This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
Re: Network Security for the Systemtap Client/Server
Hi -
On Thu, Nov 06, 2008 at 01:33:06PM -0500, Dave Brolley wrote:
> [...]
> >>[...]
> >>If I understand correctly, the only way to ensure that the script has
> >>not been modified en route is to have the client sign it with its own
> >>certificate and private key. [...]
> >
> >That could well be an overkill. Standard wire-level security like
> >TLS/SSL, without extra explicit signatures, should be sufficient for
> >protection against a hostile network.
> >
> I'll let you make the call on sufficiency. However, while an SSL/TLS
> connection provides server authentication and encryption, I still don't
> believe that it alone protects against tampering. Search for "tampering"
> in the following page:
>
> https://developer.mozilla.org/en/Introduction_to_Public-Key_Cryptography#Internet_Security_Issues

The overall SSL/TLS protocol (via encryption and other stuff) does just that:
# Once the server has been authenticated, the client and server use
# techniques of symmetric-key encryption, which is very fast, to
# encrypt all the information they exchange for the remainder of the
# session and to detect any tampering that may have occurred.

> >Yes, but the client (stap-client) cannot be trusted by staprun.
> >staprun need only care that the final module is built correctly.
>
> So are you preferring the option above over option 2 (staprun
> re-verifies the entire response)?

No, I'm suggesting that stap-client need not verify the response at
all, assuming that wire-level security was in place.

- FChE
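
An added illustration, not part of the original message and not systemtap or TLS library code: a simplified Python model of the per-record MAC defined in RFC 5246 section 6.2.3.1, showing how a modified or replayed record is rejected without a separate signature on the payload. Encryption is omitted, and the key, the class name RecordMac and the script text are constructed for the example.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23   # TLS ContentType for application data
TLS_1_2 = (3, 3)        # protocol version bytes
TAG_LEN = 32            # HMAC-SHA256 output size

class RecordMac:
    """One direction of a session: shared MAC key plus implicit sequence number."""
    def __init__(self, mac_key):
        self.key = mac_key
        self.seq = 0

    def _tag(self, fragment):
        # MAC input: seq_num + type + version + length + fragment
        header = struct.pack("!QBBBH", self.seq, APPLICATION_DATA, *TLS_1_2, len(fragment))
        return hmac.new(self.key, header + fragment, hashlib.sha256).digest()

    def seal(self, fragment):
        record = fragment + self._tag(fragment)
        self.seq += 1
        return record

    def open(self, record):
        fragment, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(fragment)):
            raise ValueError("bad record MAC")
        self.seq += 1
        return fragment

def accepts(receiver, record):
    try:
        receiver.open(record)
        return True
    except ValueError:
        return False

def demo():
    key = b"constructed-session-mac-key-0001"  # constructed; TLS derives it in the handshake
    sender, receiver = RecordMac(key), RecordMac(key)
    r0 = sender.seal(b"probe begin { ")        # constructed script text, sent as two records
    r1 = sender.seal(b"exit() }")
    tampered = bytes([r1[0] ^ 1]) + r1[1:]     # one bit changed in transit
    # A real TLS endpoint closes the connection on the first bad MAC;
    # this model keeps going only so every case can be shown in one run.
    return {"first": accepts(receiver, r0), "tampered": accepts(receiver, tampered),
            "replayed": accepts(receiver, r0), "second": accepts(receiver, r1)}

if __name__ == "__main__":
    print(demo())
```

The sequence number is never transmitted; each side counts records itself, which is why the replayed first record fails even though its bytes are untouched.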