Memory Safe Network Time (NTP) Has New Home, Seeks Early Adopters
This article is an adaptation of the original, published by Prossimo.
We're happy to announce that the Internet Security Research Group has officially made us the maintainers of the open-source memory-safe implementation of NTP, ntpd-rs. As such, we are now also looking for early adopters.
The implementation includes a server and client, as well as full support for Network Time Security (NTS), which brings encryption and greater integrity to time synchronization. Timing is precise and stable, as reflected by excellent performance in the NTP pool.
The project
ISRG's Prossimo project set out to develop a strategy, raise funds, and select a contractor for a memory-safe NTP implementation in early 2022. They did so because NTP is a critical network-based service and the most widely used implementations are written in C. This is a recipe for exploitable memory safety vulnerabilities, a class of issues critical system software should not suffer from.
During Q1 2022, they made a plan and selected us as the contractor. Funding was generously provided by Cisco and Amazon Web Service. Work started on April 1, 2022. A security audit, performed by Radically Open Security and funded by NLNet Foundation, was completed in April of 2023.
If the audit process interests you, stay tuned for an in-depth look at the findings by developer Folkert!
The road ahead
During the course of the work it was decided that we would become the long-term maintainer of ntpd-rs as part of our Pendulum Project. Since our team also wrote ntpd-rs and a lot of our work is open source, Prossimo fully supported our wish to continue our involvement in this project. Our continued work will be supported by soliciting contracts and sponsorship for features and maintenance.
Project Pendulum: Sync your clocks with memory-safe NTP and PTP
If you're running NTP services you can help make your systems and the Internet as a whole safer by becoming an early adopter of ntpd-rs and providing feedback to our developers. Contact us via pendulum@tweedegolf.com if you are interested!
About ISRG
We encourage everyone to support ISRG and the Prossimo project in creating a safer internet for everyone. NTP is just one of their projects; TLS, Linux kernel, curl, AV1, and DNS are among their other open-source initiatives. ISRG is a 501(c)(3) nonprofit organization that is 100% supported through the generosity of those who share their vision for ubiquitous, open Internet security. If you'd like to support their work, please consider getting involved, donating, or encouraging your company to become a funder.