Bug 239724 - The ping command doesn't randomize ICMP timestamps and allows system time detection
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-bugs mailing list
Keywords: patch
Reported: 2019-08-08 19:13 UTC by Gordon Bergling
Modified: 2019-09-20 14:11 UTC (History)

Attachments
ping(8) patch (2.56 KB, patch)
2019-08-08 19:13 UTC, Gordon Bergling

Description Gordon Bergling 2019-08-08 19:13:30 UTC
Created attachment 206377
ping(8) patch

The current implementation of ping(8) doesn't randomize ICMP timestamps. The attached patch addresses this. Due to the applied randomized offset the system time isn't guessable for an attacker and OS detection is nearly impossible.

This change was inspired by OpenBSD's ping(8) implementation.
Comment 1 Conrad Meyer freebsd_committer 2019-08-09 00:59:55 UTC
Why not remove 'now' entirely and use purely fictitious values for tv_sec and tv_usec?  The code would be more straightforward.
Comment 2 Gordon Bergling 2019-08-10 12:49:21 UTC
I would think that "now" is necessary due to the calculation of the round trip time of the ICMP request and response packets. I would leave that patch as it is, also for the reason that OpenBSD is "running" with this change for a couple of years now.
Comment 3 Conrad Meyer freebsd_committer 2019-08-10 15:18:10 UTC
So the random data in this case is being used as a one-time pad in a message to ourselves to provide privacy.  The OTP is subject to forgery.

Since we're talking to ourselves, we have other options.

We could put a MAC on it to prevent forgery.  Then we just have classic AEAD or EtM on the payload data ("now").

Or we could just keep a local association of random tokens to send times in the program (any map data structure), and just send the tokens and look up echo time on response.

The latter requires some modest memory use that doesn't seem to matter in typical ping use ("-i 1").  The former doesn't require the additional memory use.
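An added sketch of the two alternatives to the XOR offset that the comment above describes, written here for illustration and not taken from the attached patch, FreeBSD or OpenBSD: an encrypt-then-MAC payload that keeps only a per-process key, and a token map that keeps send times locally. Both time with a monotonic clock, so wall-clock time never reaches the wire; the ICMP framing around the echo data is assumed and out of scope.

```python
import hashlib
import hmac
import os
import struct
import time


class EtmPinger:
    """Constructed example: encrypt-then-MAC the send time; only a key is kept."""
    def __init__(self, clock=time.monotonic):
        self.key = os.urandom(32)
        self.clock = clock

    def _prf(self, label, seq):
        # HMAC-SHA256 as a PRF, domain-separated by label and ICMP sequence number
        return hmac.new(self.key, label + struct.pack(">I", seq), hashlib.sha256).digest()

    def build_payload(self, seq):
        ts = struct.pack(">d", self.clock())
        pad = self._prf(b"enc", seq)[:8]            # per-seq pad; seq must not repeat under a key
        ct = bytes(a ^ b for a, b in zip(ts, pad))
        tag = self._prf(b"mac" + ct, seq)[:8]       # MAC over the ciphertext (EtM)
        return struct.pack(">I", seq) + ct + tag    # 20 bytes of echo data

    def rtt_from_reply(self, payload):
        (seq,) = struct.unpack(">I", payload[:4])
        ct, tag = payload[4:12], payload[12:20]
        if not hmac.compare_digest(self._prf(b"mac" + ct, seq)[:8], tag):
            return None                             # forged or corrupted reply: no RTT
        pad = self._prf(b"enc", seq)[:8]
        (sent,) = struct.unpack(">d", bytes(a ^ b for a, b in zip(ct, pad)))
        return self.clock() - sent


class TokenPinger:
    """Constructed example: send an opaque random token, look the send time up locally."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.pending = {}                           # token -> monotonic send time

    def build_payload(self, seq):
        token = os.urandom(8)
        self.pending[token] = self.clock()
        return struct.pack(">I", seq) + token

    def rtt_from_reply(self, payload):
        sent = self.pending.pop(payload[4:12], None)   # unknown or duplicate token -> None
        return None if sent is None else self.clock() - sent
```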
Comment 4 Gordon Bergling 2019-09-20 13:11:34 UTC
@Conrad, thanks for your input.

I will rethink the current implementation based on your feedback and will come up with a new patch in a few days. I have seen that ping and ping6 are now merged together, so that the new implementation would cover both protocols. :)

Gordon
Comment 5 Conrad Meyer freebsd_committer 2019-09-20 14:11:52 UTC
Gordon, rethinking it over, I don't find the OTP especially objectionable; it just seems like we could do something better if we're getting into the game of securing ping.  Maybe that is an excessive demand for rigor?  If someone else wants to commit the OTP patch as-is, they should not hold back on my account.