I've been involved in a discussion about how to build internet voting software for a general election. We've reached a general consensus that there exist plenty of secure methods for two-way authentication and communication.

However, someone came along and pointed out that in a general election some of the machines being used are almost certainly going to be compromised. To quote:

Let me be an evil electoral fraudster. I want to sample people's votes as they vote and hope I get something scandalous. I hire a bot-net from some really shady dudes who control 1000 compromised machines in the UK just for election day.

I capture the voting habits of 1000 voters on election day. I notice 5 of them have voted BNP. I look these users up and check out their machines, I look through the documents on their machines and find out their names and addresses. I find out one of them is the wife of a Tory MP. I leak 'wife of Tory MP is a fascist!' to some blogger I know. It hits the internet and goes viral, swings an election.

That's a serious problem!

So, what are the best techniques for running software where user interactions with the software must be kept secret, on a machine which is possibly compromised?

A: 

An obvious solution is to send the software to the end user on a bootable CD. The user simply restarts their computer and they're now on a non-compromised computer.

However, this is not terribly simple to develop (trying to make the OS on the CD compatible with all the variations of hardware we're going to encounter on machines). Also, I can't imagine that the average home user has their BIOS set to "Boot from CD", and telling voters to modify their BIOS settings is just going too far.

Martin
This will not work if the machine has a physical keylogger attached - the keystrokes will still be captured.
BIOS, PCI roms, etc can be infected, not to mention the hardware itself.
Longpoke
+1 interesting thought experiment.
Rook
@Longpoke there are also "bootkits", and a hacked BIOS could be forced to always use the bootkit, even if a CD is selected. I'm not sure what you mean by "infected PCI roms". You need to provide more details or leet hackers will think you're just a troll.
Rook
I was assuming that physical hacks are going to be far too rare to be a huge problem. How common is an infected BIOS?
Martin
PCI expansion ROM... You don't need any "bootkit" if you already infected the BIOS, but yes, infecting the MBR is another method of attack, although it can be bypassed by setting the bootable media priority higher than the infected MBR.
Longpoke
@Martin: You don't need to be physically present to infect the BIOS or PCI expansion ROM.
Longpoke
@Longpoke You need to post a link to back up these flagrant claims.
Rook
@The Rook: http://www.google.ca/search?q=PCI+rom+rootkit And BIOS rootkits are just trivial, either reverse engineer your target BIOS and patch in your own code, or use ACPI to make it a little more portable.
Longpoke
@Longpoke aah, it's using PXE. The BIOS has enough free space to hold shellcode, but not enough to drive a backdoor. I guess it's possible to do a PXE boot over the open internet, but I don't think anyone has done this outside of a lab.
Rook
Another note, PXE uses TFTP to transfer the boot image. TFTP uses UDP, which doesn't ensure that the data makes it, and it doesn't use a checksum. If 1 packet is lost or even 1 bit gets flipped the victim's machine won't boot. And yes, you will still need a bootkit like the Blue Pill to pull off this attack.
Rook
@The Rook: Not all PCI devices are the same, all you need is a few hundred bytes to bootstrap, you can store the payload in any other media if needed. I'm very sure this has been done outside of a lab, because I've seen it.
Longpoke
@Longpoke You'll never be at my skill level (http://milw0rm.com/author/677). BTW I spoke at Blackhat, the same con that talked about "PCI rootkits".
Rook
I've also seen people claiming to sell firmware rootkits for optical devices and NICs.
Longpoke
@The Rook: lol :D But eh, my point is that you can't trust the preboot environment, if there was an election based on voting from a bootable disk, I can guarantee you that someone will massively rootkit preboot environments, regardless of the current ability of script kiddie bot herders / spammers who dominate 99% of PCs already.
Longpoke
@The Rook: What? I don't agree with that. Preboot attacks can be done widespread and automatically, nobody is going to go to a million houses and install hardware keyloggers.
Longpoke
One of many problems with distributing CDs is the risk of malicious software being inserted onto the CD at some point. I don't want to put software arriving in the post onto my computers, particularly from a source with a poor track record.
Tom Hawtin - tackline
That's a good point, Tom. I think the discussions over at the other place generally agreed that the voting software should be open source for those people who wish to make sure that it's more secure by inspecting it themselves, and they can even burn their own CD if they wish.
Martin
A: 

The biggest threat facing e-voting is the ability for an attacker to influence the election. By sending CDs to people you make Massive Identity Leaks more valuable. Not only can an attacker destroy their credit, but they can also destroy their country.

Even forcing people to use specific hardware doesn't work. Look at console modding, or ATM skimmers and hardware keyloggers. You have to worry about transferring the votes to be counted; even SSL has security problems. There is also the problem of the centralized database: SQL injection would be devastating.

The real question is, "Is e-voting more secure than paper voting?" What is harder for an attacker to influence? To be honest I don't think e-voting machines would have changed the outcome of the recent Iranian election.

Rook
WTF. Why would there be something as _trivial_ as SQL injection in a voting system...
Longpoke
@longpoke because government is slow and inefficient.
Rook
How do you manage to build a system on such a massive scale and not use something sane such as an ORM or parameterized queries? It's _more_ work to make SQL injection possible. You'd have to have absolutely incompetent programmers and no security review for this to fly.
Longpoke
@Longpoke "Incompetent" That sums up every government.
Rook
Longpoke has a point and I would tend to agree that SQL injection represents any kind of threat.
Tomislav Nakic-Alfirevic
Why is sending a CD to a person going to cause more data leaks? You simply bundle the CD with the voting card which every voter already gets in the post.
Martin
@Martin I assume that you would have to identify yourself somehow. When you vote you have to show ID... By not showing ID then it's even more insecure; you could just raid people's mail boxes or even hijack a large shipment of mail during elections.
Rook
In the UK you have to show no ID, you simply state your name and address. The current paper voting system in the UK is incredibly insecure.
Martin
@Martin that is unbelievable, but I have never voted in the UK so I believe you.
Rook
I voted for the first time in the elections a couple of days ago, and coming from a background in security where security is a big issue I was absolutely amazed by the insecurity.
Martin
It's not insecure (see comments to answer above). Postal voting, now *that's* insecure, and indeed does suffer fraud at a rate that isn't completely trivial.
Steve Jessop
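The "parameterized queries" point from the comments above, as an added example that is not part of the original thread. The `tallies` table, the payload and the function names are assumptions for illustration; it uses the standard-library `sqlite3` module so it runs offline.

```python
"""Vulnerable string-built UPDATE beside its parameterized form, on a toy
tally table (added example, not code from the thread)."""
import sqlite3


def make_db():
    """In-memory tally table with two constructed candidates at zero votes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tallies (candidate TEXT PRIMARY KEY, votes INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO tallies VALUES (?, 0)", [("Nice Party",), ("Nasty Party",)]
    )
    return conn


def record_vote_vulnerable(conn, candidate):
    """The candidate string is spliced into the SQL, so it is parsed as SQL."""
    conn.execute(
        f"UPDATE tallies SET votes = votes + 1 WHERE candidate = '{candidate}'"
    )


def record_vote_safe(conn, candidate):
    """Bound parameter: the candidate is only ever a value, never SQL.
    Checking rowcount also catches a name that matches nothing."""
    cur = conn.execute(
        "UPDATE tallies SET votes = votes + 1 WHERE candidate = ?", (candidate,)
    )
    if cur.rowcount != 1:
        raise ValueError("no such candidate")


def tally(conn):
    return dict(conn.execute("SELECT candidate, votes FROM tallies ORDER BY candidate"))


def injection_demo():
    """Submit the same hostile 'candidate' to both versions and report the tallies."""
    payload = "x' OR '1'='1"  # constructed payload: makes the WHERE clause match every row

    vulnerable = make_db()
    record_vote_vulnerable(vulnerable, payload)  # increments every candidate

    safe = make_db()
    try:
        record_vote_safe(safe, payload)
        safe_error = None
    except ValueError as exc:
        safe_error = str(exc)

    return {
        "vulnerable": tally(vulnerable),
        "safe": tally(safe),
        "safe_error": safe_error,
    }
```

The vulnerable version ends with one extra vote for every candidate from a single submission; the parameterized version changes nothing and rejects the input.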
+2  A: 

You have two main choices: either sidestep the compromised part of the machine (e.g. provide the full OS) or work within the compromise and make it hard to get hold of the data.

The second choice is more practical. Although you can't stop the shady dudes from eventually getting the data, you can make it difficult enough that it will take longer than a day, rendering the leaked voting habits harmless.

Assuming a web application, not using standard UI components and varying their locations on the screen, using multiple layers of encryption, disabling keyboard input, and using animations to fool screen grabbers can all make the process trickier, to buy more time.

mdma
+1 killer name.
Rook
So how would you make it more difficult to obtain the data? If you have a piece of screen grab software installed on the compromised machine then obtaining that data is fast and easy and I can't see any way around that
Martin
I was thinking of "obfuscating" user input, so that the software has to run for some time, generating fictitious screens and user input before and after the user has visited the voting page. It would then be harder to determine when the user is actually sitting in front of the PC and when the software is generating the screens. Another alternative is to use multi-modal input - e.g. the visual side is non-specific, and you need audio cues to make sense of what the UI means. (E.g. click on the box on the left for vote X. The placement of boxes to votes would be random.)
mdma
As to practicality, most people have trouble with an ordinary website, so this in practice would be very confusing for non-expert users, not to mention a pain, having to wait a period for the software to generate fake screens and input. But that's kind of how it is, with licencing, protection and extreme security - any measures put in place tend to reduce usability and increase complexity.
mdma
+3  A: 

So, what are the best techniques for running software where user interactions with the software must be kept secret, on a machine which is possibly compromised?

The only answer is that you cannot / must not do it. If the hardware or OS might have been compromised you cannot guarantee to keep the user interactions secret.

But the other take on this is that no voting system known to mankind (electronic or otherwise) is incorruptible. That is why you need to have people checking for fraud, and people watching the people, and a culture where corrupt behavior is not the norm.

EDIT

... if one can reduce the impact of compromised machines to below the level of corruption in a paper voting system you're achieving a positive gain.

You also have to take into account other forms of corruption that are much easier with electronic voting from home (like stand-over tactics, votes for sale, the fact that most people do not properly protect their electronic credentials, etc.). In short, what you are proposing is hypothetical, and (IMO) unrealistic.

It is simpler to fix the flaws with in-person, on-paper voting than to address a whole bunch of potentially worse problems with a hypothetical from-home, electronic voting.

(Also, you are implying a level of corruption with UK paper voting that surprises me as an ex UK resident. This is off topic, but can you provide references / links that back this up?)

Stephen C
This is why I asked for best techniques, if one can reduce the impact of compromised machines to below the level of corruption in a paper voting system you're achieving a positive gain
Martin
Impossible. We would have to make computing secure first, and then make it impossible for users to install any software that can interfere with the voting software. In something as big as a vote, there is no "harder", there is only **flawed**, in which case the attacker will see his point of entry and take victory.
Longpoke
My point was the system will be flawed, but if it's less flawed than the paper voting system (which is very flawed in the UK) then it's an improvement
Martin
We have pencil-and-paper voting in Australia, and it is no more flawed than US electronic and manual voting machines. I don't know why you say the UK system is flawed, but bear in mind that no system can be perfect. The main problem with the UK electoral system at the moment is "first past the post", and that has nothing to do with the *technology* used to record / count votes.
Stephen C
@Martin: With computers you can _automatically_ hijack a massive amount of votes, with paper, someone has to actually go intercept all those papers. I'm not sure using home computers would make this much better at all.
Longpoke
the problem with the technology is that the only proof of ID is walking into the polling station and stating my name and address. That's it, no real proof of identity.
Martin
@Martin - well the fix for that is to require proper proof of identity. E.g. you *must* show the voting card or your drivers license. Also do a post election audit of who has apparently voted more than once.
Stephen C
Yes, but I'm not trying to fix the paper system, I'm trying to design a better electronic one ;)
Martin
Regarding the comment in your answer, I'm not implying anything about the level of corruption in the UK voting system, just the potential for corruption
Martin
Also, it's true some forms of fraud are easier to commit on a huge scale in an electronic system. That's a large amount of what this question is about, reducing the possibility for huge scale interference (we have to accept there will always be some interference)
Martin
@Martin - Incorrect. Your first comment talks about "the level of corruption", not "the potential for corruption". Maybe you misspoke ... but your words said what they said.
Stephen C
@Martin: "the problem with the technology is that the only proof of ID is walking into the polling station and stating my name and address." - that's not a problem. It barely happens at all, which I know because if it did then returning officers would know about it by the number of people who (apparently) turn up to vote having already voted, and act all surprised and shocked. The reason it doesn't happen is because votes must be cast in person and it's very risky to vote multiple times in person using different names. If you're worried about UK paper balloting, worry about postal voting.
Steve Jessop
There's still a risk that if someone knows I'm not going to vote (I'm away from home at short notice, or apolitical), then they could steal my vote and nobody would ever know the difference. But, again, do we really believe this happens in significant numbers? Political parties bussing people about from one polling station to another so that they can steal one vote in each without being recognised by a poll clerk? It *could* happen, I guess, but it's a pretty big operation to keep secret and it's certainly not the low-hanging fruit of the balloting system.
Steve Jessop
... and of course it would have to be kept secret in order to work. Even if the perpetrators weren't caught, if a fraud affecting the result were detected then it would defeat the purpose. IMO the balloting system is *way* too important to attempt to fix something that isn't broken, which is why the difficulty with voting machines in the US and elsewhere is so absurd and so unforgiveable.
Steve Jessop
@Stephen, I misspoke, apologies. @Steve those are all good points, and I do worry about postal balloting! In fact, this discussion of electronic voting partially arose as a method to replace postal ballots with something more secure.
Martin
Fair enough, I sympathise with that. I'm a bit hostile to the idea of showing ID to vote, simply because it's one of the parade of non-reasons which were offered in turn, and knocked down in turn, to "justify" national ID cards when we knew the real reasons weren't what was offered. Not everybody has official ID, nor do I think in principle that they should have to buy an official ID in order to be permitted to vote, and it wouldn't reduce fraud. So it's just a pointless obstruction to the voting process - lose your passport, lose your franchise.
Steve Jessop
+1  A: 

Obviously you can not ensure confidentiality of the vote if the machine the vote is entered with is compromised. Whatever measures you take, all an attacker needs to do is to execute your software in a virtual machine that records all access to keyboard, mouse and screen. By playing back the recording, the attacker can see how the user voted ...

However, when designing an e-voting protocol this is the least of your worries. How do you prevent somebody from hacking the election server and manipulating results? How do you even detect tampering? What about the secrecy of my vote if the server is compromised? Can I be forced to reveal my vote?

meriton
This is obviously a concern too. However, I have some knowledge in the field of network security which is contributing to the debate elsewhere. My knowledge of low level security like CMOS hacks and keyloggers is basically nonexistent, hence this question ;)
Martin
+5  A: 

It can't be done. Fortunately, banks face exactly the same problem, so those little home chip'n'pin doohickies are pretty cheap.

So, if you want secure online voting, you send a custom voting doohicky to everyone who applies for one. This doohicky signs and encrypts their vote before sending it to the PC to be transmitted over the wire. The only thing an attacker on the wire can do, is eavesdrop whether or not the voter voted at all. Since political parties already do this, by posting party workers outside polling stations, that's not a significant risk to the system ;-)

You still face some of the problems of postal voting, such as vote buying and coercion, or stealing someone's doohicky, but only via physical access, not by compromising their PC. There are obvious DoS attacks if you rely on home internet connections, but there's no reason the voter can't have the option of going to the polling station if their connection goes down.

Whether the doohicky is cheap enough is still doubtful - I guess they cost a few pounds each, which I don't think is cheap on the scale of what is actually spent on elections. But they're not infeasibly expensive. I doubt they save much money at polling stations, unfortunately. The cost of polling in the UK depends pretty much on the number of polling stations. Problems this time notwithstanding, the number of polling stations isn't driven by the need to provide a fast enough throughput, it's driven by a desire that people not have to travel far to get to them. So having fewer voters doesn't really allow you to reduce the number of polling stations. Reducing paper might save time and money at the count, but surely not enough to pay for doohickies.

Finally of course there's still a risk of attack on the hardware. Someone could maybe intercept them in the post and replace them with identical-looking devices. But unlike attacking the hardware at a polling station, the attacker only affects one vote per piece of dedicated voting hardware compromised, so at least the bar is set high to begin with.

Steve Jessop
How would changing the hardware in the post affect the vote, surely that would just make the authentication stage fail rather than sending a false vote?
Martin
Depends how thoroughly the hardware can be replaced with modified behaviour. For a simplified example, suppose I take out the internal microchip which does the signing, and stick it into a new, correct-looking shell, with a modified display that replaces the text "Nasty Party" with "Nice Party" every time it sees it. So you the user see "Select a candidate to vote for". You select the one that looks like "Nice Party". "Confirm: vote for Nice Party?". You select yes. The microchip generates an authenticated vote for the Nasty Party. Once the attacker controls the hardware, you're screwed.
Steve Jessop
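The device protocol sketched in this answer, as an added example that is not part of the original thread: a per-voter device seals the ballot before it reaches the PC, the PC is treated purely as an untrusted relay, and the election server decrypts and verifies. The construction is an assumption (HMAC-SHA256 in counter mode as a stream cipher, encrypt-then-MAC with separately derived keys, a per-device sequence number against replay, and a fixed-length padded ballot so the ciphertext length does not leak the candidate) chosen so it runs with the standard library only; a real device would use a proper AEAD and an asymmetric signature. All identifiers, keys and candidate names are constructed for the demo.

```python
"""Model of a 'voting doohicky': the PC only ever sees an opaque, authenticated
blob, so a compromised PC can tell that a vote was cast but cannot read, alter,
forge or replay it (added example, not the answer's own design)."""
import hashlib
import hmac
import json
import secrets

BALLOT_LEN = 128  # fixed plaintext size: ciphertext length must not reveal the candidate


def derive_key(master, label):
    """Separate sub-keys for encryption and authentication from one master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used here as a stream cipher (assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class VotingDevice:
    """Trusted per-voter hardware: the ballot is sealed before the PC touches it."""

    def __init__(self, device_id, master_key):
        self.device_id = device_id
        self.enc_key = derive_key(master_key, b"enc")
        self.mac_key = derive_key(master_key, b"mac")
        self.seq = 0  # monotonic counter so the server can reject replayed blobs

    def seal_vote(self, candidate):
        self.seq += 1
        nonce = secrets.token_bytes(16)
        ballot = json.dumps(
            {"device": self.device_id, "seq": self.seq, "candidate": candidate}
        ).encode()
        if len(ballot) > BALLOT_LEN:
            raise ValueError("ballot too long for fixed-size padding")
        plaintext = ballot.ljust(BALLOT_LEN)  # space padding; json.loads ignores it
        ciphertext = xor_bytes(plaintext, keystream(self.enc_key, nonce, BALLOT_LEN))
        # Tag binds device id, nonce and ciphertext (encrypt-then-MAC).
        tag = hmac.new(
            self.mac_key, self.device_id.encode() + nonce + ciphertext, hashlib.sha256
        ).digest()
        # This dict is everything the (possibly compromised) PC ever sees.
        return {"device": self.device_id, "nonce": nonce.hex(),
                "ct": ciphertext.hex(), "tag": tag.hex()}


class ElectionServer:
    """Holds the per-device keys provisioned when the device was issued."""

    def __init__(self, device_keys):
        self.keys = {d: (derive_key(k, b"enc"), derive_key(k, b"mac"))
                     for d, k in device_keys.items()}
        self.seen = set()  # (device, seq) pairs already counted
        self.tally = {}

    def accept(self, blob):
        device_id = blob["device"]
        if device_id not in self.keys:
            return "unknown device"
        enc_key, mac_key = self.keys[device_id]
        nonce, ciphertext = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
        expected = hmac.new(
            mac_key, device_id.encode() + nonce + ciphertext, hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
            return "bad tag"  # tampered or forged: never decrypt unauthenticated data
        ballot = json.loads(xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
        if ballot["device"] != device_id:
            return "device mismatch"
        if (device_id, ballot["seq"]) in self.seen:
            return "replay"
        self.seen.add((device_id, ballot["seq"]))
        self.tally[ballot["candidate"]] = self.tally.get(ballot["candidate"], 0) + 1
        return "ok"


def device_demo():
    """One device, a PC that relays honestly and then misbehaves, one server."""
    master = secrets.token_bytes(32)  # provisioned into the device and the server
    device = VotingDevice("dev-0001", master)
    server = ElectionServer({"dev-0001": master})
    blob = device.seal_vote("Nice Party")
    results = {"honest": server.accept(blob)}
    results["replay"] = server.accept(blob)  # PC re-sends the same blob
    tampered = dict(blob)
    ct = bytearray(bytes.fromhex(blob["ct"]))
    ct[0] ^= 1  # PC flips one ciphertext bit
    tampered["ct"] = ct.hex()
    results["tampered"] = server.accept(tampered)
    # PC has no device key, so a blob it mints itself cannot carry a valid tag.
    forged = VotingDevice("dev-0001", b"\x00" * 32).seal_vote("Nasty Party")
    results["forged"] = server.accept(forged)
    results["tally"] = dict(server.tally)
    return results
```

The point the answer makes survives in the model: the relay learns the device id and a random-looking blob, i.e. that this voter voted, and nothing else. What the model cannot fix is the last comment's attack, a swapped device whose display lies to the voter, because the seal is applied by exactly the component the attacker now controls.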