Distributed Systems Security Overview
Douglas C. Sicker, Assistant Professor, Department of Computer Science and Interdisciplinary Telecommunications Program
Nov. 15, 2005 Distributed Security, ECEN 5053, U of Colo, Boulder
Network Security
What we'll cover:
- What is network security?
- What are the goals?
- What are the threats?
- What are the solutions?
- How do they operate?
This is a lot of info and it might take a few reads to stick.
Network Security: some issues with the book
- It assumes malicious intent as the reason for needing security. Is this valid?
- It focuses on the protocols (not surprising). However, the real problems with security are mostly outside of the technical space (see the Economist articles).
  - What else should we consider? For example, more depth on security models, security policy, assurance, insurance, risk assessment...
- Lastly, keep in mind that even the best protocols can be misapplied.
Network Security
What do we seek?
- Confidentiality
- Integrity
- Availability
- Non-repudiation
- Accounting
Distributed Security and Electronic Voting
“The Perils of Polling”, Steven Cherry, IEEE Spectrum, October 2004, pp. 34-40
ECEN 5053 Software Engineering of Distributed Systems
University of Colorado, Boulder
Background
- Read Chapter 7 in the text
- Read the articles from The Economist
- Consider the issues of electronic voting
- To simplify one of your homework problems, make a list of security issues as you recognize them in the lecture.
Advent of electronic voting acceptance
What is "electronic voting" for this unit? Use of equipment that directly records votes only on electronic media, such as chips, cartridges, or disks, with no paper or other tangible form of backup.
November 2004 election: more than 25% of U.S. ballots will be cast using electronic voting.
If we are ready for electronic voting, is the technology ready for us?
Pros & Cons
Advantages:
- No hanging chads
- No paper ballots printed out of alignment so that optical scanners make too many errors (the bane of Boulder County in November 2004)
Disadvantages for 2004:
- Some deployed systems had known flaws
- Some were poorly tested
- Some were not tested at all
Basics
Fundamental requirement for ensuring the integrity of votes:
- Ability to perform an independent recount
- Reconstruct the tally if contested
Current systems:
- No assurance that the vote was counted at all
- No assurance it was counted correctly
- Some machines will fail (as they have in recent elections)
The real issues of security
Requirements:
- voting machines must be robustly reliable
- independently verifiable counts
Unfortunately, it may be a harder problem than is appreciated by those who developed the products in use.
David Chaum, cryptographer, is working on it ... more later.
Vision Document problem statement
The problem of [describe the problem]
affects [the stakeholders affected by the problem]
the impact of which is
[what is the impact of the problem?]
A successful solution would be
[list some key benefits of a successful solution]
Let’s stop and list requirements
What are some characteristics of elections?
- early voting
- absentee voting
- election day
- what else?
Are there standards in place?
- Yes and no. Many systems installed for the 2004 election comply with federal guidelines that are obsolete (from 1990).
- Those guidelines were replaced in 2002, but many voting systems in use in 2004 were certified according to the 1990 standards.
Domain challenges
Elections are run individually by each state. State and local officials are responsible for choosing and deploying equipment:
- not skeptical enough of manufacturers' claims
- sometimes rejected the advice of engineers and specialists
If states are willing to buy and the federal government is willing to give money to do so ...
State differences
Some states choose voting equipment at the state level
Some leave it up to counties or even smaller municipalities
Lots of decision makers leads to variety of decisions made
Some other countries with electronic voting made the choice at the national level. See any problems with that?
Partially vs. wholly electronic
Partially electronic systems:
- Paper ballot to be optically scanned, like standardized tests
- Scanners count
- If contested, ballots can be rescanned or counted by hand
Wholly electronic:
- Store the vote digitally, not on paper
Accu-Vote-TSX example
- Touch-screen system made by Diebold Inc.
- The voter signs in at the polling station and receives an activated card similar to a modern hotel-room "key".
- The voter inserts it into the machine and makes selections.
- When the voter touches "Cast Vote", the vote is recorded on the hard disk and the access card is deactivated, so the voter cannot vote a second time.
- The Accu-Vote machine has a built-in printer to record vote totals when the polls close.
- The Accu-Vote machine has a modem for optional encryption and transmission of vote totals.
80% of the market:
- Diebold Election Systems
- Election Systems & Software, Inc. (ES&S)
- Sequoia Voting Systems, Inc.
Advantages of Electronic Voting
Machines can be programmed to keep the voter from voting for two candidates for a single office
Text on the screen can be read by voice-synthesis software
Other features
Current disadvantages
- Early-generation equipment was flawed
- Hard for local governments to keep track
- Shifting cast of companies
- Testing is time-consuming
- Certification requirements can't keep up
- New machines, and many workers are volunteers with short-term training appropriate for a 1- or 2-day job
Examples of problems
- 2002 Florida gubernatorial (governor) primary: in two counties, some of the new equipment would not boot in time for the start of the election.
- 2003, Boone County, Indiana: 5,352 voters, 144,000 votes reported.
- 2004 primaries in California: catastrophes throughout the state across a wide variety of different machines.
  - San Diego County: some polling places opened 4 hours late.
  - Some Diebold machines spontaneously rebooted, presenting the generic Microsoft Windows screen instead of the ballot.
Reliability concerns
- The Diebold spontaneous reboot problem: the voter access card encoders had faulty power switches that drained them of battery power.
- In northern Alameda County, 1 in 5 Diebold encoders had similar problems.
- Hearings were held, and California Secretary of State Kevin Shelley released a report charging that Diebold marketed, sold, and installed AccuVote systems in Kern, San Diego, San Joaquin, and Solano counties
  - prior to full testing and federal qualification
  - without complying with state certification requirements
Reliability consequences
- On April 30, 2004, the California Secretary of State withdrew approval for all direct-recording electronic voting systems in California.
- The state required nearly 16,000 AccuVote machines in the 4 counties to be recertified, this time complying with tighter security and auditability measures, or replaced with optically scanned balloting in time for the November election.
- Based on your knowledge of software, what are the implications of complying with new requirements within a tight deadline?
Other problems
- Installation of uncertified components and cover-up of malfunctioning products. Earlier in 2004, "a June 2003 ES&S memo came to light that indicated flaws in the auditing software for a $24.5 million installation of its iVotronic voting machines in Miami-Dade County".
- ES&S also manufactured voting systems previously used in Venezuela that suffered a 6% malfunction rate in actual use.
State of Maryland hired SAIC ...
We recommend that SBE (the State Board of Elections) immediately implement the following mitigation strategies to address the identified risks with a rating of high:
- Bring the AccuVote-TS voting system into compliance with the State of Maryland Information Security Policy and Standards.
- Consider the creation of a Chief Information Systems Security Officer (CISSO) position at SBE. This individual would be responsible for the secure operations of the AccuVote-TS voting system.
- Develop a formal, documented, complete, and integrated set of standard policies and procedures. Apply these standard policies and procedures consistently through the LBEs (local boards of elections) in all jurisdictions.
State of Maryland
- Create a formal System Security Plan. The plan should be consistent with the State of Maryland Information Security Policy and Standards, Code of Maryland Regulations (COMAR), Federal Election Commission (FEC) standards, and industry best practices.
- Apply cryptographic protocols to protect transmission of vote tallies.
- Require 100 percent verification of results transmitted to the media through a separate count of the PCMCIA cards containing the original votes cast.
- Establish a formal process requiring the review of audit trails at both the application and operating system levels.
- Provide a formal information security awareness, training, and education program appropriate to each user's level of access.
State of Maryland - 2
- Review any system modifications through a formal, documented risk assessment process to ensure that changes do not negate existing security controls. Perform a formal risk assessment following any major system modifications, or at least every three years.
- Implement a formal, documented process to detect and respond to unauthorized transaction attempts by authorized and/or unauthorized users.
- Establish a formal, documented set of procedures describing how the general support system identifies access to the system.
And my personal favorite: change default passwords and passwords printed in documentation immediately.
Elsewhere
- Ireland scuttled plans to use electronic voting in local and European parliamentary elections in June 2004, partly over concerns about lack of independent auditability:
  - constant software updates from the vendors
  - software could not be reviewed in time
- The same vendor (Nedap NV) made some of its online e-voting software available as open source
  - Won't compile and run
  - What else?
Physical security
1% of Fairfax County, Virginia's new WINvote touch-screen machines (Advanced Voting Solutions) were
- repaired outside the polling place
- returned and put back into use
- with broken or removed security seals
- in apparent violation of state law
Distributed systems bandwidth issue
Again, Fairfax:
- About half of the vote totals (not the national election) couldn't be electronically transmitted.
- The system flooded itself with messages.
- They had inadvertently designed in their own denial-of-service attack on the server.
A number of machines apparently subtracted votes at random from the Republican school board candidate (Rita Thompson), resulting in a possible miscount of 1 to 2 percent of her votes, close to the margin by which she lost the election.
Warnings
- The web site for Arlington County told poll workers what to do if
  - the voting machine freezes during boot-up
  - the master unit does not "pick up" one of the units in the polling place when opening the polls
  - when closing, "if tally fails to pick up a machine"
- Jeremy Epstein, an information-security expert, attended a pre-election training session and submitted a 3-page list of questions to Fairfax officials. The electoral board secretary then couldn't respond on the grounds that "release of that information could jeopardize the security of that voting equipment".
  - Treat that as a requirement ...
Complexity is generally not understood
"Here are the candidates, pick one." What other situations occur?
Anonymity is a potentially bigger problem. Requirements?
Complexity continued: independent verifiability
- California audits elections by requiring that 1% of all paper ballots be manually recounted whether or not an election is contested. Requirements?
- Focus on adding paper back into the process. Requirements regarding the paper ballot?
- California: newly purchased direct-recording equipment must have an accessible, voter-verified paper audit trail; a retrofit is required for existing machines by July 2006.
Complexity summary
The vote:
- Complexity of selection possibilities
- Count correctly
- Robust hardware and software
- Accurate LAN communication at the polling place
- Accurate WAN communication to the central server, if used
Etc.:
- how to verify electronic votes
- how to test electronic voting hardware and software
- how to maintain security and integrity
Without a voter-verified paper audit trail
- A certification process is necessary, with compliance verification: is the system in place the one that was certified?
- Current federal guidelines (2002) don't require a digital signature to track software from certification to installation to the end of voting day.
- The IEEE Standards Association formed a working group on voting standards.
Design question
Is it possible to provide sufficient auditability without paper?
- Consider electronic funds transactions
- Encryption techniques
David Chaum, cryptographer:
- Lets election officials post electronic ballots to the internet
- Voters can check that their votes were included in the election tally
- Still needs paper, but his electronic tallies are as reliable as a count of paper ballots
- Still provides voter anonymity
- Great, right?
Suppose all cryptography issues are settled ...
If all mathematical problems are solved, what remains?
Voting is a complicated social phenomenon and the solution must be perceived socially to be a solution.
- Machines need to be physically secure before, during, and after the election
- Workers must be well trained, able to deal with the technological problems that can occur
- www.OpenVotingConsortium.org
Article's conclusion
At the trailhead of electronic voting systems:
- "Election officials underestimated the problems of deploying the technology."
- "Computer scientists underestimated the long-standing difficulties of conducting traditional all-paper ballots." (requirements elicitation!)
“Election officials now seem to be coming to understand the merits and demerits of electronic voting systems.”
“The current debate over electronic voting systems has certainly raised the bar for election equipment.”
“And every year, we get a chance to do better.”
SSL and the human element
A drop-in replacement for standard network sockets?
SSL’s intent: provide an authenticated, encrypted communications channel, where the attacker cannot tamper with data in transit without being detected on the receiving end.
What’s the easy part? What’s the hard part?
Mutual Authentication
Client wants to know it is talking to correct server (precinct and county, for example)
Server wants to know which user is on the other end
Expect: authenticate the server to the client and once an encrypted data channel is established, implement an authentication mechanism over it so the server can establish the client’s identity.
How SSL authenticates
- The party to be validated (the server) presents the other party (the client) its certificate: public key, identifying information, dates of validity, and endorsing digital signatures from a Certification Authority (CA).
- The CA is responsible for making sure it endorses only those certificates that really do belong to the intended owners.
The client’s responsibility
Assumptions: the CA never makes a mistake, and the companies we are to do business with are good at protecting their private keys. Even then, the client must make sure the certificate is the right one:
- the certificate is signed by a known CA
- the certificate is current
- the certificate is bound to the entity you want
Validate the data in the certificate
The certificate is bound to a domain name. None of the major SSL libraries of the time (2005) performed any of this validation for the developer by default: a successful handshake only meant that some certificate was presented, not that it was the right one. (Some current libraries, for example Python's ssl.create_default_context() and Go's crypto/tls, now check the chain and the hostname by default, but only when the application tells them which hostname it expects; a context with verification switched off is still just an encrypted pipe to whoever answered.)
When a user asks to open a client socket, the SSL library could easily perform every reasonable check on the server certificate, including whether the certificate is bound to the domain supplied by the user.
Vulnerability
Most applications using SSL are subject to man-in-the-middle attacks.
Only a theoretical problem? No. An attacker who can influence the Internet's router infrastructure can interpose on the path. But even without that, one can launch a man-in-the-middle attack from machines on the same underlying medium (the same LAN segment) as either of the two endpoints.
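The three client-side checks listed above (signed by a known CA, current, bound to the entity you want) and the "SSL as a drop-in socket" misconfiguration that leaves an application open to the man-in-the-middle attack just described, as an added example in Python. This is not code from the lecture or from any voting vendor. The certificate below is a constructed sample in the dictionary layout that ssl.SSLSocket.getpeercert() returns, the host names (tally.example-county.gov and friends) are hypothetical, and the date parsing assumes the "Mon DD HH:MM:SS YYYY GMT" format Python's ssl module uses for notBefore/notAfter.

```python
"""Added example: client-side server-certificate checks and the two ways to
configure a TLS client socket (verifying vs. blind).  Sample certificate and
host names are constructed for the example, not taken from any real system."""
import ssl
import socket
from datetime import datetime, timezone

# Constructed sample in the shape returned by SSLSocket.getpeercert().
# (Names and dates are made up; "GMT" is the format the ssl module emits.)
GOOD_CERT = {
    "subject": ((("commonName", "tally.example-county.gov"),),),
    "subjectAltName": (("DNS", "tally.example-county.gov"),
                       ("DNS", "*.precinct.example-county.gov")),
    "notBefore": "Jan  1 00:00:00 2005 GMT",
    "notAfter":  "Dec 31 23:59:59 2006 GMT",
}


def _parse_asn1_time(s):
    """Parse the getpeercert() time format into an aware UTC datetime."""
    return datetime.strptime(s, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def _dns_match(pattern, hostname):
    """Match one certificate name against a host name.  A single leading '*'
    matches exactly one label (RFC 6125 style); no other wildcards allowed."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_is_bound_to(cert, hostname):
    """Check 3: the certificate names the host the user asked for.
    DNS subjectAltName entries win; the CN is consulted only when there are none."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for k, v in rdn:
                if k == "commonName":
                    names.append(v)
    return any(_dns_match(n, hostname) for n in names)


def cert_is_current(cert, now):
    """Check 2: `now` lies inside the certificate's validity period."""
    return _parse_asn1_time(cert["notBefore"]) <= now <= _parse_asn1_time(cert["notAfter"])


def verifying_context():
    """Check 1 (chain to a trusted CA) plus checks 2 and 3, enforced by the
    library during the handshake.  This is the configuration to use."""
    ctx = ssl.create_default_context()   # loads the platform CA store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def blind_context():
    """The 'drop-in replacement for a socket' configuration the lecture warns
    about: traffic is encrypted, but to whoever answered.  A man-in-the-middle
    presenting any certificate at all completes the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies(ctx):
    """True only if the context will reject an unknown or mismatched server."""
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)


def connect(hostname, port=443, ctx=None):
    """Open a client socket.  `server_hostname` is what check 3 compares the
    certificate against, so it must be the name the user intended, not
    something derived from the connection itself."""
    ctx = ctx or verifying_context()
    raw = socket.create_connection((hostname, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=hostname)


if __name__ == "__main__":
    now = _parse_asn1_time("Nov 15 00:00:00 2005 GMT")
    print("bound:", cert_is_bound_to(GOOD_CERT, "p12.precinct.example-county.gov"))
    print("current:", cert_is_current(GOOD_CERT, now))
    print("verifying ctx ok:", context_verifies(verifying_context()))
    print("blind ctx ok:", context_verifies(blind_context()))
```

The manual checks are there to make the slide's list concrete; in practice you let verifying_context() do all three inside the handshake and never hand-roll them for production code. The one thing the library cannot supply is the expected host name, which is why connect() threads the user's intended name through to wrap_socket(): a client that passes a name taken from a redirect, a DNS answer, or the peer itself has quietly reintroduced the man-in-the-middle problem.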
Resources
Viega and McGraw, Building Secure Software, Addison Wesley Professional, 2001.
Howard and LeBlanc, Writing Secure Code, Microsoft Press, 2002, 2nd edition.
Viega and Messier, Secure Programming Cookbook for C and C++, O’Reilly, 2003.