This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Re: Network Security for the Systemtap Client/Server


Hi -

On Thu, Nov 06, 2008 at 01:33:06PM -0500, Dave Brolley wrote:
> [...]
> >>[...]
> >>If I understand correctly, the only way to ensure that the script has 
> >>not been modified en route is to have the client sign it with its own 
> >>certificate and private key. [...]
> >
> >That could well be an overkill.  Standard wire-level security like
> >TLS/SSL, without extra explicit signatures, should be sufficient for
> >protection against a hostile network.
> >  
> I'll let you make the call on sufficiency. However, while an SSL/TLS 
> connection provides server authentication and encryption, I still don't 
> believe that it alone protects against tampering. Search for "tampering" 
> in the following page:
> 
> https://developer.mozilla.org/en/Introduction_to_Public-Key_Cryptography#Internet_Security_Issues

The overall SSL/TLS protocol (via encryption and other stuff) does just that:

# Once the server has been authenticated, the client and server use
# techniques of symmetric-key encryption, which is very fast, to
# encrypt all the information they exchange for the remainder of the
# session and to detect any tampering that may have occurred.


> >Yes, but the client (stap-client) cannot be trusted by staprun.
> >staprun need only care that the final module is built correctly.
>
> So are you preferring the option above over option 2 (staprun 
> re-verifies the entire response)?

No, I'm suggesting that stap-client need not verify the response at
all, assuming that wire-level security was in place.


- FChE
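
An added illustration, not part of the original message or of systemtap's code: the per-record integrity check that lets SSL/TLS "detect any tampering", in the form RFC 5246 section 6.2.3.1 gives for non-AEAD cipher suites. Encryption is left out, and the key, the sample script and the names RecordMac, rejected and demo are constructed for this sketch.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23   # TLS ContentType for application data
TLS12 = b"\x03\x03"     # protocol version bytes for TLS 1.2
TAG_LEN = 32            # HMAC-SHA256 output size

class RecordMac:
    """One direction of a session: shared MAC key plus implicit sequence number."""
    def __init__(self, mac_key: bytes):
        self.key = mac_key
        self.seq = 0    # never sent on the wire; each side counts records itself

    def _tag(self, fragment: bytes) -> bytes:
        # HMAC(key, seq_num || type || version || length || fragment)
        header = struct.pack("!QB2sH", self.seq, APPLICATION_DATA, TLS12, len(fragment))
        return hmac.new(self.key, header + fragment, hashlib.sha256).digest()

    def protect(self, fragment: bytes) -> bytes:
        record = fragment + self._tag(fragment)
        self.seq += 1
        return record

    def verify(self, record: bytes) -> bytes:
        fragment, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(fragment)):
            raise ValueError("bad_record_mac")  # a real TLS peer aborts the session here
        self.seq += 1
        return fragment

def rejected(receiver: RecordMac, record: bytes) -> bool:
    try:
        receiver.verify(record)
    except ValueError:
        return True
    return False

def demo() -> dict:
    key = b"k" * 32     # constructed; in TLS this comes out of the handshake
    script = b'probe begin { println("hello") exit() }'   # constructed sample
    sender, receiver = RecordMac(key), RecordMac(key)
    first, second = sender.protect(script), sender.protect(b"second record")
    results = {"intact": receiver.verify(first) == script}
    results["tampered"] = rejected(receiver, bytes([second[0] ^ 1]) + second[1:])
    results["replayed"] = rejected(receiver, first)   # carries the wrong sequence number
    results["in_order"] = receiver.verify(second) == b"second record"
    return results

if __name__ == "__main__":
    print(demo())
```

Because the sequence number is part of the MAC input, a replayed or reordered record fails the same check as a modified one.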

