Memory Safe Network Time (NTP) Has New Home, Seeks Early Adopters

Erik
Co-owner & Director of Open Source

This article is an adaptation of the original, published by Prossimo.

We're happy to announce that the Internet Security Research Group has officially made us the maintainers of the open-source memory-safe implementation of NTP, ntpd-rs. As such, we are now also looking for early adopters.

The implementation includes a server and client, as well as full support for Network Time Security (NTS), which brings encryption and greater integrity to time synchronization. Timing is precise and stable, as reflected by excellent performance in the NTP pool.

The project

ISRG's Prossimo project set out to develop a strategy, raise funds, and select a contractor for a memory-safe NTP implementation in early 2022. They did so because NTP is a critical network-based service and the most widely used implementations are written in C. This is a recipe for exploitable memory safety vulnerabilities, a class of issues critical system software should not suffer from.

During Q1 2022, they made a plan and selected us as the contractor. Funding was generously provided by Cisco and Amazon Web Services. Work started on April 1, 2022. A security audit, performed by Radically Open Security and funded by NLnet Foundation, was completed in April of 2023.

If the audit process interests you, stay tuned for an in-depth look at the findings by developer Folkert!

The road ahead

During the course of the work it was decided that we would become the long-term maintainer of ntpd-rs as part of our Pendulum Project. Since our team also wrote ntpd-rs and a lot of our work is open source, Prossimo fully supported our wish to continue our involvement in this project. Our continued work will be supported by soliciting contracts and sponsorship for features and maintenance.


If you're running NTP services you can help make your systems and the Internet as a whole safer by becoming an early adopter of ntpd-rs and providing feedback to our developers. Contact us via pendulum@tweedegolf.com if you are interested!

About ISRG

We encourage everyone to support ISRG and the Prossimo project in creating a safer internet for everyone. NTP is just one of their projects; TLS, Linux kernel, curl, AV1, and DNS are among their other open-source initiatives. ISRG is a 501(c)(3) nonprofit organization that is 100% supported through the generosity of those who share their vision for ubiquitous, open Internet security. If you'd like to support their work, please consider getting involved, donating, or encouraging your company to become a funder.
