Distributed Systems Security Overview
Douglas C. Sicker, Assistant Professor, Department of Computer Science and Interdisciplinary Telecommunications Program
Network Security
• What we’ll cover:
  • What is network security?
  • What are the goals?
  • What are the threats?
  • What are the solutions?
  • How do they operate?
• This is a lot of info and it might take a few reads to stick.
Distributed Security, ECEN 5053, U of Colo, Boulder
Network Security
• Some issues with the book…
  • Assumes malicious intent as the reason for needing security.
    • Is this valid?
  • Focus on the protocols (not surprising)
    • However, the real problems with security are mostly outside of the technical space (see the Economist articles).
  • What else should we consider?
    • For example, more depth on security models, security policy, assurance, insurance, risk assessment…
  • Lastly, keep in mind that even the best protocols can be misapplied.
Network Security
• What do we seek?
  • Confidentiality
  • Integrity
  • Availability
  • Non-repudiation
  • Accounting
Distributed Security and Electronic Voting
“The Perils of Polling”, Steven Cherry, IEEE Spectrum, October 2004, pp. 34-40
ECEN 5053 Software Engineering of Distributed Systems, University of Colorado, Boulder
Background
• Read Chapter 7 in text
• Read articles from The Economist
• Consider the issues of electronic voting
• To simplify one of your homework problems, make a list of security issues as you recognize them in the lecture.
Advent of electronic voting acceptance
• What is “electronic voting” for this unit?
  • Use of equipment that directly records votes only on electronic media, such as chips, cartridges, or disks, with no paper or other tangible form of backup
• November 2004 election
  • More than 25% of U.S. ballots will be cast using electronic voting
• If we are ready for electronic voting, is the technology ready for us?
Pros & Cons
• Advantages:
  • No hanging chads
  • No paper ballots printed out of alignment so that optical scanners make too many errors (the bane of Boulder County in November 2004)
• Disadvantages for 2004:
  • Some deployed systems had known flaws
  • Some poorly tested
  • Some not tested at all
Basics
• Fundamental requirement for ensuring integrity of votes
  • Ability to perform an independent recount
  • Reconstruct the tally if contested
• Current systems
  • No assurance that the vote was counted at all
  • No assurance that it was counted correctly
  • Some machines will fail (as they have in recent elections)
The real issues of security
• Requirements:
  • voting machines must be robustly reliable
  • independently verifiable counts
• Unfortunately, it may be a harder problem than is appreciated by those who developed the products in use
• David Chaum is working on it ...
  • cryptographer
  • more later
Vision Document problem statement
The problem of [describe the problem] affects [the stakeholders affected by the problem], the impact of which is [what is the impact of the problem?]. A successful solution would be [list some key benefits of a successful solution].
Let’s stop and list requirements
• What are some characteristics of elections?
  • early voting
  • absentee voting
  • election day
  • what else?
Are there standards in place?
• Yes and no
• Many installed for 2004 election complied with federal guidelines
  • obsolete ... from 1990
• A lot of legislation since then at state and federal level – not all systems comply
Domain challenges
• Elections run individually by each state
• State and local officials responsible for choosing and deploying equipment
  • not skeptical enough of manufacturers’ claims
  • sometimes rejected advice of engineers and specialists
• If states are willing to buy and federal government is willing to give money to do so ...
State differences
• Some states choose voting equipment at the state level
• Some leave it up to counties or even smaller municipalities
• Lots of decision makers leads to a variety of decisions made
• Some other countries with electronic voting made the choice at the national level. See any problems with that?
Partially vs. wholly electronic
• Partially electronic systems
  • Paper ballot to be optically scanned like standardized tests
  • Scanners count
  • If contested, ballots can be rescanned or counted by hand
• Wholly electronic
  • Store the vote digitally, not on paper
Accu-Vote-TSX example
• Touch-screen system made by Diebold Inc
• Voter signs in at the polling station and receives an activated card similar to a modern hotel-room “key”
• Voter inserts it into the machine and makes selections
• When voter touches “Cast Vote”, vote is recorded on hard disk, access card is deactivated – voter cannot vote a 2nd time
• Accu-Vote machine has built-in printer to record vote totals when polls close
• Accu-Vote machine has a modem for optional encryption and transmission of vote totals
80% of the market
• Diebold
• Election Systems & Software, Inc.
• Sequoia Voting Systems, Inc.
Advantages of Electronic Voting
• Machines can be programmed to keep the voter from voting for two candidates for a single office
• Text on the screen can be read by voice-synthesis software
• Other features
Current disadvantages
• Early-generation equipment was flawed
• Hard for local governments to keep track
  • Shifting cast of companies
• Testing is time-consuming
  • Certification requirements can’t keep up
• New machines; many workers are volunteers with short-term training appropriate for a 1- or 2-day job
Examples of problems
• 2002, a Florida gubernatorial (governor) primary
  • in two counties, some of the new equipment would not boot in time for the start of the election
• 2003, Boone County, Indiana
  • 5,352 voters
  • 144,000 votes reported
• 2004 primaries in California – catastrophes throughout the state across a wide variety of different machines
  • San Diego County – some opened 4 hrs late
  • Some Diebold machines spontaneously rebooted, presenting a Microsoft Windows generic screen instead of the ballot
Reliability Concerns
• The Diebold spontaneous reboot problem
• Voter access card encoders
  • Power switches had faults that drained them of battery power
  • In northern Alameda County, 1 in 5 Diebold encoders had similar problems
• Hearings held; California Sec’y of State Kevin Shelley released a report charging that
  • Diebold marketed, sold, and installed AccuVote systems in Kern, San Diego, San Joaquin, and Solano counties
    • prior to full testing and federal qualification
    • without complying with state certification requirements
Reliability Consequences
• April 30, Calif. Sec’y of State withdrew approval for all direct-recording electronic voting systems in California
• State required nearly 16,000 AccuVote machines in the 4 counties to be recertified
  • this time, complying with tighter security and auditability measures, or
  • replaced with optically scanned balloting in time for the November election
• Based on your knowledge of software, what are the implications of complying with new requirements within a tight deadline?
Other problems
• Installation of uncertified components and coverup of malfunctioning products
• Earlier in 2004, “a June 2003 ES&S memo came to light that indicated flaws in the auditing software for a $24.5 million installation of its iVotronic voting machines in Miami-Dade County”
• ES&S also manufactured voting systems previously used in Venezuela that suffered a 6% malfunction rate in actual use.
Elsewhere
• Ireland scuttled plans to use electronic voting in local and European parliamentary elections in June 2004
  • partly over concerns about lack of independent auditability
  • constant software updates from the vendors* – software could not be reviewed in time
• Same vendor (Nedap NV) made some of its online e-voting software** available as open source
  • Won’t compile and run
• What else?
Physical security
• 1% of Fairfax County, Virginia’s new WINvote touch-screen machines (Advanced Voting Solutions)
  • repaired outside the polling place
  • returned and put back into use
    • with broken or removed security seals
    • in apparent violation of state law
Distributed systems bandwidth issue
• Again, Fairfax
• About half of the vote totals (not the national election) couldn’t be electronically transmitted
  • System flooded itself with messages
  • They had inadvertently designed in their own denial-of-service attack on the server
• A number of machines apparently subtracted votes at random from the Republican school board candidate (Rita Thompson), resulting in a possible miscount of 1 to 2 percent of her votes – close to the margin by which she lost the election.
Warnings
• Web site for Arlington County told poll workers what to do if
  • the voting machine freezes during boot-up
  • the master unit does not “pick up” one of the units in the polling place when opening the polls
  • when closing, “if tally fails to pick up a machine”
• Jeremy Epstein, an information-security expert, attended a pre-election training session
  • submitted a 3-page list of questions to Fairfax officials
  • the electoral board sec’y couldn’t respond on the grounds that “release of that information could jeopardize the security of that voting equipment”
  • treat that as a requirement ...
Complexity is generally not understood
• “Here are the candidates, pick one”
• What other situations occur?
• Anonymity is a potentially bigger problem
• Requirements?
Complexity continued
• Independent verifiability
  • California audits elections by requiring that 1% of all paper ballots be manually recounted whether or not an election is contested
  • Requirements?
• Focus on adding paper back into the process
  • Requirements re paper ballot?
  • California: newly purchased direct-recording machines must have an accessible, voter-verified paper audit trail
    • retrofit required for existing ones by July 2006
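An added example, not part of the slides, on the "Requirements?" question for the fixed 1% manual recount: the chance that a random sample catches a miscount depends on how many sampling units are affected out of how many exist, and this shows the general hypergeometric calculation for any sample size, not just 1%. It assumes the sampling unit is a precinct and uses a constructed precinct count; none of the numbers come from California's actual audit.

```go
package main

import "fmt"

// MissProbability is the chance that a uniformly random sample of `sample` units
// drawn from `total` contains none of the `affected` units (hypergeometric tail,
// computed as a running product so no large binomial coefficients are needed).
// Once sample > total-affected a factor becomes 0 and the miss chance is exactly 0.
func MissProbability(total, affected, sample int) float64 {
	p := 1.0
	for i := 0; i < sample; i++ {
		p *= float64(total-affected-i) / float64(total-i)
	}
	return p
}

// DetectProbability is the chance that at least one affected unit is sampled.
func DetectProbability(total, affected, sample int) float64 {
	return 1 - MissProbability(total, affected, sample)
}

// SampleForConfidence returns the smallest sample size whose detection
// probability reaches the requested confidence (total if it never does,
// e.g. when no unit is affected).
func SampleForConfidence(total, affected int, confidence float64) int {
	for n := 0; n <= total; n++ {
		if DetectProbability(total, affected, n) >= confidence {
			return n
		}
	}
	return total
}

func main() {
	const precincts = 2000 // constructed: precinct count for a hypothetical county
	onePercent := precincts / 100
	fmt.Println("affected  P(1% sample catches it)  n for 95%")
	for _, affected := range []int{1, 5, 20, 50, 200} {
		fmt.Printf("%8d  %23.3f  %9d\n", affected,
			DetectProbability(precincts, affected, onePercent),
			SampleForConfidence(precincts, affected, 0.95))
	}
}
```

The table makes the requirements point concrete: a fixed percentage gives no fixed confidence, so a requirement has to state the detection probability wanted and let the sample size follow from it.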
Complexity summary
• The vote
  • Complexity of selection possibilities
• Count correctly
  • Robust hardware and software
  • Accurate LAN communication at polling place
  • Accurate WAN communication to central server, if used
• ETC
  • how to verify electronic votes
  • how to test electronic voting hw and sw
  • how to maintain security and integrity
Without voter-verified paper audit trail
• Certification process necessary
• Compliance verification
  • Is the system in place the one that was certified?
  • Current federal guidelines (2002) don’t require a digital signature to track software from certification to installation to end of voting day
• IEEE Standards Association formed a working group on voting standards
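An added example (not from the slides or any vendor) of the compliance check the slide says the 2002 guidelines do not require: a testing lab signs the digest of the certified image, and later measurements of what is actually installed are compared against that signed digest. The images, stage names and the use of Ed25519 are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Certification is a testing lab's record for one approved image: the image's
// SHA-256 digest and the lab's Ed25519 signature over that digest.
type Certification struct {
	Digest [sha256.Size]byte
	Sig    []byte
}

// Certify hashes the approved image and signs the digest with the lab's key.
func Certify(priv ed25519.PrivateKey, image []byte) Certification {
	d := sha256.Sum256(image)
	return Certification{Digest: d, Sig: ed25519.Sign(priv, d[:])}
}

// Audit takes the image bytes observed on a machine at each custody stage
// (installation, poll open, poll close, ...) and reports whether all of them are
// the certified image, listing the stages that are not. A certification record
// whose signature does not verify under the lab's public key voids every stage.
func Audit(pub ed25519.PublicKey, cert Certification, observed map[string][]byte) (bool, []string) {
	var failed []string
	for stage, image := range observed {
		if !ed25519.Verify(pub, cert.Digest[:], cert.Sig) || sha256.Sum256(image) != cert.Digest {
			failed = append(failed, stage)
		}
	}
	sort.Strings(failed) // map order is random; make the report deterministic
	return len(failed) == 0, failed
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	certified := []byte("voting-app v1 (constructed sample image)")
	patched := []byte("voting-app v1 + vendor hotfix (constructed, never certified)")
	cert := Certify(priv, certified)
	ok, failed := Audit(pub, cert, map[string][]byte{
		"installation": certified, "poll-open": patched, "poll-close": patched,
	})
	fmt.Println(ok, failed) // false [poll-close poll-open]
}
```

An uncertified update pushed after installation, as in the Irish case on the earlier slide, shows up as a digest mismatch at every later stage, while a tampered certification record fails the signature check outright.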
Design question
• Is it possible to provide sufficient auditability without paper?
  • Consider electronic funds transactions
• Encryption techniques
  • David Chaum, cryptographer
  • Lets election officials post electronic ballots to the internet
  • Voters can check that their votes were included in the election tally
  • Still needs paper, but his electronic tallies are as reliable as a count of paper ballots
  • Still provides voter anonymity
• Great, right?
Suppose all cryptography issues settled ...
• If all mathematical problems are solved, what remains?
• Voting is a complicated social phenomenon and the solution must be perceived socially to be a solution.
• Machines need to be physically secure before, during, and after
• Workers well trained, able to deal with technological problems that can occur
Article’s conclusion
• At the trailhead of electronic voting systems
• “Election officials underestimated the problems of deploying the technology.”
• “Computer scientists underestimated the long-standing difficulties of conducting traditional all-paper ballots.”
• “Election officials now seem to be coming to understand the merits and demerits of electronic voting systems.”
• “The current debate over electronic voting systems has certainly raised the bar for election equipment.”
• “And every year, we get a chance to do better.”
Chaum’s approach
Distributed System Issues?
In addition to the security issues you listed, what distributed system issues do we have to address to have an acceptable system?