Presentation is loading. Please wait.

Presentation is loading. Please wait.

EE515/IS523 Think Like an Adversary Lecture 8 Usability/Software Failures Yongdae Kim.

Published byCecilia Cook Modified over 9 years ago

Similar presentations

Presentation on theme: "EE515/IS523 Think Like an Adversary Lecture 8 Usability/Software Failures Yongdae Kim."— Presentation transcript:

1 EE515/IS523 Think Like an Adversary Lecture 8 Usability/Software Failures Yongdae Kim

2 Why Johnny Can’t Encrypt - A Usability Evaluation of PGP 5.0- Alma Whitten and J.D. Tygar Usenix Sec’99 Presented by Yongdae Kim Some of the Slides borrowed from Jeremy Hyland

3 Defining Usable Security Software ^Security software is usable if the people who are expected to use it:  are reliably made aware of the security tasks they need to perform.  are able to figure out how to successfully perform those tasks  don't make dangerous errors  are sufficiently comfortable with the interface to continue using it.

4 Why is usable security hard? 1.The unmotivated users  “Security is usually a secondary goal” 2.Policy Abstraction  Programmers understand the representation but normal users have no background knowledge. 3.The lack of feedback  We can’t predict every situation. 4.The proverbial “barn door”  Need to focus on error prevention. 5.The weakest link  Attacker only needs to find one vulnerability

5 Why Johnny can’t encrypt? ^PGP 5.0  Pretty Good Privacy  Software for encrypting and signing data  Plug-in provides “easy” use with email clients  Modern GUI, well designed by most standards ^Usability Evaluation following their definition If an average user of email feels the need for privacy and authentication, and acquires PGP with that purpose in mind, will PGP's current design allow that person to realize what needs to be done, figure out how to do it, and avoid dangerous errors, without becoming so frustrated that he or she decides to give up on using PGP after all?

6 Usability Evaluation Methods ^Cognitive walk through  Mentally step through the software as if we were a new user. Attempt to identify the usability pitfalls.  Focus on interface learnablity. ^Results

7 Cognitive Walk Through Results ^Irreversible actions  Need to prevent costly errors ^Consistency  Status message: “Encoding”?!? ^Too much information  More unneeded confusion  Show the basic information, make more advanced information available only when needed.

8 User Test ^User Test  PGP 5.0 with Eudora  12 participants all with at least some college and none with advanced knowledge of encryption  Participants were given a scenario with tasks to complete within 90 min  Tasks built on each other  Participants could ask some questions through email

9 User Test Results ^3 users accidentally sent the message in clear text ^7 users used their public key to encrypt and only 2 of the 7 figured out how to correct the problem ^Only 2 users were able to decrypt without problems ^Only 1 user figured out how to deal with RSA keys correctly. ^A total of 3 users were able to successfully complete the basic process of sending and receiving encrypted emails. ^One user was not able to encrypt at all

10 Conclusion ^Reminder If an average user of email feels the need for privacy and authentication, and acquires PGP with that purpose in mind, will PGP's current design allow that person to realize what needs to be done, figure out how to do it, and avoid dangerous errors, without becoming so frustrated that he or she decides to give up on using PGP after all? ^Is this a failure in the design of the PGP 5.0 interface or is it a function of the problem of traditional usable design vs. design for usable secure systems? ^What other issues? What kind of similar security issues? What do we learn from this paper?

11 Analysis of an Electronic Voting System TADAYOSHI KOHNO ADAM STUBBLEFIELD† AVIEL D. RUBIN‡ DAN S. WALLACH§ February 27, 2004 Presented by: Aldo Villanueva

12 Outline ^Palm Beach Fiasco ^Introducing DRE ^History of Diebold ^Vulnerabilities of Diebold DRE ^Summary 12

13 Palm Beach Ballot Fiasco 13

14 Palm Beach Ballot Fiasco 14

15 ^Eliminate paper ballots from the voting process. ^Process:  The voter arrives to the voting place and prove he’s allowed to vote there.  He gets a token (PIN or smartcard).  Enters the token in the voting terminal and votes for its candidate.  DRE System presents the voter’s election and gives a final chance to make changes. DRE “Direct Recording Electronic”

16 History 1995: I-Mark Systems 1997: Global Election Systems acquired I-Mark 2002: Diebold acquired GES and change the name to Diebold Election System 2006: Diebold removed its name from the voting machines for “strategic” reasons 2007: Diebold changed its name to "Premier Election Solutions"

17 ^The source code for Diebold’s AccuVote-TS DRE voting system was analyzed. ^There were several vulnerabilities found. Analysis of the Diebold’s AccuVote-TS DRE voting system

18 ^The smartcards used in the voting process are very easy to fake since they don’t perform any cryptographic operations. ^Attacker could:  Cast multiple votes  End the elections early Vulnerability No. 1: Smartcards

