4/25/2015 6:17 PM Lecture 2: Voting Machine Study Access Control James Hook CS 591: Introduction to Computer Security.

Slides:



Advertisements
Similar presentations
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 14 Slide 1 Object-oriented Design 1.
Advertisements

Interactive lesson about operating system
Genesis: from raw hardware to processes System booting sequence: how does a machine come into life.
Analysis of an Electronic Voting System
1 J. Alex Halderman Security Failures in Electronic Voting Machines Ariel Feldman Alex Halderman Edward Felten Center for Information Technology Policy.
By Mary Anne Poatsy, Keith Mulbery, Eric Cameron, Jason Davidson, Rebecca Lawson, Linda Lau, Jerri Williams Chapter 9 Fine-Tuning the Database 1 Copyright.
6/12/2015 9:14 PM Lecture 2: Access Control James Hook CS 591: Introduction to Computer Security.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
Midterm Exam. Problem 1: Short Answer Access Control –Subject, object, rights Common Criteria –Government Assurance Standard Originator Controlled Access.
6/26/2015 6:12 PM Lecture 5: Integrity Models James Hook (Some materials from Bishop, copyright 2004) CS 591: Introduction to Computer Security.
Comparative Operating Systems Understanding the Kernel Structure Prashant Thuppala.
Week:#14 Windows Recovery
Operating System Security Chapter 9. Operating System Security Terms and Concepts An operating system manages and controls access to hardware components.
7/15/2015 4:25 PM Lecture 1: Overview James Hook CS 591: Introduction to Computer Security.
Cambodia-India Entrepreneurship Development Centre - : :.... :-:-
8/6/ :30 PM Lecture 5: Integrity Models James Hook (Some materials from Bishop, copyright 2004) CS 591: Introduction to Computer Security.
TESTING THE SECRUITY OF ELECTRONIC VOTING SYSTEM Presented By: NIPUN NANDA
The Impact of Physical Security on Network Security
Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.
®® Microsoft Windows 7 for Power Users Tutorial 8 Troubleshooting Windows 7.
Hands-On Microsoft Windows Server 2008
Introduction to Information and Computer Science Security Lecture b This material (Comp4_Unit8b) was developed by Oregon Health and Science University,
1 September 14, 2006 Lecture 3 IS 2150 / TEL 2810 Introduction to Security.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Patterns for Secure Boot and Secure Storage in Computer Systems By: Hans L¨ohr, Ahmad-Reza Sadeghi, Marcel Winandy Horst G¨ortz Institute for IT Security,
October 22, 2008 CSC 682 Security Analysis of the Diebold AccuVote – TS Voting Machine Feldman, Halderman and Felten Presented by: Ryan Lehan.
Component 4: Introduction to Information and Computer Science Unit 8: Security Lecture 2 This material was developed by Oregon Health & Science University,
CS 1308 Computer Literacy and the Internet. Introduction  Von Neumann computer  “Naked machine”  Hardware without any helpful user-oriented features.
CMSC 414 Computer (and Network) Security Lecture 14 Jonathan Katz.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
11 MANAGING AND DISTRIBUTING SOFTWARE BY USING GROUP POLICY Chapter 5.
Operating System Security. OS manages and controls access to hardware components Older OSs focused on ensuring data confidentiality Modern operating systems.
CN1176 Computer Support Kemtis Kunanuraksapong MSIS with Distinction MCT, MCTS, MCDST, MCP, A+
EE515/IS523 Think Like an Adversary Lecture 8 Usability/Software Failures Yongdae Kim.
© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Introduction to Concurrency.
Module 15 Managing Windows Server® 2008 Backup and Restore.
CE Operating Systems Lecture 21 Operating Systems Protection with examples from Linux & Windows.
G53SEC 1 Reference Monitors Enforcement of Access Control.
CHAPTER Creating and Managing Users and Groups. Chapter Objectives Explain the use of Local Users and Groups Tool in the Systems Tools Option to create.
Secure Systems Research Group - FAU SW Development methodology using patterns and model checking 8/13/2009 Maha B Abbey PhD Candidate.
Guide to MCSE , Second Edition, Enhanced1 The Windows XP Security Model User must logon with: Valid user ID Password User receives access token Access.
Virtual Workspaces Kate Keahey Argonne National Laboratory.
Module 6: Designing Security for Network Hosts
Troubleshooting Security Issues Lesson 6. Skills Matrix Technology SkillObjective Domain SkillDomain # Monitoring and Troubleshooting with Event Viewer.
Legion - A Grid OS. Object Model Everything is object Core objects - processing resource– host object - stable storage - vault object - definition of.
1 Security. 2 Linux is not secure No computer system can ever be "completely secure". –make it increasingly difficult for someone to compromise your system.
Computer Science and Engineering Computer System Security CSE 5339/7339 Lecture 14 October 5, 2004.
Unix Security Assessing vulnerabilities. Classifying vulnerability types Several models have been proposed to classify vulnerabilities in UNIX-type Oses.
AUTHORS – X. NIE, D. FENG, J. CHE, X. WANG PRESENTED BY- PREOYATI KHAN KENT STATE UNIVERSITY Design and Implementation of Security Operating System based.
VIRUS.
Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.
14.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Protection.
Protection & Security Greg Bilodeau CS 5204 October 13, 2009.
Lecture 14 Page 1 CS 111 Summer 2013 Security in Operating Systems: Basics CS 111 Operating Systems Peter Reiher.
Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).
Software Installation and Copyrights Basic Computer Concepts Installation Basics  Installation Process  Copy files from distribution disks.
Information Systems CS-507 Lecture 32. Physical Intrusion The intruder could physically enter an organization to steal information system assets or carry.
NETWORK SECURITY LAB 1170 REHAB ALFALLAJ CT1406. Introduction There are a number of technologies that exist for the sole purpose of ensuring that the.
Lecture 1 Page 1 CS 111 Summer 2013 Important OS Properties For real operating systems built and used by real people Differs depending on who you are talking.
Operating System Security
Introduction to Operating Systems
© 2002, Cisco Systems, Inc. All rights reserved.
Chapter Objectives In this chapter, you will learn:
Secure Software Confidentiality Integrity Data Security Authentication
Introduction to Operating Systems
CE Operating Systems Lecture 21
CS 591: Introduction to Computer Security
Operating System Security
PLANNING A SECURE BASELINE INSTALLATION
Instructor Materials Chapter 5: Windows Installation
Presentation transcript:

