EE515/IS523 Think Like an AdversaryLecture 8

Usability/Software Failures

Yongdae Kim

Why Johnny Can’t Encrypt

- A Usability Evaluation of PGP 5.0-

Alma Whitten and J.D. TygarUsenix Sec’99

Presented by Yongdae Kim

Some of the Slides borrowed from Jeremy Hyland

Defining Usable Security Software

Security software is usable if the people who are expected to use it:are reliably made aware of the security tasks they need to perform.

are able to figure out how to successfully perform those tasks

don't make dangerous errorsare sufficiently comfortable with the interface to continue using it.

Why is usable security hard?

1. The unmotivated users“Security is usually a secondary goal”

2. Policy AbstractionProgrammers understand the representation but normal users have no background knowledge.

3. The lack of feedbackWe can’t predict every situation.

4. The proverbial “barn door”Need to focus on error prevention.

5. The weakest linkAttacker only needs to find one vulnerability

Why Johnny can’t encrypt?PGP 5.0

Pretty Good PrivacySoftware for encrypting and signing dataPlug-in provides “easy” use with email clientsModern GUI, well designed by most standards

Usability Evaluation following their definition

If an average user of email feels the need for privacy and authentication, and acquires PGP with that purpose in mind, will PGP's current design allow that person to realize what needs to be done, figure out how to do it, and avoid dangerous errors, without becoming so frustrated that he or she decides to give up on using PGP after all?

Usability Evaluation Methods

Cognitive walk throughMentally step through the software as if we were a new user. Attempt to identify the usability pitfalls.

Focus on interface learnablity.

Results

Cognitive Walk Through Results

Irreversible actions Need to prevent costly errors

Consistency Status message: “Encoding”?!?

Too much information More unneeded confusion Show the basic information, make more advanced information available only when needed.

User TestUser Test

PGP 5.0 with Eudora12 participants all with at least some college and none with advanced knowledge of encryption

Participants were given a scenario with tasks to complete within 90 min

Tasks built on each otherParticipants could ask some questions through email

User Test Results 3 users accidentally sent the message in clear text

7 users used their public key to encrypt and only 2 of the 7 figured out how to correct the problem

Only 2 users were able to decrypt without problems

Only 1 user figured out how to deal with RSA keys correctly.

A total of 3 users were able to successfully complete the basic process of sending and receiving encrypted emails.

One user was not able to encrypt at all

Conclusion Reminder

If an average user of email feels the need for privacy and authentication, and acquires PGP with that purpose in mind, will PGP's current design allow that person to realize what needs to be done, figure out how to do it, and avoid dangerous errors, without becoming so frustrated that he or she decides to give up on using PGP after all?

Is this a failure in the design of the PGP 5.0 interface or is it a function of the problem of traditional usable design vs. design for usable secure systems?

What other issues? What kind of similar security issues? What do we learn from this paper?

Analysis of an Electronic Voting System

TADAYOSHI KOHNO ADAM STUBBLEFIELD† AVIEL D. RUBIN‡DAN S. WALLACH§

February 27, 2004

Presented by: Aldo Villanueva

OutlinePalm Beach FiascoIntroducing DREHistory of DieboldVulnerabilities of Diebold DRESummary

12

Palm Beach Ballot Fiasco

13

Palm Beach Ballot Fiasco

14

Eliminate paper ballots from the voting process.

Process:The voter arrives to the voting place and prove he’s allowed to vote there.

He gets a token (PIN or smartcard).Enters the token in the voting terminal and votes for its candidate.

DRE System presents the voter’s election and gives a final chance to make changes.

DRE “Direct Recording Electronic”

History

•1995: I-Mark Systems

•1997: Global Election Systems acquired I-Mark

•2002: Diebold acquired GES and change the name to Diebold Election System

•2006: Diebold removed its name from the voting machines for “strategic” reasons

•2007: Diebold changed its name to "Premier Election Solutions"

The source code for

Diebold’s AccuVote-TS DRE voting system was analyzed.

There were several vulnerabilities found.

Analysis of the Diebold’s AccuVote-TS

DRE voting system

The smartcards used in the voting process are very easy to fake since they don’t perform any cryptographic operations.

Attacker could:Cast multiple votesEnd the elections early

Vulnerability No. 1: Smartcards

System configuration : impersonating any other voting terminal.

Ballot definitions: changing the order of the candidates only in the interface

Election results: modifying the voting records file stored on the device

Vulnerability No. 2: Tampering

Voting terminals are configured to upload voting totals to a system after an election.

An adversary able to pose as a legitimate voting terminal to the tabulating authority could report false vote counts.

Vulnerability No. 3: Impersonating

legitimate voting terminals

If an attacker with access to the source code learns the key, he can read and modify voting and auditing records.

In the Diebold system, from the CVS logs, we see this particular key has been used without change since December 1998.

Vulnerability No. 4: Key management

Each vote is written sequentially to the file recording the votes.

It’s easy for the attacker (poll worker) to access the voting records, to link voters with their votes.

Vulnerability No. 5: Linking voters to their

votes

The whole audit log is encrypted using an insecure method.

At the time that the logging occurs, the log can also be printed to an attached printer.