19 ^System configuration : impersonating any other voting terminal. ^Ballot definitions: changing the order of the candidates only in the interface ^Election results: modifying the voting records file stored on the device Vulnerability No. 2: Tampering

20 ^Voting terminals are configured to upload voting totals to a system after an election. ^An adversary able to pose as a legitimate voting terminal to the tabulating authority could report false vote counts. Vulnerability No. 3: Impersonating legitimate voting terminals

21 ^If an attacker with access to the source code learns the key, he can read and modify voting and auditing records. ^In the Diebold system, from the CVS logs, we see this particular key has been used without change since December 1998. Vulnerability No. 4: Key management

22 ^Each vote is written sequentially to the file recording the votes. ^It’s easy for the attacker (poll worker) to access the voting records, to link voters with their votes. Vulnerability No. 5: Linking voters to their votes

23 ^The whole audit log is encrypted using an insecure method. ^At the time that the logging occurs, the log can also be printed to an attached printer. ^An attacker could create discrepancies between the printed log and the log stored on the terminal by unplugging the printer (or, by simply cutting the cable). Vulnerability No. 6: Audit logs

24

25 ^An attacker can delay the start of an election:  DoS attack against the election management’s server preventing the voting terminals from acquiring their ballot definition in time. ^Poor software engineering:  Uses C++  No documentation  Top-to-bottom code review would be nearly impossible. Other vulnerabilities

26 ^Significant security flaws:  Voters can trivially cast multiple ballots  Administrative functions can be performed by regular voters  Threats posed by insiders such as poll workers, software developers, etc. Summary

27 SECURITY ANALYSIS OF THE DIEBOLD ACCUVOTE – TS VOTING MACHINE Ariel J. Feldman J. Alex Halderman Edward W. Felten September 13, 2006 Presented by: Jiseong Noh

28 Outline ^Overview of Diebold AccuVote-TS Voting Machine ^Design Points ^Boot Processes ^Vulnerability Points ^Attack Scenarios ^Mitigation of the vulnerabilities ^Conclusion 28

29 (*)http://www.electiondataservices.com/images/File/NR_VoteEquip_Nov-2008wAppendix2.pdf) Diebold AccuVote-TS ^Manufactured by Diebold Election Systems  Sold to Election Systems & Software in 2009 ^DRE – Direct Recording Electronic Voting Machine  Voters use machine to cast vote  Machine is used to record the votes  (*) 32% of the USA registered voters used DRE in 2008  About 16 Million voters used Accuvote-TS in 2010 ^Custom election software runs on top of Windows CE 29

30 Design Points 30 Touch Screen Smart Card Reader Audio jack Removable Flash Printer On-board Flash EPROM RAM Processor Open to PublicKey AccessInside Box http://web.cecs.pdx.edu/~hook/cs491sp08/AccessControlSp08.pdf Serial port

31 Design Points 31 ^Similar to a general-purpose hand-held PC  A CPU, 32MB RAM, 16MB internal flash storage  Touchscreen LCD display  Two PC card slots – one for memory card, other for modem card ^OS uses a customized software  Automatically runs Voting Program  Searches for special files in memory card to administer or update the system  Searches for script files with user confirmation (CPU)(RAM) (Flash)

32 Boot Process 32 ^Boot loader loads itself into RAM  Boot Location determined by jumpers on the board  Onboard Flash Memory (default)  EPROM  Ext Flash slot ^Boot loader looks for special file names  fboot.nb0: replacement boot loader  nk.bin: replacement of operating system  EraseFFX.bsq: erases file system on-board flash *** Does not verify file authenticity!

33 Boot Process 33 ^Windows CE image loads and start ^Customized task manager  Automatically runs Voting program  If memory card is present and contains explorer.glb  Runs windows explorer instead of voting program  runs script files (. with user confirmation

34 Vulnerability Points (H/W) ^Lightweight Lock: easily picked up without a key 34 Easy Access to Memory Card

35 Vulnerability Points (H/W) ^EPROM(E): Replace EPROM with malware ^PC Card Slot(S): Used to replace existing software with malware using Memory Card ^Serial Keypad Connector(O): open communication port ^Infrared Port(N): open communication port 35

36 Vulnerability Points (S/W) ^Authenticity problem  Never checks to validate the authenticity of files on the memory card on booting or updating software ^Buffer Overflow  malformed script files could bypass the confirmation 36 http://www.cyberdin.com/images/stories/pict5.jpg

37 Attack Types 37 Stealing Votes Malicious processes runs in parallel with voting program Change votes for a favored candidate Total count of votes does not change Denial-of-Service Destroys all records of the election Makes the voting machine inoperable

