Part II : Computer Security and the VVSG

1
Part II Computer Security and the VVSG

• October 15-17, 2007
• Barbara Guttman
• Nelson Hastings
• National Institute of Standards and Technology
• barbara.guttman_at_nist.gov nelson.hastings_at_nist.gov

2
Agenda

• Security Requirements Overview
• Review of Chapter 4 Security and Audit
  Architecture
• Review of Chapter 5 General Security Requirements

3
Security Requirements Overview

• The security requirements of the next VVSG work
  together to support equipment security
• Difficult to understand security provided by a
  single requirement or set of requirements without
  understanding how requirements relate to each
  other

4
Security Requirements Overview

• For example,
• Cryptography section addresses how cryptography
  is implemented by equipment
• Software installation and electronic records
  sections address how cryptography, specifically
  digital signatures are use by equipment to
  support security

5
Security Requirements Overview

• Documentation requirements related to security
• Part 2 Documentation Requirements
• System Security Specification
• Section 3.5 of the Technical Data Package (TDP)
• Section 4.3 of the user documentation

6
Security Requirements Overview

• Section 3.5 System Security Specification (TDP)
• Provided to test lab to assist in the testing
  campaign
• General documentation about security including
• Security Architecture
• Security Threat Controls
• Security Testing and vulnerability analysis
• Detailed implementation specification for each
  security mechanism

7
Security Requirements Overview

• Section 4.3 System Security Specification (User
  documentation)
• Provided to user of the voting system including
  test labs
• How security mechanism are to be used
• Information needed to support a features use such
  as a list of software to be installed

8
Chapter 4 Security and Audit Architecture

• Section 4.2 Requirements to support auditing
• Section 4.3 Electronic Records
• Section 4.4 Independent Voter Verifiable Records
  (IVVR)
• VVPAT
• PCOS

9
Software Independence

• TGDC Resolution 06-06 requires software
  independence (SI)
• Software Independence means that changes must be
  detectable
• Detectable, in practice, means auditable
• SI Auditable

10
Why Does the TGDC Want SI?

• With software, it is pretty easy to make a screen
  say one thing, but record another thing inside
  the computer.
• The hard part is making plausible, directed
  changes.

11
Auditing Records

• Two types of records Electronic Independent
• 4.3 address electronic records
• 4.4 addresses independent records

12
Wont a Test Lab Catch This?

• No, software, especially the software that runs
  the user interface, is really complicated.

13
Famous Software that wasnt doing what we thought
it was doing

• Some trojan horse (or 2)
• NC voting example
• Therac 25
• phishing

14
Therac 25

• After this second Tyler accident, the ETCC
  physicist immediately took the machine out of
  service and called AECL to alert the company to
  this second apparent overexposure. The Tyler
  physicist then began his own careful
  investigation. He worked with the operator, who
  remembered exactly what she had done on this
  occasion. After a great deal of effort, they were
  eventually able to elicit the Malfunction 54
  message. They determined that data-entry speed
  during editing was the key factor in producing
  the error condition If the prescription data was
  edited at a fast pace (as is natural for someone
  who has repeated the procedure a large number of
  times), the overdose occurred.
• http//courses.cs.vt.edu/cs3604/lib/Therac_25/The
  rac_2.html

15
How Does the VVSG Address Auditability?

• Requires equipment to have features that can be
  used for various types of audits
• Requires documentation
• NOTE The VVSG itself does not require auditing
  This is procedural and outside the scope.

