Distributed Systems Security Overview - PowerPoint PPT Presentation

Provided by: ruthda
Transcript and Presenter's Notes


1
Distributed Systems Security Overview
  • Douglas C. Sicker
  • Assistant Professor
  • Department of Computer Science and
    Interdisciplinary Telecommunications Program

2
Network Security
  • What we'll cover
  • What is network security?
  • What are the goals?
  • What are the threats?
  • What are the solutions?
  • How do they operate?
  • This is a lot of info and it might take a few
    reads to stick.

3
Network Security
  • Some issues with the book
  • Assumes malicious intent as the reason for
    needing security.
  • Is this valid?
  • Focus on the protocols (not surprising)
  • However, the real problems with security are
    mostly outside of the technical space (see the
    Economist articles).
  • What else should we consider?
  • For example, more depth on security models,
    security policy, assurance, insurance, risk
    assessment
  • Lastly, keep in mind that even the best protocols
    can be misapplied.

4
Network Security
  • What do we seek?
  • Confidentiality
  • Integrity
  • Availability
  • Non-repudiation
  • Accounting

5
Distributed Security and Electronic Voting
The Perils of Polling, Steven Cherry, IEEE Spectrum,
October 2004, pp. 34-40
  • ECEN 5053 Software Engineering of Distributed
    Systems
  • University of Colorado, Boulder

6
Background
  • Read Chapter 7 in text
  • Read articles from The Economist
  • Consider the issues of electronic voting
  • To simplify one of your homework problems, make a
    list of security issues as you recognize them in
    the lecture.

7
Advent of electronic voting acceptance
  • What is electronic voting for this unit?
  • Use of equipment that directly records votes only
    on electronic media, such as chips, cartridges,
    or disks, with no paper or other tangible form of
    backup
  • November 2004 election
  • More than 25% of U.S. ballots will be cast using
    electronic voting
  • If we are ready for electronic voting, is the
    technology ready for us?

8
Pros & Cons
  • Advantages
  • No hanging chads
  • No paper ballots printed out of alignment so that
    optical scanners make too many errors (the bane
    of Boulder County in November 2004)
  • Disadvantages for 2004
  • Some deployed systems had known flaws
  • Some poorly tested
  • Some not tested at all

9
Basics
  • Fundamental requirement for ensuring integrity of
    votes
  • Ability to perform an independent recount
  • Reconstruct the tally if contested
  • Current systems
  • No assurance that the vote was counted at all
  • No assurance counted correctly
  • Some machines will fail (as they have in recent
    elections)

10
The real issues of security
  • Requirements
  • voting machines must be robustly reliable
  • independently verifiable counts
  • Unfortunately, it may be a harder problem than is
    appreciated by those who developed products in
    use
  • David Chaum is working on it ... ?
  • cryptographer
  • more later

11
Vision Document problem statement
12
Let's stop and list requirements
  • What are some characteristics of elections?
  • early voting
  • absentee voting
  • election day
  • what else?

13
Are there standards in place?
  • Yes and no
  • Many installed for 2004 election complied with
    federal guidelines
  • obsolete ... from 1990
  • A lot of legislation since then at state and
    federal level; not all systems comply

14
Domain challenges
  • Elections run individually by each state
  • State and local officials responsible for
    choosing and deploying equipment
  • not skeptical enough of manufacturers' claims
  • sometimes rejected advice of engineers and
    specialists
  • If states are willing to buy and federal
    government is willing to give money to do so ...

15
State differences
  • Some states choose voting equipment at the state
    level
  • Some leave it up to counties or even smaller
    municipalities
  • Lots of decision makers leads to variety of
    decisions made
  • Some other countries with electronic voting made
    the choice at the national level. See any
    problems with that?

16
Partially vs. wholly electronic
  • Partially electronic systems
  • Paper ballot to be optically scanned like
    standardized tests
  • Scanners count
  • If contested, ballots can be rescanned or counted
    by hand
  • Wholly electronic
  • Store the vote digitally, not on paper

17
Accu-Vote-TSX example
  • Touch-screen system made by Diebold Inc
  • Voter signs in at the polling station and
    receives an activated card similar to modern
    hotel-room key
  • Voter inserts it into machine and makes
    selections
  • When voter touches "Cast Vote," vote is recorded
    on hard disk, access card is deactivated; voter
    cannot vote a 2nd time
  • Accu-Vote machine has built-in printer to record
    vote totals when polls close
  • Accu-Vote machine has a modem for optional
    encryption and transmission of vote totals

18
80% of the market
  • Diebold
  • Election Systems & Software, Inc.
  • Sequoia Voting Systems, Inc.

19
Advantages of Electronic Voting
  • Machines can be programmed to keep the voter from
    voting for two candidates for a single office
  • Text on the screen can be read by voice-synthesis
    software
  • Other features

20
Current disadvantages
  • Early-generation equipment was flawed
  • Hard for local governments to keep track
  • Shifting cast of companies
  • Testing is time-consuming
  • Certification requirements can't keep up
  • New machines, many workers are volunteers with
    short term training appropriate for a 1 or 2-day
    job

21
Examples of problems
  • 2002: a Florida gubernatorial (governor) primary
  • in two counties, some of the new equipment would
    not boot in time for the start of the election
  • 2003, Boone County, Indiana
  • 5,352 voters
  • 144,000 votes reported
  • 2004 primaries in California: catastrophes
    throughout the state across a wide variety of
    different machines
  • San Diego County: some opened 4 hrs late
  • Some Diebold machines spontaneously rebooted
    presenting Microsoft Windows generic screen
    instead of ballot

22
Reliability Concerns
  • The Diebold spontaneous reboot problem
  • Voter access card encoders
  • Power switches had faults that drained them of
    battery power
  • In northern Alameda County, 1 in 5 Diebold
    encoders had similar problems
  • Hearings held, California Sec'y of State Kevin
    Shelley released a report charging
  • Diebold marketed, sold, and installed AccuVote
    systems in Kern, San Diego, San Joaquin, and
    Solano counties
  • prior to full testing and federal qualification
  • without complying with state certification
    requirements

23
Reliability Consequences
  • April 30, Calif. Sec'y of State withdrew approval
    for all direct-recording electronic voting
    systems in California
  • State required nearly 16,000 AccuVote machines in
    the 4 counties to be recertified
  • this time, complying with tighter security and
    auditability measures or
  • replaced with optically scanned balloting in time
    for the November election
  • Based on your knowledge of software, what are the
    implications of complying with new requirements
    within a tight deadline?

24
Other problems
  • Installation of uncertified components and
    coverup of malfunctioning products
  • Earlier in 2004, a June 2003 ES&S memo came to
    light that indicated flaws in the auditing
    software for a $24.5 million installation of its
    iVotronic voting machines in Miami-Dade County
  • ES&S also manufactured voting systems previously
    used in Venezuela that suffered a 6% malfunction
    rate in actual use.

25
Elsewhere
  • Ireland scuttled plans to use electronic voting
    in local and European parliamentary elections in
    June 2004
  • partly over concerns about lack of independent
    auditability
  • constant software updates from the vendors;
    software could not be reviewed in time
  • Same vendor (Nedap NV) made some of its online
    e-voting software available as open source
  • Won't compile and run
  • What else?

26
Physical security
  • 1 of Fairfax County, Virginia's new WINvote
    touch-screen machines (Advanced Voting Solutions)
  • repaired outside the polling place
  • returned and put back into use
  • with broken or removed security seals
  • in apparent violation of state law

27
Distributed systems bandwidth issue
  • Again, Fairfax
  • About half of the vote totals (not the national
    election) couldn't be electronically transmitted
  • System flooded itself with messages
  • They had inadvertently designed in their own
    denial of service attack on the server
  • A number of machines apparently subtracted votes
    at random from the Republican school board
    candidate (Rita Thompson), resulting in a possible
    miscount of 1 to 2 percent of her votes, close
    to the margin by which she lost the election.

28
Warnings
  • Web site for Arlington County told poll workers
    what to do if
  • the voting machine freezes during boot-up
  • master unit does not pick up one of the units
    in the polling place when opening the polls
  • when closing, if tally fails to pick up a
    machine
  • Jeremy Epstein, an information-security expert,
    attended a pre-election training session
  • submitted a 3-page list of questions to Fairfax
    officials
  • then electoral board sec'y couldn't respond on
    the grounds that release of that information
    could jeopardize the security of that voting
    equipment
  • treat that as a requirement ...

29
Complexity is generally not understood
  • Here are the candidates, pick one
  • What other situations occur?
  • Anonymity is a potentially bigger problem
  • Requirements?

30
Complexity continued
  • Independent verifiability
  • California audits elections by requiring 1% of
    all paper ballots be manually recounted whether
    or not an election is contested
  • Requirements?
  • Focus on adding paper back into the process
  • Requirements re paper ballot?
  • California: newly purchased direct-recording must
    have accessible, voter-verified paper audit trail
  • retrofit required for existing ones by July 2006
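
The 1% manual recount described on this slide, sketched as an added example (not part of the original slides). The precinct data, the hash-ordered selection and the published seed are constructed assumptions for illustration.

```python
import hashlib

# Constructed sample: precinct -> (electronic tally, hand count of paper ballots).
PRECINCTS = {
    "P01": ({"A": 700, "B": 500}, {"A": 700, "B": 500}),
    "P02": ({"A": 410, "B": 390}, {"A": 410, "B": 390}),
    "P03": ({"A": 620, "B": 380}, {"A": 600, "B": 400}),  # machine and paper disagree
    "P04": ({"A": 150, "B": 350}, {"A": 150, "B": 350}),
}


def ballots(precinct):
    """Ballots reported by the machines in a precinct."""
    return sum(PRECINCTS[precinct][0].values())


def select_for_audit(seed, fraction=0.01):
    """Pick precincts in a seed-determined order until `fraction` of ballots is covered.

    Assumption: the seed is published after polls close, so anyone can
    reproduce the selection and nobody can predict it beforehand.
    """
    order = sorted(PRECINCTS, key=lambda p: hashlib.sha256((seed + p).encode()).digest())
    needed = fraction * sum(ballots(p) for p in PRECINCTS)
    chosen, covered = [], 0
    for precinct in order:
        if covered >= needed:
            break
        chosen.append(precinct)
        covered += ballots(precinct)
    return chosen


def audit(chosen):
    """Compare electronic and hand counts; return {precinct: {candidate: difference}}."""
    report = {}
    for precinct in chosen:
        electronic, paper = PRECINCTS[precinct]
        diff = {c: electronic.get(c, 0) - paper.get(c, 0)
                for c in set(electronic) | set(paper)}
        diff = {c: d for c, d in diff.items() if d != 0}
        if diff:
            report[precinct] = diff
    return report
```

A sample only finds discrepancies in the precincts it selects, so a mismatch like the one in P03 is caught only when P03 is drawn.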

31
Complexity summary
  • The vote
  • Complexity of selection possibilities
  • Count correctly
  • Robust hardware and software
  • Accurate LAN communication at polling place
  • Accurate WAN communication to central server, if
    used
  • ETC
  • how to verify electronic votes
  • how to test electronic voting hw and sw
  • how to maintain security and integrity

32
Without voter-verified paper audit trail
  • Certification process necessary
  • Compliance verification
  • Is the system in place, the one that was
    certified?
  • Current federal guidelines (2002) don't require
    digital signature to track software from
    certification to installation to end of voting
    day
  • IEEE Standards Association formed a working group
    on voting standards
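
The compliance check this slide asks about (is the installed system the one that was certified?), sketched as an added example that is not part of the original slides. File names, contents and the key are constructed; HMAC stands in for a real digital signature because the Python standard library has no asymmetric signing.

```python
import hashlib
import hmac
import json

# Assumption: HMAC with a key held by the certifying lab stands in for a real
# digital signature (for example Ed25519), which the standard library lacks.
LAB_KEY = b"constructed-demo-key"

# Constructed sample: file name -> contents of the build that was certified.
CERTIFIED = {"ballot_ui.bin": b"ui build 1.0", "tally.bin": b"tally build 1.0"}


def digests(files):
    """Map each file name to the SHA-256 hex digest of its contents."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def tag_for(manifest, key):
    """Authenticate the manifest over a deterministic JSON encoding."""
    encoded = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, encoded, hashlib.sha256).hexdigest()


def certify(files, key=LAB_KEY):
    """Certification step: record digests and tag the manifest."""
    manifest = digests(files)
    return manifest, tag_for(manifest, key)


def check(files, manifest, tag, key=LAB_KEY):
    """Return findings for one checkpoint; an empty list means a match."""
    if not hmac.compare_digest(tag_for(manifest, key), tag):
        return ["manifest tag invalid"]
    actual = digests(files)
    findings = []
    for name in sorted(set(manifest) | set(actual)):
        if name not in actual:
            findings.append("missing: " + name)
        elif name not in manifest:
            findings.append("uncertified: " + name)
        elif actual[name] != manifest[name]:
            findings.append("modified: " + name)
    return findings


if __name__ == "__main__":
    manifest, tag = certify(CERTIFIED)
    at_close = {**CERTIFIED, "tally.bin": b"tally build 1.1", "modem_drv.bin": b"x"}
    print("installation:", check(dict(CERTIFIED), manifest, tag))
    print("end of voting day:", check(at_close, manifest, tag))
```

Running the same check at installation and again at the end of voting day covers the span from certification to close of polls that the slide names.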

33
Design question
  • Is it possible to provide sufficient auditability
    without paper
  • Consider electronic funds transactions
  • Encryption techniques
  • David Chaum, cryptographer
  • Lets election officials post electronic ballots
    to the internet
  • Voters can check that their votes were included
    in the election tally
  • Still needs paper but his electronic tallies are
    as reliable as a count of paper ballots
  • Still provides voter anonymity
  • Great, right?

34
Suppose all cryptography issues settled ...
  • If all mathematical problems are solved, what
    remains?
  • Voting is a complicated social phenomenon and the
    solution must be perceived socially to be a
    solution.
  • Machines need to be physically secure before,
    during, after
  • Workers well trained, able to deal with
    technological problems that can occur

35
Articles conclusion
  • At the trailhead of electronic voting systems
  • Election officials underestimated the problems
    of deploying the technology.
  • Computer scientists underestimated the
    long-standing difficulties of conducting
    traditional all-paper ballots.
  • Election officials now seem to be coming to
    understand the merits and demerits of electronic
    voting systems.
  • The current debate over electronic voting
    systems has certainly raised the bar for election
    equipment.
  • And every year, we get a chance to do better.

37
Chaum's approach
38
Distributed System Issues?
In addition to the security issues you listed,
what distributed system issues do we have to
address to have an acceptable system?