someone else wants to commit the OTP patch as-is, they should not hold back on my account.