4/25/2015 6:17 PM Lecture 2: Voting Machine Study Access Control James Hook CS 591: Introduction to Computer Security

4/25/2015 6:17 PM Objectives: Review/Discuss Analysis of Diebold machine Introduce Access Control

4/25/2015 6:17 PM Discussion Feldman, Halderman, and Felten, Security Analysis of the Diebold AccuVote-TS Voting Machine, September 2006 –Reaction to the paper?

4/25/2015 6:17 PM Discussion Questions What was the basic architecture of the voting machine? How did FHF steal votes? What other attacks did FHF consider? How did the viral propagation mechanism work?

4/25/2015 6:17 PM Discussion Questions Is the analysis credible? Is the threat model credible? Is this representative of commercial systems today? Did Diebold follow best practices? Are the FHF results reproducible? Did Felton’s lab follow a round methodology in analyzing the machine?

4/25/2015 6:17 PM Discussion Questions Having read the analysis of the Diebold machine, are you surprised that Sequoia used a threat of law suite to prevent Felten’s lab from analyzing their machine? Having seen this analysis of a fielded commercial system, are you more or less concerned about the discrepencies observed in Union County elections?

4/25/2015 6:17 PM Discussion Questions Do you like Oregon’s vote by mail system?

4/25/2015 6:17 PM Case Study We will use the FHF paper as a case study As we encounter concepts we will attempt to instantiate them in the context of the voting machine domain

4/25/2015 6:17 PM Voting Machine Architecture Touch Screen Smart Card Reader Audio jack Removable Flash Printer On-board Flash EPROM RAM Processor OpenKey AccessInside Box

4/25/2015 6:17 PM Boot Process Boot device specified by hardware jumpers (inside box) –EPROM –on-board flash (default) –ext flash On Boot: –Copy bootloader into RAM; init hardware –Scan Removable flash for special files “fboot.nb0” => replace bootloader in on-board flash “nk.bin” => replace OS in on-board flash “EraseFFX.bsq” => erase file system on on-board flash –If no special files uncompress OS image –Jump to entry point of OS

4/25/2015 6:17 PM Boot (continued) On OS start up: –run Filesys.exe unpacks registry runs programs in HKEY_LOCAL_MACHINE\Init –shell.exe (debug shell) –device.exe (Device manager) –gwes.exe (graphics and event) –taskman.exe (Task Manager) –Device.exe mounts file systems \ (root): RAM only \FFX: mount point for on-board flash \Storage Card: mount point for removable flash

4/25/2015 6:17 PM Boot (continued) Customized taskman.exe –Check removable flash explorer.glb => launch windows explorer *.ins => run proprietary scripts –(script language has buffer overflow vulnerabilities) –used to configure election data default => launch “BallotStation” –\FFX\Bin\BallotStation.exe

4/25/2015 6:17 PM BallotStation Four modes: pre-download, pre- election testing, election, post-election Mode recorded in election results file –\Storage Card\CurrentElection\election.brs

4/25/2015 6:17 PM Stealing Votes Malicious processes runs in parallel with BallotStation Polls election results file every 15 seconds –If election mode and new results –temporarily suspend Ballot Station –steal votes –resume Ballot Station