38 Delivery of Malicious Code 38 ^EPROM  Attack code is placed on an EPROM chip  Attacker replaces the EPROM chip and changes the jumper settings to boot from EPROM ^Memory card on PC Card Slot  Attack code is placed on the memory card  Memory card is inserted before voting machine booted  Malicious boot loader containing virus is installed on the machine  The machine is now infected

39 Delivery of Malicious Code 39 ^Memory card on PC Card Slot (continue)

40 Mitigation of Vulnerabilities 40 ^Modifications to DRE Software and Hardware  Digitally sign all software updates  Verify the signature of software updates before installing them  Ask user confirmation of any software updates  Use specialized hardware to maintain tamper-proof logs  Physical Access Controls  Sealing the machine and memory card with tamper-evident seals

41 Summary ^DREs are like desktop PC, in the security point of view ^Diebold AccuVote-TS has many serious vulnerabilities  Weak physical security  Runs on general-purpose H/W and OS  No way to check if an attack occurred  Virus attack possible – no need for distributed attack ^DREs have their advantages; however, they should overcome these problems to make reliable votes 41

42 ^Papers which criticize DRE, particularly Diebold Systems ^2003: Analysis of an Electronic Voting System ^2004: Trusted Agent Report Diebold AccuVote-TS Voting System ^2006: Security Analysis Of The Diebold AccuVote - TS Voting Machine ^Bad Reputation  Changed the name multiple times ^May 19, 2010 Dominion Voting Systems acquired Premier Elections Solutions. Bankruptcy of Diebold

43 ^Voting equipment vendors say closed-source nature of the systems makes them more secure. ^Authors think that an open process would result better. ^The best solution will be a computerized voting system with ballot paper. Conclusions

Download ppt "EE515/IS523 Think Like an Adversary Lecture 8 Usability/Software Failures Yongdae Kim."

Similar presentations

IT Technical Support South Nottingham College. Aims Knowledge of the Registry Discuss the tools available to support a technician Gain an understanding.

IT Technical Support South Nottingham College. Aims Knowledge of the Registry Discuss the tools available to support a technician Gain an understanding.
Electronic Voting Systems

Electronic Voting Systems
With your instructor, Jeremy Hyland

With your instructor, Jeremy Hyland
4/25/2015 6:17 PM Lecture 2: Voting Machine Study Access Control James Hook CS 591: Introduction to Computer Security.

4/25/2015 6:17 PM Lecture 2: Voting Machine Study Access Control James Hook CS 591: Introduction to Computer Security.
Electronic Voting: Danger and Opportunity J. Alex Halderman Department of Computer Science Center for Information Technology Policy Princeton University.

Electronic Voting: Danger and Opportunity J. Alex Halderman Department of Computer Science Center for Information Technology Policy Princeton University.
ELECTION DAY ACTIVITIES. Checklist of contents of the box PCOS machine and its power adaptor Thirteen (13) rolls of official thermal paper Three (3)

ELECTION DAY ACTIVITIES. Checklist of contents of the box PCOS machine and its power adaptor Thirteen (13) rolls of official thermal paper Three (3)
Analysis of an Electronic Voting System

Analysis of an Electronic Voting System
By Varun Jain. Introduction  Florida 2000 election fiasco, drew conclusion that paper ballots couldn’t be counted  Computerized voting system, DRE (Direct.

By Varun Jain. Introduction  Florida 2000 election fiasco, drew conclusion that paper ballots couldn’t be counted  Computerized voting system, DRE (Direct.
Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.

Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
1 J. Alex Halderman Security Failures in Electronic Voting Machines Ariel Feldman Alex Halderman Edward Felten Center for Information Technology Policy.

1 J. Alex Halderman Security Failures in Electronic Voting Machines Ariel Feldman Alex Halderman Edward Felten Center for Information Technology Policy.
15.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 15: Configuring a Windows.

15.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 15: Configuring a Windows.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.

Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS 17-803/17-400 Electronic Voting Session 5: Direct Recording Electronic (DRE)

17-803/ ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS / Electronic Voting Session 5: Direct Recording Electronic (DRE)
Electronic Voting (E-Voting) An introduction and review of technology Written By: Larry Brachfeld CS591, December 2010.

Electronic Voting (E-Voting) An introduction and review of technology Written By: Larry Brachfeld CS591, December 2010.
User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.

User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.
Electronic Voting Linh Nguyen. Electronic Voting  Voting Technologies  The Florida 2000 Election  Direct Recording Electronic Devices (DREs)‏ - Diebold.

Electronic Voting Linh Nguyen. Electronic Voting  Voting Technologies  The Florida 2000 Election  Direct Recording Electronic Devices (DREs)‏ - Diebold.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS 17-803/17-400 Electronic Voting Session 6: The Diebold Reports Michael I.

17-803/ ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS / Electronic Voting Session 6: The Diebold Reports Michael I.

Similar presentations

Ads by Google