
Distributed Systems Security Overview



  1. Distributed Systems Security Overview
  Douglas C. Sicker, Assistant Professor, Department of Computer Science and Interdisciplinary Telecommunications Program

  2. Network Security
  • What we’ll cover:
    • What is network security?
    • What are the goals?
    • What are the threats?
    • What are the solutions?
    • How do they operate?
  • This is a lot of info and it might take a few reads to stick.
  Distributed Security, ECEN 5053, U of Colo, Boulder

  3. Network Security
  • Some issues with the book…
    • Assumes malicious intent as the reason for needing security. Is this valid?
    • Focus on the protocols (not surprising)
    • However, the real problems with security are mostly outside of the technical space (see the Economist articles).
  • What else should we consider?
    • For example, more depth on security models, security policy, assurance, insurance, risk assessment…
  • Lastly, keep in mind that even the best protocols can be misapplied.

  4. Network Security
  • What do we seek?
    • Confidentiality
    • Integrity
    • Availability
    • Non-repudiation
    • Accounting

  5. Distributed Security and Electronic Voting
  “The Perils of Polling”, Steven Cherry, IEEE Spectrum, October 2004, pp. 34-40
  ECEN 5053 Software Engineering of Distributed Systems, University of Colorado, Boulder

  6. Background
  • Read Chapter 7 in text
  • Read articles from The Economist
  • Consider the issues of electronic voting
  • To simplify one of your homework problems, make a list of security issues as you recognize them in the lecture.

  7. Advent of electronic voting acceptance
  • What is “electronic voting” for this unit?
    • Use of equipment that directly records votes only on electronic media, such as chips, cartridges, or disks, with no paper or other tangible form of backup
  • November 2004 election
    • More than 25% of U.S. ballots will be cast using electronic voting
  • If we are ready for electronic voting, is the technology ready for us?

  8. Pros & Cons
  • Advantages:
    • No hanging chads
    • No paper ballots printed out of alignment so that optical scanners make too many errors (the bane of Boulder County in November 2004)
  • Disadvantages for 2004:
    • Some deployed systems had known flaws
    • Some poorly tested
    • Some not tested at all

  9. Basics
  • Fundamental requirement for ensuring integrity of votes
    • Ability to perform an independent recount
    • Reconstruct the tally if contested
  • Current systems
    • No assurance that the vote was counted at all
    • No assurance counted correctly
    • Some machines will fail (as they have in recent elections)

  10. The real issues of security
  • Requirements:
    • voting machines must be robustly reliable
    • independently verifiable counts
  • Unfortunately, it may be a harder problem than is appreciated by those who developed the products in use
  • David Chaum is working on it ...
    • cryptographer
    • more later

  11. Vision Document problem statement
  The problem of [describe the problem]
  affects [the stakeholders affected by the problem]
  the impact of which is [what is the impact of the problem?]
  A successful solution would be [list some key benefits of a successful solution]

  12. Let’s stop and list requirements
  • What are some characteristics of elections?
    • early voting
    • absentee voting
    • election day
    • what else?

  13. Are there standards in place?
  • Yes and no
  • Many installed for the 2004 election complied with federal guidelines
    • obsolete ... from 1990
  • A lot of legislation since then at state and federal level – not all systems comply

  14. Domain challenges
  • Elections run individually by each state
  • State and local officials responsible for choosing and deploying equipment
    • not skeptical enough of manufacturers’ claims
    • sometimes rejected advice of engineers and specialists
  • If states are willing to buy and the federal government is willing to give money to do so ...

  15. State differences
  • Some states choose voting equipment at the state level
  • Some leave it up to counties or even smaller municipalities
  • Lots of decision makers leads to a variety of decisions made
  • Some other countries with electronic voting made the choice at the national level. See any problems with that?

  16. Partially vs. wholly electronic
  • Partially electronic systems
    • Paper ballot to be optically scanned like standardized tests
    • Scanners count
    • If contested, ballots can be rescanned or counted by hand
  • Wholly electronic
    • Store the vote digitally, not on paper

  17. Accu-Vote-TSX example
  • Touch-screen system made by Diebold Inc.
  • Voter signs in at the polling station and receives an activated card similar to a modern hotel-room “key”
  • Voter inserts it into the machine and makes selections
  • When the voter touches “Cast Vote”, the vote is recorded on the hard disk and the access card is deactivated, so the voter cannot vote a second time
  • The Accu-Vote machine has a built-in printer to record vote totals when polls close
  • The Accu-Vote machine has a modem for optional encryption and transmission of vote totals

  18. 80% of the market
  • Diebold
  • Election Systems & Software, Inc.
  • Sequoia Voting Systems, Inc.

  19. Advantages of Electronic Voting
  • Machines can be programmed to keep the voter from voting for two candidates for a single office
  • Text on the screen can be read by voice-synthesis software
  • Other features

  20. Current disadvantages
  • Early-generation equipment was flawed
  • Hard for local governments to keep track
    • Shifting cast of companies
  • Testing is time-consuming
    • Certification requirements can’t keep up
  • New machines; many workers are volunteers with short-term training appropriate for a 1- or 2-day job

  21. Examples of problems
  • 2002 Florida gubernatorial (governor) primary
    • in two counties, some of the new equipment would not boot in time for the start of the election
  • 2003, Boone County, Indiana
    • 5,352 voters
    • 144,000 votes reported
  • 2004 primaries in California: catastrophes throughout the state across a wide variety of different machines
    • San Diego County: some opened 4 hrs late
    • Some Diebold machines spontaneously rebooted, presenting the generic Microsoft Windows screen instead of the ballot

  22. Reliability Concerns
  • The Diebold spontaneous reboot problem
  • Voter access card encoders
    • Power switches had faults that drained them of battery power
    • In northern Alameda County, 1 in 5 Diebold encoders had similar problems
  • Hearings held; California Secretary of State Kevin Shelley released a report charging that Diebold marketed, sold, and installed AccuVote systems in Kern, San Diego, San Joaquin, and Solano counties
    • prior to full testing and federal qualification
    • without complying with state certification requirements

  23. Reliability Consequences
  • April 30, 2004: the California Secretary of State withdrew approval for all direct-recording electronic voting systems in California
  • State required nearly 16,000 AccuVote machines in the 4 counties to be either
    • recertified, this time complying with tighter security and auditability measures, or
    • replaced with optically scanned balloting in time for the November election
  • Based on your knowledge of software, what are the implications of complying with new requirements within a tight deadline?

  24. Other problems
  • Installation of uncertified components and coverup of malfunctioning products
  • Earlier in 2004, “a June 2003 ES&S memo came to light that indicated flaws in the auditing software for a $24.5 million installation of its iVotronic voting machines in Miami-Dade County”
  • ES&S also manufactured voting systems previously used in Venezuela that suffered a 6% malfunction rate in actual use.

  25. Elsewhere
  • Ireland scuttled plans to use electronic voting in local and European parliamentary elections in June 2004
    • partly over concerns about lack of independent auditability
    • constant software updates from the vendors* – software could not be reviewed in time
  • Same vendor (Nedap NV) made some of its online e-voting software** available as open source
    • Won’t compile and run
  • What else?

  26. Physical security
  • 1% of Fairfax County, Virginia’s new WINvote touch-screen machines (Advanced Voting Solutions) were
    • repaired outside the polling place
    • returned and put back into use
    • with broken or removed security seals
    • in apparent violation of state law

  27. Distributed systems bandwidth issue
  • Again, Fairfax
    • About half of the vote totals (not the national election) couldn’t be electronically transmitted
    • The system flooded itself with messages
    • They had inadvertently designed in their own denial-of-service attack on the server
  • A number of machines apparently subtracted votes at random from the Republican school board candidate (Rita Thompson), resulting in a possible miscount of 1 to 2 percent of her votes, close to the margin by which she lost the election.

  28. Warnings
  • Web site for Arlington County told poll workers what to do if
    • the voting machine freezes during boot-up
    • the master unit does not “pick up” one of the units in the polling place when opening the polls
    • when closing, “if tally fails to pick up a machine”
  • Jeremy Epstein, an information-security expert, attended a pre-election training session
    • submitted a 3-page list of questions to Fairfax officials
    • the electoral board secretary couldn’t respond on the grounds that “release of that information could jeopardize the security of that voting equipment”
    • treat that as a requirement ...

  29. Complexity is generally not understood
  • “Here are the candidates, pick one”
  • What other situations occur?
  • Anonymity is a potentially bigger problem
  • Requirements?

  30. Complexity continued
  • Independent verifiability
    • California audits elections by requiring 1% of all paper ballots be manually recounted whether or not an election is contested
    • Requirements?
  • Focus on adding paper back into the process
    • Requirements re paper ballot?
    • California: newly purchased direct-recording machines must have an accessible, voter-verified paper audit trail
    • retrofit required for existing ones by July 2006
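The 1% manual tally above is a fixed-size sample, and how likely it is to catch a wrong machine count depends on how many precincts are wrong, not on the percentage in the rule. The program below is an added example, not material from the slides or the Spectrum article, that works that out: it assumes the audit draws whole precincts uniformly at random without replacement (California's 1% tally is precinct-based; treat that as the example's assumption), and the precinct count, margin and per-precinct vote shift are constructed numbers for illustration.

```go
package main

import (
    "fmt"
    "math"
)

// DetectionProbability is the chance that a uniformly random sample of
// `sampled` precincts, drawn without replacement from `total`, contains at
// least one of the `corrupted` precincts whose machine totals are wrong:
//   1 - C(total-corrupted, sampled) / C(total, sampled)
// computed in log space so it does not overflow for real precinct counts.
func DetectionProbability(total, sampled, corrupted int) float64 {
    if corrupted <= 0 || sampled <= 0 || total <= 0 {
        return 0
    }
    if sampled > total-corrupted {
        return 1 // every possible sample must include a corrupted precinct
    }
    // log C(n, k) = lgamma(n+1) - lgamma(k+1) - lgamma(n-k+1)
    lchoose := func(n, k int) float64 {
        a, _ := math.Lgamma(float64(n + 1))
        b, _ := math.Lgamma(float64(k + 1))
        c, _ := math.Lgamma(float64(n - k + 1))
        return a - b - c
    }
    missAll := math.Exp(lchoose(total-corrupted, sampled) - lchoose(total, sampled))
    return 1 - missAll
}

// SampleSize is the number of precincts a fixed-percentage audit examines,
// rounded up so that a 1% rule on 150 precincts audits 2, not 1.
func SampleSize(total int, percent float64) int {
    return int(math.Ceil(float64(total) * percent / 100))
}

// PrecinctsToFlip is how many precincts an attacker must corrupt to overturn
// a contest when each corrupted precinct can shift at most shiftPerPrecinct
// votes and the winner leads by margin votes.
func PrecinctsToFlip(margin, shiftPerPrecinct int) int {
    return int(math.Ceil(float64(margin) / float64(shiftPerPrecinct)))
}

func main() {
    // Constructed scenario (not figures from the article): a county with
    // 800 precincts audited under a 1% manual-tally rule.
    total := 800
    sampled := SampleSize(total, 1)
    for _, bad := range []int{1, 5, 20, 100} {
        fmt.Printf("corrupted=%3d sampled=%d  P(detect)=%.3f\n",
            bad, sampled, DetectionProbability(total, sampled, bad))
    }
    // A 2,000-vote margin, with 100 votes shiftable per precinct before the
    // result looks implausible, needs only 20 corrupted precincts, which an
    // 8-precinct sample catches less than one time in five.
    fmt.Println("precincts to flip:", PrecinctsToFlip(2000, 100))
}
```

The point a practitioner takes from running it: a fixed 1% sample gives a fixed (and small) detection probability against a small number of bad precincts, so the audit's strength should be set from the margin of the contest being audited rather than from a flat percentage.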

  31. Complexity summary
  • The vote
    • Complexity of selection possibilities
  • Count correctly
    • Robust hardware and software
    • Accurate LAN communication at polling place
    • Accurate WAN communication to central server, if used
  • ETC
    • how to verify electronic votes
    • how to test electronic voting hw and sw
    • how to maintain security and integrity

  32. Without voter-verified paper audit trail
  • Certification process necessary
  • Compliance verification
    • Is the system in place the one that was certified?
    • Current federal guidelines (2002) don’t require a digital signature to track software from certification to installation to end of voting day
  • IEEE Standards Association formed a working group on voting standards
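The compliance check the slide asks for ("is the system in place the one that was certified?") is what a signed software manifest answers. The program below is an added example, not code from the slides, from any voting-system vendor, or from the federal standard: the certification authority signs a manifest (version string plus SHA-256 of the exact image it tested) with an Ed25519 key, and the county re-verifies that manifest against the bytes actually on the machine at installation and again at poll close. Key pairs, the version string and the image bytes are constructed for the demonstration; the choice of Ed25519 is the example's, not the guidelines'.

```go
package main

import (
    "crypto/ed25519"
    "crypto/rand"
    "crypto/sha256"
    "errors"
    "fmt"
)

// Manifest is what the certifying authority publishes for an approved build:
// the version, the SHA-256 of the exact image it tested, and an Ed25519
// signature over both, so neither can be altered without detection.
type Manifest struct {
    Version   string
    ImageHash [sha256.Size]byte
    Signature []byte
}

// signingInput binds the version to the hash under a fixed domain tag, so a
// valid signature on an old hash cannot be relabelled as a newer version.
func signingInput(version string, hash [sha256.Size]byte) []byte {
    return append([]byte("voting-image-v1\x00"+version+"\x00"), hash[:]...)
}

// Certify runs once, at the certification lab, over the image that passed
// testing. The private key never leaves the lab.
func Certify(priv ed25519.PrivateKey, version string, image []byte) Manifest {
    h := sha256.Sum256(image)
    return Manifest{
        Version:   version,
        ImageHash: h,
        Signature: ed25519.Sign(priv, signingInput(version, h)),
    }
}

// Verify is the check a county runs at installation and again when polls
// close: the manifest must carry a valid signature from the certifying key,
// and the image present on the machine must hash to the certified value.
func Verify(pub ed25519.PublicKey, m Manifest, installed []byte) error {
    if !ed25519.Verify(pub, signingInput(m.Version, m.ImageHash), m.Signature) {
        return errors.New("manifest signature invalid: not issued by the certifying authority")
    }
    got := sha256.Sum256(installed)
    if got != m.ImageHash {
        return fmt.Errorf("installed image %x... does not match certified build %x...",
            got[:4], m.ImageHash[:4])
    }
    return nil
}

// Demo walks the checkpoints with constructed data: the certified build, an
// uncertified "hotfix" applied after certification, and a manifest for that
// hotfix signed by a key that is not the certifying authority's.
func Demo() (certifiedOK, patchedRejected, forgedRejected bool) {
    pub, priv, err := ed25519.GenerateKey(rand.Reader)
    if err != nil {
        panic(err)
    }
    image := []byte("constructed firmware image, build 4.3.15") // constructed
    m := Certify(priv, "4.3.15", image)

    certifiedOK = Verify(pub, m, image) == nil

    patched := append(append([]byte{}, image...), []byte(" + uncertified hotfix")...)
    patchedRejected = Verify(pub, m, patched) != nil

    _, rogue, _ := ed25519.GenerateKey(rand.Reader)
    forged := Certify(rogue, "4.3.15", patched) // well-formed manifest, wrong key
    forgedRejected = Verify(pub, forged, patched) != nil
    return
}

func main() {
    ok, patched, forged := Demo()
    fmt.Println("certified image accepted:", ok)
    fmt.Println("post-certification patch rejected:", patched)
    fmt.Println("manifest from non-authority key rejected:", forged)
}
```

Running Verify at poll close as well as at installation is what closes the "constant software updates from the vendors" gap noted on the Ireland slide: a patch pushed after certification changes the hash and fails the check even if the manifest itself is untouched.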

  33. Design question
  • Is it possible to provide sufficient auditability without paper?
    • Consider electronic funds transactions
    • Encryption techniques
  • David Chaum, cryptographer
    • Lets election officials post electronic ballots to the internet
    • Voters can check that their votes were included in the election tally
    • Still needs paper, but his electronic tallies are as reliable as a count of paper ballots
    • Still provides voter anonymity
  • Great, right?

  34. Suppose all cryptography issues settled ...
  • If all mathematical problems are solved, what remains?
  • Voting is a complicated social phenomenon and the solution must be perceived socially to be a solution.
  • Machines need to be physically secure before, during, and after
  • Workers well trained, able to deal with technological problems that can occur

  35. Article’s conclusion
  • At the trailhead of electronic voting systems
  • “Election officials underestimated the problems of deploying the technology.”
  • “Computer scientists underestimated the long-standing difficulties of conducting traditional all-paper ballots.”
  • “Election officials now seem to be coming to understand the merits and demerits of electronic voting systems.”
  • “The current debate over electronic voting systems has certainly raised the bar for election equipment.”
  • “And every year, we get a chance to do better.”

  37. Chaum’s approach

  38. Distributed System Issues?
  In addition to the security issues you listed, what distributed system issues do we have to address to have an acceptable system?
