CS 591: Introduction to Computer Security Lecture 2: Voting Machine Study Access Control James Hook 11/7/2015 8:02 AM.
Download ReportTranscript CS 591: Introduction to Computer Security Lecture 2: Voting Machine Study Access Control James Hook 11/7/2015 8:02 AM.
CS 591: Introduction to
Computer Security
Lecture 2:
Voting Machine Study
Access Control
James Hook
11/7/2015 8:02 AM
Instructor Notes
• In Fall 2010 I combined the content
from lecture 2 with an introduction to
BLP from lecture 4
• This slide deck is spliced together
without editing; it contains the slides I
discussed in lecture.
11/7/2015 8:02 AM
Objectives:
• Review/Discuss Analysis of Diebold
machine
• Introduce Access Control
11/7/2015 8:02 AM
Discussion
• Thompson, Can You Coun on Voting
Machines?, NY Times, January, 2008
– Reaction?
– Conflicts of interest in design and deployment?
– Conflicts of interest in Testing? How
independent?
– Role of the vendor in operations?
– How to prove the presence of a transient bug?
The absence?
11/7/2015 8:02 AM
Discussion
• If we can make a good ATM why is it
hard to make a good voting machine?
• “You have to be able to convince the
loser they lost” … “Not only must the
losing candidate believe in the loss; the
public has to believe in it, too.”
11/7/2015 8:02 AM
Discussion
• Feldman, Halderman, and Felten,
Security Analysis of the Diebold
AccuVote-TS Voting Machine,
September 2006
– Reaction to the paper?
11/7/2015 8:02 AM
Discussion Questions
• What was the basic architecture of the
voting machine?
• How did FHF steal votes?
• What other attacks did FHF consider?
• How did the viral propagation
mechanism work?
11/7/2015 8:02 AM
Discussion Questions
• Is the analysis credible?
• Is the threat model credible?
• Is this representative of commercial
systems today?
• Did Diebold follow best practices?
• Are the FHF results reproducible?
• Did Felton’s lab follow a sound
methodology in analyzing the machine?
11/7/2015 8:02 AM
Discussion Questions
• Having read the analysis of the Diebold
machine, are you surprised that Sequoia used
a threat of law suit to prevent Felten’s lab
from analyzing their machine?
• Having seen this analysis of a fielded
commercial system, are you more or less
concerned about the discrepencies observed
in Union County elections?
11/7/2015 8:02 AM
Discussion Questions
• Do you like Oregon’s vote by mail
system?
• Are Appel’s comments on Minnesota
relevant to voting in Oregon?
11/7/2015 8:02 AM
Case Study
• We will use the FHF paper as a case
study
• As we encounter concepts we will
attempt to instantiate them in the
context of the voting machine domain
11/7/2015 8:02 AM
Voting Machine Architecture
Processor
Touch
Screen
Smart
Card
Reader
Open
11/7/2015 8:02 AM
Audio
jack
Removable
Flash
Printer
Key Access
On-board
Flash
RAM
EPROM
Inside Box
Boot Process
• Boot device specified by hardware jumpers (inside box)
– EPROM
– on-board flash (default)
– ext flash
• On Boot:
– Copy bootloader into RAM; init hardware
– Scan Removable flash for special files
• “fboot.nb0” => replace bootloader in on-board flash
• “nk.bin” => replace OS in on-board flash
• “EraseFFX.bsq” => erase file system on on-board flash
– If no special files uncompress OS image
– Jump to entry point of OS
11/7/2015 8:02 AM
Boot (continued)
• On OS start up:
– run Filesys.exe
• unpacks registry
• runs programs in HKEY_LOCAL_MACHINE\Init
–
–
–
–
shell.exe (debug shell)
device.exe (Device manager)
gwes.exe (graphics and event)
taskman.exe (Task Manager)
– Device.exe mounts file systems
• \ (root): RAM only
• \FFX: mount point for on-board flash
• \Storage Card: mount point for removable flash
11/7/2015 8:02 AM
Boot (continued)
• Customized taskman.exe
– Check removable flash
• explorer.glb => launch windows explorer
• *.ins => run proprietary scripts
