Software vulnerabilities in the Brazilian voting machine Diego F. Aranha, [email protected] Marcelo Monte Karam, [email protected] Andr´e de Miranda, [email protected] Felipe Brant Scarel, [email protected] Department of Computer Science, Center for Informatics University of Bras´ılia

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

1/25

Short version

srand(time(NULL)); fprintf(public document, "%d\n", time(NULL));

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

2/25

Context Brazilian Elections: - Is majoritarian or proportional, depending on public office position - Administered, executed and judged by the Superior Electoral Court (SEC) presided by judge from the Supreme Court - After rampant ballot paper fraud, became electronic in 1996 - Held in October with mandatory participation (140 million voters) Brazilian Voting Machines: - Claimed to be 100% secure (...but never really tested until March) - Have hardware manufactured by Diebold (half a million) - Have software developed by the SEC since 2006 - Adopted GNU/Linux in 2008 (after Windows CE and VirtuOS) - Run software accessible to political parties under NDA - Experimented with VVPATs in 2002 dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

3/25

Context Figure : Classic DRE voting machine: from left to right, election officer terminal and voter terminal.

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

4/25

Cronology of the Public Security Tests 1 Preparation phase (March 6-8, 2012): - Opening presentation - Access to the source code in a sealed room - Formal submission of technical questions - Formulation of hypotheses and attack methodologies

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

5/25

Cronology of the Public Security Tests 1 Preparation phase (March 6-8, 2012): - Opening presentation - Access to the source code in a sealed room - Formal submission of technical questions - Formulation of hypotheses and attack methodologies 2 Testing phase (March 20-22, 2012): - Validation of hypotheses - Execution of attack methodologies - Joint writing with the SEC of team reports

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

5/25

Cronology of the Public Security Tests 1 Preparation phase (March 6-8, 2012): - Opening presentation - Access to the source code in a sealed room - Formal submission of technical questions - Formulation of hypotheses and attack methodologies 2 Testing phase (March 20-22, 2012): - Validation of hypotheses - Execution of attack methodologies - Joint writing with the SEC of team reports 3 Public audience (March 29, 2012): - Publication of results - Symbolic prizes

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

5/25

Cronology of the Public Security Tests 1 Preparation phase (March 6-8, 2012): - Opening presentation - Access to the source code in a sealed room - Formal submission of technical questions - Formulation of hypotheses and attack methodologies 2 Testing phase (March 20-22, 2012): - Validation of hypotheses - Execution of attack methodologies - Joint writing with the SEC of team reports 3 Public audience (March 29, 2012): - Publication of results - Symbolic prizes 4 Publishing of official documents (April 10, 2012): - Testing plans and team reports - Appreciation by the Evaluation Committee with team scores dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

5/25

Objectives

According to the call for participation: 1 Failure - Violation of the system specification - Inconsistent state of execution - No effect on integrity or secrecy of ballots 2 Fraud - Intentional act - Effect on integrity or secrecy of ballots - No traces left

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

6/25

Team participation – Opening presentation Election Algorithm 1 Voting machines loaded with software from Compact Flash 2 Zero-proof printed (between 7AM and 8AM in election day) 3 Voting session opened (at 8 AM) 4 Votes cast by electors 5 Voting session closed (at 5PM if there is no queue) 6 Media of Results (MR) written 7 Transmission of authenticated public products (Partial Sum (PS),

Digital Record of Votes (DRV), LOG) to the centralized totalizator Important: Only voting machines were tested!

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

7/25

Team participation – Opening presentation Digital Record of the Votes (DRV): - Public access file which replaced VVPATs in 2003 - Stores the votes in shuffled order Governor

Senator

President

31 13 BLANK

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

8/25

Team participation – Opening presentation Digital Record of the Votes (DRV): - Public access file which replaced VVPATs in 2003 - Stores the votes in shuffled order Governor

Senator

71

31

President

13 NULL BLANK

37 dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

8/25

Team participation – Preparation phase Digital Record of the Votes (DRV): - Public access file which replaced VVPATs in 2003 - Stores the votes in shuffled order Governor

Senator

President

71

31

37

BLANK

13 71

NULL BLANK

37 dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

9/25

Team participation – Preparation phase Digital Record of the Votes (DRV): - Public access file which replaced VVPATs in 2003 - Stores the votes in shuffled order Governor

Senator

President

71

31

37

BLANK

13 71

NULL BLANK

37 dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

9/25

Team participation – Preparation phase Hypothesis: DRV was not designed and implemented in a secure way. - Is it possible to simulate the shuffling order out of the machine? - Is it possible to recover the votes using this order? - Which information is needed for this recovery?

