The State of US Voting System Security - Joshua Franklin

Post on 01-Apr-2018


The State of US Voting System Security
DEFCON Voting Machine Hacking Village
July 2017

Joshua M Franklin
National Institute of Standards and Technology

Election Fraud Types - 1934

• Altering ballots
• Ballot substitution
• False counts and returns
• Altering returns
• Registration fraud
• Repeating
• Ballot box stuffing
• Assistance to voters
• Intimidation & violence

[1] Joseph Harris, 1934


Bio

• IT Security Engineer, NIST
• Enterprise mobility, telecommunications, evoting
• 10+ years in the elections community
• Co-chair the Election Cybersecurity Working Group
• Masters in Information Security from George Mason


Get to Know an Agency

• Federal:
  • Election Assistance Commission (EAC)
  • NIST, DHS, and FBI
• State: Secretary of State’s office
• Local: counties, cities, townships, parishes, hamlets


Types of Voting Systems

• Vote capture & tabulation
  • DREs, central & precinct optical scan, ballot marking device
  • Software associated with election administration
• Supporting election systems
  • Voter registration, epollbooks, election night reporting
  • Candidate filing, poll worker tracking, ballot tracking…


A Changing Threat Model

Old & Busted
• Physically proximate attackers
• Accidental events
• Natural disasters
• Events affecting public confidence and trust

New Hotness
• Nation state attackers
• Phishing
• Supporting election systems
• Everything in the old threat model, plus CYBER


Security Architecture

• Embedded legacy system
  • Typically running *nix variant
• Older or proprietary physical media
• Working TCP/IP stack is common
• Wireless is possible
• Required to stand the test of time (10-15 years)
• Jurisdiction that can pay MAY receive 1-5 updates


Independent Reviews

Privilege Management – 3%

Common CWEs
• CWE-306: Missing Authentication for Critical Function
• CWE-120: Classic buffer overflow
• CWE-522: Insufficiently Protected Credentials
• CWE-345: Insufficient Verification of Data Authenticity
• CWE-311: Missing encryption of sensitive data

[10] – [27]


Innovations in Voting Security

• Risk Limiting Audits [8]
• Software Independence [6]
• E2E verifiable cryptographic protocols [9]
• Recognition of usability as a security issue


Paper is not a Panacea

• Paper ballots provide tamper detection and enable auditability
• Paper can be modified
• Seals and chain of custody need verification
• Routine audits need to be performed
• Cyber hygiene


Testing & Certification

• EAC runs a testing and certification program
• Most states do as well
• Voting system test labs (VSTLs) perform testing
• States are not required to use certified systems
• Testing validates voting machines submitted for certification meet the VVSG
• Freely available test reports! www.eac.gov


Certification Process

Vendor Application
Kickoff
Test Plan
Testing
Test Report
Certification Decision
Monitor Field Performance

Illustrates best case testing scenario


Voting Standards

• Voluntary Voting System Guidelines = VVSG [2]
• Scoped to vote capture and tabulation
• Not mandated for use
• Little security focus in initial drafts
• Large overhaul in security requirements since 2005


VVSG Updates

1. 1990 VSS
2. 2002 VSS
3. 2005 VVSG
4. 2007 Recommendations
5. 2015 VVSG
6. Principles & Guidelines under development


New Proposed Structure

• Principles
  • High level system design goals
• Guidelines
  • Broad system design details for election officials
• Requirements
  • Technical details for design and development by vendors
• Test Assertions
  • Technical specification for testing by labs


Security Principles & Guidelines

• Data Protection
• Software Integrity
• Physical Security
• Auditability
• Ballot Secrecy
• Access Control
• Detection and Monitoring

[3] NIST & EAC Voting Twiki


apt-get upgrade

• Routine meaningful audits
• Responsible vulnerability disclosure
• Augment how we manage election security
  • Risk assessment, threat modeling, and contingency planning
• Regular, external scrutiny of systems is essential
• Voting systems need software updates
• Election officials need actionable guidance


Help Make a Difference

• Register to vote
• Be a poll worker
• Work with your election official – not against
• Join the public working groups


References

1. Election Administration in the United States, 1934, by Joseph P. Harris. https://www.nist.gov/itl/election-administration-united-states-1934-joseph-p-harris-phd
2. EAC, Voluntary Voting System Guidelines, 2017. https://www.eac.gov/voting-equipment/voluntary-voting-system-guidelines
3. NIST & EAC Security Principles & Guidelines, 2017. http://collaborate.nist.gov/voting/bin/view/Voting/SecurityObjectives
4. Office of the Director of National Intelligence, Assessing Russian Activities and Intentions in Recent US elections, ICA 2017-01D, 2017. https://www.dni.gov/files/documents/ICA_2017_01.pdf
5. ACM, Statewide Databases of Registered Voters - Study Of Accuracy, Privacy, Usability, Security, and Reliability Issues, 2006. http://usacm.acm.org/images/documents/vrd_report2.pdf
6. Rivest, Wack, On the Notion of Software-Independence, 2008. https://people.csail.mit.edu/rivest/RivestWack-OnTheNotionOfSoftwareIndependenceInVotingSystems.pdf
7. Jones, Simons, Broken Ballots, 2012. http://brokenballots.com
8. Stark, A Gentle Introduction to Risk Limiting Audits, 2012. https://www.stat.berkeley.edu/~stark/Preprints/gentle12.pdf
9. Benaloh et al, End-to-end verifiability, 2015. https://arxiv.org/pdf/1504.03778.pdf


References

10. SAIC - Risk Assessment Report Diebold AccuVote-TS Voting System and Processes, 2003
11. Analysis of an Electronic Voting System, 2004
12. RABA - Trusted Agent Report Diebold AccuVote-TS Voting System, 2004
13. Security Analysis of the Diebold AccuBasic Interpreter, 2006
14. Security Analysis of the Diebold AccuVote-TS Voting Machine, 2006
15. Diebold TSx Evaluation, 2006
16. Top to Bottom Review (TTBR), 2007
17. EVEREST: Evaluation and Validation of Election-Related Equipment, Standards and Testing, 2007
18. Software Review and Security Analysis of the Diebold Voting Machine Software, 2007
19. Software Review and Security Analysis of the ES&S iVotronic 8.0.1.2 Voting Machine Firmware, 2007
20. Insecurities and Inaccuracies of the Sequoia AVC Advantage 9.00H DRE Voting Machine, 2008
21. Software Review and Security Analysis of Scytl Remote Voting Software, 2008
22. Can DREs Provide Long-Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage, 2009
23. Security Analysis of India’s Electronic Voting Machines, 2010
24. Exploiting the Client Vulnerabilities in Internet E-voting Systems: Hacking Helios 2.0 as an Example, 2010
25. Maryland State Board of Elections Online Voter Services Penetration Testing Report, 2012
26. Attacking the Washington, D.C. Internet Voting System, 2012
27. Security Analysis of the Estonian Internet Voting System, 2014
