Breaking Precision Time: OS Vulnerability Exploits Against IEEE 1588
Muhammad Abdullah Soomro, Fatima Muhammad Anwar
TL;DR
The paper addresses a blind spot in precision time protocols by showing that kernel-level attackers within an IEEE 1588 host can secretly disrupt clock synchronization without touching PTP network traffic. It introduces three attack primitives (constant offset, progressive skew, and randomized disturbances), implemented as in-kernel payloads, and evaluates their effects on ptp4l and phc2sys. The study provides the first systematic demonstration of kernel-rooted time attacks, revealing that a privileged adversary can induce a persistent bias (e.g., $3\,\mu s$ residual), cumulative drift (up to $10\,\mu s$ in short windows), or destabilizing jitter, bypassing existing cryptographic protections and anomaly detectors. The findings underscore the urgency of integrating kernel integrity into the secure timing stack and motivate kernel-aware defenses or TEEs to harden timekeeping in critical infrastructure.
Abstract
The Precision Time Protocol (PTP), standardized as IEEE 1588, provides sub-microsecond synchronization across distributed systems and underpins critical infrastructure in telecommunications, finance, power systems, and industrial automation. While prior work has extensively analyzed PTP's vulnerability to network-based attacks, prompting the development of cryptographic protections and anomaly detectors, these defenses presume an uncompromised host. In this paper, we identify and exploit a critical blind spot in current threat models: kernel-level adversaries operating from within the host running the PTP stack. We present the first systematic study of kernel-rooted attacks on PTP, demonstrating how privileged attackers can manipulate system time by corrupting key interfaces without altering PTP network traffic. We implement three attack primitives, constant offset, progressive skew, and random jitter, using in-kernel payloads, and evaluate their impact on the widely used ptp4l and phc2sys daemons. Our experiments reveal that these attacks can silently destabilize clock synchronization, bypassing existing PTP security extensions. These findings highlight the urgent need to reconsider host-level trust assumptions and integrate kernel integrity into the design of secure time synchronization systems.