16
4.2 Requirements for Supporting Audits

• Types of Audits
• Pollbook Audit
• Hand Audit of Independent Record
• Ballot Count and Vote Total Audit
• Observational Testing
• Note Parallel Testing is another type of audit,
  but it is not included because it does not levy
  requirements on the equipment

17
Audit Records

• Two types of records
• Electronic records
• Independent Voter Verifiable Records (IVVR)
• 4.3 address electronic records
• 4.4 addresses independent records

18
4.3 Electronic Records

• General Requirements
• Open Format
• Printable
• Digitally signed for Integrity Authenticity

19
4.3 Electronic Records

• Information/data requirements
• Contain all relevant data
• List for Tabulator (4.3.2)
• List for EMS (4.3.3)
• Generally
• Totals
• Read ballots
• Counted ballots
• Rejected ballots
• Overvotes/undervotes
• Write-ins

20
4.4 Independent Voter Verifiable Records (IVVR)

• What is an independent voter verifiable record?
  (4.4.1)
• Direct verification by voter
• Support for hand auditing
• Various security and operational properties (can
  be rejected/durable)
• Doesnt this mean paper?

21
4.4 Independent Voter Verifiable Records (IVVR)

• Direct review (by voter election official)
• Can support a hand audit
• Can support a recount
• Durable
• Tamper evidence
• Support for Privacy

22
4.4 Independent Voter Verifiable Records (IVVR)

• Public Format
• Sufficient Information (ballot configuration, not
  just selections)
• No codebook required
• Support for multiple physical media
• Able to be accepted or reject (per media)
• Non-human readable allowed (public format)

23
4.4 Independent Voter Verifiable Records (IVVR)

• Two current types of IVVR
• VVPAT
• Optical Scan

24
4.4.2 VVPAT

• VVPAT Accessibility addressed by Sharon.
• Note need for observational testing
• Many operational requirements
• Paper rolls allowed

25
4.4.3 PCOS

• Few additional security requirements
• Allow non-human readable marks (record
  identifiers, batch information, integrity checks)

26
Chapter 5 General Security Requirements

• Section 5.1 Cryptography
• Section 5.2 Setup Inspection
• Section 5.3 Software Installation
• Section 5.4 Access Control
• Section 5.5 System Integrity Management
• Section 5.6 Communication Security
• Section 5.7 System Event Logging
• Section 5.8 Physical Security for Voting Devices

27
5.1 Cryptography

• Powerful basic security control
• Integrity of information
• Authentication of information
• Requirements developed to provide easy use and
  maintenance
• Use strength of existing federal standards

28
5.1 Cryptography

• Implementation of cryptography
• Public and Secret Key cryptography
• Not cryptographic voting protocols (a.k.a
  End-to-End voting systems)
• Many sections of the next VVSG leverage the
  security features supported by cryptography

29
5.1 Cryptography

• FIPS 140-2 validated cryptographic module
• A cryptographic module is hardware, firmware,
  and/or software that implements cryptographic
  functions (such as encryption, decryption, and
  key generation).
• Minimum strength of cryptography

30
5.1 Cryptography

• Signature Module
• A hardware cryptographic module
• FIPS 140-2 Level 2 (out of 4) with physical
  security being Level 3
• Generates digital signatures
• Generates and stores private signature keys
• Permanently attached the equipment

31
5.1 Cryptography

• Types of keys within a Signature Module (SM)
• Device Signature Key (DSK)
• Associated with a device for its lifetime
• Signatures traceable to specific pieces of
  equipment
• Election Signature Key (ESK)
• Generated once per election cycle
• Associated with a devices specific election
  cycle
• Signatures traceable to electronic records for a
  given election

32
5.1 Cryptography

• Device Signature Key (DSK)
• Generate using a nondeterministic random number
  generator
• Public Key certificate - self signed or CA
• Unique identifier on an external surface of the
  equipment and in certificate
• Signing of
• Election signature key certificate
• Election key closeout records
• Device signature key certificates

33
5.1 Cryptography

• Election Signature Key (ESK)
• Generate using a nondeterministic random number
  generator
• Used to digitally sign electronic records for an
  election cycle
• Destroyed as part of election close out
• Counters to keep track of the number of ESKs
  generated and signatures generated by a given ESK

34
5.1 Cryptography

• Election Signature Key (ESK) Certificates are
  signed by Device Signature Key (DSK)

