fre 2011-12-23 klockan 19:33 +0100 skrev Philip Homburg:
On 12/23/11 19:10 , Simon Josefsson wrote:
One way to deal with that is to let the probes send in the hash value of its firmware or something similar, which can be used to detect problems like that. And you could prepare "official" reports based only on the probes running "official" firmware. You want untrusted firmware to send a hash value of itself? How do you know it is not lying?
I really think this is orthogonal to releasing source code though. If you haven't built in any security mechanism, people can already do what you appear to be afraid of today.
(From a technical point of view) releasing the source is not an issue. The probes come with key material that allows them to connect to the Atlas infrastructure. In theory you can get that out of the probe. But, you would violate the agreement as a probe host and it would be quite tricky to do. And, you can take over only one probe at a time which has to be in your physical possession.
If we would allow 'third party' probes to connect to the Atlas infrastructure then all of that changes. No need to physically obtain a probe. Just download the source, request a key. And start hacking away.
How does this keying work today? I haven't seen this documented anywhere. If you embed a symmetric or asymmetric key in the probes, which sounds like what you are suggesting (and is more advanced than what I expected), there shouldn't be any threat to publish source code for the firmware: people will not have access to any private key that you will trust. I was assuming that your current threat model was that you aren't concerned about fake probes, but if you have embedded keys in the probes, that suggests a different threat model. Solving that is relatively complicated, and describing your setup would be a useful contribution. My proposed solution to send a hash of the firmware was to be able to diagnose on the server side which firmware sent what information and to do larger-scale data mining. It is not a solution to malicious probes. Sorry if anything I said implied that. Cheers, /Simon