Distributed Systems Security Overview • Douglas C. Sicker, Assistant Professor, Department of Computer Science and Interdisciplinary Telecommunications Program
Network Security • What we’ll cover: • What is network security? • What are the goals? • What are the threats? • What are the solutions? • How do they operate? • This is a lot of info and it might take a few reads to stick. Distributed Security, ECEN 5053, U of Colo, Boulder
Network Security • Some issues with the book… • Assumes malicious intent as the reason for needing security. • Is this valid? • Focus on the protocols (not surprising) • However, the real problems with security are mostly outside of the technical space (see the Economist articles). • What else should we consider? • For example, more depth on security models, security policy, assurance, insurance, risk assessment… • Lastly, keep in mind that even the best protocols can be misapplied.
Network Security • What do we seek? • Confidentiality • Integrity • Availability • Non-repudiation • Accounting
Distributed Security and Electronic Voting • “The Perils of Polling”, Steven Cherry, IEEE Spectrum, October 2004, pp. 34-40 • ECEN 5053 Software Engineering of Distributed Systems, University of Colorado, Boulder
Background • Read Chapter 7 in text • Read articles from The Economist • Consider the issues of electronic voting • To simplify one of your homework problems, make a list of security issues as you recognize them in the lecture.
Advent of electronic voting acceptance • What is “electronic voting” for this unit? • Use of equipment that directly records votes only on electronic media, such as chips, cartridges, or disks, with no paper or other tangible form of backup • November 2004 election • More than 25% of U.S. ballots will be cast using electronic voting • If we are ready for electronic voting, is the technology ready for us?
Pros & Cons • Advantages: • No hanging chads • No paper ballots printed out of alignment so that optical scanners make too many errors (the bane of Boulder County in November 2004) • Disadvantages for 2004 • Some deployed systems had known flaws • Some poorly tested • Some not tested at all
Basics • Fundamental requirement for ensuring integrity of votes • Ability to perform an independent recount • Reconstruct the tally if contested • Current systems • No assurance that the vote was counted at all • No assurance counted correctly • Some machines will fail (as they have in recent elections)
The real issues of security • Requirements: • voting machines must be robustly reliable • independently verifiable counts • Unfortunately, it may be a harder problem than is appreciated by those who developed products in use • David Chaum is working on it ... • cryptographer • more later
Vision Document problem statement • The problem of [describe the problem] • affects [the stakeholders affected by the problem] • the impact of which is [what is the impact of the problem?] • A successful solution would be [list some key benefits of a successful solution]
Let’s stop and list requirements • What are some characteristics of elections? • early voting • absentee voting • election day • what else?
Are there standards in place? • Yes and no • Many installed for 2004 election comply with federal guidelines • obsolete ... from 1990 • Replaced in 2002 • But many voting systems in use in 2004 were certified according to the 1990 standards
Domain challenges • Elections run individually by each state • State and local officials responsible for choosing and deploying equipment • not skeptical enough of manufacturers’ claims • sometimes rejected advice of engineers and specialists • If states are willing to buy and federal government is willing to give money to do so ...
State differences • Some states choose voting equipment at the state level • Some leave it up to counties or even smaller municipalities • Lots of decision makers leads to variety of decisions made • Some other countries with electronic voting made the choice at the national level. See any problems with that?
Partially vs. wholly electronic • Partially electronic systems • Paper ballot to be optically scanned like standardized tests • Scanners count • If contested, ballots can be rescanned or counted by hand • Wholly electronic • Store the vote digitally, not on paper
Accu-Vote-TSX example • Touch-screen system made by Diebold Inc • Voter signs in at the polling station and receives an activated card similar to modern hotel-room “key” • Voter inserts it into machine and makes selections • When voter touches “Cast Vote”, vote is recorded on hard disk, access card is deactivated – voter cannot vote a 2nd time • Accu-Vote machine has built-in printer to record vote totals when polls close • Accu-Vote machine has a modem for optional encryption and transmission of vote totals
80% of the market • Diebold • Election Systems & Software, Inc. • Sequoia Voting Systems, Inc.
Advantages of Electronic Voting • Machines can be programmed to keep the voter from voting for two candidates for a single office • Text on the screen can be read by voice-synthesis software • Other features
Current disadvantages • Early-generation equipment was flawed • Hard for local governments to keep track • Shifting cast of companies • Testing is time-consuming • Certification requirements can’t keep up • New machines, many workers are volunteers with short-term training appropriate for a 1 or 2-day job
Examples of problems • 2002 a Florida gubernatorial (governor) primary • in two counties, some of the new equipment would not boot in time for the start of the election • 2003, Boone County, Indiana • 5,352 voters • 144,000 votes reported • 2004 primaries in California – catastrophes throughout the state across wide variety of different machines • San Diego County – some opened 4 hrs late • Some Diebold machines spontaneously rebooted presenting Microsoft Windows generic screen instead of ballot
Reliability Concerns • The Diebold spontaneous reboot problem • Voter access card encoders • Power switches had faults that drained them of battery power • In northern Alameda County, 1 in 5 Diebold encoders had similar problems • Hearings held, California Sec’y of State Kevin Shelley released a report charging • Diebold marketed, sold, and installed AccuVote systems in Kern, San Diego, San Joaquin, and Solano counties • prior to full testing and federal qualification • without complying with state certification requirements
Reliability Consequences • April 30, Calif Sec’y of State withdrew approval for all direct-recording electronic voting systems in California • State required nearly 16,000 AccuVote machines in the 4 counties to be recertified • this time, complying with tighter security and auditability measures or • replaced with optically scanned balloting in time for the November election • Based on your knowledge of software, what are the implications of complying with new requirements within a tight deadline?
Other problems • Installation of uncertified components and coverup of malfunctioning products • Earlier in 2004, “a June 2003 ES&S memo came to light that indicated flaws in the auditing software for a $24.5 million installation of its iVotronic voting machines in Miami-Dade County” • ES&S also manufactured voting systems previously used in Venezuela that suffered a 6% malfunction rate in actual use.
State of Maryland hired SAIC ... We recommend that SBE immediately implement the following mitigation strategies to address the identified risks with a rating of high: • Bring the AccuVote-TS voting system into compliance with the State of Maryland Information Security Policy and Standards. • Consider the creation of a Chief Information Systems Security Officer (CISSO) position at SBE. This individual would be responsible for the secure operations of the AccuVote-TS voting system. • Develop a formal, documented, complete, and integrated set of standard policies and procedures. Apply these standard policies and procedures consistently through the LBEs in all jurisdictions.
State of Maryland • Create a formal, System Security Plan. The plan should be consistent with the State of Maryland Information Security Policy and Standards, Code of Maryland Regulations (COMAR), Federal Election Commission (FEC) standards, and industry best practices. • Apply cryptographic protocols to protect transmission of vote tallies. • Require 100 percent verification of results transmitted to the media through separate count of PCMCIA cards containing the original votes cast. • Establish a formal process requiring the review of audit trails at both the application and operating system levels. • Provide formal information security awareness, training, and education program appropriate to each user’s level of access.
State of Maryland - 2 • Review any system modifications through a formal, documented, risk assessment process to ensure that changes do not negate existing security controls. Perform a formal risk assessment following any major system modifications, or at least every three years. • Implement a formal, documented process to detect and respond to unauthorized transaction attempts by authorized and/or unauthorized users. • Establish a formal, documented set of procedures describing how the general support system identifies access to the system. • And my personal favorite: Change default passwords and passwords printed in documentation immediately
Elsewhere • Ireland scuttled plans to use electronic voting in local and European parliamentary elections in June 2004 • partly over concerns about lack of independent auditability • constant software updates from the vendors* – software could not be reviewed in time • Same vendor (Nedap NV) made some of its online e-voting software** available as open source • Won’t compile and run • What else?
Physical security • 1% of Fairfax County, Virginia’s new WINvote touch-screen machines (Advanced Voting Solutions) • repaired outside the polling place • returned and put back into use • with broken or removed security seals • in apparent violation of state law
Distributed systems bandwidth issue • Again, Fairfax • About half of the vote totals (not the national election) couldn’t be electronically transmitted • System flooded itself with messages • They had inadvertently designed in their own denial of service attack on the server • A number of machines apparently subtracted votes at random from the Republican school board candidate (Rita Thompson) resulting in a possible miscount of 1 to 2 percent of her votes – close to the margin by which she lost the election.
Warnings • Web site for Arlington County told poll workers what to do if • the voting machine freezes during boot-up • master unit does not “pick up” one of the units in the polling place when opening the polls • when closing, “if tally fails to pick up a machine” • Jeremy Epstein, an information-security expert, attended a pre-election training session • submitted a 3-page list of questions to Fairfax officials • then electoral board sec’y couldn’t respond on the grounds that “release of that information could jeopardize the security of that voting equipment” • treat that as a requirement ...
Complexity is generally not understood • “Here are the candidates, pick one” • What other situations occur? • Anonymity is a potentially bigger problem • Requirements?
Complexity continued • Independent verifiability • California audits elections by requiring 1% of all paper ballots be manually recounted whether or not an election is contested • Requirements? • Focus on adding paper back into the process • Requirements re paper ballot? • California: newly purchased direct-recording must have accessible, voter-verified paper audit trail • retrofit required for existing ones by July 2006
Complexity summary • The vote • Complexity of selection possibilities • Count correctly • Robust hardware and software • Accurate LAN communication at polling place • Accurate WAN communication to central server, if used • ETC • how to verify electronic votes • how to test electronic voting hw and sw • how to maintain security and integrity
Without voter-verified paper audit trail • Certification process necessary • Compliance verification • Is the system in place, the one that was certified? • Current federal guidelines (2002) don’t require digital signature to track software from certification to installation to end of voting day • IEEE Standards Association formed a working group on voting standards
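The compliance question on this slide (is the installed system the one that was certified?) can be checked by comparing what is on the machine with a manifest of file digests recorded at certification. The following is an added example, not from the lecture or any vendor; the file names and manifest format are constructed, and it assumes the manifest itself reaches the polling place under a digital signature that is verified separately.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file path (relative to root) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_to_certified(root, certified):
    """Report every difference between the installed tree and the certified manifest."""
    installed = build_manifest(root)
    return {
        "changed": sorted(n for n in certified
                          if n in installed and installed[n] != certified[n]),
        "missing": sorted(n for n in certified if n not in installed),
        "unexpected": sorted(n for n in installed if n not in certified),
    }

def is_certified_build(root, certified):
    return not any(compare_to_certified(root, certified).values())

def demo():
    """Constructed scenario: certify a tree, then alter it as a field update might."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ballot_station").write_bytes(b"certified build")
        (root / "ballot.cfg").write_bytes(b"contest=1\n")
        certified = build_manifest(root)          # recorded at certification
        before = is_certified_build(root, certified)
        (root / "bin" / "ballot_station").write_bytes(b"field patch")
        (root / "ballot.cfg").unlink()
        (root / "bin" / "helper").write_bytes(b"uncertified component")
        return before, compare_to_certified(root, certified)

if __name__ == "__main__":
    print(demo())
```

Running the comparison at installation and again at the end of voting day covers the span the slide describes; any non-empty list is a finding for the audit trail.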
Design question • Is it possible to provide sufficient auditability without paper? • Consider electronic funds transactions • Encryption techniques • David Chaum, cryptographer • Lets election officials post electronic ballots to the internet • Voters can check that their votes were included in the election tally • Still needs paper but his electronic tallies are as reliable as a count of paper ballots • Still provides voter anonymity • Great, right?
Suppose all cryptography issues settled ... • If all mathematical problems are solved, what remains? • Voting is a complicated social phenomenon and the solution must be perceived socially to be a solution. • Machines need to be physically secure before, during, after • Workers well trained, able to deal with technological problems that can occur • www.OpenVotingConsortium.org
Article’s conclusion • At the trailhead of electronic voting systems • “Election officials underestimated the problems of deploying the technology.” • “Computer scientists underestimated the long-standing difficulties of conducting traditional all-paper ballots.” (requirements elicitation!) • “Election officials now seem to be coming to understand the merits and demerits of electronic voting systems.” • “The current debate over electronic voting systems has certainly raised the bar for election equipment.” • “And every year, we get a chance to do better.”
Chaum’s approach
SSL and the human element • A drop-in replacement for standard network sockets? • SSL’s intent: provide an authenticated, encrypted communications channel, where the attacker cannot tamper with data in transit without being detected on the receiving end. • What’s the easy part? • What’s the hard part?
Mutual Authentication • Client wants to know it is talking to correct server (precinct and county, for example) • Server wants to know which user is on the other end • Expect: authenticate the server to the client and once an encrypted data channel is established, implement an authentication mechanism over it so the server can establish the client’s identity.
How SSL authenticates • Party-to-be-validated (server) presents the other party (client) its certificate • Public key, identifying information, dates of validity, endorsing digital signatures from a Certification Authority (CA) • The CA is responsible for making sure it endorses only those certificates that really do belong to the intended owners
The client’s responsibility • Assume CA never makes a mistake • Companies we are to do business with are good at protecting their private key • Client must make sure the certificate is the right one. • certificate is signed by a known CA • certificate is current • certificate is bound to entity you want
Validate the data in the certificate • Certificate is bound to a domain name • None of the major SSL libraries performs any of this validation for the developer by default. • When a user asks to open a client socket the SSL library could easily perform every reasonable check on the server certificate including whether the certificate is bound to the domain supplied by the user.
Vulnerability • Most applications using SSL are subject to man-in-the-middle attacks • Only a theoretical problem? • Yes, you can exploit the Internet’s router infrastructure • But if you couldn’t, still ... one can launch a man-in-the-middle attack from machines on the same underlying medium as either of the two endpoints.
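The three client-side checks from the preceding slides (known CA, current, bound to the entity you want) are shown below as an added example, not code from the lecture or from any SSL library. The certificates are constructed dictionaries in the shape Python's `SSLSocket.getpeercert()` returns, the host and CA names are hypothetical, and the issuer-name comparison only stands in for the signature-chain verification a TLS library performs.

```python
import ssl
from datetime import datetime, timezone

def strict_client_context():
    # Real ssl API: the default client context requires a chain to a trusted
    # CA (CERT_REQUIRED) and checks the name binding (check_hostname).
    return ssl.create_default_context()

def issuer_cn(cert):
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def name_matches(pattern, host):
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":                  # wildcard covers exactly one leftmost label
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_certificate(cert, host, known_cas, now):
    """Return the list of client-side checks this certificate fails."""
    failed = []
    # Stand-in for chain validation: comparing names proves nothing on a live
    # link, where the library must verify the CA's signature.
    if issuer_cn(cert) not in known_cas:
        failed.append("unknown CA")
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        failed.append("not current")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host) for n in names):
        failed.append("wrong entity")
    return failed

# Constructed sample certificates (hypothetical names and dates).
def make_cert(dns, issuer="Constructed Root CA", year=2004):
    return {"issuer": ((("commonName", issuer),),),
            "notBefore": f"Jan  1 00:00:00 {year} GMT",
            "notAfter": f"Dec 31 23:59:59 {year} GMT",
            "subjectAltName": tuple(("DNS", d) for d in dns)}

KNOWN_CAS = {"Constructed Root CA"}
NOW = datetime(2004, 11, 2, tzinfo=timezone.utc).timestamp()
WANTED = "tally.county.example"
GOOD = make_cert(["*.county.example"])
OTHER_SITE = make_cert(["www.other.example"])  # known CA, current, wrong name
EXPIRED = make_cert([WANTED], year=2003)
SELF_ISSUED = make_cert([WANTED], issuer=WANTED)
```

`OTHER_SITE` is the case behind the man-in-the-middle slide: it passes the first two checks and is rejected only because the client compares the certificate's names with the host it asked for.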
Resources • Viega and McGraw, Building Secure Software, Addison Wesley Professional, 2001. • Howard and LeBlanc, Writing Secure Code, Microsoft Press, 2002, 2nd edition. • Viega and Messier, Secure Programming Cookbook for C and C++, O’Reilly, 2003.
Distributed System Issues? • In addition to the security issues you listed, what distributed system issues do we have to address to have an acceptable system?