Traceability loss - Server's clock - Java

Traceability loss - Server's clock - Java

Need

Ensuring accurate time synchronization with NTP servers

Context

  • Usage of Java for building robust and scalable applications
  • Usage of java.time.LocalDateTime for handling date and time in Java

Description

Non compliant code

        import java.time.LocalDateTime;

public class ServerTime {
    public void printServerTime() {
        LocalDateTime serverTime = LocalDateTime.now();
        System.out.println("Server time: " + serverTime);
    }
}
        
        

The above code is a simple Java class named ServerTime with a method printServerTime(). This method fetches the current date and time from the system's internal clock using the LocalDateTime.now() method and prints it out.

The vulnerability lies in the fact that the system's internal clock is used to fetch the current date and time. This can lead to traceability loss if the system's clock is not synced with NTP (Network Time Protocol) servers.

NTP servers provide a reliable source of time data, and it is important for systems to sync their clocks with NTP servers to maintain accurate timekeeping. This is especially crucial in distributed systems where accurate time synchronization between different systems is required for correct functioning.

In the current scenario, if the system's clock drifts or is manually set to an incorrect time, it will lead to incorrect time data being printed and used in the application. This can cause a variety of issues including incorrect data logging and timestamping, dysfunctional scheduled tasks, and more.

Therefore, it's a vulnerability that the system's clock is not being synced with an NTP server, leading to potential traceability loss.

Steps

  • Synchronize the server's clock with NTP servers.
  • Update the code to use the synchronized server time instead of the local system time.

Compliant code

        import java.net.InetAddress;
import org.apache.commons.net.ntp.NTPUDPClient;
import org.apache.commons.net.ntp.TimeInfo;

public class ServerTime {
    public void printServerTime() {
        String TIME_SERVER = "time.nist.gov";
        NTPUDPClient timeClient = new NTPUDPClient();
        InetAddress inetAddress = InetAddress.getByName(TIME_SERVER);
        TimeInfo timeInfo = timeClient.getTime(inetAddress);
        long returnTime = timeInfo.getMessage().getTransmitTimeStamp().getTime();
        System.out.println("Server time: " + returnTime);
    }
}
        
        

The above code fixes the vulnerability by synchronizing the server's clock with an NTP server.

The NTPUDPClient class from the Apache Commons Net library is used to create a client that can communicate with NTP servers. The getTime() method is used to retrieve the time from the NTP server. The time is then printed to the console.

The TIME_SERVER constant is set to "time.nist.gov", which is a public NTP server provided by the National Institute of Standards and Technology in the United States.

Please note that you need to add the Apache Commons Net library to your project's dependencies to use the NTPUDPClient class. You can add it to your Maven project by adding the following lines to your pom.xml file:

                <dependency>
    <groupId>commons-net</groupId>
    <artifactId>commons-net</artifactId>
    <version>3.8.0</version>
</dependency>

            


This solution ensures that the server's clock is always synchronized with a reliable source, preventing traceability loss due to time discrepancies.

References