T 3.102 Improper time synchronisation on virtual IT systems

Commonly used operating systems maintain their own internal clock. The operating system usually keeps this time by counting processor cycles and occasionally comparing the result with a reliable time source such as a time server or the internal hardware clock. When and how often this synchronisation with the time source takes place depends on the operating system in use.

Guest operating systems in virtual environments, however, have no control over, or knowledge of, the processor capacity actually consumed on the physical IT system. Calculating the current time from the processed instruction count as a time base is therefore not reliable. Depending on the algorithm used to derive the time from the comparison between processor cycles and the reliable time source, the clock of a virtual IT system can lag behind the actual time or run ahead of it. In extreme cases, the clock of the operating system can even run backwards. Under unfavourable conditions this causes undesired effects that significantly affect the security of the virtual infrastructure.

For example, time stamps, such as those in the file system of a virtual machine whose clock runs incorrectly, are not reliable. As a consequence, backups may become inconsistent if the backup software uses the file system time stamps to determine which files need to be backed up.

Troubleshooting in the event of problems is also lastingly impeded, because the chronology of the events that caused the problem cannot be determined reliably. Moreover, if event logs carry incorrect time stamps, evidentially sound statements about security incidents are at worst impossible, since the events can no longer be correlated by their time stamps.
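The two log symptoms described above, time stamps that run backwards and a growing offset against the reference clock, can be checked for mechanically. The following added example (not part of the original catalogue entry) scans a constructed guest event log; it assumes a hypothetical "timesync" daemon that logs the reference time it obtained from the time server in a `reference=` field, which is what allows the guest's offset to be measured from the log alone.

```python
"""Flag clock anomalies in a guest's event log: time stamps that run backwards and
drift against the reference clock. Added example; the log format is constructed."""
import re
from datetime import datetime

# Constructed sample log (not from the original page). Each line starts with the guest's
# local time stamp; the hypothetical "timesync" daemon additionally logs the reference
# time it obtained from the time server, which lets us measure the guest's offset.
SAMPLE_LOG = """\
2024-05-01T10:00:00 sshd[1201]: Accepted publickey for admin from 10.0.0.5
2024-05-01T10:00:04 timesync[410]: reference=2024-05-01T10:00:05
2024-05-01T10:00:09 backup[1300]: incremental run started
2024-05-01T10:00:03 kernel: clocksource watchdog: clock stepped
2024-05-01T10:00:12 timesync[410]: reference=2024-05-01T10:00:40
2024-05-01T10:00:15 backup[1300]: incremental run finished
"""

LINE_RE = re.compile(r"^(\S+) (.*)$")
REF_RE = re.compile(r"reference=(\S+)")


def parse_log(text):
    """Return a list of (local_time, message) tuples in file order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines without a leading ISO time stamp
        entries.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return entries


def backward_jumps(entries):
    """Indices of lines whose time stamp is earlier than the preceding line's, together
    with the size of the jump in seconds. For a correctly running clock this is empty."""
    jumps = []
    for i in range(1, len(entries)):
        delta = (entries[i][0] - entries[i - 1][0]).total_seconds()
        if delta < 0:
            jumps.append((i, delta))
    return jumps


def drift_samples(entries):
    """Offset (guest clock minus reference clock) in seconds for every sync line."""
    samples = []
    for local, msg in entries:
        m = REF_RE.search(msg)
        if m:
            ref = datetime.fromisoformat(m.group(1))
            samples.append((local - ref).total_seconds())
    return samples


def assess(text, max_offset=1.0):
    """Summarise the anomalies; max_offset is the tolerated absolute drift in seconds.
    A log is 'unreliable' for correlation if time ever ran backwards or drift exceeded
    the tolerance at any sync point."""
    entries = parse_log(text)
    jumps = backward_jumps(entries)
    drift = drift_samples(entries)
    worst = max((abs(d) for d in drift), default=0.0)
    return {
        "entries": len(entries),
        "backward_jumps": jumps,
        "drift_seconds": drift,
        "worst_drift": worst,
        "unreliable": bool(jumps) or worst > max_offset,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

On the constructed log the backup run appears to have started after the kernel stepped the clock back, and the guest is already 28 seconds behind the time server by the second sync line, so the ordering of events in this log cannot be trusted for incident reconstruction.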

If authentication in virtual IT systems uses procedures that rely on correct time stamps for the transmission of authentication keys (e.g. Kerberos), logins might fail.

Various distributed database systems and directory services such as Active Directory use time stamps to check consistency during replication. If these time stamps are not reliable, inconsistencies might occur in these systems.

Example:

For remote access by telecommuters, a company has opted for a token-based authentication method. The token generates new pass phrases at fixed time intervals, which must be entered together with the user name and password. The tokens carried by the users contain an internal clock that is synchronised with the time of the authentication server.

After the authentication server has been virtualised, users can no longer log in after a short time, since the one-time passwords displayed no longer match those computed on the authentication server. The accuracy of the clock in the virtual environment is not sufficient for this.
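The catalogue entry does not name the token algorithm. The following added example (not the company's or the catalogue's code) assumes a time-based one-time password scheme as in RFC 6238 with 30-second steps and shows why the virtualised server fails: the token and the server each derive a step counter from their own clock, and the server only accepts a code whose counter lies within a small acceptance window of its own. A drift of a few tens of seconds is still absorbed by that window; once the virtual clock is off by several steps, every code is rejected.

```python
"""RFC 6238 time-based one-time passwords and the effect of server clock drift.
Added example; the page does not name the token algorithm, so a TOTP scheme with
30-second steps and HMAC-SHA1 is assumed."""
import hashlib
import hmac

STEP = 30      # seconds per token interval (assumption)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_counter(unix_time: int, step: int = STEP) -> int:
    """Whole steps since the epoch; token and server must agree on this value."""
    return unix_time // step


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """The code the token displays at its own clock time."""
    return hotp(secret, time_counter(unix_time, step))


def verify(secret: bytes, code: str, server_time: int, window: int = 1,
           step: int = STEP) -> bool:
    """Server-side check: accept the code if it matches the server's current step or
    any of the +/-window neighbouring steps. compare_digest keeps the comparison
    constant-time so the check does not leak which candidate matched."""
    current = time_counter(server_time, step)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + delta), code):
            return True
    return False


def login_under_drift(secret: bytes, token_time: int, drift_seconds: int,
                      window: int = 1) -> bool:
    """Does a login succeed when the (virtualised) server clock is off by drift_seconds
    relative to the token's clock?"""
    return verify(secret, totp(secret, token_time), token_time + drift_seconds, window)


# Shared secret from the RFC 4226 / RFC 6238 test vectors, used here as sample data.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    t = 1_700_000_000  # constructed token-side time
    for drift in (0, 20, 95, -95):
        ok = login_under_drift(SECRET, t, drift)
        print(f"server drift {drift:+4d}s -> login {'ok' if ok else 'REJECTED'}")
```

With the default window of one step either side, a server that is 20 seconds off still accepts the token's code, while a server 95 seconds off (three steps) rejects it, which is exactly the "works for a short time, then fails" behaviour in the example. Widening the window would mask the drift but also enlarges the set of codes accepted at any moment, so fixing the guest's time synchronisation is the correct remedy.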