– (script language has buffer overflow vulnerabilities)
– used to configure election data
• default => launch “BallotStation”
– \FFX\Bin\BallotStation.exe
11/7/2015 8:02 AM
BallotStation
• Four modes: pre-download, preelection testing, election, post-election
• Mode recorded in election results file
– \Storage Card\CurrentElection\election.brs
11/7/2015 8:02 AM
Stealing Votes
• Malicious processes runs in parallel with
BallotStation
• Polls election results file every 15
seconds
– If election mode and new results
– temporarily suspend Ballot Station
– steal votes
– resume Ballot Station
11/7/2015 8:02 AM
Viral propagation
• Malicious bootloader
– Infects host by replacing existing
bootloader in on-board flash
– subsequent bootloader updates print
appropriate messages but do nothing
• fboot.nb0
– package contains malicious boot loader
– and vote stealing software
11/7/2015 8:02 AM
Access Control Model
11/7/2015 8:02 AM
Objectives
• Introduce the concept of Access Control
• Relate mechanism to Confidentiality,
Integrity and Availability
11/7/2015 8:02 AM
Articulating Policy
• How do we articulate a security policy?
• How do we provide mechanisms to enforce
policy?
• Voting
– Different individuals in different roles
• Voter, Poll worker, …
– Different actions
• Vote, define ballot, start and stop election, …
– Logical and physical entities
• Ballot, stored tally, final tally, voting machine, removable
flash, on-board flash, …
11/7/2015 8:02 AM
Ad hoc policies
• Discus
– Only voters should vote
– Only poll workers should start and start
elections
11/7/2015 8:02 AM
Access Control Matrix Model
– Lampson ‘71, refined by Graham and Denning (‘71, ‘72)
– Concepts
– Objects, the protected entities, O
– Subjects, the active entities acting on the objects, S
– Rights, the controlled operations subjects can
perform on objects, R
– Access Control Matrix, A, maps Objects and
Subjects to sets of Rights
– State: (S, O, A)
11/7/2015 8:02 AM
Voting: Subjects, Objects, Rights
• Subjects: (Roles)
– Voter, Poll worker, …
• Rights: (Actions)
– Vote, define ballot, start and stop election, …
• Objects: (Logical and physical entities)
– Ballot, stored tally, final tally, voting machine,
removable flash, on-board flash, …
• Question: Is every voter a subject? Or is the
role of voter a subject? One-person-one-vote?
11/7/2015 8:02 AM
Exercise
• Sketch Access Control Matrix (ACM) for
Voting
Voter
Poll
Worker
…
11/7/2015 8:02 AM
Ballot Stored
Final Tally …
Tally
read increment
print
Questions
• What about modes?
– Once the election starts the ballot should
not change
– Voters should only vote when the election
is happening
11/7/2015 8:02 AM
Questions
• Levels of abstraction
– Some objects are physical, some are logical
– When considering the programming model
you now have processes and files (and
possibly modes of operation)
• Exercise:
– Sketch ACMs with processes as subjects
and files as objects for voting and postelection modes
11/7/2015 8:02 AM
Exercise
• Compare the ACMs for files and
processes with the original ACM
• Is every operation specified in the
original feasible in the refined ACMs?
• Is every feasible operation in the
refined ACMs allowed in the original?
11/7/2015 8:02 AM
Mechanisms
• Policy specifies abstract goals
• Mechanisms are concrete devices,
algorithms, or processes that assist in
implementing a policy
• For example, passwords are a
mechanism that can support an
authentication policy
– Mechanisms are not always perfect!
11/7/2015 8:02 AM
Access Control Mechanisms
• Most operating systems provide some
mechanisms for supporting access control
• Typically:
– Processes are associated with users (or user
identification numbers), which are the subjects
– Files are objects
– Rights are: read, write, append, execute, search,
...
