0

I have the need to detect if the clock of a PC is drifting or is being manipulated in a standalone Java application, in an offline situation. How can I detect this?

The application will be in the hands of the users for least of 3 hours in a crowded room, I don't expect them to be skilled attackers and able to setup hacking environments. Mostly I wish to detect jumps at least of the magnitude of seconds.

I need to find a technique to keep track of time in a Java application, on a standalone workstation, that allows to detect significative "jumps" in the system clock, but at the same time to don't cause "false positives" on casual slowdonws.

It's not necessary for the solution to be resistant to skilled manipulations of source code or of the system clock. The application will be installed in thousands of workstations, but for a very limited amount of time (hours) and in a public situation. It's just a computer based testing sofware.

In the past we tried to set up an internal measurement of time using the System.nanoTime() and calculating elapsed time from repeated periodic System.nanoTime() calls. In that way we tought we could completely ignore any clock modification or problem. But it was a failure because on some machines (multicores) subsequent requests of the API returned values from random cores, making the measure impossibile.

So, now we try just to detect a sudden change in time, because some workstations have faulty clocks that reset themselves (yes it happens), some other do doimain clock updates during tests (the workstations should be not be networked but someone doesn't listen to our indications), and maybe some candidates will try to change system time.

Brad Larson
  • 170,088
  • 45
  • 397
  • 571
Maxvader
  • 115
  • 7

3 Answers3

0

You can keep checking the PC's clock against a trusted NTP server using the Apache Commons Net's NTP client.

UPDATE 1

The workstations are offline.

This is then not solvable purely in Java. You could use GPS or radio clock hardware to check the PC clock against real time.

wilx
  • 17,697
  • 6
  • 59
  • 114
0

You cannot do it reliably in an application, Java or otherwise1.

For example, if your application uses an external NTP time source, the bad guys can block access to the NTP server, or sneakily redirect you to a fake NTP server.

Edit: in an offline situation.

That makes it even harder. You can't distinguish an apparent slow down or speed up of the system clock from the effects of CPU clock-rate scaling that happens automatically on a lot of modern machines.

1 - I'm not talking about totally lame attempts ... like warping the clock backwards while your application is running. That is simple to detect. It is easy for the bad guys to be more subtle than that. Always assume that the bad guys are at least as smart as you are. Also, assume that they can decompile your code and figure out how you are trying to detect clock diddling and try to defeat it. Or just disable the checks.

Stephen C
  • 698,415
  • 94
  • 811
  • 1,216
  • Well no, if I keep tracking of the flow of time and detect a jump backwards I surely can. The forward moving could be avoided measuring the ticks, but it's error prone, so the library question.... – Maxvader May 20 '16 at 14:13
  • Yest, I was looking for a timer implementation or algorithm that reliably counts millisecs between on sleep and the other, with some tolerance, or something like that. To be able to raise an exception when a threshold is met. – Maxvader May 20 '16 at 14:28
  • @Maxvader but clocks do jump backwards for legitimate reasons in some systems. You can detect a backwards jump, yes, but that's not the same as detecting an illegitimate backwards jump. – R. Martinho Fernandes May 20 '16 at 14:44
  • Well just read your latest edit, you are really right but my scenario is not that hard, the application doesn't have to resist to so skilled adversaries. If they are smart enough to decompile it they deserve to succed. Mostly I need to track faulty hardware and clumsy hackers. It will be in the hands of the users for just a handful of hours at time. – Maxvader May 20 '16 at 14:45
  • @R.MartinhoFernandes that is exactly my problem, I can obviously write a simple timestamp comparison every some milliseconds but it will fail, need some tolerance.... – Maxvader May 20 '16 at 14:47
  • About point #1: What if OP's workstations are online and 1) they use their own NTP server, and 2) the Java application explicitly enforces that it is communicating with the NTP server, by establishing an authentication scheme and enforcing that the Java application communicates with the NTP server? –  May 05 '22 at 19:52
  • For example, the server could encrypt its time signal with a private key, and the Java application could attempt to download the time signal. If the Java application does not receive a response, or if the application cannot decrypt the time signal with the NTP server's public key, then the Java application assumes foul play. –  May 05 '22 at 19:54
  • @MontanaBurr - If you think you have a solution, post your own answer explaining it in detail. (Be sure to include the assumptions that you are making ...) – Stephen C May 05 '22 at 22:46
0

There is no a 100% solution. But you can make it more difficult to manipulate the clock.

You could check some selected system files that are created when the computer starts up. They should never be in the future. This would at least require to restart the computer when manipulating the clock.

tak3shi
  • 2,305
  • 1
  • 20
  • 33