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

10/25

Team participation – Preparation phase Hypothesis: DRV was not designed and implemented in a secure way. - Is it possible to simulate the shuffling order out of the machine? - Is it possible to recover the votes using this order? - Which information is needed for this recovery?

Pseudo-random number generator (Wikipedia) It is an algorithm which produces a sequence of numbers approximately random. The sequence is not truly random, because it can be reproduced from a small set of initial parameters, one of them called the seed (which must be truly random).

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

10/25

Team participation – Preparation phase Hypothesis: DRV was not designed and implemented in a secure way. - Is it possible to simulate the shuffling order out of the machine? - Is it possible to recover the votes using this order? - Which information is needed for this recovery?

Pseudo-random number generator (Wikipedia) It is an algorithm which produces a sequence of numbers approximately random. The sequence is not truly random, because it can be reproduced from a small set of initial parameters, one of them called the seed (which must be truly random).

Validation: 1 hour of source code analysis gave us certainty of hypothesis.

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

10/25

Team participation – Testing phase Preliminarly: Development of analysis tool.

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

11/25

Team participation – Testing phase Preliminarly: Development of analysis tool.

Methodology 1 SEC produces a secret list of votes 2 Team splits into subteams A and B 3 SEC staff and subteam A insert votes in the machine 4 Subteam B examines public products of the voting process 5 Subteam B runs analysis program to recover list of votes in order 6 SEC staff and subteams A and B verify if both lists are equal

Important: No communication between subteams A and B.

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

11/25

Team participation – Testing phase Preliminarly: Development of analysis tool.

Methodology 1 SEC produces a secret list of votes 2 Team splits into subteams A and B 3 SEC staff and subteam A insert votes in the machine 4 Subteam B examines public products of the voting process 5 Subteam B runs analysis program to recover list of votes in order 6 SEC staff and subteams A and B verify if both lists are equal

Important: No communication between subteams A and B. Success: Perfect match between the two lists.

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

11/25

Team participation – Testing phase Preliminarly: Development of analysis tool.

Methodology 1 SEC produces a secret list of votes 2 Team splits into subteams A and B 3 SEC staff and subteam A insert votes in the machine 4 Subteam B examines public products of the voting process 5 Subteam B runs analysis program to recover list of votes in order 6 SEC staff and subteams A and B verify if both lists are equal

Important: No communication between subteams A and B. Success: Perfect match between the two lists. Validation: Absolute success in elections with 10, 16, 21 and 475 voters. dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

11/25

Team participation – Vulnerabilities 1 Weak PRNG: - Small 32-bit seed space (srand()/rand()) - Does not attain cryptographic requirements

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

12/25

Team participation – Vulnerabilities 1 Weak PRNG: - Small 32-bit seed space (srand()/rand()) - Does not attain cryptographic requirements 2 Choice of seed not truly random: - Consists of a time measurement with precision of seconds - Violates the operation limits of PRNG - Reduces significantly the cost of exhaustive search

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

12/25

Team participation – Vulnerabilities 1 Weak PRNG: - Small 32-bit seed space (srand()/rand()) - Does not attain cryptographic requirements 2 Choice of seed not truly random: - Consists of a time measurement with precision of seconds - Violates the operation limits of PRNG - Reduces significantly the cost of exhaustive search 3 Seed made public: - Printed in public products - No exhaustive search needed

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

12/25

Team participation – Vulnerabilities Secret and truly random seed:

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

13/25

Team participation – Attacks

1 Direct attack: - Recover votes in order from the public seed. 2 Indirect attack: - Exhaustive search to match “holes” in DRV and recover correct seed.

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

14/25

Team participation – Attacks

1 Direct attack: - Recover votes in order from the public seed. 2 Indirect attack: - Exhaustive search to match “holes” in DRV and recover correct seed.

Attack features: - Efficient (exact and deterministic) - Elegant (nothing was changed or invaded) - Essentially untraceable (only requires reading public products)

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

14/25

Team participation – Results and corrections Results 1 It is possible to recover the votes in order from the public seed 2 It is possible to recover seed from votes out of order 3 Defeated the only protection implemented for ballot secrecy.

Posteriorly: LOG associates each vote cast with a timestamp.

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

15/25

Team participation – Results and corrections Results 1 It is possible to recover the votes in order from the public seed 2 It is possible to recover seed from votes out of order 3 Defeated the only protection implemented for ballot secrecy.

Posteriorly: LOG associates each vote cast with a timestamp.

Corrections 1 Use a hardware RNG (voting machine has two) 2 Use /dev/random (viable in practice?) 3 Use /dev/urandom with no cryptographic strength, but still superior

(secure?)

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

15/25

Going beyond – Consequences Attacker model Capable of buying votes and monitoring/coercing voters on election day. Four kinds of general attacks on ballot secrecy: 1 Attacker records order or time votes were cast 2 Coerced electors vote in the session start 3 First coerced elector cast a marker vote 4 Coerced electors vote in prearranged positions or times

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

16/25

Going beyond – Consequences Attacker model Capable of buying votes and monitoring/coercing voters on election day. Four kinds of general attacks on ballot secrecy: 1 Attacker records order or time votes were cast 2 Coerced electors vote in the session start 3 First coerced elector cast a marker vote 4 Coerced electors vote in prearranged positions or times

One directed attack on ballot secrecy: - Recover a specific vote, given place and time vote was cast

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

16/25

Team participation – Appreciation After initial repercussions in the press: - “Extremely positive contribution” - “Highly advanced technological attack” - “We learned a lot with the testing methodologies” - “We will ask for help from academia in the next two years” Unappealable report by the Evaluation Committee: - Attack consists in an attempt to cause failure instead of fraud - Needs physical access to the voting machine, media, seals and source code - Score of 0.0313 in 0-400 range

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

17/25

Other problems

Flaws in the software: - Inadequate source of entropy (17-year old vulnerability) - Massive sharing of encryption keys - Presence of encryption keys in the source code - Violation of specification for block ciphers - Insufficient verification of software integrity - Obsolete algorithm (SHA-1) when collision-resistance is needed - Repeated implementations of cryptographic primitives

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

18/25

Other problems Bad engineering practices: - Emphasis on obfuscation instead of security - Focus on external instead of internal attackers - No internal exercises or formal training - Usernames, passwords and hostnames available - Complete lack of static code analysis

Flawfinder “This function is not sufficiently random for security-related functions such as key and nonce creation. Use a more secure technique for acquiring random values.” - False sense of security

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

19/25

Official positions by the SEC (my translation)

Regarding the media encryption Using a single shared key is more secure due to cryptanalytic attacks based on statistical estimators.

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

20/25

Official positions by the SEC (my translation)

Regarding the media encryption Using a single shared key is more secure due to cryptanalytic attacks based on statistical estimators.

Regarding internal attacks It is not practical to execute an insider attack without leaving traces detectable by an audit.

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

20/25

Official positions by the SEC Technical criticism: - Statistical attacks are of academic interest only - Leaking the shared key a single time has critical impact - Mode of operation randomizes plaintext (if used correctly) - Argument only reinforces focus on external attacks

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

21/25

Official positions by the SEC Technical criticism: - Statistical attacks are of academic interest only - Leaking the shared key a single time has critical impact - Mode of operation randomizes plaintext (if used correctly) - Argument only reinforces focus on external attacks

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

21/25

Official positions by the SEC (my translation)

Regarding VVPATs Obtaining absolute ballot secrecy and integrity is impossible. It does not make sense to focus on integrity only. VVPATs only give a false (and expensive) sense of security. Arguing that a correctable software vulnerability requires reintroducing VVPATs is a threat to democracy. Technical criticism: - Fallacy of the perfect solution - Is it really better to trust (demonstrably) vulnerable software produced by a flawed development process?

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

22/25

Conclusions

1 Kerckhoff’s principle (1883) 2 Shannon’s maxim (around 1945) 3 John von Neumann (1951): “Any one who considers arithmetical

methods of producing random digits is, of course, in a state of sin”.

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

23/25

Acknowledgments

- My team of brave researchers

- EVT/WOTE 2012 organizers for the invitation

- Increased transparecy from the Superior Electoral Court

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

24/25

Thank you for your attention! Any questions? http://sites.google.com/site/dfaranha/projects/

dfaranha (CIC)

Software vulnerabilities in the Brazilian voting machine

25/25

Software vulnerabilities in the Brazilian voting machine

dfaranha (CIC). Software vulnerabilities in the Brazilian voting machine .... 5 Subteam B runs analysis program to recover list of votes in order. 6 SEC staff and ...
Download PDF
645KB Sizes 1 Downloads 130 Views
Report

Recommend Documents

Software vulnerabilities in the Brazilian voting machine
Mar 31, 2013 - among all voting machines for encrypting their memory cards. Using the classical abstraction of a locker as an encryption technique, this is equivalent to using half a million lockers with exactly the same key, since this is the approx
“software independence” in voting systems
integrity of their software in ways that “software independent” systems do not. .... incorrectly. Recovery is again possible, assuming that the tally administrators. 5 ...
Risk in Agriculture & Vulnerabilities among Small farmers.docs.pdf ...
to small farmers than solace. Farmer suicides are more common ... Organizations as community enterprise system at Gram Panchayat level. This can serve as.
Evolution of Voting in the US - Home
1975 - Further amendments to the. Voting Rights Act require that many voting materials ... 1947 - Miguel Trujillo, a Native. American and former Marine, wins a.
1 The processing of object anaphora in Brazilian ...
"The resident said right now in the interview to the television that the firemen are ... BP data show that comprehenders deal with topic-comment relations as fast as they .... Therefore the best candidates for topic anaphora are empty categories ...
Harvest Planning in the Brazilian Sugar Cane Industry ...
transported to the industrial sector, i.e. the sugar cane mills. In Brazil ..... cf − ∑ f1∈F. ∑ f2∈F. ∑ i∈I. ∑ c∈C. CT di cf1f2. · oi cf1f2. (1). Industrial and Resource ...
Security Vulnerabilities in Operating Systems: A ... - Semantic Scholar
allocation of resources for security testing, development of security patches and scheduling their releases. It can also be used by ... lifetime after its release, an application program encounters changes in its usage environment. When a new version
Important Dates in Voting History.pdf
There was a problem previewing this document. Retrying... Download. Connect more apps... Try one of the apps below to open or edit this item. Important Dates ...Missing:
go get my/vulnerabilities - HackInBo
Who. ○ ( Web|Mobile ) penetration tester. ○ Code reviewer. ○ Programmer. Roberto Clapis. @empijei. 2. Page 3. Go. ○ Google's language. ○ Born in 2007 (quite new). ○ Widespread. 3. Page 4. Cool, but how do I break it? 4. ○ Memory safety,
Auto-verifying voting system and voting method
Feb 14, 2005 - mechanical or electronic comparison of the printed ballot with the data stored from the voter input. The present invention has elements that may be consid ered to be covered generally by class 235, particularly sub class 51 covering ma
Machine-Independent Organic Software Tools
a big-end and a little-end PDUMP file of the compiler are included in the system ... These changes and additions have resulted in a reduction of the listing length of the ... MINT for applications where the use of 16 bits for the size of data-storage
Machine/Job Features - HEP Software Foundation
Feb 4, 2016 - In the case of virtual machines on IaaS cloud platforms, the virtual machine ... keys provided by resource provider via the cloud infrastructure.
Information Leak Vulnerabilities in SIP Implementations
Users can potentially leverage SIP-compliant components, services, ... One key security concern is the exploitation of vulnerabilities in VoIP devices in the ... vulnerability in Pingtel phones with software version 1.2.5–1.2.7.4 opens holes for ..
Security Vulnerabilities in Operating Systems: A ...
KEYWORDS: Vulnerabilities, security holes, risk evaluation, quantitative security ... 1 Contact author: Indrajit Ray, Department of Computer Science, Colorado ...
Auto-verifying voting system and voting method
Feb 14, 2005 - in memory or on storage media. A printed ballot produced by the computer voting station which shows the votes of a voter is then presented to the voter and either compared by the voter, or by operation of the computer program for the v
Costless honesty in voting
Jun 30, 2010 - honest” all social choice correspondences satisfying No Veto Power ... Single-name plurality voting: voting for a preferred candidate.
Do Bugs Foreshadow Vulnerabilities? A Study of the Chromium Project
2015 12th Working Conference on Mining Software Repositories ... A. Data terms. When we refer to a release, we are referring to a milestone in the software development life cycle for our case study project. Releases represent an snapshot of all sourc
The Link Between Voting and Life Satisfaction in Latin America
more likely to be a cause rather than an effect of voting in Latin. America. What is the relationship between political participation and indi- vidual happiness? At first glance, the ... Using data from 18 AmericasBarometer country surveys carried ou