April 25, 2023

Memory Safe Network Time (NTP) Has New Home, Seeks Early Adopters

This article is an adaptation of the original, published by Prossimo.

We're happy to announce that the Internet Security Research Group has officially made us the maintainers of the open-source memory-safe implementation of NTP, ntpd-rs. As such, we are now also looking for early adopters.

The implementation includes a server and client, as well as full support for Network Time Security (NTS), which brings encryption and greater integrity to time synchronization. Timing is precise and stable, as reflected by excellent performance in the NTP pool.

The project

ISRG's Prossimo project set out to develop a strategy, raise funds, and select a contractor for a memory-safe NTP implementation in early 2022. They did so because NTP is a critical network-based service and the most widely used implementations are written in C. This is a recipe for exploitable memory safety vulnerabilities, a class of issues critical system software should not suffer from.

During Q1 2022, they made a plan and selected us as the contractor. Funding was generously provided by Cisco and Amazon Web Services. Work started on April 1, 2022. A security audit, performed by Radically Open Security and funded by the NLnet Foundation, was completed in April of 2023.

If the audit process interests you, stay tuned for an in-depth look at the findings by developer Folkert!

The road ahead

During the course of the work it was decided that we would become the long-term maintainer of ntpd-rs as part of our Pendulum Project. Since our team also wrote ntpd-rs and a lot of our work is open source, Prossimo fully supported our wish to continue our involvement in this project. Our continued work will be supported by soliciting contracts and sponsorship for features and maintenance.

If you're running NTP services you can help make your systems and the Internet as a whole safer by becoming an early adopter of ntpd-rs and providing feedback to our developers. Contact us via pendulum@tweedegolf.com if you are interested!

About ISRG

We encourage everyone to support ISRG and the Prossimo project in creating a safer internet for everyone. NTP is just one of their projects; TLS, Linux kernel, curl, AV1, and DNS are among their other open-source initiatives. ISRG is a 501(c)(3) nonprofit organization that is 100% supported through the generosity of those who share their vision for ubiquitous, open Internet security. If you'd like to support their work, please consider getting involved, donating, or encouraging your company to become a funder.
