
Distributed Systems Security Overview

Douglas C. Sicker

Assistant Professor

Department of Computer Science and Interdisciplinary Telecommunications Program

Network Security
  • What we’ll cover:
    • What is network security?
    • What are the goals?
    • What are the threats?
    • What are the solutions?
    • How do they operate?
  • This is a lot of info and it might take a few reads to stick.

Distributed Security, ECEN 5053, U of Colo, Boulder

Network Security
  • Some issues with the book…
  • Assumes malicious intent as the reason for needing security.
    • Is this valid?
  • Focus on the protocols (not surprising)
    • However, the real problems with security are mostly outside of the technical space (see the Economist articles).
    • What else should we consider?
      • For example, more depth on security models, security policy, assurance, insurance, risk assessment…
    • Lastly, keep in mind that even the best protocols can be misapplied.

Network Security
  • What do we seek?
    • Confidentiality
    • Integrity
    • Availability
    • Non-repudiation
    • Accounting


Distributed Security and Electronic Voting: “The Perils of Polling”, Steven Cherry, IEEE Spectrum, October 2004, pp. 34-40

ECEN 5053 Software Engineering of Distributed Systems

University of Colorado, Boulder

Background
  • Read Chapter 7 in text
  • Read articles from The Economist
  • Consider the issues of electronic voting
  • To simplify one of your homework problems, make a list of security issues as you recognize them in the lecture.

Advent of electronic voting acceptance
  • What is “electronic voting” for this unit?
    • Use of equipment that directly records votes only on electronic media, such as chips, cartridges, or disks, with no paper or other tangible form of backup
  • November 2004 election
    • More than 25% of U.S. ballots will be cast using electronic voting
  • If we are ready for electronic voting, is the technology ready for us?

Pros & Cons
  • Advantages:
    • No hanging chads
    • No paper ballots printed out of alignment so that optical scanners make too many errors (the bane of Boulder County in November 2004)
  • Disadvantages for 2004
    • Some deployed systems had known flaws
    • Some poorly tested
    • Some not tested at all

Basics
  • Fundamental requirement for ensuring integrity of votes
    • Ability to perform an independent recount
    • Reconstruct the tally if contested
  • Current systems
    • No assurance that the vote was counted at all
    • No assurance counted correctly
    • Some machines will fail (as they have in recent elections)

The real issues of security
  • Requirements:
    • voting machines must be robustly reliable
    • independently verifiable counts
  • Unfortunately, it may be a harder problem than is appreciated by those who developed products in use
  • David Chaum is working on it ... 
    • cryptographer
    • more later


Vision Document problem statement

The problem of [describe the problem]
affects [the stakeholders affected by the problem]
the impact of which is [what is the impact of the problem?]
A successful solution would be [list some key benefits of a successful solution]

Let’s stop and list requirements
  • What are some characteristics of elections?
    • early voting
    • absentee voting
    • election day
    • what else?

Are there standards in place?
  • Yes and no
    • Many installed for 2004 election comply with federal guidelines
    • obsolete ... from 1990
    • Replaced in 2002
    • But many voting systems in use in 2004 were certified according to the 1990 standards

Domain challenges
  • Elections run individually by each state
  • State and local officials responsible for choosing and deploying equipment
    • not skeptical enough of manufacturers’ claims
    • sometimes rejected advice of engineers and specialists
  • If states are willing to buy and federal government is willing to give money to do so ...

State differences
  • Some states choose voting equipment at the state level
  • Some leave it up to counties or even smaller municipalities
  • Lots of decision makers leads to variety of decisions made
  • Some other countries with electronic voting made the choice at the national level. See any problems with that?

Partially vs. wholly electronic
  • Partially electronic systems
    • Paper ballot to be optically scanned like standardized tests
    • Scanners count
    • If contested, ballots can be rescanned or counted by hand
  • Wholly electronic
    • Store the vote digitally, not on paper

Accu-Vote-TSX example
  • Touch-screen system made by Diebold Inc
  • Voter signs in at the polling station and receives an activated card similar to modern hotel-room “key”
  • Voter inserts it into machine and makes selections
  • When voter touches “Cast Vote”, vote is recorded on hard disk, access card is deactivated – voter cannot vote a 2nd time
  • Accu-Vote machine has built-in printer to record vote totals when polls close
  • Accu-Vote machine has a modem for optional encryption and transmission of vote totals

80% of the market
  • Diebold
  • Election Systems & Software, Inc.
  • Sequoia Voting Systems, Inc.

Advantages of Electronic Voting
  • Machines can be programmed to keep the voter from voting for two candidates for a single office
  • Text on the screen can be read by voice-synthesis software
  • Other features

Current disadvantages
  • Early-generation equipment was flawed
  • Hard for local governments to keep track
  • Shifting cast of companies
  • Testing is time-consuming
  • Certification requirements can’t keep up
  • New machines, yet many workers are volunteers with short-term training appropriate for a 1- or 2-day job

Examples of problems
  • 2002, a Florida gubernatorial (governor) primary
    • in two counties, some of the new equipment would not boot in time for the start of the election
  • 2003, Boone County, Indiana
    • 5,352 voters
    • 144,000 votes reported
  • 2004 primaries in California – catastrophes throughout the state across wide variety of different machines
    • San Diego County – some opened 4 hrs late
    • Some Diebold machines spontaneously rebooted presenting Microsoft Windows generic screen instead of ballot

Reliability Concerns
  • The Diebold spontaneous reboot problem
    • Voter access card encoders
    • Power switches had faults that drained them of battery power
  • In northern Alameda County, 1 in 5 Diebold encoders had similar problems
  • Hearings held, California Sec’y of State Kevin Shelley released a report charging
    • Diebold marketed, sold, and installed AccuVote systems in Kern, San Diego, San Joaquin, and Solano counties
    • prior to full testing and federal qualification
    • without complying with state certification requirements

Reliability Consequences
  • April 30, Calif Sec’y of State withdrew approval for all direct-recording electronic voting systems in California
    • State required nearly 16,000 AccuVote machines in the 4 counties to be recertified
    • this time, complying with tighter security and auditability measures or
    • replaced with optically scanned balloting in time for the November election
  • Based on your knowledge of software, what are the implications of complying with new requirements within a tight deadline?

Other problems
  • Installation of uncertified components and cover-up of malfunctioning products
    • Earlier in 2004, “a June 2003 ES&S memo came to light that indicated flaws in the auditing software for a $24.5 million installation of its iVotronic voting machines in Miami-Dade County”
    • ES&S also manufactured voting systems previously used in Venezuela that suffered a 6% malfunction rate in actual use.

State of Maryland hired SAIC ...

We recommend that SBE immediately implement the following mitigation strategies to address the identified risks with a rating of high:

• Bring the AccuVote-TS voting system into compliance with the State of Maryland Information Security Policy and Standards.

• Consider the creation of a Chief Information Systems Security Officer (CISSO) position at SBE. This individual would be responsible for the secure operations of the AccuVote-TS voting system.

• Develop a formal, documented, complete, and integrated set of standard policies and procedures. Apply these standard policies and procedures consistently through the LBEs in all jurisdictions.

State of Maryland

• Create a formal, System Security Plan. The plan should be

consistent with the State of Maryland Information Security Policy and Standards, Code of Maryland Regulations (COMAR), Federal Election Commission (FEC) standards, and industry best practices.

• Apply cryptographic protocols to protect transmission of vote tallies.

• Require 100 percent verification of results transmitted to the media through separate count of PCMCIA cards containing the original votes cast.

• Establish a formal process requiring the review of audit trails at both the application and operating system levels.

• Provide formal information security awareness, training, and education program appropriate to each user’s level of access.

State of Maryland - 2

• Review any system modifications through a formal, documented, risk assessment process to ensure that changes do not negate existing security controls. Perform a formal risk assessment following any major system modifications, or at least every three years.

• Implement a formal, documented process to detect and respond to unauthorized transaction attempts by authorized and/or unauthorized users.

• Establish a formal, documented set of procedures describing how the general support system identifies access to the system.

And my personal favorite:

Change default passwords and passwords printed in documentation immediately

Elsewhere
  • Ireland scuttled plans to use electronic voting in local and European parliamentary elections in June 2004
    • partly over concerns about lack of independent auditability
    • constant software updates from the vendors* – software could not be reviewed in time
  • Same vendor (Nedap NV) made some of its online e-voting software** available as open source
    • Won’t compile and run
    • What else?

Physical security
  • 1% of Fairfax County, Virginia’s new WINvote touch-screen machines (Advanced Voting Solutions)
    • repaired outside the polling place
    • returned and put back into use
    • with broken or removed security seals
    • in apparent violation of state law

Distributed systems bandwidth issue
  • Again, Fairfax
    • About half of the vote totals (not the national election) couldn’t be electronically transmitted
    • System flooded itself with messages
    • They had inadvertently designed in their own denial of service attack on the server
  • A number of machines apparently subtracted votes at random from the Republican school board candidate (Rita Thompson) resulting in a possible miscount of 1 to 2 percent of her votes – close to the margin by which she lost the election.

Warnings
  • Web site for Arlington County told poll workers what to do if
    • the voting machine freezes during boot-up
    • master unit does not “pick up” one of the units in the polling place when opening the polls
    • when closing, “if tally fails to pick up a machine”
  • Jeremy Epstein, an information-security expert, attended a pre-election training session
    • submitted a 3-page list of questions to Fairfax officials
    • the electoral board sec’y couldn’t respond, on the grounds that “release of that information could jeopardize the security of that voting equipment”
    • treat that as a requirement ...

Complexity is generally not understood
  • “Here are the candidates, pick one”
    • What other situations occur?
  • Anonymity is a potentially bigger problem
    • Requirements?

Complexity continued
  • Independent verifiability
    • California audits elections by requiring 1% of all paper ballots be manually recounted whether or not an election is contested
    • Requirements?
    • Focus on adding paper back into the process
      • Requirements re paper ballot?
    • California: newly purchased direct-recording systems must have an accessible, voter-verified paper audit trail
      • retrofit required for existing ones by July 2006

Complexity summary
  • The vote
    • Complexity of selection possibilities
    • Count correctly
    • Robust hardware and software
    • Accurate LAN communication at polling place
    • Accurate WAN communication to central server, if used
  • ETC
    • how to verify electronic votes
    • how to test electronic voting hw and sw
    • how to maintain security and integrity

Without voter-verified paper audit trail
  • Certification process necessary
    • Compliance verification
    • Is the system in place, the one that was certified?
    • Current federal guidelines (2002) don’t require digital signature to track software from certification to installation to end of voting day
  • IEEE Standards Association formed a working group on voting standards

Design question
  • Is it possible to provide sufficient auditability without paper?
    • Consider electronic funds transactions
    • Encryption techniques
  • David Chaum, cryptographer
    • Lets election officials post electronic ballots to the internet
    • Voters can check that their votes were included in the election tally
    • Still needs paper but his electronic tallies are as reliable as a count of paper ballots
    • Still provides voter anonymity
    • Great, right?

Suppose all cryptography issues settled ...
  • If all mathematical problems are solved, what remains?
  • Voting is a complicated social phenomenon and the solution must be perceived socially to be a solution.
    • Machines need to be physically secure before, during, after
    • Workers well trained, able to deal with technological problems that can occur
    • www.OpenVotingConsortium.org

Article’s conclusion
  • At the trailhead of electronic voting systems
    • “Election officials underestimated the problems of deploying the technology.”
    • “Computer scientists underestimated the long-standing difficulties of conducting traditional all-paper ballots.” (requirements elicitation!)
  • “Election officials now seem to be coming to understand the merits and demerits of electronic voting systems.”
  • “The current debate over electronic voting systems has certainly raised the bar for election equipment.”
  • “And every year, we get a chance to do better.”

Chaum’s approach

SSL and the human element
  • A drop-in replacement for standard network sockets?
  • SSL’s intent: provide an authenticated, encrypted communications channel, where the attacker cannot tamper with data in transit without being detected on the receiving end.
  • What’s the easy part?
  • What’s the hard part?

Mutual Authentication
  • Client wants to know it is talking to correct server (precinct and county, for example)
  • Server wants to know which user is on the other end
  • Expect: authenticate the server to the client and once an encrypted data channel is established, implement an authentication mechanism over it so the server can establish the client’s identity.

How SSL authenticates
  • The party to be validated (the server) presents its certificate to the other party (the client)
    • Public key, identifying information, dates of validity, endorsing digital signatures from a Certification Authority (CA)
    • The CA is responsible for making sure it endorses only those certificates that really do belong to the intended owners

The client’s responsibility
  • Assume CA never makes a mistake
  • Assume the companies we do business with are good at protecting their private keys
  • Client must make sure the certificate is the right one.
    • certificate is signed by a known CA
    • certificate is current
    • certificate is bound to entity you want

Validate the data in the certificate
  • Certificate is bound to a domain name
  • None of the major SSL libraries performs any of this validation for the developer by default.
  • When a user asks to open a client socket the SSL library could easily perform every reasonable check on the server certificate including whether the certificate is bound to the domain supplied by the user.
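The three client-side checks from the two preceding slides (signed by a known CA, current, bound to the entity you asked for), with the weak "drop-in socket" client configuration beside the strict one, as an added Python example that is not part of the original lecture; the trusted CA name and the sample certificate are constructed for illustration.

```python
import ssl

# Constructed for this example: the CA names this client is willing to trust.
TRUSTED_CA_NAMES = {"Example Lecture Root CA"}


def insecure_client_context() -> ssl.SSLContext:
    """The 'drop-in socket' mistake: an encrypted channel with no check of who is on the other end."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # certificate is never matched against the requested name
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, signed by anyone, is accepted
    return ctx


def strict_client_context() -> ssl.SSLContext:
    """What the slides ask for: CA signature, validity period and name binding are all enforced."""
    return ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CA store


def _rdn_to_dict(rdn_seq) -> dict:
    # getpeercert() encodes names as ((('commonName', 'x'),), ...); flatten to {'commonName': 'x'}.
    return {key: value for rdn in rdn_seq for key, value in rdn}


def _name_matches(pattern: str, hostname: str) -> bool:
    # Exact match, or a single wildcard as the whole leftmost label (no '*.com', no 'f*o.example').
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (p_labels[0] == "*" and len(p_labels) == len(h_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def certificate_problems(cert: dict, hostname: str, now: float) -> list:
    """Apply the three client-side checks; return the failed ones (empty list = acceptable)."""
    problems = []
    # 1. Signed by a known CA (here: issuer CN in our trust list; the TLS library checks the signature).
    issuer_cn = _rdn_to_dict(cert.get("issuer", ())).get("commonName")
    if issuer_cn not in TRUSTED_CA_NAMES:
        problems.append("issuer not a known CA")
    # 2. Current: 'now' must fall inside the validity window.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        problems.append("certificate not current")
    # 3. Bound to the entity we asked for: DNS SANs, falling back to the subject CN only if none.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        subject_cn = _rdn_to_dict(cert.get("subject", ())).get("commonName")
        names = [subject_cn] if subject_cn else []
    if not any(_name_matches(name, hostname) for name in names):
        problems.append("certificate not bound to requested host")
    return problems


# Constructed sample in the layout returned by SSLSocket.getpeercert(); not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "tally.county.example"),),),
    "issuer": ((("organizationName", "Example"),), (("commonName", "Example Lecture Root CA"),)),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "tally.county.example"), ("DNS", "*.precinct.example")),
}
ELECTION_DAY = ssl.cert_time_to_seconds("Nov 02 12:00:00 2024 GMT")  # constructed check time

if __name__ == "__main__":
    print(certificate_problems(SAMPLE_CERT, "tally.county.example", ELECTION_DAY))  # []
    print(certificate_problems(SAMPLE_CERT, "attacker.example", ELECTION_DAY))
```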

Vulnerability
  • Most applications using SSL are subject to man-in-the-middle attacks
  • Only a theoretical problem?
  • Yes, you can exploit the Internet’s router infrastructure
  • But if you couldn’t, still ... one can launch a man-in-the-middle attack from machines on the same underlying medium as either of the two endpoints.

Resources
  • Viega and McGraw, Building Secure Software, Addison Wesley Professional, 2001.
  • Howard and LeBlanc, Writing Secure Code, Microsoft Press, 2002, 2nd edition.
  • Viega and Messier, Secure Programming Cookbook for C and C++, O’Reilly, 2003.

Distributed System Issues?

In addition to the security issues you listed, what distributed system issues do we have to address to have an acceptable system?