11/7/2015 8:02 AM
Applying the Mechanism
• Can a generic Access Control mechanism help
make the Voting machine more trustworthy?
• What about modes?
– Mode is not part of typical AC mechanisms
– However rights can be changed
• A typical right is “own” which in discretionary access
control generally allows the subject to change rights
– Analysis of systems that actively change rights is
potentially difficult
11/7/2015 8:02 AM
Limitations on Mechanisms
• Simple mechanisms are preferred
• All computational mechanisms must be
decidable
• In general, useful mechanisms must be
computationally cheap
11/7/2015 8:02 AM
Access Control
• Is Access Control biased to
– Confidentiality
– Integrity
– Availability
• Exercise
– Develop scenarios in which a confidentiality
(integrity, availability) property is
expressed using an access control matrix
11/7/2015 8:02 AM
Model vs. Mechanism
• Earlier I presented the model of the AC
Matrix
• Does UNIX implement the full AC
Matrix?
– What key simplifications does UNIX adopt?
– Why?
• Is the full ACM mechanism a good idea?
– Is it a good model?
11/7/2015 8:02 AM
A Good Model
• ACM is a good model because any
mechanism of compatible granularity
can be described in terms of how it
approximates the ACM model
11/7/2015 8:02 AM
References:
• Bell retrospective
• Anderson Chapter 8 (first edition
Chapter 7)
• Bishop Chapter 5
11/7/2015 8:02 AM
Access Control Policies
• Discretionary Access Control (DAC)
– An individual user can set allow or deny access to
an object
• Mandatory Access Control (MAC)
– System mechanism controls access
– User cannot alter that access
• Originator Controlled Access Control (ORCON)
– Access control set by creator of information
– Owner (if different) can’t alter AC
• Like copyright
11/7/2015 8:02 AM
Background
• Clearance levels
– Top Secret
• In-depth background check; highly trusted individual
– Secret
• Routine background check; trusted individual
– For Official Use Only/Sensitive
• No background check, but limited distribution; minimally
trusted individuals
• May be exempt from disclosure
– Unclassified
• Unlimited distribution
• Untrusted individuals
11/7/2015 8:02 AM
Background
• Clearance levels are only half the story
– They give a level of trust of the subject
• The “need to know” policy provides an
orthogonal structure called compartmentalization
• A category (or compartment) is a designation
related to the “need to know” policy
• Examples:
– NUC: Nuclear
– EUR: Europe
– ASI: Asia
11/7/2015 8:02 AM
Categories and Coalitions
• Categories can be critical in complex
coalitions
• The US may have two allies that do not wish
to share information (perhaps Israel and
Saudi Arabia)
• Policy must support:
– Top Secret, Israel
– Top Secret, Saudi Arabia
– Top Secret, Israel and Saudi Arabia
• (probably very few people in this set)
11/7/2015 8:02 AM
Classification Systems
• Both notions of classification induce a
partial order
– TS is more trusted that S
– You can only see information if you are
cleared to access all categories that label it
• Mathematicians Bell and LaPadula
picked a lattice structure as a natural
model for security levels
11/7/2015 8:02 AM
Partially Ordered Set
• A Set S with relation (written (S, ) is
called a partially ordered set if is
– Anti-symmetric
• If a b and b a then a = b
– Reflexive
• For all a in S, a a
– Transitive
• For all a, b, c. a b and b c implies a c
11/7/2015 8:02 AM
Poset examples
• Natural numbers with less than (total
order)
• Sets under the subset relation (not a
total order)
• Natural numbers ordered by divisibility
11/7/2015 8:02 AM
Lattice
• Partially ordered set (S, ) and two operations:
– greatest lower bound (glb X)
• Greatest element less than all elements of set X
– least upper bound (lub X)
• Least element greater than all elements of set X
• Every lattice has
– bottom (glb L) a least element
– top (lub L) a greatest element
