
Discussion on attacking the system clock in Win10

drpalpatine

Inside Win10, PTP is used to sync the clock with a reference time.
What approach should be taken for a time-based attack on the system clock?
For a replay/rollback attack against hardware and software components that affect system clock accuracy,

then avoiding anti-tamper measures like integrity checks inside the kernel code.
 
Please note that this user is banned
I have never done this, but the topic is very interesting. Which approach to use is up to you: will it be a replay attack or a rollback attack? In the first case, you will have to bypass the synchronization protocols and replace the clock sources with your own + NTP, for example by raising your own fake server (similar to evilgrade), or intercept a valid time synchronization message and then retransmit it at a later time (MITM). In the second case, look for unsafe processes, or resort to kernel modification.
 
intercept a valid time synchronization message and then retransmit it at a later time (MITM).
MITM != 2023 Windows kernel

There is a technique for time jacking for a replay/rollback attack without bypassing synchronization protocols or intercepting messages.

Some techniques make use of exploiting the Windows Time service by changing the time adjustment parameters to time-jack the system clock and perform a replay attack against Kerberos auth. In the end, the time synchronization is attacked with itself. Funny.

There are also new techniques to manipulate the system time by exploiting the interplay between hardware performance counters and the CPU TSC --> you can carefully adjust the TSC value, and if the situation is right --> it will cause a time-dependent event to occur at arbitrary moments.

Or use physics like Einstein's theory of relativity to perform a time dilation attack, modifying the local time reference frame of a process.

To modify the kernel data structures that store the time information, such as the jiffies or the timer interrupt handler, you need some kind of buffer overflow or use-after-free vulnerability.
--> after modifying the time reference frame, attacks like bypassing time-based defenses or tricking the kernel about the order of some events
--> bypassing Spectre v2, which was killed by IBRS. But luckily for us, IBRS has problems and is a bad implementation because it flushes the CPU pipeline when it finds a potential branch target --> so it gives performance overhead.


Create a small time window where the CPU pipeline is not flushed --> speculative execution attack --> extract sensitive data from the CPU cache.
Code:
Prime+Probe or Flush+Reload

I tried to implement the technique on an old Intel processor --> it is very specific and requires a vulnerable process which uses IBRS, but it is possible with a self-written vulnerable process.

New mitigations --> Intel TME, AMD SEV, the bastards bring hardware-level memory encryption.
But theoretically you can measure various system metrics --> for example clock cycles, instructions executed.
Such counters can be modified to bypass SEV etc., but I have not personally implemented such work yet.



I recommend reading this interesting paper:
ieeexplore.ieee.org/document/9499918
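A defender-side check for the Kerberos time-jacking scenario above, added here as an example and not code from the thread: it scans constructed records modelled on Windows Security event 4616 ("The system time was changed") and flags backward steps, steps larger than the default 5-minute Kerberos skew tolerance, and changes made by a process other than the svchost.exe instance that hosts W32Time. The pipe-separated record layout and all sample values are constructed for the example.

```python
from datetime import datetime, timedelta
# Default Kerberos clock-skew tolerance (MaxClockSkew policy default: 5 minutes).
KERBEROS_MAX_SKEW = timedelta(minutes=5)

# Constructed records modelled on Security event 4616 ("The system time was
# changed"): previous time, new time, changing process. Pipe layout is ours.
SAMPLE_EVENTS = [
    "4616|2023-06-01T12:00:00Z|2023-06-01T12:00:01Z|svchost.exe",  # 1 s W32Time correction
    "4616|2023-06-01T12:30:00Z|2023-06-01T11:10:00Z|unknown.exe",  # 80-minute rollback
    "4616|2023-06-01T13:00:00Z|2023-06-01T13:12:00Z|svchost.exe",  # 12-minute forward jump
    "4624|2023-06-01T13:05:00Z|2023-06-01T13:05:00Z|lsass.exe",    # not a time-change event
]

def parse_event(line):
    """Split one constructed record into (event_id, previous, new, process)."""
    event_id, prev_s, new_s, process = line.split("|")
    fmt = "%Y-%m-%dT%H:%M:%S%z"
    prev = datetime.strptime(prev_s.replace("Z", "+0000"), fmt)
    new = datetime.strptime(new_s.replace("Z", "+0000"), fmt)
    return event_id, prev, new, process

def assess_time_change(prev, new, process):
    """Return the reasons a clock change looks like tampering ([] if benign)."""
    reasons = []
    delta = new - prev
    if delta < timedelta(0):
        # A backward step is what a replay needs; W32Time may also step back to
        # correct a fast clock, so the process and the size of the step matter.
        reasons.append("rollback: clock moved backwards by %s" % -delta)
    if abs(delta) > KERBEROS_MAX_SKEW:
        reasons.append("jump of %s exceeds Kerberos skew tolerance" % abs(delta))
    if process.lower() != "svchost.exe":  # W32Time runs inside svchost.exe
        reasons.append("changed by unexpected process %s" % process)
    return reasons

def scan(lines):
    """Return [(record_number, reasons)] for 4616 records that look suspicious."""
    findings = []
    for idx, line in enumerate(lines, start=1):
        event_id, prev, new, process = parse_event(line)
        if event_id != "4616":
            continue
        reasons = assess_time_change(prev, new, process)
        if reasons:
            findings.append((idx, reasons))
    return findings

if __name__ == "__main__":
    for num, reasons in scan(SAMPLE_EVENTS):
        print("record %d: %s" % (num, "; ".join(reasons)))
```

On a real host the same fields come from the 4616 event's Previous Time, New Time and Process Name values; the check is a triage signal, not proof of tampering.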
 
Please note that this user is banned
MITM != 2023 Windows kernel
There is a trusted server that is queried to check the time for sync (MITM). This is just my guess.
As I said earlier, I was not interested in such attacks.
Special thanks for the document; I will read it, but it will not be soon...
 
Please note that this user is banned
Very interesting thread.
There is a trusted server that is queried to check the time for sync (MITM). This is just my guess.
As I said earlier, I was not interested in such attacks.
Special thanks for the document; I will read it, but it will not be soon...
If Windows uses a domain and we somehow change the IP for the domain locally, like in the hosts file, maybe it will work. It's just imagination, not tested.
 
There is a trusted server that is queried to check the time for sync (MITM). This is just my guess.
As I said earlier, I was not interested in such attacks.
Special thanks for the document; I will read it, but it will not be soon...
W32Time uses a TSA for integrity validation of the time received from the server
--> it attaches a digital signature to each sample by creating a hash from info like the timestamp, source IP, etc. and encrypting it using a private key.
The TSA public key is already preconfigured inside the W32Time client.

If Windows uses a domain and we somehow change the IP for the domain locally, like in the hosts file, maybe it will work. It's just imagination, not tested.
While it is technically possible to modify the hosts file for redirection --> the TSA will block you in the integrity check.
 
Please note that this user is banned
W32Time uses a TSA for integrity validation of the time received from the server
--> it attaches a digital signature to each sample by creating a hash from info like the timestamp, source IP, etc. and encrypting it using a private key.
The TSA public key is already preconfigured inside the W32Time client.


While it is technically possible to modify the hosts file for redirection --> the TSA will block you in the integrity check.
Maybe it can be bypassed.
 
Maybe it can be bypassed.
+ why not?

A 2023 kernel-mode rootkit can manipulate such sources, or attack NTP, or use a vulnerability inside the motherboard firmware or hardware that modifies the hardware clock directly, or modify the MBR --> but such things are not easy in 2023.


The only idea I am thinking of --> leak the private keys
--> side-channel analysis can extract them from the HSM
--> fault injections inside the HSM are rare now --> the module is not stupid after all these years
Personally I have not tried such things yet because of the unnecessary hardware + crypto complexity.


But I think NTP is the best way, in my opinion.
Or even better --> if there is custom firmware with bad security that modifies the hardware clock.
 

