Work plan proposal for the next year

Eric S. Raymond esr at thyrsus.com
Thu Jun 24 19:54:05 UTC 2021


Developers, please weigh in on this so we can finalize it.

The final version will become part of a grant proposal which may
get us money for a hardware test lab and code bounties.

= NTPsec work plan

This is a rough-draft work plan for the NTPsec project over the period
July 1st 2021 to July 1st 2022.

== Major objective: 

Our major objective for this year will be to move the NTPsec codebase
from C and Python to a single memory-safe language.

=== Rationale

NTPsec is a security-focused project.  As with other large, mature C
programs, effectively all of its security issues are consequences of
the fact that C is memory-unsafe; it is very easy to accidentally
write code with wild-pointer bugs that create exploitable
vulnerabilities, and it is very difficult to detect such bugs.

Historically the mitigation strategy for this problem has been a
combination of tight code discipline with application of code
analyzers designed to detect vulnerabilities.  This approach is
known to be leaky and inadequate, but has long been accepted for
lack of a better alternative.

There is now a better alternative: the Go language.  Go is
sufficiently like C and Python to make the code move feasible,
but does pointer bounds checking, eliminating pointer-overrun
bugs and thus preventing the creation of exploitable security
bugs through these overruns.

Go does not make the related problem of denial-of-service attacks
through null-pointer errors outright impossible, but static type
checking and Go's own validation tools will make such bugs much
easier to prevent.

It is expected that this code move would reduce NTPsec's vulnerability
to exploits by a large factor, an order of magnitude or more.

=== Personnel

The NTPsec technical lead (Eric Raymond) and his apprentice (Ian
Bruene) are expert Go programmers. Other team members (notably Hal
Murray, Gary Miller, James Browning, and Richard Laager) are expert C
programmers who can be confidently expected to come up to speed in Go
very rapidly.

=== Key performance indicators for this effort

An entire port will not be achievable in 12 months. Finishing
it is probably an 18-month to 2-year project for the personnel on
hand.  Nor, due to the Brooks's Law effect, can adding more
people be expected to shorten the project.  However, we can define
milestones that should be achievable within a year and demonstrate
the achievability of the entire effort.

Milestone PYPACKET: Port and unit-test the NTP packet handling from the
client code (pylib/packet.py and pylib/util.py). Estimate: 1 month.

Milestone NTPQ: Port ntpq, the principal client, from Python to Go.
Test interoperability with ntpd. Estimate: 3 months.

Milestone CLIENTS: Port the remaining clients (ntpdig, ntpkeygen, ntpmon,
ntpsweep, and ntpwait) from Python to Go.  Estimate: 4 months.

At completion of milestone CLIENTS (8 months out) we will have a
working packet layer and client suite in Go that interoperates not
just with ntpd but can be tested for conformance with other NTP
implementations.

Milestone CONFIG: Configuration parsing for ntpd. Build and test a
workalike parser in Go for NTP configuration files.  Estimate: 2
months.

Milestone FAKED: Build a demonstration fake ntpd that does everything
but the actual time-sync and clock driver code, collecting clock
samples from upstream NTP servers.  Estimate: 4 months.

Milestone SYNC: Port the time-synchronization and clock setting
code. Estimate: 3 months.

Milestone NTPSHM:  This is the most important clock driver for
production use. Estimate: 1 month.
 
Milestone LEGACY: Port the legacy clock drivers to Go.  This one is
big and messy and difficult to scope, as the driver code is old and
crufty and difficult to test.  It is probably not achievable in year
one and may require budgeting for and building a hardware test lab.
Tentative estimate: 5 months, with an unfortunately high probability
of being blocked on the availability of test hardware.

== Minor goals

* Resolve all CVEs rapidly and completely

* Reduce outstanding issue count from 38 to less than 20.

* Improve unit-test coverage

* Maintain a regular point-release schedule
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

"Today, we need a nation of Minutemen, citizens who are not only prepared to
take arms, but citizens who regard the preservation of freedom as the basic
purpose of their daily life and who are willing to consciously work and
sacrifice for that freedom."	-- John F. Kennedy
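
Added example, not part of the original message and not NTPsec code: a minimal NTP header decoder in Go showing the bounds-checking behaviour the Rationale section relies on, where a truncated packet produces an error or a contained panic rather than an over-read. The `Header` type, the function names and the sample packet are assumptions constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const headerLen = 48 // fixed NTP header size (RFC 5905)

// Header holds a few header fields; the type and names are hypothetical.
type Header struct {
	Version, Mode, Stratum uint8
	TransmitSec            uint32
}

// decode indexes the buffer directly; a short buffer panics, it is never over-read.
func decode(buf []byte) Header {
	return Header{
		Version:     (buf[0] >> 3) & 7,
		Mode:        buf[0] & 7,
		Stratum:     buf[1],
		TransmitSec: binary.BigEndian.Uint32(buf[40:]),
	}
}

// ParseChecked validates the length first, so a short packet is an error.
func ParseChecked(buf []byte) (Header, error) {
	if len(buf) < headerLen {
		return Header{}, fmt.Errorf("short NTP packet: %d bytes", len(buf))
	}
	return decode(buf), nil
}

// ParseRecovered omits the length check; recover turns the bounds panic into an error.
func ParseRecovered(buf []byte) (h Header, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("decode fault: %v", r)
		}
	}()
	return decode(buf), nil
}

func main() {
	pkt := make([]byte, headerLen) // constructed sample packet
	pkt[0], pkt[1] = 0x23, 2       // LI=0, VN=4, Mode=3 (client), stratum 2
	fmt.Println(ParseChecked(pkt))
	fmt.Println(ParseRecovered(pkt[:12])) // truncated packet
}
```

An unrecovered panic in a daemon still terminates the process, so the explicit length check in `ParseChecked` remains the form to prefer; the runtime check is the backstop.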
