The Threat of Covert Channels in Network Time Synchronisation Protocols

Abstract: Synchronized clocks are vital for most communication scenarios in networks of Information Technology (IT) and Operational Technology (OT). The process of time synchronisation requires transmission of high-precision timestamps often originating from external sources. In this paper, we analyze how time synchronization protocols impose a threat by being leveraged as carrier for network covert channels.

This paper is an extended version version of our open-access paper [15] in which we performed an in-depth analysis of the Network Time Protocol (NTP) in regards to covert channels. In this extended version, we broaden the view and take a look and time synchronisation in a more general way as we provide two comprehensive threat scenarios regarding covert channels and discuss the applicability of such covert channels to another time synchronisation protocol, namely the Precision Time Protocol, PTP. While the Network Time Protocol (NTP) is the most prevalent protocol for synchronizing clocks in IT networks, the Precision Time Protocol (PTP) is mostly found in networks of Industrial Control Systems (ICS) due to higher demands regarding accuracy and resolution. To illustrate the threat of covert channels in such protocols we describe two threat scenarios, one for the Network Time Protocol and one for the Precision Time Protocol. For NTP we perform a systematic in-depth analysis of covert channels. Our analysis results in the identification of 49 covert channels, by applying a covert channel pattern-based taxonomy. The summary and comparison based on nine selected key attributes show that NTP proofs itself as a plausible carrier for covert channels. The analysis results are evaluated in regards to common behavior of NTP implementations in six major operating systems. Two channels are selected and implemented to be evaluated in network test-beds. By hiding encrypted high entropy data in a high entropy field of NTP we show in our first assessment that practically undetectable channels can be implemented in NTP, motivating the required further research. In our evaluation, we analyze 40,000 NTP server responses from public NTP server providers and discuss potential countermeasures. Finally, we discuss the relevance, applicability and resulting threat of these findings for the Precision Time Protocol.

https://journals.riverpublishers.com/index.php/JCSANDM/article/view/12759

Kevin Lamshöft Otto-von-Guericke University Magdeburg, Germany

Jonas Hielscher Otto-von-Guericke University Magdeburg, Germany

Christian Krätzer Otto-von-Guericke University Magdeburg, Germany

Jana Dittmann Otto-von-Guericke University Magdeburg, Germany