Device Signature (private) key
Election Signature (Public) Key
35
5.1 Cryptography

• Election key closeout record
• Electronic record
• Public key of Election Signature Key (ESK)
  (certificate or message digest/hash???)
• Number of signatures generated by Election
  Signature Key (ESK)
• Election Signature Key (ESK) number of the device
• Signed by the Device Signature Key (DSK)

36
5.1 Cryptography

• Technical Date Package (TDP) requirements
• Certificate fields for Device Signature Key (DSK)
  and Election Signature Key (ESK)
• Specific cryptographic algorithms used
• Election Closeout Record format specification

37
5.2 Setup Inspection

• Requirements related to the capabilities to
  inspect properties of voting devices
• Improves voting device management and maintenance
• Reflects new focus of requirements in light of
  software independence (SI) approach
• Called Setup Validation in VVSG 2005

38
5.2 Setup Inspection

• Inspections generate system event log entries
• Time and date
• Information related to the specific inspection
• Location of software files
• Component calibration
• Result of inspection
• Voting device unique identification
• Individual (or role) that performed inspection

39
5.2 Setup Inspections

• Software identification verification
• Ability to query/inspect the voting device to
  determine what software is installed
• Software integrity verification
• Using digital signatures and hash
• Designated repositories such as National Software
  Reference Library (NSRL)
• Voting Device Owner - Jurisdiction
• SI approach allows for internal verification
• NO external interface requirement like in VVSG
  2005

40
5.2 Setup Inspection

• Voting device election information inspection
• Ability to query/inspect the storage locations
  containing information that changes during an
  election
• Number of ballots cast
• Totals for a given contest
• Generalized register and variable terminology
  from VVSG 2005
• Support zero total inspections prior to use in
  election

41
5.2 Setup Inspection

• Inspection of properties of voting device
  components
• Backup power supply level
• Cabling connectivity indicator
• Communications operational status and on/off
  indicators
• Consumables remaining indicator
• Calibration determination and adjustments

42
5.2 Setup Inspection

• User documentation requirements
• Model setup inspection process supported by
  voting device
• Minimally includes items mentioned previously
• Manufacturer provided
• Model inspection check list of other properties
  supported by the voting device
• Manufacturer provided
• Risks related to not performing a given inspection

43
5.3 Software Installation

• Requirements related to the installation of
  software on voting devices
• Also covers access and modification of
  configuration files
• Uses digital signatures to provide the ability to
  verify the authentication and integrity of the
  software
• National Software Reference Library (NSRL)
• Designated repositories

44
5.3 Software Installation

• Software installation only when in pre-voting
  state
• Only individuals with an administrator or central
  election official role can install software
• Central Election Officials limited to election
  specific software or data files

45
5.3 Software Installation

• Digital signature verification of software before
  installation
• Externally visible alert when software
  installation fails
• Software to only be able to be installed using
  documented procedures

46
5.3 Software Installation

• Software installation generates system event log
  entries
• Time and date
• Software name and version
• Location of installation - directory path
• Digital signature verification - result and
  signature source
• Result of software installation

47
5.3 Software Installation

• Technical Data Package (TDP) requirements
• List of all software to be installed on voting
  system
• Name and version
• Manufacturer contract information
• Type of software
• Software documentation
• Location software is to be installed
• Functionality provided by the software
• Dependences and interactions between the software

48
5.3 Software Installation

• User documentation
• List of all software to be installed on voting
  system particularly election specific software
• Hardware and software need to install software

49
5.3 Software Installation

• Procedures used to perform software installation
• No use of compilers
• COTS software to be obtained via open market
• How to create a baseline binary image for
  replication
• Preparations of erasable media
• Software from unalterable media - CDs
• Record resulting from the installation procedure

50
5.4 Access Control

• The management of three basic elements
• Identification
• Authentication
• Authorization
• Supports the ability of the voting system to
• Account for users actions
• Limits use of resources
• Applies to individuals, applications, and
  processes of the voting system

51
5.4 Access Control

• Management of identification information
• Creating and disabling identities or roles
• Failed attempts lock out
• Number of failures within in a time period
• Length of lockout time

52
5.4 Access Control

• Role identification
• Required for voting devices and election
  management systems
• Roles specified Voter, Election Judge, Poll
  Worker, Central Election Official, and
  Administrator
• Individual identification
• Required by election management systems

53
5.4 Access Control

• Management of authentication information
• Setting and changing authentication information
• Protection of authentication data by system
• Password management - strength, reuse, and
  expiration.

54
5.4 Access Control

• Authentication requirements by role
• Voter in Section 7.5.1 Issuance of voting
  credentials and ballot activation
• Poll Worker - N/A
• Election Judge and Central
• Something you know
• Administrator
• Multi-factor authentication - smartcard,
  biometric
• Application or Process - Digital certificate or
  signature - ????

55
5.4 Access Control

• Authorization Management
• By voting system state, time interval, or
  specific time
• Dual person control
• Separation of duties
• Type of functionality and data accessed
• Explicitly allowed or disallowed
• Least privilege, Privilege escalation, prevent
  modification or tampering of software/firmware
  ???

56
5.4 Access Control

• Technical Date Package (TDP) requirements
• Descriptions and specifications of all access
  control mechanisms used
• Descriptions and specification of all voting
  system mechanisms that rely on access control
• Mapping of all voting system operations and
  default roles with permissions to perform
  operations

57
5.4 Access Control

• User documentation requirements
• Instructions for implementing, configuring, and
  managing
• Model access control policy
• Templates or instructions for custom access
  control policy creation
• Disclosure of all default privileged roles

58
5.5 System Integrity Management

• Security controls that do not fit into other
  sections of the VVSG
• Boot, load, and execute process protection
• Removable media interface protection
• Backup and recovery capabilities
• Malicious software protection

59
5.5 System Integrity Management

• Boot process process protection
• Process used when a system is powered on
• Integrity verification of software initialization
  components
• Hardware cryptographic module - digital
  signature/hashes

60
5.5 System Integrity Management

• Load and execute process protection
• Process used to load software into memory for
  execution
• Integrity verification of any software before
  loading into memory for execution
• Hardware cryptographic module - digital
  signature/hashes

61
5.5 System Integrity Management

• Removable media interface protection
• Other than physical security mechanisms
• Ability to disable removable media interfaces
  when not required
• CDs, Flash memory, PCIMIA, etc.
• May only need a CDs interface to be enabled
  during software installation

62
5.5 System Integrity Management

• Backup and recovery mechanisms
• Limited to election management systems
• Permitted only when not capturing votes
• Integrity verification information (digital
  signatures, hashes, MACs) created with backup
  information
• Backup information authentication and integrity
  verification before used for recovery

63
5.5 System Integrity Management

• Malicious software protection
• Limited to election management systems
• Use of malware detection software
• Ability to update as new threats appear over time
• Executed at least once every 24 hours and before
  loading and execution of software
• Executed against removable media

64
5.5 System Integrity Management

• Technical Date Package (TDP) requirements
• List of all software required to be executed

65
5.6 Communication Security

• Protection of voting system communications
• Transmission of information
• Communications based threats
• No use of wireless technology
• Except for infrared technology

66
5.6 Communication Security

• No remote communication to voting devices during
  election day
• Exceptions for devices used to transmit end of
  day results and communication with voter
  registration databases
• However, these devices cannot be connected to
  other polling place devices

67
5.6 Communication Security
Remote Locations
Polling Place
Accumulator
68
5.6 Communication Security

• Network interface protection
• Ability to disable physical network interfaces
  when not required
• Prohibit flow of network traffic from one
  interface to another on multiple interface
  devices
• Unique physical identifier (address) for each
  interface

69
5.6 Communication Security

• Limit communications to only devices that are
  required to communicate with each other
• Integrity information for data
• Generate integrity information for data sent
• Verify integrity information for data received
• Digital signature, hashes, MACs

70
5.6 Communication Security

• Mutual authentication between devices before
  exchange of information
• Part of connection establishment
• Unique identifier for devices
• Limit amount of information needed for
  authentication
• Limit devices to only required network ports,
  active shares, and services

71
5.6 Communication Security

• Monitor network interfaces for evidence of attack
• When attacks are detected, devices need to
  respond to stop attack
• Shutting down network interface

72
5.6 Communication Security

• Documentation requirements
• List of all network communication processes and
  applications required for proper operation
• List of all network ports, shares, services, and
  protocols used

73
5.7 System Event Logging

• Provides accountability and supports the ability
  to reconstruct events and detect intrusions
• Electronic audit trail
• Information to be generated
• Integrity protection of the information
• Management of system event log

74
5.7 System Event Logging

• Log information must maintain voter privacy and
  ballot secrecy
• Basic log entry information
• System Identifier
• Event Identifier
• Time Stamp
• Result of event
• When applicable, user that triggered event and
  requested resource

75
5.7 System Event Logging

• Time Stamp requirements
• Clock drift - 1 minute within 15 hours
• Format of time stamp - give example
• ISO 8601
• Date
• Time - hours, minutes, and seconds
• Administrator role required to adjust clock

76
5.7 System Event Logging

• Minimum list of events to be logged
• General system functions events
• Changes to configuration
• Device startup and shutdown
• Addition and deletion files
• System readiness results
• Authentication and access control events
• Logon attempts
• Logout events
• Attempts to access system resources

77
5.7 System Event Logging

• Software events
• Installation, upgrades, and patches
• Changes to configuration settings
• Connection attempts to databases
• Cryptographic events
• Changes to cryptographic keys
• Voting events
• Opening and closing of polls
• Cast ballot
• Ballot definition and modification

78
5.7 System Event Logging

• Management of system event log
• Default setting of system event log
• Storage of log information in a publicly
  documented format such as XML
• Event logs separable on an election and device
  basis
• Retention of event log data from previous
  elections

79
5.7 System Event Logging

• Export of log information with digital signature
• Rotation of log information internally
• From primary file to new file
• Log capacity management
• Alert as it reaches configurable intervals
• Suspension of vote capturing when logs capacity
  reached

80
5.7 System Event Logging

• Ability to view, analyze, and search system event
  log while on device
• Halt vote capturing when system log malfunctions
  or is disabled
• Administrator role required to configure system
  event log and clear previous election event logs
  prior to new election cycle

81
5.7 System Event Logging

• Protection of log information
• Unauthorized access
• Read only for administrator roles
• Write or append only for processes
• Unauthorized modification
• Use of cryptography, append only media, operating
  system
• Unauthorized Deletion
• Integrity and availability protection of
  archived log information

82
5.8 Physical Security for Voting Devices

• Prevent undetected, unauthorized physical access
• Must be able to differentiate authorized from
  unauthorized access
• Unauthorized access must leave physical evidence
• Requirements recognize use of a combination of
  procedures and physical countermeasures without
  prescribing either

83
5.8 Physical Security for Voting Devices

• Unauthorized physical access must leave physical
  evidence
• Physical port access and least functionality
• Essential to operations, testing and auditing
• Boundary protection
• Broken connection ? port automatically disabled,
  alarm, event log, authorization to re-enable

84
5.8 Physical Security for Voting Devices

• Information flow
• Restricted access to ports with removable media
• Tamper evidence
• Manually disable
• Door covers and panels
• Monitor access
• Ballot boxes
• Tamper evident

85
5.8 Physical Security for Voting Devices

• Secure physical locks and keys
• Meet UL standards and be tamper evident
• Keyed per System Owners preference
• Physical encasement locks (fasteners)
• Must not compromise security
• Power supplies
• If the power goes out, physical countermeasures
  should not fail

86
Questions
End of Day One???