4/25/2015 6:17 PM Viral propagation Malicious bootloader –Infects host by replacing existing bootloader in on-board flash –subsequent bootloader updates print appropriate messages but do nothing fboot.nb0 –package contains malicious boot loader –and vote stealing software

4/25/2015 6:17 PM Access Control Model

4/25/2015 6:17 PM Objectives Introduce the concept of Access Control Relate mechanism to Confidentiality, Integrity and Availability

4/25/2015 6:17 PM Articulating Policy How do we articulate a security policy? How do we provide mechanisms to enforce policy? Voting –Different individuals in different roles Voter, Poll worker, … –Different actions Vote, define ballot, start and stop election, … –Logical and physical entities Ballot, stored tally, final tally, voting machine, removable flash, on-board flash, …

4/25/2015 6:17 PM Ad hoc policies Discus –Only voters should vote –Only poll workers should start and start elections

4/25/2015 6:17 PM Access Control Matrix Model – Lampson ‘71, refined by Graham and Denning (‘71, ‘72) – Concepts –Objects, the protected entities, O –Subjects, the active entities acting on the objects, S –Rights, the controlled operations subjects can perform on objects, R –Access Control Matrix, A, maps Objects and Subjects to sets of Rights –State: (S, O, A)

4/25/2015 6:17 PM Voting: Subjects, Objects, Rights Subjects: (Roles) –Voter, Poll worker, … Rights: (Actions) –Vote, define ballot, start and stop election, … Objects: (Logical and physical entities) –Ballot, stored tally, final tally, voting machine, removable flash, on-board flash, … Question: Is every voter a subject? Or is the role of voter a subject? One-person-one-vote?

4/25/2015 6:17 PM Exercise Sketch Access Control Matrix (ACM) for Voting BallotStored Tally Final Tally… Voterreadincrement Poll Worker print …

4/25/2015 6:17 PM Questions What about modes? –Once the election starts the ballot should not change –Voters should only vote when the election is happening

4/25/2015 6:17 PM Questions Levels of abstraction –Some objects are physical, some are logical –When considering the programming model you now have processes and files (and possibly modes of operation) Exercise: –Sketch ACMs with processes as subjects and files as objects for voting and post- election modes

4/25/2015 6:17 PM Exercise Compare the ACMs for files and processes with the original ACM Is every operation specified in the original feasible in the refined ACMs? Is every feasible operation in the refined ACMs allowed in the original?

4/25/2015 6:17 PM Mechanisms Policy specifies abstract goals Mechanisms are concrete devices, algorithms, or processes that assist in implementing a policy For example, passwords are a mechanism that cat support an authentication policy –Mechanisms are not always perfect!

4/25/2015 6:17 PM Access Control Mechanisms Most operating systems provide some mechanisms for supporting access control Typically: –Processes are associated with users (or user identification numbers), which are the subjects –Files are objects –Rights are: read, write, append, execute, search,...

4/25/2015 6:17 PM Applying the Mechanism Can a generic Access Control mechanism help make the Voting machine more trustworthy? What about modes? –Mode is not part of typical AC mechanisms –However rights can be changed, but this is heavy weight –Analysis of systems that actively change rights is potentially difficult

4/25/2015 6:17 PM Limitations on Mechanisms Simple mechanisms are preferred All computational mechanisms must be decidable In general, useful mechanisms must be computationally cheap

4/25/2015 6:17 PM Limitations on ACM Given an ACM mechanism with dynamic rights management, can a software tool say yes or no, in all cases, to the question: –Does object O ever acquire right r? In 1976 Harrison, Ruzzo and Ullman showed that –in general this is an undecidable problem –In restricted cases it is decidable These results are presented in Bishop Chapter 3

4/25/2015 6:17 PM Why should I care? Although the specifics of the Bishop recounting of the HRU results may seem tedious, the take home message is critical: –Security is a non-trivial property of computer systems –Any reasonably expressive security mechanism when coupled with a general purpose programming system will lead to undecidable language problems –There will never be a post-hoc “lint-like” tool that takes a security spec and an arbitrary program and definitively says “secure” or “insecure”

4/25/2015 6:17 PM So can I give up? Don’t give up! Build security in from the start Design systems so that security properties are manifest Use simple mechanisms, like access control, in straightforward ways Architect for verification and validation

4/25/2015 6:17 PM Returning to Access Control Is Access Control biased to –Confidentiality –Integrity –Availability Exercise –Develop scenarios in which a confidentiality (integrity, availability) property is expressed using an access control matrix

4/25/2015 6:17 PM Model vs. Mechanism Earlier I presented the model of the AC Matrix Does UNIX implement the full AC Matrix? –What key simplifications does UNIX adopt? –Why? Is the full ACM mechanism a good idea? –Is it a good model?

4/25/2015 6:17 PM A Good Model ACM is a good model because any mechanism of compatible granularity can be described in terms of how it approximates the ACM model

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.