Distributed Systems Security Overview Douglas C. Sicker Assistant Professor Department of Computer Science and Interdisciplinary Telecommunications Program

Distributed Systems Security Overview

Douglas C. Sicker, Assistant Professor, Department of Computer Science and Interdisciplinary Telecommunications Program

Nov. 15, 2005 Distributed Security, ECEN 5053, U of Colo, Boulder


Network Security

What we’ll cover:
– What is network security?
– What are the goals?
– What are the threats?
– What are the solutions?
– How do they operate?

This is a lot of info and it might take a few reads to stick.


Network Security

Some issues with the book…

Assumes malicious intent as the reason for needing security.
– Is this valid?

Focus on the protocols (not surprising)
– However, the real problems with security are mostly outside of the technical space (see the Economist articles).
– What else should we consider?
  • For example, more depth on security models, security policy, assurance, insurance, risk assessment…
– Lastly, keep in mind that even the best protocols can be misapplied.


Network Security

What do we seek?
– Confidentiality
– Integrity
– Availability
– Non-repudiation
– Accounting

Distributed Security and Electronic Voting

“The Perils of Polling”, Steven Cherry, IEEE Spectrum, October 2004, pp. 34-40

ECEN 5053 Software Engineering of Distributed Systems

University of Colorado, Boulder


Background

Read Chapter 7 in text
Read articles from The Economist
Consider the issues of electronic voting
To simplify one of your homework problems, make a list of security issues as you recognize them in the lecture.


Advent of electronic voting acceptance

What is “electronic voting” for this unit?
– Use of equipment that directly records votes only on electronic media, such as chips, cartridges, or disks, with no paper or other tangible form of backup

November 2004 election
– More than 25% of U.S. ballots will be cast using electronic voting

If we are ready for electronic voting, is the technology ready for us?


Pros & Cons

Advantages:
– No hanging chads
– No paper ballots printed out of alignment so that optical scanners make too many errors (the bane of Boulder County in November 2004)

Disadvantages for 2004
– Some deployed systems had known flaws
– Some poorly tested
– Some not tested at all


Basics

Fundamental requirement for ensuring integrity of votes
– Ability to perform an independent recount
– Reconstruct the tally if contested

Current systems
– No assurance that the vote was counted at all
– No assurance counted correctly
– Some machines will fail (as they have in recent elections)


The real issues of security

Requirements:
– voting machines must be robustly reliable
– independently verifiable counts

Unfortunately, it may be a harder problem than is appreciated by those who developed the products in use

David Chaum is working on it ...
– cryptographer
– more later


Vision Document problem statement

The problem of [describe the problem]

affects [the stakeholders affected by the problem]

the impact of which is

[what is the impact of the problem?]

A successful solution would be

[list some key benefits of a successful solution]


Let’s stop and list requirements

What are some characteristics of elections?
– early voting
– absentee voting
– election day
– what else?


Are there standards in place?

Yes and no
– Many installed for 2004 election comply with federal guidelines
– obsolete ... from 1990
– Replaced in 2002
– But many voting systems in use in 2004 were certified according to the 1990 standards


Domain challenges

Elections run individually by each state
State and local officials responsible for choosing and deploying equipment
– not skeptical enough of manufacturers’ claims
– sometimes rejected advice of engineers and specialists

If states are willing to buy and federal government is willing to give money to do so ...


State differences

Some states choose voting equipment at the state level

Some leave it up to counties or even smaller municipalities

Lots of decision makers leads to variety of decisions made

Some other countries with electronic voting made the choice at the national level. See any problems with that?


Partially vs. wholly electronic

Partially electronic systems
– Paper ballot to be optically scanned like standardized tests
– Scanners count
– If contested, ballots can be rescanned or counted by hand

Wholly electronic
– Store the vote digitally, not on paper


Accu-Vote-TSX example

Touch-screen system made by Diebold Inc
Voter signs in at the polling station and receives an activated card similar to a modern hotel-room “key”
Voter inserts it into machine and makes selections
When voter touches “Cast Vote”, vote is recorded on hard disk, access card is deactivated
– voter cannot vote a 2nd time
Accu-Vote machine has built-in printer to record vote totals when polls close
Accu-Vote machine has a modem for optional encryption and transmission of vote totals


80 % of the market

Diebold Election Systems & Software, Inc. Sequoia Voting Systems, Inc.


Advantages of Electronic Voting

Machines can be programmed to keep the voter from voting for two candidates for a single office

Text on the screen can be read by voice-synthesis software

Other features


Current disadvantages

Early-generation equipment was flawed
Hard for local governments to keep track
Shifting cast of companies
Testing is time-consuming
Certification requirements can’t keep up
New machines, many workers are volunteers with short-term training appropriate for a 1- or 2-day job


Examples of problems

2002 Florida gubernatorial (governor) primary
– in two counties, some of the new equipment would not boot in time for the start of the election

2003, Boone County, Indiana
– 5,352 voters
– 144,000 votes reported

2004 primaries in California
– catastrophes throughout the state across a wide variety of different machines
– San Diego County – some opened 4 hrs late
– Some Diebold machines spontaneously rebooted, presenting the Microsoft Windows generic screen instead of the ballot


Reliability Concerns

The Diebold spontaneous reboot problem
– Voter access card encoders
– Power switches had faults that drained them of battery power
In northern Alameda County, 1 in 5 Diebold encoders had similar problems
Hearings held; California Sec’y of State Kevin Shelley released a report charging
– Diebold marketed, sold, and installed AccuVote systems in Kern, San Diego, San Joaquin, and Solano counties
– prior to full testing and federal qualification
– without complying with state certification requirements


Reliability Consequences

April 30, Calif Sec’y of State withdrew approval for all direct-recording electronic voting systems in California
– State required nearly 16,000 AccuVote machines in the 4 counties to be recertified
– this time, complying with tighter security and auditability measures, or
– replaced with optically scanned balloting in time for the November election

Based on your knowledge of software, what are the implications of complying with new requirements within a tight deadline?


Other problems

Installation of uncertified components and coverup of malfunctioning products
– Earlier in 2004, “a June 2003 ES&S memo came to light that indicated flaws in the auditing software for a $24.5 million installation of its iVotronic voting machines in Miami-Dade County”
– ES&S also manufactured voting systems previously used in Venezuela that suffered a 6% malfunction rate in actual use.


State of Maryland hired SAIC ...

We recommend that SBE immediately implement the following mitigation strategies to address the identified risks with a rating of high:
• Bring the AccuVote-TS voting system into compliance with the State of Maryland Information Security Policy and Standards.
• Consider the creation of a Chief Information Systems Security Officer (CISSO) position at SBE. This individual would be responsible for the secure operations of the AccuVote-TS voting system.
• Develop a formal, documented, complete, and integrated set of standard policies and procedures. Apply these standard policies and procedures consistently through the LBEs in all jurisdictions.


State of Maryland

• Create a formal System Security Plan. The plan should be consistent with the State of Maryland Information Security Policy and Standards, Code of Maryland Regulations (COMAR), Federal Election Commission (FEC) standards, and industry best practices.

• Apply cryptographic protocols to protect transmission of vote tallies.

• Require 100 percent verification of results transmitted to the media through separate count of PCMCIA cards containing the original votes cast.

• Establish a formal process requiring the review of audit trails at both the application and operating system levels.

• Provide formal information security awareness, training, and education program appropriate to each user’s level of access.


State of Maryland - 2

• Review any system modifications through a formal, documented risk assessment process to ensure that changes do not negate existing security controls. Perform a formal risk assessment following any major system modifications, or at least every three years.

• Implement a formal, documented process to detect and respond to unauthorized transaction attempts by authorized and/or unauthorized users.

• Establish a formal, documented set of procedures describing how the general support system identifies access to the system.

And my personal favorite:
• Change default passwords and passwords printed in documentation immediately


Elsewhere

Ireland scuttled plans to use electronic voting in local and European parliamentary elections in June 2004
– partly over concerns about lack of independent auditability
– constant software updates from the vendors*
– software could not be reviewed in time

Same vendor (Nedap NV) made some of its online e-voting software** available as open source
– Won’t compile and run
– What else?


Physical security

1% of Fairfax County, Virginia’s new WINvote touch-screen machines (Advanced Voting Solutions)
– repaired outside the polling place
– returned and put back into use
– with broken or removed security seals
– in apparent violation of state law


Distributed systems bandwidth issue

Again, Fairfax
– About half of the vote totals (not the national election) couldn’t be electronically transmitted
– System flooded itself with messages
– They had inadvertently designed in their own denial of service attack on the server

A number of machines apparently subtracted votes at random from the Republican school board candidate (Rita Thompson), resulting in a possible miscount of 1 to 2 percent of her votes – close to the margin by which she lost the election.


Warnings

Web site for Arlington County told poll workers what to do if
– the voting machine freezes during boot-up
– master unit does not “pick up” one of the units in the polling place when opening the polls
– when closing, “if tally fails to pick up a machine”

Jeremy Epstein, an information-security expert, attended a pre-election training session
– submitted a 3-page list of questions to Fairfax officials
– then electoral board sec’y couldn’t respond on the grounds that “release of that information could jeopardize the security of that voting equipment”
– treat that as a requirement ...


Complexity is generally not understood

“Here are the candidates, pick one”
– What other situations occur?

Anonymity is a potentially bigger problem
– Requirements?


Complexity continued

Independent verifiability
– California audits elections by requiring 1% of all paper ballots be manually recounted whether or not an election is contested
– Requirements?
– Focus on adding paper back into the process
  • Requirements re paper ballot?
– California: newly purchased direct-recording machines must have an accessible, voter-verified paper audit trail
  • retrofit required for existing ones by July 2006


Complexity summary

The vote
– Complexity of selection possibilities
– Count correctly
– Robust hardware and software
– Accurate LAN communication at polling place
– Accurate WAN communication to central server, if used

ETC
– how to verify electronic votes
– how to test electronic voting hw and sw
– how to maintain security and integrity


Without voter-verified paper audit trail

Certification process necessary
– Compliance verification
– Is the system in place the one that was certified?
– Current federal guidelines (2002) don’t require a digital signature to track software from certification to installation to end of voting day

IEEE Standards Association formed a working group on voting standards


Design question

Is it possible to provide sufficient auditability without paper?
– Consider electronic funds transactions
– Encryption techniques

David Chaum, cryptographer
– Lets election officials post electronic ballots to the internet
– Voters can check that their votes were included in the election tally
– Still needs paper, but his electronic tallies are as reliable as a count of paper ballots
– Still provides voter anonymity
– Great, right?


Suppose all cryptography issues settled ...

If all mathematical problems are solved, what remains?

Voting is a complicated social phenomenon and the solution must be perceived socially to be a solution.
– Machines need to be physically secure before, during, after
– Workers well trained, able to deal with technological problems that can occur
– www.OpenVotingConsortium.org


Article’s conclusion

At the trailhead of electronic voting systems
– “Election officials underestimated the problems of deploying the technology.”
– “Computer scientists underestimated the long-standing difficulties of conducting traditional all-paper ballots.” (requirements elicitation!)

“Election officials now seem to be coming to understand the merits and demerits of electronic voting systems.”

“The current debate over electronic voting systems has certainly raised the bar for election equipment.”

“And every year, we get a chance to do better.”


Chaum’s approach


SSL and the human element

A drop-in replacement for standard network sockets?

SSL’s intent: provide an authenticated, encrypted communications channel, where the attacker cannot tamper with data in transit without being detected on the receiving end.

What’s the easy part? What’s the hard part?


Mutual Authentication

Client wants to know it is talking to correct server (precinct and county, for example)

Server wants to know which user is on the other end

Expect: authenticate the server to the client and once an encrypted data channel is established, implement an authentication mechanism over it so the server can establish the client’s identity.


How SSL authenticates

Party-to-be-validated (server) presents the other party (client) its certificate
– Public key, identifying information, dates of validity, endorsing digital signatures from a Certification Authority (CA)
– The CA is responsible for making sure it endorses only those certificates that really do belong to the intended owners


The client’s responsibility

Assume CA never makes a mistake
Companies we are to do business with are good at protecting their private key
Client must make sure the certificate is the right one.
– certificate is signed by a known CA
– certificate is current
– certificate is bound to entity you want


Validate the data in the certificate

Certificate is bound to a domain name
None of the major SSL libraries performs any of this validation for the developer by default.

When a user asks to open a client socket, the SSL library could easily perform every reasonable check on the server certificate, including whether the certificate is bound to the domain supplied by the user.
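The three client-side checks from the previous slides (signed by a known CA, current, bound to the entity you want), as an added example that is not from these slides or any vendor: Python code that re-implements the validity and domain-binding checks over the dict layout Python's ssl module returns from getpeercert(), and builds the weak versus hardened client SSLContext. The sample certificate, hostnames and function names are constructed for illustration; the CA-signature check is delegated to the library, and today's ssl.create_default_context() performs all of these checks, which is exactly what the slide says libraries of the time left to the developer.

```python
import ssl
import time

# Constructed sample in the dict layout that ssl.SSLSocket.getpeercert() returns.
# Not a real certificate; the dates simply make it "current" for the checks below.
SAMPLE_CERT = {
    "subject": ((("commonName", "tally.example-county.gov"),),),
    "subjectAltName": (("DNS", "tally.example-county.gov"),
                       ("DNS", "*.precinct.example-county.gov")),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}

def hostname_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or a single leftmost '*' label."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if p == h:
        return True
    if not p.startswith("*."):
        return False
    p_labels, h_labels = p.split("."), h.split(".")
    # The wildcard stands for exactly one label and needs two fixed labels after it,
    # so "*.gov" matches nothing and "*.b.c" never matches "a.x.b.c".
    return (len(p_labels) >= 3 and len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:])

def cert_is_current(cert, now=None):
    """Validity-window check using the stdlib parser for getpeercert() dates."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"]))

def cert_bound_to(cert, hostname):
    """Binding check: SAN dNSName entries win; the CN is only a fallback without a SAN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(hostname_matches(n, hostname) for n in names)

def validate_peer(cert, hostname, now=None):
    """List the problems found; an empty list means the client-side checks passed.
    The CA signature itself is verified by the library when verify_mode is CERT_REQUIRED."""
    if not cert:
        return ["no verified certificate presented"]  # getpeercert() gives {} under CERT_NONE
    problems = []
    if not cert_is_current(cert, now):
        problems.append("certificate is not current")
    if not cert_bound_to(cert, hostname):
        problems.append("certificate is not bound to " + hostname)
    return problems

def client_context(authenticate=True):
    """False: the 'drop-in socket' setting the slides warn about (encrypted, unauthenticated).
    True: chain verification against the system CA store plus hostname binding."""
    if authenticate:
        return ssl.create_default_context()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

With the weak context, a man-in-the-middle presenting any certificate is accepted and getpeercert() returns an empty dict, which is why validate_peer treats an empty dict as a failure rather than a pass.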


Vulnerability

Most applications using SSL are subject to man-in-the-middle attacks

Only a theoretical problem? Yes, you can exploit the Internet’s router infrastructure. But if you couldn’t, still ... one can launch a man-in-the-middle attack from machines on the same underlying medium as either of the two endpoints.


Resources

Viega and McGraw, Building Secure Software, Addison Wesley Professional, 2001.

Howard and LeBlanc, Writing Secure Code, Microsoft Press, 2002, 2nd edition.

Viega and Messier, Secure Programming Cookbook for C and C++, O’Reilly, 2003.


Distributed System Issues?

In addition to the security issues you listed, what distributed system issues do we have to address to have an acceptable system?