An attacker could create discrepancies between the printed log and the log stored on the terminal by unplugging the printer (or, by simply cutting the cable).

Vulnerability No. 6: Audit logs

An attacker can delay the start of an election:DoS attack against the election management’s server preventing the voting terminals from acquiring their ballot definition in time.

Poor software engineering:Uses C++No documentation Top-to-bottom code review would be nearly impossible.

Other vulnerabilities

Significant security flaws:  

Voters can trivially cast multiple ballots Administrative functions can be performed by regular voters

Threats posed by insiders such as poll workers, software developers, etc.

Summary

SECURITY ANALYSIS OF THE DIEBOLD ACCUVOTE –

TS VOTING MACHINEAriel J. FeldmanJ. Alex HaldermanEdward W. Felten

September 13, 2006

Presented by: Jiseong Noh

OutlineOverview of Diebold AccuVote-TS Voting Machine

Design PointsBoot ProcessesVulnerability PointsAttack ScenariosMitigation of the vulnerabilitiesConclusion

28

(*)http://www.electiondataservices.com/images/File/NR_VoteEquip_Nov-2008wAppendix2.pdf)

Diebold AccuVote-TS Manufactured by Diebold Election Systems

Sold to Election Systems & Software in 2009

DRE – Direct Recording Electronic Voting Machine Voters use machine to cast vote Machine is used to record the votes (*) 32% of the USA registered voters used DRE in 2008

About 16 Million voters used Accuvote-TS in 2010

Custom election software runs on top of Windows CE

29

Design Points

30

Touch Screen

SmartCard

Reader

Audio jack

RemovableFlash

PrinterOn-board

FlashEPROM

RAMProcessor

Open to Public Key Access Inside Box

http://web.cecs.pdx.edu/~hook/cs491sp08/AccessControlSp08.pdf

Serialport

Design Points

31

Similar to a general-purpose hand-held PCA CPU, 32MB RAM, 16MB internal flash storageTouchscreen LCD displayTwo PC card slots – one for memory card, other for modem card

OS uses a customized softwareAutomatically runs Voting ProgramSearches for special files in memory card to administer or update the system

Searches for script files with user confirmation

(CPU) (RAM)

(Flash)

Boot Process

32

Boot loader loads itself into RAM Boot Location determined by jumpers on the board Onboard Flash Memory (default) EPROM Ext Flash slot

Boot loader looks for special file names fboot.nb0: replacement boot loader nk.bin: replacement of operating system EraseFFX.bsq: erases file system on-board flash

*** Does not verify file authenticity!

Boot Process

33

Windows CE image loads and start

Customized task managerAutomatically runs Voting programIf memory card is present and contains explorer.glb Runs windows explorer instead of voting program

runs script files (. with user confirmation

Vulnerability Points (H/W)

Lightweight Lock: easily picked up without a key

34

Easy Access to Memory Card

Vulnerability Points (H/W)

EPROM(E): Replace EPROM with malware

PC Card Slot(S): Used to replace existing software with malware using Memory Card

Serial Keypad Connector(O): open communication port

Infrared Port(N): open communication port

35

Vulnerability Points (S/W)

Authenticity problem Never checks to validate the authenticity of files on the memory card on booting or updating software

Buffer Overflow malformed script files could bypass the confirmation

36

http://www.cyberdin.com/images/stories/pict5.jpg

Attack Types

37

• Stealing Votes• Malicious processes runs in parallel with voting program

• Change votes for a favored candidate

• Total count of votes does not change

• Denial-of-Service• Destroys all records of the election

• Makes the voting machine inoperable

Delivery of Malicious Code

38

EPROM Attack code is placed on an EPROM chip Attacker replaces the EPROM chip and changes the jumper settings to boot from EPROM

Memory card on PC Card Slot Attack code is placed on the memory card Memory card is inserted before voting machine booted

Malicious boot loader containing virus is installed on the machine

The machine is now infected

Delivery of Malicious Code

39

Memory card on PC Card Slot (continue)

Mitigation of Vulnerabilities

40

Modifications to DRE Software and Hardware

Digitally sign all software updates Verify the signature of software updates before installing them

Ask user confirmation of any software updates Use specialized hardware to maintain tamper-proof logs

Physical Access Controls Sealing the machine and memory card with tamper-evident seals

SummaryDREs are like desktop PC, in the security point of view

Diebold AccuVote-TS has many serious vulnerabilitiesWeak physical securityRuns on general-purpose H/W and OSNo way to check if an attack occurredVirus attack possible – no need for distributed attack

DREs have their advantages; however, they should overcome these problems to make reliable votes

41

Papers which criticize DRE, particularly Diebold Systems

2003: Analysis of an Electronic Voting System

2004: Trusted Agent Report Diebold AccuVote-TS Voting System

2006: Security Analysis Of The Diebold AccuVote - TS Voting Machine

Bad Reputation Changed the name multiple times

May 19, 2010 Dominion Voting Systems acquired Premier Elections Solutions.

Bankruptcy of Diebold

Voting equipment vendors say closed-source nature of the systems makes them more secure.

Authors think that an open process would result better.

The best solution will be a computerized voting system with ballot paper.

Conclusions