11/7/2015 8:02 AM
Lattice examples
• Natural numbers in an interval (0 .. n) with
less than
– Also the linear order of clearances
(U FOUO S TS)
• The powerset of a set of generators under
inclusion
– E.g. Powerset of security categories
{NUC, Crypto, ASI, EUR}
• The divisors of a natural number under
divisibility
11/7/2015 8:02 AM
New lattices from old
• The opposite of a lattice is a lattice
• The product of two lattices is a lattice
• The lattice of security classifications
used by Bishop is the product of the
lattice of clearances and the lattice of
sets generated from the categories
(compartments)
11/7/2015 8:02 AM
Mandatory Access Control
• In a MAC system all documents are
assigned labels by a set of rules
• Documents can only be relabeled under
defined special circumstances
• Violations of the policy are considered
very serious offenses (criminal or
treasonous acts)
11/7/2015 8:02 AM
Bell LaPadula Context
• Pre-Anderson report policy was not to
mix data of different classifications on a
single system
• Still a good idea if it meets your needs
• Anderson report identified “on-line
multi-level secure operation” as a goal
of computer security
11/7/2015 8:02 AM
From Paper to Computers
• How to apply MAC to computers?
• Documents are analogous to objects in
Lampson’s Access Control model
– Every object can be labeled with a classification
• Cleared personnel are analogous to subjects
– Every subject can be labeled with a clearance
• What about processes?
11/7/2015 8:02 AM
Note on subject labels
• A person is generally cleared “up to” a level
• Cross level communication requires that a
person be able to interact below their level of
clearance
• Subjects are given two labels:
– The maximum level
– The current level
• Current never exceeds maximum
• We will focus on static labelings
– A subject will not dynamically change their current
level
11/7/2015 8:02 AM
Bell LaPadula
• Task was to propose a theory of multilevel security
– supported by a mechanism implemented in
an Anderson-style reference monitor
– prevents unwanted information flow
11/7/2015 8:02 AM
BLP model
• Adapt Lampson ACM
• Characterize system as state machine
• Characterize key actions, such as file system
interaction, as transitions
– Classify actions as
• observation (reads)
• alteration (writes)
• [Aside: How to classify execute?]
• Show that only “safe states” are reachable
11/7/2015 8:02 AM
Simple Security
• The simple security property
– The current level of a subject dominates
the level of every object that it observes
• This property strongly analogous to
paper systems
• It is referred to by the slogan “no read
up”
11/7/2015 8:02 AM
Problem
11/7/2015 8:02 AM
Figure from Bell 2005
Problem
• Simple Security does not account for
alterations (writes)
• Another property is needed to
characterize alterations
11/7/2015 8:02 AM
* - Property
11/7/2015 8:02 AM
Figure from Bell 2005
*- Property
• In any state, if a subject has
simultaneous “observe” access to
object-1 and “alter” access to object-2,
then level (object-1) is dominated by
level (object-2).
– From BLP 1976, Unified Exposition
• Slogan: “No write down”
11/7/2015 8:02 AM
Discretionary
• In addition to the MAC mechanisms of
the simple security and *-properties,
the BLP model also has a discretionary
component
– All accesses must be allowed by both the
MAC and discretionary rules
11/7/2015 8:02 AM
BLP Basic Security Theorem
• If all transitions (consdiered
individually) satisfy
– simple security property
– * - property
– discretionary security property
• Then system security is preserved
inductively (that is, all states reached
from a “secure” state are “secure”)
11/7/2015 8:02 AM
Next Lecture
• Discussion
– Tibet
• NY Times article
http://www.nytimes.com/2009/03/29/technolog
y/29spy.html?emc=eta1
• Nagaraja and Anderson tech report
http://www.cl.cam.ac.uk/techreports/UCAM-CLTR-746.html
11/7/2015 8:02 AM