Distributed Systems Security Overview - PowerPoint PPT Presentation
Transcript and Presenter's Notes

1
Distributed Systems Security Overview
  • Douglas C. Sicker
  • Assistant Professor
  • Department of Computer Science and
    Interdisciplinary Telecommunications Program

2
Network Security
  • What we'll cover
  • What is network security?
  • What are the goals?
  • What are the threats?
  • What are the solutions?
  • How do they operate?
  • This is a lot of info and it might take a few
    reads to stick.

3
Network Security
  • Some issues with the book
  • Assumes malicious intent as the reason for
    needing security.
  • Is this valid?
  • Focus on the protocols (not surprising)
  • However, the real problems with security are
    mostly outside of the technical space (see the
    Economist articles).
  • What else should we consider?
  • For example, more depth on security models,
    security policy, assurance, insurance, risk
    assessment
  • Lastly, keep in mind that even the best protocols
    can be misapplied.

4
Network Security
  • What do we seek?
  • Confidentiality
  • Integrity
  • Availability
  • Non-repudiation
  • Accounting

5
Distributed Security and Electronic Voting: "The
Perils of Polling", Steven Cherry, IEEE Spectrum,
October 2004, pp. 34-40
  • ECEN 5053 Software Engineering of Distributed
    Systems
  • University of Colorado, Boulder

6
Background
  • Read Chapter 7 in text
  • Read articles from The Economist
  • Consider the issues of electronic voting
  • To simplify one of your homework problems, make a
    list of security issues as you recognize them in
    the lecture.

7
Advent of electronic voting acceptance
  • What is electronic voting for this unit?
  • Use of equipment that directly records votes only
    on electronic media, such as chips, cartridges,
    or disks, with no paper or other tangible form of
    backup
  • November 2004 election
  • More than 25% of U.S. ballots will be cast using
    electronic voting
  • If we are ready for electronic voting, is the
    technology ready for us?

8
Pros & Cons
  • Advantages
  • No hanging chads
  • No paper ballots printed out of alignment so that
    optical scanners make too many errors (the bane
    of Boulder County in November 2004)
  • Disadvantages for 2004
  • Some deployed systems had known flaws
  • Some poorly tested
  • Some not tested at all

9
Basics
  • Fundamental requirement for ensuring integrity of
    votes
  • Ability to perform an independent recount
  • Reconstruct the tally if contested
  • Current systems
  • No assurance that the vote was counted at all
  • No assurance counted correctly
  • Some machines will fail (as they have in recent
    elections)

10
The real issues of security
  • Requirements
  • voting machines must be robustly reliable
  • independently verifiable counts
  • Unfortunately, it may be a harder problem than is
    appreciated by those who developed products in
    use
  • David Chaum is working on it ... ?
  • cryptographer
  • more later

11
Vision Document problem statement
12
Let's stop and list requirements
  • What are some characteristics of elections?
  • early voting
  • absentee voting
  • election day
  • what else?

13
Are there standards in place?
  • Yes and no
  • Many installed for 2004 election comply with
    federal guidelines
  • obsolete ... from 1990
  • Replaced in 2002
  • But many voting systems in use in 2004 were
    certified according to the 1990 standards

14
Domain challenges
  • Elections run individually by each state
  • State and local officials responsible for
    choosing and deploying equipment
  • not skeptical enough of manufacturers' claims
  • sometimes rejected advice of engineers and
    specialists
  • If states are willing to buy and federal
    government is willing to give money to do so ...

15
State differences
  • Some states choose voting equipment at the state
    level
  • Some leave it up to counties or even smaller
    municipalities
  • Lots of decision makers leads to variety of
    decisions made
  • Some other countries with electronic voting made
    the choice at the national level. See any
    problems with that?

16
Partially vs. wholly electronic
  • Partially electronic systems
  • Paper ballot to be optically scanned like
    standardized tests
  • Scanners count
  • If contested, ballots can be rescanned or counted
    by hand
  • Wholly electronic
  • Store the vote digitally, not on paper

17
Accu-Vote-TSX example
  • Touch-screen system made by Diebold Inc
  • Voter signs in at the polling station and
    receives an activated card similar to modern
    hotel-room key
  • Voter inserts it into machine and makes
    selections
  • When voter touches Cast Vote, vote is recorded
    on hard disk, access card is deactivated voter
    cannot vote a 2nd time
  • Accu-Vote machine has built-in printer to record
    vote totals when polls close
  • Accu-Vote machine has a modem for optional
    encryption and transmission of vote totals

18
80% of the market
  • Diebold
  • Election Systems Software, Inc.
  • Sequoia Voting Systems, Inc.

19
Advantages of Electronic Voting
  • Machines can be programmed to keep the voter from
    voting for two candidates for a single office
  • Text on the screen can be read by voice-synthesis
    software
  • Other features

20
Current disadvantages
  • Early-generation equipment was flawed
  • Hard for local governments to keep track
  • Shifting cast of companies
  • Testing is time-consuming
  • Certification requirements can't keep up
  • New machines, many workers are volunteers with
    short term training appropriate for a 1 or 2-day
    job

21
Examples of problems
  • 2002 a Florida gubernatorial (governor) primary
  • in two counties, some of the new equipment would
    not boot in time for the start of the election
  • 2003, Boone County, Indiana
  • 5,352 voters
  • 144,000 votes reported
  • 2004 primaries in California catastrophes
    throughout the state across wide variety of
    different machines
  • San Diego County some opened 4 hrs late
  • Some Diebold machines spontaneously rebooted
    presenting Microsoft Windows generic screen
    instead of ballot

22
Reliability Concerns
  • The Diebold spontaneous reboot problem
  • Voter access card encoders
  • Power switches had faults that drained them of
    battery power
  • In northern Alameda County, 1 in 5 Diebold
    encoders had similar problems
  • Hearings held, California Secy of State Kevin
    Shelley released a report charging
  • Diebold marketed, sold, and installed AccuVote
    systems in Kern, San Diego, San Joaquin, and
    Solano counties
  • prior to full testing and federal qualification
  • without complying with state certification
    requirements

23
Reliability Consequences
  • April 30, Calif Secy of State withdrew approval
    for all direct-recording electronic voting
    systems in California
  • State required nearly 16,000 AccuVote machines in
    the 4 counties to be recertified
  • this time, complying with tighter security and
    auditability measures or
  • replaced with optically scanned balloting in time
    for the November election
  • Based on your knowledge of software, what are the
    implications of complying with new requirements
    within a tight deadline?

24
Other problems
  • Installation of uncertified components and
    coverup of malfunctioning products
  • Earlier in 2004, a June 2003 ES&S memo came to
    light that indicated flaws in the auditing
    software for a $24.5 million installation of its
    iVotronic voting machines in Miami-Dade County
  • ES&S also manufactured voting systems previously
    used in Venezuela that suffered a 6% malfunction
    rate in actual use.

25
State of Maryland hired SAIC ...
  • "We recommend that SBE immediately implement the
    following mitigation strategies to address the
    identified risks with a rating of high:"
  • Bring the AccuVote-TS voting system into
    compliance with the State of Maryland Information
    Security Policy and Standards.
  • Consider the creation of a Chief Information
    Systems Security Officer (CISSO) position at SBE.
    This individual would be responsible for the
    secure operations of the AccuVote-TS voting
    system.
  • Develop a formal, documented, complete, and
    integrated set of standard policies and
    procedures. Apply these standard policies and
    procedures consistently through the LBEs in all
    jurisdictions.
26
State of Maryland
  • Create a formal, System Security Plan. The plan
    should be
  • consistent with the State of Maryland Information
    Security Policy and Standards, Code of Maryland
    Regulations (COMAR), Federal Election Commission
    (FEC) standards, and industry best practices.
  • Apply cryptographic protocols to protect
    transmission of vote tallies.
  • Require 100 percent verification of results
    transmitted to the media through separate count
    of PCMCIA cards containing the original votes
    cast.
  • Establish a formal process requiring the review
    of audit trails at both the application and
    operating system levels.
  • Provide a formal information security awareness,
    training, and education program appropriate to
    each user's level of access.

27
State of Maryland - 2
  • Review any system modifications through a
    formal, documented, risk assessment process to
    ensure that changes do not negate existing
    security controls.
  • Perform a formal risk assessment following any
    major system modifications, or at least every
    three years.
  • Implement a formal, documented process to detect
    and respond to unauthorized transaction attempts
    by authorized and/or unauthorized users.
  • Establish a formal, documented set of
    procedures describing how the general support
    system identifies access to the system.
  • And my personal favorite:
    "Change default passwords and passwords printed in
    documentation immediately"

28
Elsewhere
  • Ireland scuttled plans to use electronic voting
    in local and European parliamentary elections in
    June 2004
  • partly over concerns about lack of independent
    auditability
  • constant software updates from the vendors
    software could not be reviewed in time
  • Same vendor (Nedap NV) made some of its online
    e-voting software available as open source
  • Won't compile and run
  • What else?

29
Physical security
  • 1 of Fairfax County, Virginia's new WINvote
    touch-screen machines (Advanced Voting Solutions)
  • repaired outside the polling place
  • returned and put back into use
  • with broken or removed security seals
  • in apparent violation of state law

30
Distributed systems bandwidth issue
  • Again, Fairfax
  • About half of the vote totals (not the national
    election) couldn't be electronically transmitted
  • System flooded itself with messages
  • They had inadvertently designed in their own
    denial of service attack on the server
  • A number of machines apparently subtracted votes
    at random from the Republican school board
    candidate (Rita Thompson), resulting in a possible
    miscount of 1 to 2 percent of her votes, close
    to the margin by which she lost the election.
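The "self-inflicted denial of service" on this slide is a classic thundering-herd failure: every machine finishes at poll close and reports at the same instant, the server rejects most of the uploads, and every rejected machine retries at the same fixed interval, so the collision repeats. The simulation below is an added example, not from the article or from the vendor; the machine count, server capacity and tick model are constructed, and the mitigation shown (exponential backoff with full jitter) is a standard distributed-systems practice, not something the article describes Fairfax adopting.

```python
import random


def fixed_retry(attempt, rng):
    # What the flooded system effectively did: every rejected machine
    # retries one tick later, so the whole herd collides again.
    return 1


def jittered_backoff(attempt, rng, cap=32):
    # Exponential backoff with full jitter: wait a random 1..min(cap, 2**attempt)
    # ticks, so retries from different machines spread out instead of aligning.
    return rng.randint(1, min(cap, 2 ** attempt))


def simulate_uploads(n_machines, capacity, backoff, max_ticks=10_000, seed=1):
    """Constructed model: all machines try to upload their tallies at poll
    close (tick 0). Each tick the server accepts at most `capacity` uploads;
    the rest are rejected and retry after backoff(attempt, rng) ticks.
    Returns (rejected_messages, ticks_until_all_uploaded)."""
    rng = random.Random(seed)           # seeded so runs are reproducible
    next_try = [0] * n_machines         # tick at which each machine next sends
    attempts = [0] * n_machines         # failed attempts so far, per machine
    done = [False] * n_machines
    rejected = 0
    for tick in range(max_ticks):
        due = [m for m in range(n_machines) if not done[m] and next_try[m] <= tick]
        rng.shuffle(due)                # server has no preference among arrivals
        for m in due[:capacity]:
            done[m] = True
        for m in due[capacity:]:
            attempts[m] += 1
            rejected += 1
            next_try[m] = tick + backoff(attempts[m], rng)
        if all(done):
            return rejected, tick + 1
    raise RuntimeError("uploads did not finish within max_ticks")


if __name__ == "__main__":
    # 100 machines, a server that can take 10 uploads per tick.
    for name, strategy in (("fixed retry", fixed_retry), ("jittered backoff", jittered_backoff)):
        rejected, ticks = simulate_uploads(100, 10, strategy)
        print(f"{name:17s}: {rejected:4d} rejected messages, all uploaded after {ticks} ticks")
```

With fixed retries the server sees 100, then 90, then 80 ... arrivals per tick and rejects 450 messages before the last tally lands; with jittered backoff the same 100 uploads complete with far fewer rejected messages, at the cost of a longer tail. The point for a design review is that the retry policy of the clients is part of the server's load model.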

31
Warnings
  • Web site for Arlington County told poll workers
    what to do if
  • the voting machine freezes during boot-up
  • master unit does not pick up one of the units
    in the polling place when opening the polls
  • when closing, if tally fails to pick up a
    machine
  • Jeremy Epstein, an information-security expert,
    attended a pre-election training session
  • submitted a 3-page list of questions to Fairfax
    officials
  • then electoral board secy couldn't respond "on
    the grounds that release of that information
    could jeopardize the security of that voting
    equipment"
  • treat that as a requirement ...

32
Complexity is generally not understood
  • Here are the candidates, pick one
  • What other situations occur?
  • Anonymity is a potentially bigger problem
  • Requirements?

33
Complexity continued
  • Independent verifiability
  • California audits elections by requiring 1% of
    all paper ballots be manually recounted whether
    or not an election is contested
  • Requirements?
  • Focus on adding paper back into the process
  • Requirements re paper ballot?
  • California newly purchased direct-recording must
    have accessible, voter-verified paper audit trail
  • retrofit required for existing ones by July 2006

34
Complexity summary
  • The vote
  • Complexity of selection possibilities
  • Count correctly
  • Robust hardware and software
  • Accurate LAN communication at polling place
  • Accurate WAN communication to central server, if
    used
  • ETC
  • how to verify electronic votes
  • how to test electronic voting hw and sw
  • how to maintain security and integrity

35
Without voter-verified paper audit trail
  • Certification process necessary
  • Compliance verification
  • Is the system in place, the one that was
    certified?
  • Current federal guidelines (2002) don't require a
    digital signature to track software from
    certification to installation to end of voting
    day
  • IEEE Standards Association formed a working group
    on voting standards

36
Design question
  • Is it possible to provide sufficient auditability
    without paper?
  • Consider electronic funds transactions
  • Encryption techniques
  • David Chaum, cryptographer
  • Lets election officials post electronic ballots
    to the internet
  • Voters can check that their votes were included
    in the election tally
  • Still needs paper but his electronic tallies are
    as reliable as a count of paper ballots
  • Still provides voter anonymity
  • Great, right?

37
Suppose all cryptography issues settled ...
  • If all mathematical problems are solved, what
    remains?
  • Voting is a complicated social phenomenon and the
    solution must be perceived socially to be a
    solution.
  • Machines need to be physically secure before,
    during, after
  • Workers well trained, able to deal with
    technological problems that can occur
  • www.OpenVotingConsortium.org

38
Article's conclusion
  • At the trailhead of electronic voting systems
  • Election officials underestimated the problems
    of deploying the technology.
  • Computer scientists underestimated the
    long-standing difficulties of conducting
    traditional all-paper ballots. (requirements
    elicitation!)
  • Election officials now seem to be coming to
    understand the merits and demerits of electronic
    voting systems.
  • The current debate over electronic voting
    systems has certainly raised the bar for election
    equipment.
  • And every year, we get a chance to do better.

39
(No Transcript)
40
Chaum's approach
41
SSL and the human element
  • A drop-in replacement for standard network
    sockets?
  • SSL's intent: provide an authenticated,
    encrypted communications channel, where the
    attacker cannot tamper with data in transit
    without being detected on the receiving end.
  • What's the easy part?
  • What's the hard part?

42
Mutual Authentication
  • Client wants to know it is talking to correct
    server (precinct and county, for example)
  • Server wants to know which user is on the other
    end
  • Expect: authenticate the server to the client,
    and once an encrypted data channel is
    established, implement an authentication
    mechanism over it so the server can establish the
    client's identity.

43
How SSL authenticates
  • Party-to-be-validated (server) presents the other
    party (client) its certificate
  • Public key, identifying information, dates of
    validity, endorsing digital signatures from a
    Certification authority (CA)
  • The CA responsible to make sure it endorses only
    those certificates that really do belong to the
    intended owners

44
The client's responsibility
  • Assume CA never makes a mistake
  • Companies we are to do business with are good at
    protecting their private key
  • Client must make sure the certificate is the
    right one.
  • certificate is signed by a known CA
  • certificate is current
  • certificate is bound to entity you want

45
Validate the data in the certificate
  • Certificate is bound to a domain name
  • None of the major SSL libraries performs any of
    this validation for the developer by default.
  • When a user asks to open a client socket the SSL
    library could easily perform every reasonable
    check on the server certificate including whether
    the certificate is bound to the domain supplied
    by the user.
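The two slides above list the checks the client itself owes the server certificate: signed by a known CA, current, and bound to the entity it wants to talk to. The code below is an added example, not from the slides or any SSL library's own source; it implements those three checks over a constructed certificate laid out the way Python's `ssl` module reports a peer certificate (`SSLSocket.getpeercert()`), and shows the library setting that makes the hostname check automatic. The county names, CA name and dates are made up, and `TRUSTED_ISSUERS` is a stand-in for a real trust store.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict layout returned by ssl.SSLSocket.getpeercert().
# Subject, issuer, names and validity dates are invented for the example.
SAMPLE_CERT = {
    "subject": ((("commonName", "results.example-county.gov"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (
        ("DNS", "results.example-county.gov"),
        ("DNS", "*.precinct.example-county.gov"),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}

# Stand-in for the client's CA trust store (assumption for the example).
TRUSTED_ISSUERS = {"Example Trusted CA"}


def _issuer_org(cert):
    """Pull organizationName out of the nested issuer RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def _hostname_matches(pattern, hostname):
    """RFC 6125-style match: exact, or '*' as the whole leftmost label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    # The wildcard covers exactly one label: it must not match 'a.b.<suffix>'
    # and must not match the bare parent domain.
    suffix = pattern[1:]                    # ".precinct.example-county.gov"
    head, sep, rest = hostname.partition(".")
    return sep == "." and head != "" and "." + rest == suffix


def check_peer_cert(cert, hostname, trusted_issuers, now=None):
    """Return the reasons the certificate must be rejected (empty list = OK).
    Mirrors the slide's three checks: known CA, current, bound to the entity."""
    now = now or datetime.now(timezone.utc)
    problems = []
    # 1. signed by a known CA (the issuer must be one we trust)
    if _issuer_org(cert) not in trusted_issuers:
        problems.append("issuer is not a known CA")
    # 2. current: now must fall inside the validity window
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now.timestamp() <= not_after):
        problems.append("certificate is not current")
    # 3. bound to the entity: SAN DNS names first, CN only as a fallback
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(_hostname_matches(n, hostname) for n in names):
        problems.append(f"certificate is not bound to {hostname!r}")
    return problems


def make_client_context():
    """The library-side behaviour the slide wishes for: a context that refuses
    unverifiable chains and checks the hostname before any data flows."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


if __name__ == "__main__":
    when = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for host in ("results.example-county.gov", "p12.precinct.example-county.gov",
                 "www.example-county.gov"):
        print(host, "->", check_peer_cert(SAMPLE_CERT, host, TRUSTED_ISSUERS, when) or "OK")
```

The hostname check is the piece the slide says libraries historically left to the developer; the wildcard rule is deliberately narrow (one label, leftmost only) because a looser match silently turns a certificate for one host into a certificate for a whole domain.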

46
Vulnerability
  • Most applications using SSL are subject to
    man-in-the-middle attacks
  • Only a theoretical problem?
  • Yes, you can exploit the Internet's router
    infrastructure
  • But if you couldn't, still ... one can launch a
    man-in-the-middle attack from machines on the
    same underlying medium as either of the two
    endpoints.

47
Resources
  • Viega and McGraw, Building Secure Software,
    Addison Wesley Professional, 2001.
  • Howard and LeBlanc, Writing Secure Code,
    Microsoft Press, 2002, 2nd edition.
  • Viega and Messier, Secure Programming Cookbook
    for C and C++, O'Reilly, 2003.

48
Distributed System Issues?
In addition to the security issues you listed,
what distributed system issues do we have to
address to have an acceptable system?