Vote Selling, Voter Anonymity, and Forensic Logging of Electronic Voting Machines

Similar documents
Making Forensic Attack Event/forensic Analysis as Simple as Possible and No Simpler

Computer Forensics In Forensis

Toward Models for Forensic Analysis

Election System and Software

GUIDANCE ON ELECTRONIC VOTING SYSTEM PREPARATION AND SECURITY

Course 832 EC-Council Computer Hacking Forensic Investigator (CHFI)

Computer Security Fall 2006 Joseph/Tygar MT 3 Solutions

Digital Forensics at a University. Calvin Weeks Director, Oklahoma Digital Forensics Lab University of Oklahoma

The Unity v4 Voting System and Unity Voting System are comprised of previously VSTL tested components and state certified components.

Digital Forensics Lecture 01- Disk Forensics

Forensic Analysis through Goal-Oriented Logging

Ten Security Tips for SQL Server. Andy Warren

California Secretary of State Consultant s Report on:

CIS 551 / TCOM 401 Computer and Network Security. Spring 2008 Lecture 21

Computer Security Fall 2006 Joseph/Tygar Midterm 3

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Security seminar topics Aleksei Gorny

From the Lab to the Boardroom; Forensics goes mainstream

CS Review. Prof. Clarkson Spring 2016

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

Sample Defense in Depth White Paper

Risks of Computers: What do we Do? Steven M. Bellovin April 15,

Voting System Security as per the VVSG

Election Night Reporting Quick Start Guide

DISTRIBUTED DATABASE MODEL FOR MOBILE E-POLLING SYSTEM

FairWarning Mapping to PCI DSS 3.0, Requirement 10

Risks of Computers: Voting Machines. Steven M. Bellovin February 10,

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

Overview. Handling Security Incidents. Attack Terms and Concepts. Types of Attacks

Vulnerability & Security Assessment Report Election Systems &Software s Unity

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

BIG DATA ANALYTICS IN FORENSIC AUDIT. Presented in Mombasa. Uphold public interest

Supercharge Your SIEM: How Domain Intelligence Enhances Situational Awareness

5 REASONS YOUR BUSINESS NEEDS NETWORK MONITORING

Transparent Open Secure e- Voting using OASIS EML Exploring the Paradox. Introduction

- This presentation courtesy of Black Box Voting - Election Integrity

OFFICE OF THE PROSECUTING ATTORNEY DANIEL R. LUTZ 215 N. GRANT STREET WOOSTER, OHIO BAD CHECK PACKET

Taming the Data Breach Beast... because we all know it will happen. John Tomaszewski Seyfarth Shaw January 2015

Demonstrating Compliance in the Financial Services Industry with Veriato

Demonstrating HIPAA Compliance

Internal Audit Report DATA CENTER LOGICAL SECURITY

VoteBox: a verifiable, tamper-evident electronic voting system

Vote HOA Now Software Manual Updated 1/2/2018 Table of Contents

this security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities

Distributed-Application Security

COMPUTER HACKING FORENSIC INVESTIGATOR (CHFI) V9

McCormick 2016 Statewide Runoff Audit Report

Berkeley 2017 State House Dist 99 General Audit Report

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

Usable Privacy and Security Introduction to HCI Methods January 19, 2006 Jason Hong Notes By: Kami Vaniea

Instructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.

DIS10.3:CYBER FORENSICS AND INVESTIGATION

Incident Response. Is Your CSIRT Program Ready for the 21 st Century?

COMPUTER FORENSICS (CFRS)

ISPE Annual Meeting 8 11 November 2015 Philadelphia, PA. Forensic Auditing for Data Integrity. Rebecca A. Brewer Quality Executive Partners

Tracking and Reporting

Intrusion Detection Systems

User-Centered Design Data Entry

New York State Board of Elections Voting System Verification Testing

The Mail Must Go Through: USPS & California Elections CACEO SA CRAMENTO, CA DECEMBER 15, 2016

Logging and Log Management

Unit code: D/601/1939 QCF Level 5: BTEC Higher National Credit value: 15

Security Incident Investigation

EXPERT WITNESS: Completion of a perfect circle

Introduction to Cryptoeconomics

Failure models. Byzantine Fault Tolerance. What can go wrong? Paxos is fail-stop tolerant. BFT model. BFT replication 5/25/18

Design your network to aid forensics investigation

SO OS Secure Online Voting System

Remote Poll-Site Voting

Incident response in the energy

Management Information Systems. B15. Managing Information Resources and IT Security

