Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[fix/lock-bypass-prevention] Detect attempts to bypass a lock timeout by changing the clock #1347

Merged
merged 5 commits into from
Apr 29, 2024

Conversation

felix-schwarz
Copy link
Contributor

@felix-schwarz felix-schwarz commented Apr 18, 2024

Description

Related Issue

https://github.com/owncloud/security-tracker/issues/413

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

	- code cleanup (changing variable names, removing unnecessary self references and if let constructs, fix indentation, group code that belongs together, avoid repetitions)
	- move computation of lock timeout duration to lockTimeoutDuration property
	- add new methods to reset/start and remove the lock countdown
	- add new properties lockedSinceDate and lockedSinceSystemUptime to track the moment in time the lock timeout started
	- add new property timeHasBeenTamperedWith that uses lockedSinceDate and lockedSinceSystemUptime to determine if the clock time has been tampered with, a reboot has been performed, etc.
	- add new method that allows to check for clock time tampering and, if detected, reset the timer in a single call
@CLAassistant
Copy link

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

…iled, would have prevented the significant time change notification from triggering a reset of the lock countdown
… new one. The old one will be no longer fire and will be dropped from memory at that point.
@felix-schwarz felix-schwarz requested a review from hosy April 24, 2024 10:42
@hosy hosy mentioned this pull request Apr 25, 2024
10 tasks
@felix-schwarz felix-schwarz changed the base branch from milestone/12.2 to milestone/12.2.1 April 29, 2024 07:12
@jesmrec
Copy link
Contributor

jesmrec commented Apr 29, 2024

Checks over the fix:

After three failed attempts and locking condition:

  • Time forward -> countdown restarted
  • Time back -> countdown restarted
  • Date forward -> countdown restarted
  • Date back -> countdown restarted

With open keyboard

  • Time forward -> keyboard not locked
  • Time back -> keyboard not locked
  • Date forward -> keyboard not locked
  • Date back -> keyboard not locked

Checked other arbitrary cases, just to know if the brute force protection can be broken. Result is OK

From my side this is approved @hosy @felix-schwarz

@jesmrec jesmrec added the Approved by QA Approved by QA label Apr 29, 2024
@felix-schwarz felix-schwarz merged commit c7bdac6 into milestone/12.2.1 Apr 29, 2024
2 of 3 checks passed
@delete-merged-branch delete-merged-branch bot deleted the fix/lock-bypass-prevention branch April 29, 2024 12:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Approved by QA Approved by QA
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants