1
Security Evaluation of the Sequoia Voting System
Sandhya Jognipalli
2
Outline
o Introduction
o Overview of Sequoia Voting System
o Known Issues
o Findings
o Attack Scenarios
o Conclusions
3
Introduction
o The use of computers in performing voting and tallying introduces serious concerns about the integrity and confidentiality of the voting process
o Testing assumes two classes of threats:
o Insiders
o Outsiders
o System security depends upon proper application of procedures; the evaluation therefore checks the consequences of any failure to follow procedures
4
System Overview
o The Sequoia voting system collects votes in three ways: touchscreen machines, paper ballots scanned at polling places, and paper ballots scanned at election offices
o Components evaluated:
o WinEDS, version 3.1.012
o AVC Edge Model I, firmware version 5.0.24
o AVC Edge Model II, firmware version 5.0.24
o VeriVote Printer
o Optech 400-C/WinETP firmware version 1.12.4
o Optech Insight, APX K2.10, HPX K1.42
o Optech Insight Plus, APX K2.10, HPX K1.42
o Card Activator, version 5.0.21
o HAAT Model 50, version 1.0.69L
o Memory Pack Reader (MPR), firmware version 2.15
o Various removable media:
o Results Cartridges
o USB flash drives
o Voter Smartcards
o Memory packs
5
[Diagram: flow of media between the polling place and the election office. Polling place: Voter, Voter Card, Card Activator, HAAT (USB stick), Edge (cartridge), Insight (paper ballot, MemoryPack). Election office: WinEDS, MemoryPack Receiver, Optech 400-C (paper ballot, floppy disk).]
6
WinEDS
o WinEDS is the Election Database System
o WinEDS is a software program that runs on Windows PCs for entering, editing, collecting, and reporting on election information stored in a Microsoft SQL Server database
o Multiple computers running WinEDS all access a common database over a network on a computer running Microsoft SQL Server
7
WinEDS on a network
[Diagram: several WinEDS workstations on the Election Office Network connect to one Microsoft SQL Server; two further nodes on the same network are marked "?" (unidentified hosts).]
8
HAAT
o HAAT (Hybrid Activator, Accumulator and Transmitter) is a portable, shoe-box sized device, used primarily to activate Voter Cards used by the Edge DRE
o HAAT and Card Activator are devices used in polling places
9
Card Activator
o The Card Activator (CA) is a component of the AVC Edge, and serves as the voter’s access to the AVC Edge direct-record electronic touch-screen voting system
o A CA is used in place of the HAAT. The Card Activator is similar in size and shape to the HAAT
10
AVC Edge
o The Edge is a stand-alone Direct Recording Electronic (DRE).
o Edge is a touchscreen voting machine, accompanied by a Voter-Verified Paper Audit Trail (VVPAT) printer which provides a paper record of the vote for review by the voter
11
Optech 400-C
o Optech 400-C is a machine for quickly scanning large stacks of paper ballots at an election office
12
Optech Insight and Insight plus
o The Insight and Insight Plus are precinct-based optical scanners installed on top of a ballot box at polling places
13
MemoryPack Receiver (MPR)
o MemoryPack Receiver is a device for reading and writing MemoryPacks
14
Removable Media
o SmartCards are simple, memory-constrained devices utilized as hardware tokens
o Authenticate a voter to an AVC Edge
o Authorize the voter to cast a single ballot
o Cartridges are used to carry election information and cast ballot records between WinEDS and the Edges
o MemoryPacks are used to carry ballot information and vote counts between WinEDS and the Insights
o Floppy disks are used to carry ballot information and vote counts between WinEDS and the Optech 400-Cs
o USB flash drives are used to transfer an election definition from WinEDS to a HAAT
15
Lines of code & languages in the Sequoia source code
Component                          Language         Code only   Code and comments
WinEDS 3.1                         C                     1038                1594
                                   C++                 121640              228765
                                   PowerBuilder        230027              355502
                                   SQL                  86222              114249
                                   Visual Basic         10260               16772
Edge (AVC Edge 5.0.24)             C                   124043              212731
                                   x86 assembly         99521              124657
VeriVote (VVPAT 4.3)               PIC assembly           245                 353
ADA Audio Board 5.0                C                     1328                1956
Card Activator (Card Activator 5.0) C                    8907               14238
HAAT 50 (HAAT 1.0.69L)             8051 assembly         5368                5891
                                   C                      535                 963
                                   C++                   2886                5640
                                   C#                   38648              120246
Insight (HPX 1.42, APX 2.10)       Z80 assembly         24405               46452
MemoryPack Receiver (MPR 2.15)     Z80 assembly          5679                9714
Optech 400-C (WinETP 1.12.4)       C                      561                1007
                                   C++                  45361               83229
                                   x86 assembly           273                 612
Total                                                   806947             1344571
16
Known Issues
o The Electronic Frontier Foundation (EFF) published a list of known problems
o The Alameda County Evaluation
o Multiple votes attack
o The Sequoia voting system was evaluated by Pacific Design Engineering for Alameda County and the problems found by them can be summarized as follows:
o The WinEDS and the other servers use non-encrypted text passwords when communicating
o The Edge uses constant hashes and DES encryption keys that can be discovered if somebody has physical access to a machine
17
Continuation…
o The Edge’s memory cartridge results are not bound together cryptographically, and therefore the content of one cartridge could be copied onto another
o The WinEDS system uses Windows and therefore inherits the vulnerabilities associated with that operating system
o Multiple Votes Attack:
o An attack enabling a voter to vote multiple times without the need for an activated SmartCard has been reported
18
Findings
o Some important security issues:
o Arbitrary Code Execution: An attacker can overwrite the firmware of an AVC Edge with a malicious version
o The development of the exploit was made easier because the Edge runs a proprietary OS
o File Overwriting: The AVC Edge firmware is vulnerable to a directory traversal attack that can name, and therefore overwrite, the files containing the boot loader and the system firmware
o Accuracy Testing Mode Detection: In the case of the Edge, the pre-election correctness test is performed by switching the machine to a specific “Logic and Accuracy Test” (LAT) mode
o Execution of Modified Firmware: There is no way to determine which version of the firmware is running on an Edge device
19
Continuation…
o Availability of an Interpreter in Violation of Guidelines: The Edge firmware was discovered to include a shell-like scripting language interpreter
o This language includes, among others, several interesting commands:
o A command to set the protective counter of the machine, which was described by the Sequoia representatives as tamper-proof
o A command to set the machine’s serial number
o A command that can be used to overwrite arbitrary files on the internal compact flash drive, including the system firmware or audit trail
o Commands to reboot the machine at will
o Arbitrary Directory Creation Through Traversal Attack: The AVC Edge voting machine ballot loading logic is vulnerable to a directory traversal attack that leads to a denial of service
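Both traversal findings (the file overwriting on the previous slide and the directory creation here) come down to the ballot-loading code trusting file names read from a cartridge. The following Python is an added illustration, not code from the Sequoia firmware or from the evaluation report, of the check a loader should apply before any name from removable media reaches the filesystem; the ballot directory path and the sample manifest entries are constructed for the example.

```python
import posixpath

# Added example (not Sequoia's code): validate file names that arrive on
# removable media before they are used to open or create files on the device.
# BALLOT_ROOT is an assumed location; the real Edge layout is not on the page.
BALLOT_ROOT = "/ballots"


class UnsafePathError(ValueError):
    """Raised when a supplied name would escape the ballot directory."""


def resolve_ballot_path(requested: str, root: str = BALLOT_ROOT) -> str:
    """Map an untrusted name to an absolute path strictly inside `root`.

    Rejects absolute paths, '.' and '..' components, empty components and
    embedded NUL bytes, then re-checks the normalised result as a second line
    of defence against anything the component check might miss.
    """
    if not requested or "\x00" in requested:
        raise UnsafePathError("empty name or embedded NUL byte")
    # Treat backslashes as separators too, so 'a\\..\\b' cannot slip past a
    # check that only looks for forward slashes (assumption: either separator
    # might be honoured by the device's filesystem code).
    name = requested.replace("\\", "/")
    if name.startswith("/"):
        raise UnsafePathError("absolute paths are not allowed")
    if any(part in ("", ".", "..") for part in name.split("/")):
        raise UnsafePathError("traversal or empty path component")
    candidate = posixpath.normpath(posixpath.join(root, name))
    if candidate == root or not candidate.startswith(root.rstrip("/") + "/"):
        raise UnsafePathError("resolved path escapes the ballot root")
    return candidate


def is_safe_ballot_name(requested: str) -> bool:
    """Boolean wrapper used when only an accept/reject decision is needed."""
    try:
        resolve_ballot_path(requested)
    except UnsafePathError:
        return False
    return True


def triage_manifest(names):
    """Split names from a cartridge manifest into accepted absolute paths and
    rejected names, so rejects can be logged as a tamper indicator."""
    accepted, rejected = [], []
    for n in names:
        try:
            accepted.append(resolve_ballot_path(n))
        except UnsafePathError:
            rejected.append(n)
    return accepted, rejected


# Constructed sample manifest: two legitimate entries and three traversal
# attempts of the kind the finding describes (all names are made up).
SAMPLE_MANIFEST = [
    "precinct_0421.bal",
    "layouts/style_en.def",
    "../firmware/edge.bin",
    "..\\boot\\loader.bin",
    "/audit/trail.log",
]

if __name__ == "__main__":
    ok, bad = triage_manifest(SAMPLE_MANIFEST)
    print("accepted:", ok)
    print("rejected:", bad)
```

A rejected name is never a benign condition on a cartridge that WinEDS wrote itself, so the loader should refuse the whole cartridge and record the event in the audit trail rather than skip the bad entry and continue.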
20
Continuation…
o Automatic Execution of Code: The WinEDS host operating system provided and configured by Sequoia is configured so that it will execute an “autorun” file whenever removable media is inserted
o Security of the MS SQL Server: In the documentation, it is stated that: “WinEDS currently does NOT utilize code outside of MS SQL Server and no connections or permissions are required on the server. The election data stored on the server can only be modified by authorized users only through the application.”
o Votes Encrypted Using Static Key: The contents of the Results Cartridge are not protected by any cryptographic signatures, and can easily be modified
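The cartridge finding above, and the earlier known issue that one cartridge's contents can be copied onto another, both stem from the results not being bound to anything. The Python below is an added example, not Sequoia's code or the evaluation's, of sealing a results record with an HMAC that covers the election identifier, the machine serial and the cartridge identifier together with the totals; the field names, the identifiers and the key are constructed for illustration.

```python
import hashlib
import hmac
import json

# Added example (not Sequoia's code). Field names, identifier formats and the
# per-election key are assumptions made for illustration.


def _canonical(payload: dict) -> bytes:
    """Deterministic encoding so the tag covers exactly one byte sequence."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_results(key: bytes, election_id: str, machine_serial: str,
                 cartridge_id: str, totals: dict) -> dict:
    """Attach an HMAC-SHA256 tag that binds the totals to the election, the
    machine that produced them and the cartridge they were written to."""
    payload = {
        "election_id": election_id,
        "machine_serial": machine_serial,
        "cartridge_id": cartridge_id,
        "totals": totals,
    }
    tag = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_results(key: bytes, sealed: dict, election_id: str,
                   machine_serial: str, cartridge_id: str) -> bool:
    """Recompute the tag, then check that the binding fields match what the
    tally system expects for the cartridge it is reading. The constant-time
    comparison avoids leaking how many tag bytes matched."""
    payload = sealed.get("payload", {})
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed.get("tag", "")):
        return False
    return (payload.get("election_id") == election_id
            and payload.get("machine_serial") == machine_serial
            and payload.get("cartridge_id") == cartridge_id)


def demo(key: bytes = b"\x42" * 32):
    """Constructed scenario: a genuine cartridge, the same record copied onto a
    second cartridge, and a record whose totals were edited in place.
    Returns (genuine_ok, copy_ok, tampered_ok)."""
    totals = {"Candidate A": 120, "Candidate B": 98}
    genuine = seal_results(key, "GEN-2007", "EDGE-0001", "CART-01", totals)

    # Copying the bytes of CART-01 onto CART-02 (the known issue): the tag
    # still matches the payload, but the payload names CART-01 and EDGE-0001.
    copied = json.loads(json.dumps(genuine))
    copy_ok = verify_results(key, copied, "GEN-2007", "EDGE-0002", "CART-02")

    # Editing the totals without re-sealing: the tag no longer matches.
    tampered = json.loads(json.dumps(genuine))
    tampered["payload"]["totals"]["Candidate B"] = 198
    tampered_ok = verify_results(key, tampered, "GEN-2007", "EDGE-0001", "CART-01")

    genuine_ok = verify_results(key, genuine, "GEN-2007", "EDGE-0001", "CART-01")
    return genuine_ok, copy_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

A symmetric tag only helps while the key stays out of the attacker's hands, which is exactly the weakness the Alameda review raised about constant keys on the Edge; a per-machine key provisioned for each election, or a public-key signature checked by WinEDS, removes the dependency on a single shared secret.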
21
Continuation…
o Possible Unsafe OS Choices: The WinEDS documentation states that Windows 98 could be used for the WinEDS client machine
o Such Windows versions provide no user-level security
o Physical Security: Serious concerns about the physical security of the different hardware components
o Reversible Password Hash: The password stored on the update cartridge is not stored as a password hash
o Forging Update Cards and Voter Cards: Voter SmartCards can be forged because the SmartCards are DES-encrypted using a static key
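The reversible-hash finding two bullets up is the one a defender can fix entirely in software: store a salted, iterated one-way digest so that reading the cartridge yields nothing that can be turned back into the password. The Python below is an added example, not Sequoia's code or the report's; the storage format and the iteration count are choices made here for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not Sequoia's code). The record format "algo$iters$salt$digest"
# and the iteration count are illustrative choices; raise the count as hardware allows.
ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record from which the password cannot be
    recovered. A fresh random salt means two users with the same password
    get different records, and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time. Malformed records simply fail to verify."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != ALGO:
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)


def record_reveals_password(password: str, stored: str) -> bool:
    """Sanity check for the property the finding is about: the stored record
    must not contain the password in any directly readable form."""
    return password in stored or password.encode("utf-8").hex() in stored


if __name__ == "__main__":
    rec = hash_password("constructed-example-secret")
    print(rec)
    print(verify_password("constructed-example-secret", rec))  # True
    print(verify_password("guess", rec))                       # False
```

Whatever reads the update cartridge still has to enforce a rate limit or lockout, because a one-way hash turns "read the password" into "guess the password", and the iteration count only sets the price per guess.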
22
Successful Attack Scenarios
o Attack Scenario 1: An attacker drops a USB flash drive in the pool of USB drives used to initialize the HAAT systems
o When the drive is inserted in the computer on which WinEDS is running
o The cartridge is inserted in an Edge machine to load the ballots
o Modifies the ballot to give advantage to a certain candidate
o Attack Scenario 2: The malicious firmware takes advantage of “fleeing” voters
o The poll worker has no access to the content of the ballot
o The firmware records a modified vote
23
Continuation…
o Attack Scenario 3: In this case the firmware prints a copy of the voter’s actual choices
o The firmware displays “Please Wait, Recording Vote” for a few seconds
o It then displays “Thank you” as if the vote were recorded, but the machine prints “VOIDED” on the receipt
o Attack Scenario 4: After the machine prints “VOIDED”, instead of jumping back to the ballot, it completes the voting process by casting a modified vote
o Attack Scenario 5: An attacker replaces the firmware’s flashcard with one containing a malicious firmware
24
Continuation…
o Attack Scenario 6: Attacker obtains access to the static key used to encrypt the voter cards
o Creates a number of valid voter cards to vote multiple times
o Attack Scenario 7: Access to election functionality on a WinEDS workstation directly connects to the MS SQL Server running on a separate WinEDS server machine
o The attacker transfers a malicious program to the database, and installs the program on the WinEDS server
o The installed program can be left on the machine as a Trojan
25
Potential Attack Scenarios
o Attack Scenario 8: An authorized user gets access to a 400-C machine
o Reboots the PC with a bootable CD containing a different OS
o The attacker then installs a Trojan application on the Windows system installed on the PC
o It will start modifying the votes
o It is possible to hide the malicious behavior from the LAT procedures
26
Conclusion
o Vulnerabilities could be exploited by a determined attacker to modify the results of an election
o No knowledge of source code required
o The implementation of the attacks did not require access to the source code