Monday, November 14, 2016

NTP Rescue: one year later

Over the past two weeks I've gotten to take a look back at one of CTSC's 2015 projects, the rescue of the Network Time Protocol reference implementation, and see how far-reaching its impact has been and will be. It began with a presentation titled "Saving Time" at O'Reilly Security Conference. In this presentation I talked about the rescue and what it meant as a model for saving other failing infrastructure software.

I told the story of how NTP had become a liability not just to the science projects that depend on accurate time, but to the internet as a whole.  CTSC had a chance to make a difference in a failing system by partnering with nonprofit ICEI in a short, intense intervention. About a year later the work we made possible has been carried on by others. The NTP Security Project (NTPSec) has taken the lead, resulting in a new life for this critical infrastructure:
  • NTPSec's code base is down to 75kloc (75,000 lines of code) from the original 227kloc. That 2/3 reduction in attack surface has paid off: NTPSec has been immune to about half of old NTP's vulnerabilities before discovery, and 84% in the past year.
  • NTPSec's code is now stored in a standard git repository, accessible to all.  Its documentation has been brought up to date, and the project has begun onboarding and training new developers.
  • NTPSec's success has helped increase awareness of critical infrastructure in need, and made fixing it approachable.  Recent articles by Brady Dale of the NY Observer and the (in)famous Cory Doctorow helped spread the story.
At the time it felt like a scurrying few months amid a busy year. It seemed like a last-ditch effort to ensure that our friends in science could get accurate time signals without taking on a security nightmare. It's nice to see how much more it became.