Auditing in an Automated Environment: Appendix B: Application Controls

Security of Information Technology Resources IT-12

Security and Compliance Powered by the Cloud. Ben Friedman / Strategic Accounts Director /

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

CTF Workshop. Crim Synopsys, Inc. 1

CS Review. Prof. Clarkson Spring 2017

A Case for Host-based Information Security

TEL2813/IS2820 Security Management

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Data Breach Preparedness & Response

Data Breach Preparedness & Response. April 16, 2015 Daniel Nelson, C EH, CIPP/US Lucas Amodio, C EH

T11: Incident Response Clinic Kieran Norton, Deloitte & Touche

Cyber Security Audit & Roadmap Business Process and

ECCouncil v9. ECCouncil Computer Hacking Forensic Investigator (V9)

Ed Ferrara, MSIA, CISSP

MFP: The Mobile Forensic Platform

Vendor Fraud. Goals of Presentation. Detection and Investigation

THE EVOLUTION OF SIEM

Risks of Computers: Voting Machines. Steven M. Bellovin February 11,

The Convergence of Security and Compliance

Data Integrity and Worldwide Regulatory Guidance

Guide to Computer Forensics. Third Edition. Chapter 11 Chapter 11 Network Forensics

Part 5. Verification and Validation

Advanced Systems Security: Multics

Welcome to my presentation: Message Denial and Alteration on IEEE Low- Power Radio Networks.

Doing Analysis Carnegie Mellon University

Digital Forensics Lecture 5. DF Analysis Techniques

Incident Response Data Acquisition Guidelines for Investigation Purposes 1

Managed. Code Rootkits. Hooking. into Runtime. Environments. Erez Metula ELSEVIER. Syngress is an imprint of Elsevier SYNGRESS

Transcription:

Vote Selling, Voter Anonymity, and Forensic Logging of Electronic Voting Machines Sean Peisert Matt Bishop Alec Yasinsac given at HICSS 09 Waikoloa, HI January 7, 2009 1

Meltdowns in Elections Most have been with regard to paper ballots, and not e- voting machines so far. A few high-profile problems (Sarasota Cnty., FL, 2007). Reasons to be concerned (possible vote-dropping in 34 states, 2008). Maybe more meltdowns we don t know about because the data is simply absent. This is bad: intent of voters must be inviolate. 2 2

E-Voting Machine Investigations Most investigations have been of software or machines, not election results: California Top-to-Bottom Review (2007) Florida ES&S ivotronic study (2007) Ohio EVEREST (2008) Operation BRAVO (2008) 3 3

What happens when something goes wrong with an election? 4 4

Post Mortem Procedures Collect evidence Machines, printers, memory cards VVPAT (if they exist) System logs (if they exist) Precincts voting registers Look for discrepancies Determine potential causes of discrepancies 5 5

VVPATs are not audit trails (Yasinsac & Bishop, HICSS 08) If a VVPAT shows an undervote: could be malfunction could be voter choice If a VVPAT shows an over-vote: probably malfunction, but where? If a VVPAT shows an equal balance: implies that any problem did not involve dropping or adding votes (but could simply be mis-recording votes) 6 6

What is Forensic Analysis? Forensic analysis is the process of answering the questions: How did an event take place? What was the nature of the event? What were the effects of the event? Forensic analysis applies to arbitrary events. This can include attacks, but is not limited to attacks (e.g., mistakes). 7 7

When We Need Forensics & Audit Logs Computer forensics in courts Compliance (HIPAA, SOx) Human resources cases Recovering from an attack (including insiders) Debugging or verifying correct results (e.g., electronic voting machines) Performance analysis Accounting 8 8

Forensic logging has been an essential element of validating security since at least 1980. Why isn t it done on e-voting machines? No real logging/auditing standards. No real consistent machine standards. No real legal guidance. In forensic auditing, accountability and traceability are key. That's exactly what cannot be done with voters. 9 9

Principles of Auditing Electronic Voting Machines Need to be able to count ballots Need to be able to determine if and how a machine failed. Cannot allow a voter to indicate to an auditor who they are (vote selling) Cannot allow an auditor to determine who a voter is (voter coercion) This leads to a direct conflict. So how do we balance this? Add (benign) noise Enforce (benign) regularity Split data 10 10

Example of Conflict Voter: George, Auditor: John Scenario: George wants to sell his vote. John will pay for votes for Thomas. Forensic Audit Trail (FAT) records touches. John tells George to select James/Andrew/ James/Thomas to identify himself in a FAT. This is a covert channel. 11 11

