hammad93 / time_crypt

A cryptographic function that enables decryption based on units of time or a deadline.
Creative Commons Zero v1.0 Universal

System time exploit #11

Open hammad93 opened 7 months ago

hammad93 commented 7 months ago

Currently, we get the current time using Python's built-in timestamp, which uses the system time.

This app should work even if someone changes the system time on the machine.

This issue tracks the ability to use SSL and time providers to validate timestamps. This should be the default, but there must be methods to toggle between the two.

Let's say you have something set to expire in a week. Someone who has root access to the VM the API is running on can change the system time to unlock the code.

Although this is a critical exploit, there are workarounds, and the original design was going to do this anyway (reference https://github.com/hammad93/time_crypt/tree/00509f375d70fee353c226d91c633baa32910ac4), plus this requires access to the VM.

Because the intent of the secret is both others and yourself, and if you have access to the VM, then it conflicts with the intent.
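One way to implement the provider-based check and the toggle described in the comment above, as an added example that is not code from the time_crypt repository: it reads the `Date` header from TLS-verified HTTPS responses, requires several providers to agree, and stays locked when no verified time is available. The provider URLs, function names and tolerances are assumptions.

```python
import statistics
import time
from email.utils import parsedate_to_datetime
from urllib.request import Request, urlopen

# Hypothetical provider URLs (assumption); use HTTPS hosts you trust.
PROVIDERS = ("https://time-a.example", "https://time-b.example", "https://time-c.example")
MAX_SPREAD = 60  # seconds the providers may disagree (assumed tolerance)

class TimeUnavailable(Exception):
    """No trustworthy time could be established."""

def parse_http_date(value):
    """Convert an HTTP Date header (IMF-fixdate) to UTC epoch seconds."""
    dt = parsedate_to_datetime(value)
    if dt.tzinfo is None:  # e.g. "-0000": no usable zone, reject
        raise ValueError("Date header has no time zone")
    return dt.timestamp()

def fetch_https_date(url, timeout=5):
    """HEAD the URL over TLS (urllib verifies the certificate); return its Date header."""
    with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
        return resp.headers["Date"]

def trusted_now(fetch=fetch_https_date, providers=PROVIDERS, min_sources=2):
    """Median of provider times; raises unless enough providers answer and agree."""
    samples = []
    for url in providers:
        try:
            samples.append(parse_http_date(fetch(url)))
        except (OSError, ValueError, TypeError):
            continue  # unreachable provider, TLS failure, missing or bad header
    if len(samples) < min_sources or max(samples) - min(samples) > MAX_SPREAD:
        raise TimeUnavailable("not enough agreeing time providers")
    return statistics.median(samples)

def is_unlocked(deadline, use_trusted=True, fetch=fetch_https_date, clock=time.time):
    """True once the deadline has passed; use_trusted toggles provider vs system time."""
    if not use_trusted:
        return clock() >= deadline  # original behaviour: trusts the local clock
    try:
        return trusted_now(fetch) >= deadline
    except TimeUnavailable:
        return False  # fail closed: stay locked without a verified time
```

Certificate validation itself consults the local clock, so a heavily skewed system time makes the TLS fetch fail and the secret stays locked rather than opening early.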

hammad93 commented 6 months ago

`sudo ntpdate pool.ntp.org` to synchronize time. May need to install ntpdate first.

hammad93 commented 6 months ago

The hardware (RTC) clock is different from the system clock; here's how to synchronize: https://askubuntu.com/questions/175452/hwclock-not-in-sync-with-system-clock

hammad93 commented 6 months ago

Exploit works if it's running on a VM but not through a container because things like Docker don't let you change the system time inside the container.

hammad93 commented 6 months ago

Inside a container from things like Docker, we could use https://github.com/wolfcw/libfaketime but doing this on an already running process may not be possible.