Bug 239724 - The ping command doesn't randomize ICMP timestamps and allows system time detection
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-bugs mailing list
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2019-08-08 19:13 UTC by Gordon Bergling
Modified: 2019-08-10 15:18 UTC

See Also:


Attachments
ping(8) patch (2.56 KB, patch)
2019-08-08 19:13 UTC, Gordon Bergling
no flags

Description Gordon Bergling 2019-08-08 19:13:30 UTC
Created attachment 206377
ping(8) patch

The current implementation of ping(8) doesn't randomize ICMP timestamps. The attached patch addresses this. Due to the applied randomized offset, the system time isn't guessable for an attacker and OS detection is nearly impossible.

This change was inspired by OpenBSD's ping(8) implementation.
Comment 1 Conrad Meyer freebsd_committer 2019-08-09 00:59:55 UTC
Why not remove 'now' entirely and use purely fictitious values for tv_sec and tv_usec?  The code would be more straightforward.
Comment 2 Gordon Bergling 2019-08-10 12:49:21 UTC
I would think that "now" is necessary due to the calculation of the round trip time of the ICMP request and response packets. I would leave that patch as it is, also for the reason that OpenBSD is "running" with this change for a couple of years now.
Comment 3 Conrad Meyer freebsd_committer 2019-08-10 15:18:10 UTC
So the random data in this case is being used as a one-time pad in a message to ourself to provide privacy.  The OTP is subject to forgery.

Since we're talking to ourselves, we have other options.

We could put a MAC on it to prevent forgery.  Then we just have classic AEAD or EtM on the payload data ("now").

Or we could just keep a local association of random tokens to send times in the program (any map data structure), and just send the tokens and look up echo time on response.

The latter requires some modest memory use that doesn't seem to matter in typical ping use ("-i 1").  The former doesn't require the additional memory use.
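As an added illustration of the second option described in Comment 3 (a local map from random tokens to send times), here is a small C tracker. It is example code written for this page, not code from the attached patch or from the FreeBSD or OpenBSD ping(8) sources; the slot count, the struct and function names, and the use of /dev/urandom as the token source are choices made for the example. Only the random token is ever placed in the ICMP payload; the send time stays in process memory, so a reply carrying an unknown or already-used token is rejected instead of being trusted as a timestamp.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

/* Number of outstanding probes remembered. At "-i 1" this covers about 64 s
 * of unanswered echoes; the oldest slot is recycled when the ring is full.
 * The constant and the struct names are choices made for this example. */
#define TRACK_SLOTS 64

struct probe {
    uint64_t token;       /* random value carried in the ICMP payload */
    struct timeval sent;  /* send time, kept local and never transmitted */
    int in_use;
};

struct tracker {
    struct probe slots[TRACK_SLOTS];
    unsigned next;        /* ring write index */
};

void tracker_init(struct tracker *t) { memset(t, 0, sizeof *t); }

/* Draw a fresh token from the OS CSPRNG. Returns 1 on success, 0 on failure;
 * the caller must not fall back to a predictable source. */
int random_token(uint64_t *out) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return 0;
    size_t n = fread(out, sizeof *out, 1, f);
    fclose(f);
    return n == 1;
}

/* Record a probe before sending: only the token goes on the wire. */
void tracker_add(struct tracker *t, uint64_t token, struct timeval sent) {
    struct probe *p = &t->slots[t->next % TRACK_SLOTS];
    p->token = token;
    p->sent = sent;
    p->in_use = 1;
    t->next++;
}

/* On an echo reply: look the token up, compute the RTT in microseconds and
 * retire the slot so a replayed reply cannot be counted twice.
 * Returns 1 on a match, 0 when the token is unknown (forged, stale or duplicate). */
int tracker_match(struct tracker *t, uint64_t token, struct timeval recv, long *rtt_us) {
    for (unsigned i = 0; i < TRACK_SLOTS; i++) {
        struct probe *p = &t->slots[i];
        if (p->in_use && p->token == token) {
            *rtt_us = (recv.tv_sec - p->sent.tv_sec) * 1000000L
                    + (recv.tv_usec - p->sent.tv_usec);
            p->in_use = 0;
            return 1;
        }
    }
    return 0;
}

/* Worked scenario with constructed timestamps: probe sent at t=100.500000 s,
 * reply seen at t=101.250000 s, so the RTT is 750000 us. */
long scenario_rtt_us(void) {
    struct tracker t;
    struct timeval sent = { 100, 500000 }, recv = { 101, 250000 };
    long rtt = -1;
    tracker_init(&t);
    tracker_add(&t, 0x0123456789abcdefULL, sent);
    tracker_match(&t, 0x0123456789abcdefULL, recv, &rtt);
    return rtt;
}

/* Same scenario: a reply carrying a token we never sent, and a second copy of
 * a genuine reply, must both be rejected. Returns 1 if both are. */
int scenario_rejects_forgery(void) {
    struct tracker t;
    struct timeval sent = { 100, 500000 }, recv = { 101, 250000 };
    long rtt;
    tracker_init(&t);
    tracker_add(&t, 0x0123456789abcdefULL, sent);
    if (tracker_match(&t, 0xfeedfacecafebeefULL, recv, &rtt)) return 0;  /* unknown token */
    if (!tracker_match(&t, 0x0123456789abcdefULL, recv, &rtt)) return 0; /* genuine reply */
    if (tracker_match(&t, 0x0123456789abcdefULL, recv, &rtt)) return 0;  /* replayed reply */
    return 1;
}

int main(void) {
    struct tracker t;
    struct timeval now;
    uint64_t tok;
    long rtt;
    tracker_init(&t);
    if (!random_token(&tok)) return 1;
    gettimeofday(&now, NULL);
    tracker_add(&t, tok, now);           /* here ping would emit the echo request */
    gettimeofday(&now, NULL);            /* here it would have received the reply */
    if (tracker_match(&t, tok, now, &rtt))
        printf("token %016llx matched, rtt=%ld us\n", (unsigned long long)tok, rtt);
    printf("scenario rtt=%ld us, forgery rejected=%d\n",
           scenario_rtt_us(), scenario_rejects_forgery());
    return 0;
}
```

The memory cost is the point made in the comment: 64 slots of a token, a timeval and a flag is well under 2 KB, and with "-i 1" a slot is held for at most a few seconds before it is retired or recycled. What this buys over an offset-only scheme is that the receiver verifies the reply rather than decoding it, so a payload it did not produce yields no RTT and leaks no clock value.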