Example of Adding Noise If someone touches the screen in x > ε places, can we assume communication, and add y additional touches without removing important information? If someone touches the screen in x < ε places, we might suspect a mis-calibrated screen and/or undervotes. 12 12

Example of Enforcing Regularity If a voter casts a write-in vote, correct the spelling, capitalization, etc.., to the registered version. If a voter votes on initiatives in reverse order, have the logs reflect a forward order. 13 13

Example of Splitting Data If personally identifiable and/or data communicating a possible covert channel can be split from voting data, then two or more independent analysts can audit the data. E.g., separate ballot selections and transform multiple touches so that exact locations do not correspond to ballot 14 14

Audit trails are... It is is not well understood what forensic data is necessary, and there is no general solution to find that data. Data is often redundant, missing, vague, or misleading. Forensic analysis is worthless with bad data. We re wasting time, drawing bad conclusions, and making bad decisions. We need better data. A systematic approach to forensic logging gives better data and better analysis. 15 15

Erroneous and Missing Data The problem isn t just erroneous data... we don t know have enough good data to identify/outvote the erroneous data we don t know the assumptions, and so even accurate data may lead to erroneous conclusions assumptions and accuracy need to be part of the model The problem isn t just missing data... we don t know what s missing we don t know what attacks we can t analyze without more/ different/better data we don t know what attacks we can analyze with current data 16 16

What are the assumptions for e-voting and current forensic tools? Often that there s only one person who had access to the machine (what about sleepovers?). Often that the owner of the machine was in complete control (as opposed to malware or third-party virus scanners). Probably a lot of other assumptions that we have no clue about... 17 17

Current State of Forensic Tools Decent tools, but what problem do they solve? file & filesystem analysis (Coroner s Toolkit, Sleuth Kit, EnCase, FTK) syslog, tcpwrappers, Windows event logs BSM process accounting logs IDS logs packet sniffing 18 18

A Systematic Approach is Better Given system S, that records data D, what intrusions I D can we understand with the data we have? Given intrusions I, what additional data DI do we need to record to analyze those intrusions? Given an arbitrary system defined by certain specifications, what information must be logged to detect violations of those specifications? 19 19

Laocoön Laocoön: A Model of Forensic Logging Attack graphs of goals. Goals can be attacker goals (i.e., targets ) or defender goals (i.e., security policies ) Predicates represented by pre-conditions & post-conditions of events to accomplish goals. Method of translating those conditions into logging requirements. Logs are in a standardized and parseable format. Logged data can be at arbitrary levels of granularity. 20 20

Applying Security Policies Applying Laocoön to security policies guides where to place instrumentation and what to log. The logged data needs to be correlated with a unique path identifier. Branches of a graph unrelated to the attack can be automatically pruned. Defining policies and instrumenting systems can be hard on general-purpose computer systems. 21 21

Laocoön & E-Voting Good news: Many violations of security policy on e- voting are easy to define precisely (e.g., changing or discarding cast votes) Machines have (theoretically or ideally) limited modes of operation. 22 22

Possible Log Data Network traffic Insertion of new software Replacement of existing software System and library calls 23 23

Procedural Elements What about methods of bypassing the logging system? How tamperproof are logs? What about denial-of-service? What about human error? What about DREs vs. optical scanners? 24 24

Start with E-Voting Requirements Laws and requirements become security policies Security policies define attack graphs Attack graphs start with ultimate goals Attack graphs are translated into detailed specifications and implementations to guide logging Forensic data is used by an analyst. 25 25

Laocoön & Over-Voting Over-voting occurs when more candidates are selected than allowed in a given race. At some point, the value of a bit changes. What are the paths to that event? Start with the entry to the system (e.g., touchscreen, supervisor screen, HW manipulation). End at the data. This places bounds on the intermediate steps. Monitor those paths. 26 26

Summary and Status We need a means of verifying that votes have been recorded and tallied correctly. Forensics is an obvious solution. Current methods of forensic logging on e-voting machines is insufficient. VVPATs are insufficient. Detailed, systematic FAT is needed. FAT needs to be sanitized without removing important data. Some methods include adding noise, enforcing regularity, and splitting the data. 27 27

Going Forward Analyze covert channels and varying methods of sanitization on a specific machine Analyze means of integrating sanitization into e-voting system code base. Validation experiments (probably red teaming) 28 28

Thank you Questions? Sean Peisert peisert@cs.ucdavis.edu http://www.cs.ucdavis.edu/~peisert/ 29 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback