Erik Nordin [email protected]
Fredrik Holgersson
Emilie [email protected]
Security assessment of the E-valg system
Agenda
- Evalg 2011 - Introduction
- Technical solution
- Security assessment and results
- What happens next?
Introduction to Evalg 2011
On Monday evening, September 12th 2011, experts and observers from around the world gathered in the auditorium of the government district, building R5, to witness the counting process of Norway's first electronic election for local governments.
This presentation deals with project experience, technical solution, results and future ...
Introduction film (7 min)
Customer
Ministry of local government and regional development [Kommunal- og regionaldepartementet (KRD)]
Christian Bull / responsible for security in Evalg project
Technical solution
Roles:
V: voter
P: voter's computer
B: the ballot box
R: the receipt generator
D: the decryption service
A: the auditor
Building blocks: ElGamal encryption, Schnorr proof of knowledge
[Diagram of one vote: V chooses "party1, party2, ..." on P; P sends the encrypted ballot (drawn as scrambled ciphertext text) to B; the return code "8318" reaches V; V checks the code against the card: "8318 -> party OK!"]
Locations
- B (ballot box): Brønnøysund
- D (decryption service): Oslo
- R (receipt generator): Tønsberg
Zero knowledge proof
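The roles and building blocks on these slides (ElGamal encryption, a Schnorr proof of knowledge on the voter's computer, a receipt generator that returns a code the voter checks against a card) carried through as a toy model in Python. This is an added illustration written for this page, not Scytl's or E-valg's implementation: the 1019-element group, the exponential party encoding, the key split a1 + a2 = a3 between D, B and R, the per-voter secret s and the 4-digit SHA-256-derived code are all assumptions chosen to show how R can derive a return code without learning the vote, and how B can reject a ballot whose sender cannot prove knowledge of the encryption randomness.

```python
"""Toy model of the roles V, P, B, R, D: ElGamal encryption with a Schnorr
proof of knowledge, a ballot box that checks the proof, a receipt generator
that derives a return code without learning the vote, and a decryption
service. Added illustration, not Scytl's or E-valg's code; the group is tiny
and insecure so it runs instantly, and the key split a1 + a2 = a3 and the
4-digit code are assumptions that mirror the slide, not production choices."""
import hashlib
import secrets

# Constructed toy group: P prime, Q = (P-1)/2 prime, G = 4 = 2^2 is a
# quadratic residue mod P and therefore generates the order-Q subgroup.
P, Q, G = 1019, 509, 4
PARTIES = ["party1", "party2", "party3"]


def rand_exp():
    """Uniform non-zero exponent mod Q."""
    return secrets.randbelow(Q - 1) + 1


def fiat_shamir(*values):
    """Non-interactive challenge: hash of the transcript, reduced mod Q."""
    data = "|".join(str(v) for v in values).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def setup_keys():
    """D keeps a1, B keeps a2, R keeps a3 = a1 + a2; voters encrypt under y1 = G^a1."""
    a1, a2 = rand_exp(), rand_exp()
    return {"a1": a1, "a2": a2, "a3": (a1 + a2) % Q, "y1": pow(G, a1, P)}


def encode(party):
    """Exponential encoding: party number i becomes G^i, a subgroup element."""
    return pow(G, PARTIES.index(party) + 1, P)


def encrypt_with_proof(y1, party):
    """P, the voter's computer: ElGamal ciphertext plus a Schnorr proof that
    the sender knows the randomness r behind c1 = G^r."""
    m, r = encode(party), rand_exp()
    c1, c2 = pow(G, r, P), (pow(y1, r, P) * m) % P
    w = rand_exp()
    t = pow(G, w, P)                  # commitment
    e = fiat_shamir(c1, c2, t)        # challenge bound to this ciphertext
    s = (w + e * r) % Q               # response
    return (c1, c2), (t, s)


def verify_proof(cipher, proof):
    """B, the ballot box: accept only ballots with a valid proof."""
    (c1, c2), (t, s) = cipher, proof
    e = fiat_shamir(c1, c2, t)
    return pow(G, s, P) == (t * pow(c1, e, P)) % P


def ballot_box_blind(cipher, a2, voter_secret):
    """B raises the ballot to the per-voter secret s and folds in a2:
    u = c1^s = G^(r s),  w = (c2 * c1^a2)^s = G^(a3 r s) * m^s."""
    c1, c2 = cipher
    u = pow(c1, voter_secret, P)
    w = pow((c2 * pow(c1, a2, P)) % P, voter_secret, P)
    return u, w


def code_from_ms(voter_id, ms):
    """Map the blinded vote m^s to a 4-digit code (8318 on the slide is such a code)."""
    digest = hashlib.sha256(f"{voter_id}:{ms}".encode()).hexdigest()
    return f"{int(digest, 16) % 10000:04d}"


def receipt_generator(voter_id, a3, u, w):
    """R strips G^(a3 r s) using a3 and obtains m^s, never m; the code goes to V."""
    ms = (w * pow(pow(u, a3, P), P - 2, P)) % P   # Fermat inverse, P is prime
    return code_from_ms(voter_id, ms)


def voter_card(voter_id, voter_secret):
    """Pre-election card listing the expected code for every party."""
    return {p: code_from_ms(voter_id, pow(encode(p), voter_secret, P)) for p in PARTIES}


def decrypt(cipher, a1):
    """D, the decryption service: recover m and look up the party."""
    c1, c2 = cipher
    m = (c2 * pow(pow(c1, a1, P), P - 2, P)) % P
    return next(p for p in PARTIES if encode(p) == m)


def cast_vote(voter_id, party, keys, voter_secret):
    """Full round trip: (proof accepted, code from R, code on the card, counted party)."""
    cipher, proof = encrypt_with_proof(keys["y1"], party)
    ok = verify_proof(cipher, proof)
    u, w = ballot_box_blind(cipher, keys["a2"], voter_secret)
    code = receipt_generator(voter_id, keys["a3"], u, w)
    return ok, code, voter_card(voter_id, voter_secret)[party], decrypt(cipher, keys["a1"])


if __name__ == "__main__":
    keys, s = setup_keys(), rand_exp()
    print(cast_vote("voter-7", "party2", keys, s))
```

The proof is what lets B refuse a ballot that was copied from another voter's encrypted vote: whoever submits it must know the randomness r, and the Fiat-Shamir challenge is bound to the ciphertext, so a proof cannot be reused for a different ballot. R only ever sees m^s, which is meaningless without the per-voter card.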
EDB Ergogroup
Developed the e-voting solution via the Internet.
EDB ErgoGroup SYSteam is one of the leading IT players with approximately 10 000 employees and annual sales of almost SEK 16 billion. The company is listed on the Oslo Stock Exchange with headquarters in Oslo and has a significant presence in both the Norwegian and Swedish market with 135 offices in 16 countries worldwide.
http://www.edbergogroup.com/
Scytl
Spanish company
Subcontractor to EDB ErgoGroup
Implementation of the security functions
Scytl, worldwide leader in the development of secure solutions for electoral modernization. http://www.scytl.com/
Combitech
Swedish IT consulting company
Independent security evaluations
http://www.combitech.se/
Security assessment
- Transparency vs. Secrecy?
- Source code and documentation
- Testing
- Methodology/Restrictions
- Results
http://source.evalg.stat.no
Iterative development process
[Timeline over iteration 1 to iteration 6 with a marker "Actual review begins"; lanes: Ergo+Scytl, CAB]
Security review
- Source code review
  - General purpose code review
  - Verification of the implementation of cryptographic protocols
- Penetration tests
  - External
  - Internal
- (Log analysis)
- Post election/test review
Source code review
The codebase: ~160.000 lines of code, Java – Admin, Authentication, Vote, Counting and Cryptography
Aim: Identify flaws that could lead to:
- stored votes being manipulated
- invalid votes entered
- voting in another person's stead
- removal of valid votes (selectively)
- breach of the secrecy of the vote
- manipulation of the counting process
Methods
Automated – Sonar/Checkstyle/Findbugs
- Identify possible low hanging fruit: SQL injection, cross site scripting…
- Error-/Exception handling
Manual – Eclipse, Understand
- Access methods
- Error-/Exception handling
- Traceability/Accountability
- User interaction/input
- Database interaction (queries and connections)
- Implementation of the cryptographic protocol
- (Overall source code state – well formatted, comments, structure, variable/attribute usage, …)
SQL Injection?
sql = " select e.election_group_id, e.election_id, e.contest_id, v.voter_id"
    + " FROM voter v"
    + " JOIN contest_area ca ON true"
    + " JOIN mv_area ac ON ac.mv_area_pk = ca.mv_area_pk"
    + " JOIN mv_area a ON text2ltree(a.area_path) <@ text2ltree(ac.area_path) AND a.area_level = 5"
    + " JOIN mv_election e ON e.election_event_pk = " + electionEventPk
    + " AND v.country_id::text = a.country_id::text"
    + " AND v.county_id::text = a.county_id::text"
    + " AND v.municipality_id::text = a.municipality_id::text"
    + " AND v.borough_id::text = a.borough_id::text"
    + " AND v.polling_district_id::text = a.polling_district_id::text"
    + " AND v.date_of_birth <= COALESCE(e.contest_end_date_of_birth, e.election_end_date_of_birth)"
    + " JOIN voting cv ON cv.voter_pk = v.voter_pk AND cv.election_group_pk = e.election_group_pk"
    + " WHERE e.election_level = 3"
    + " and v.election_event_pk = " + electionEventPk
    + " and v.municipality_id = '" + municipalityId + "'"
    + " and cv.approved"
    + " and ca.contest_pk = e.contest_pk"
    // order by is slow
    + " order by v.voter_id, e.election_id";
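The question on the slide is whether electionEventPk and municipalityId, which are pasted into the SQL text, can be influenced by a user. Two things a reviewer would want here, as an added Python example written for this page (not E-valg code): a small scanner that flags the concatenation pattern in Java source, of the kind the automated tools on the "Methods" slide look for, and the string-built query beside its parameterized counterpart run against SQLite. The Java excerpt, the voter rows and the one-table schema are constructed simplifications.

```python
"""Reviewer's helpers for the pattern on the slide: flag Java variables
spliced into SQL strings, and show a concatenated query next to a bind-
parameter query on an in-memory SQLite table. Added example for this page,
not E-valg code; excerpt, rows and schema are constructed."""
import re
import sqlite3

# Constructed excerpt that copies the slide's concatenation pattern.
JAVA_EXCERPT = '''
sql = " select e.election_group_id, v.voter_id"
    + " FROM voter v"
    + " WHERE e.election_level = 3"
    + " and v.election_event_pk = " + electionEventPk
    + " and v.municipality_id = '" + municipalityId + "'"
    + " and cv.approved";
'''

# A closing quote followed by "+ identifier" means a variable is spliced
# into the SQL text instead of being passed as a bind parameter.
SPLICE = re.compile(r'"\s*\+\s*([A-Za-z_]\w*)')


def flag_spliced_parameters(java_source):
    """Return the identifiers concatenated into SQL strings, in order of appearance."""
    return SPLICE.findall(java_source)


# Constructed sample rows: (voter_id, municipality_id, approved)
VOTERS = [("v1", "1804", 1), ("v2", "1804", 0), ("v3", "1004", 1)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE voter (voter_id TEXT, municipality_id TEXT, approved INTEGER)")
    conn.executemany("INSERT INTO voter VALUES (?, ?, ?)", VOTERS)
    return conn


def approved_voters_concat(conn, municipality_id):
    """Same construction as the slide: the value becomes part of the SQL text."""
    sql = ("SELECT voter_id FROM voter WHERE municipality_id = '"
           + municipality_id + "' AND approved = 1")
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return "sql-error"   # a quote in the input was parsed as SQL syntax


def approved_voters_param(conn, municipality_id):
    """Bind parameter: the value stays data, whatever characters it contains."""
    sql = "SELECT voter_id FROM voter WHERE municipality_id = ? AND approved = 1"
    return [row[0] for row in conn.execute(sql, (municipality_id,))]


def compare(municipality_id):
    """Run both variants on a fresh table and return (concatenated, parameterized)."""
    conn = make_db()
    return (approved_voters_concat(conn, municipality_id),
            approved_voters_param(conn, municipality_id))


if __name__ == "__main__":
    print(flag_spliced_parameters(JAVA_EXCERPT))
    print(compare("1804"))
    print(compare("18'04"))   # constructed value containing a quote
```

The scanner is deliberately crude (it also flags numeric keys such as electionEventPk, which a reviewer then checks for an integer type); its value is that it turns a 160.000-line code base into a short list of places to read by hand. The SQLite comparison shows the boundary that matters: with concatenation a single quote in the input changes how the statement parses, with a bind parameter the same input is simply a municipality id that matches nothing.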
Penetration testing - logical view of network
[Network diagram; labelled nodes: Voter, Public Evote, Return codes, MinID / SMS service, Filtered tunnel]
Goal of penetration test
A secure and robust production system
- Test applications in their final environment
- Identify weaknesses in the realization of the design
- Find forgotten test "features"
- Create a check list of vulnerabilities that need to be eliminated or mitigated
… and it is always nice to get a root prompt
Penetration test methodology
OSSTMM (Open Source Security Testing Methodology Manual)
Penetration testing framework (http://www.vulnerabilityassessment.co.uk/)
Tools:
- Port scanning - Nmap
- Vulnerability scanning - Nessus, OpenVAS
- Web application testing - BurpSuite, Nikto, W3AF
- Network traffic analysis - Wireshark, TCPdump, Urlsnarf
- ARP spoofing - Ettercap
- Port redirection, file transfer - Netcat
Platforms and services: mainly Linux based systems with web applications
External penetration test
- Port scanning
- Vulnerability scanning
- Testing the web application server and client software
Internal penetration test
- Two sites tested at the same time
- Test the separation between the sites and towards the Internet
- Check that no sensitive data is sent in clear text
- General security assessment – patch level, unnecessary services, …
- Segmentation of internal systems
Pentest – examples of results: ARP spoofing
ARP spoofing – necessary to be able to sniff network traffic between servers and check that no sensitive traffic was sent in clear text
IP filters prevented direct access to some servers – sniffing made it possible to see which servers they allowed access from
101hacker.com
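The technique the testers used to get between servers is also what a defender on those segments should be watching for. As an added Python example written for this page (not part of the assessment's tooling), the check below reads ARP replies from a capture and raises an alert when an IP address suddenly answers from a different MAC, or when one MAC answers for several addresses. The capture lines are constructed in tcpdump's ARP output style; the `baseline` argument, for feeding in known static entries for gateways and servers, is an assumption.

```python
"""Passive ARP spoofing check over capture lines: flag an IP whose MAC
changes and a MAC that answers for several IPs. Added example for this
page; the capture is constructed in tcpdump's ARP output style."""
import re
from collections import defaultdict

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-fA-F:]{17})")

# Constructed capture: a gateway and a server answer normally, then a third
# host answers for both of them.
SAMPLE_CAPTURE = [
    "09:00:01.100 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28",
    "09:00:01.200 ARP, Reply 10.0.0.20 is-at 00:11:22:33:44:20, length 28",
    "09:00:02.000 ARP, Request who-has 10.0.0.1 tell 10.0.0.20, length 28",
    "09:00:05.300 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:99, length 28",
    "09:00:05.400 ARP, Reply 10.0.0.20 is-at 00:11:22:33:44:99, length 28",
]


def detect_arp_spoofing(lines, baseline=None):
    """Return alerts as tuples. `baseline` may hold known static IP->MAC pairs;
    without it the first reply seen for an IP is taken as the truth."""
    known = dict(baseline or {})
    claims = defaultdict(set)      # mac -> set of IPs it has answered for
    alerts = []
    for line in lines:
        m = ARP_REPLY.match(line)
        if not m:
            continue               # requests and non-ARP lines are ignored
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        claims[mac].add(ip)
        if ip in known and known[ip] != mac:
            alerts.append(("mac-change", ts, ip, known[ip], mac))
        else:
            known.setdefault(ip, mac)
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append(("multi-ip", mac, tuple(sorted(ips))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_CAPTURE):
        print(alert)
```

The baseline is kept at the first-seen mapping rather than updated on a change, so every later spoofed reply is reported again instead of silently becoming the new truth. On the switches themselves the equivalent control is static entries or dynamic ARP inspection; the point of the slide, that the test team could only read traffic because they could sit between hosts on the segment, is exactly what this check makes visible.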
Code review – example of XSS
The vulnerable link which was identified during the test is the following:
https://195.43.61.60/voting/applet/error.do?eeid=VALG2007&errorCode=welcomeController.error.eeid&lang=XSS (replacing XSS with a malicious script)
XSS - description
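The error page takes eeid, errorCode and lang from the URL and reflects them, so the fix is to treat each as data in the context where it is emitted. As an added Python example written for this page (not E-valg code), the handler below validates lang against an allow-list and HTML-escapes the other values for their attribute or text-node context; the set of language codes and the page template are assumptions, and the script tag is a constructed test input of the kind the slide refers to.

```python
"""Hardening for the reflected error-page parameters on the slide. Added
example for this page, not E-valg code; language allow-list and template
are assumptions."""
import html

SUPPORTED_LANGS = {"nb", "nn", "en"}     # assumption: the UI's language codes
DEFAULT_LANG = "nb"


def normalize_lang(lang):
    """Allow-list: anything that is not a known language code falls back to the default."""
    return lang if lang in SUPPORTED_LANGS else DEFAULT_LANG


def render_error_page(eeid, error_code, lang):
    """Escape every reflected value for its context (attribute value or text node)."""
    safe_lang = normalize_lang(lang)
    return (
        f'<html lang="{html.escape(safe_lang, quote=True)}">'
        f'<body><p class="error" data-eeid="{html.escape(eeid, quote=True)}">'
        f'{html.escape(error_code)}</p></body></html>'
    )


def reflects_unescaped(page, tainted):
    """Review check: True if a tainted input reaches the output verbatim."""
    return tainted in page


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"   # constructed test input
    page = render_error_page("VALG2007", "welcomeController.error.eeid", payload)
    print(page)
    print("reflected unescaped:", reflects_unescaped(page, payload))
```

The allow-list does the real work for lang: a language selector only ever needs a handful of fixed values, so there is no reason to echo anything else. Escaping covers the values that legitimately vary, and the escaping function has to match the context, which is why the attribute values use quote=True.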
Log analysis
Splunk
- Collects web application logs
- Debugging
- Forensic/incident investigation
What happens next?
Election results

County       Voted electronically   Voted in advance   E-voters as percent of advance voters
Bodø         29,07 %                41,40 %            70,21 %
Bremanger    20,96 %                30,87 %            67,89 %
Hammerfest   25,89 %                41,44 %            62,47 %
Mandal       19,78 %                30,41 %            65,04 %
Radøy        31,15 %                38,55 %            80,82 %
Re           22,46 %                29,58 %            75,92 %
Sandnes      27,00 %                33,89 %            79,68 %
Tynset       31,60 %                39,86 %            79,28 %
Vefsn        21,54 %                33,55 %            64,20 %
Ålesund      26,42 %                37,60 %            70,26 %
Total        26,40 %                36,43 %            72,48 %

Norway 22,20 %
More information
Project web site: http://e-valg.dep.no
The source code is available on the Internet: http://source.evalg.stat.no
The election system: http://evalg.stat.no
24/7 monitoring
Christian Bull was interviewed in Computer Sweden 2012-04-23: http://computersweden.idg.se/2.2683/1.444711
The future
- 2017: Full scale national election in Norway?
- Common criteria evaluation?
- Sweden?
Is E-valg secure?
Is E-valg more secure than current systems?
Questions?