diff -r 729b86eae005 -r 40c51038c9e4 slides/slides02.tex --- a/slides/slides02.tex Tue Sep 24 12:29:24 2013 +0100 +++ b/slides/slides02.tex Mon Sep 30 23:57:44 2013 +0100 @@ -1,6 +1,5 @@ \documentclass[dvipsnames,14pt,t]{beamer} -\usepackage{beamerthemeplainculight} -\usepackage[T1]{fontenc} +\usepackage{beamerthemeplaincu} \usepackage[latin1]{inputenc} \usepackage{mathpartir} \usepackage[absolute,overlay]{textpos} @@ -71,8 +70,13 @@ showstringspaces=false} % beamer stuff -\renewcommand{\slidecaption}{APP 02, King's College London, 2 October 2012} +\renewcommand{\slidecaption}{APP 02, King's College London, 1 October 2013} +%Bank vs Voting +%http://www.parliament.vic.gov.au/images/stories/committees/emc/2010_Election/submissions/13_VTeague_EMC_Inquiry_No.6.pdf + +% first cyber attack +%http://investigations.nbcnews.com/_news/2013/03/18/17314818-cyberattack-on-florida-election-is-first-known-case-in-us-experts-say \begin{document} @@ -86,16 +90,12 @@ \LARGE Privacy Policies (2)\\[-6mm] \end{tabular}}\bigskip\bigskip\bigskip - %\begin{center} - %\includegraphics[scale=1.3]{pics/barrier.jpg} - %\end{center} - \normalsize \begin{center} \begin{tabular}{ll} Email: & christian.urban at kcl.ac.uk\\ - Of$\!$fice: & S1.27 (1st floor Strand Building)\\ - Slides: & KEATS (also home work is there) + Office: & S1.27 (1st floor Strand Building)\\ + Slides: & KEATS (also homework is there)\\ \end{tabular} \end{center} 
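Review bot: Dropping `\usepackage[T1]{fontenc}` in the preamble hunk leaves the deck on the default OT1 encoding while `\usepackage[latin1]{inputenc}` stays, so accented characters are built from composites, which hurts hyphenation and copy-and-paste from the PDF. Unless `beamerthemeplaincu` sets a font encoding itself (not visible in this diff), keep `\usepackage[T1]{fontenc}` next to the `inputenc` line. If the removal is deliberate, a one-line `%` comment stating the reason would stop it being re-added later.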
@@ -103,94 +103,244 @@ \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{c}Homework\end{tabular}} - - -\ldots{} I have a question about the homework.\\[3mm] -Is it required to submit the homework before\\ -the next lecture?\\[5mm] - -Thank you!\\ -Anonymous - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] +\frametitle{\begin{tabular}{c}This Course is about\\[-2mm] ``Satan's Computer''\end{tabular}} -\begin{center} -\begin{tabular}[t]{c} -\includegraphics[scale=1.2]{pics/barrier.jpg}\\ -future lectures -\end{tabular}\;\;\; -\onslide<2>{ -\begin{tabular}[t]{c} -\includegraphics[scale=0.32]{pics/trainwreck.jpg}\\ -today +Ross Anderson and Roger Needham wrote:\bigskip + +\begin{tikzpicture} +\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] +{\normalsize\color{darkgray} +\begin{minipage}{10cm}\raggedright\small +``In effect, our task is to program a computer which gives +answers which are subtly and maliciously wrong at the most +inconvenient possible moment\ldots{} we hope that the lessons +learned from programming Satan's computer may be helpful +in tackling the more common problem of programming Murphy's.'' +\end{minipage}}; +\end{tikzpicture}\\[30mm] + +\only<2>{ +\begin{textblock}{11}(2,12) +\begin{tabular}{c} +\includegraphics[scale=0.12]{pics/ariane.jpg}\\[-2mm] +\footnotesize Murphy's computer \end{tabular} -} -\end{center} +\begin{tabular}{c} +\includegraphics[scale=0.15]{pics/mobile.jpg}\; +\includegraphics[scale=0.06]{pics/pinsentry.jpg}\\[-2mm] +\footnotesize Satan's computers +\end{tabular} +\end{textblock}} - \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\Large\begin{tabular}{c}User-Tracking Without Cookies\end{tabular}} + +Can you track a user {\bf without}: + +\begin{itemize} +\item Cookies +\item Javascript +\item LocalStorage/SessionStorage/GlobalStorage +\item Flash, Java or other plugins +\item Your IP address or user agent string +\item Any methods employed by Panopticlick\\ +\mbox{}\hfill $\rightarrow$ \textcolor{blue}{\url{https://panopticlick.eff.org/}} +\end{itemize} + +Even when you disabled cookies entirely, have Javascript turned off and use a VPN service.\\\pause +And numerous sites already use it (Google). + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Web-Protocol\end{tabular}} + +\only<1->{ +\begin{textblock}{1}(2,2) + \begin{tikzpicture}[scale=1.3] + \draw[white] (0,0) node (X) {\includegraphics[scale=0.12]{pics/firefox.jpg}}; + \end{tikzpicture} +\end{textblock}} + +\only<1->{ +\begin{textblock}{1}(11,2) + \begin{tikzpicture}[scale=1.3] + \draw[white] (0,0) node (X) {\includegraphics[scale=0.15]{pics/servers.png}}; + \end{tikzpicture} +\end{textblock}} + +\only<1->{ +\begin{textblock}{1}(5,2.5) + \begin{tikzpicture}[scale=1.3] + \draw[white] (0,0) node (X) {}; + \draw[white] (3,0) node (Y) {}; + \draw[red, ->, line width = 2mm] (X) -- (Y); + \node [inner sep=5pt,label=above:\textcolor{black}{\small GET static.jpg}] at ($ (X)!.5!(Y) $) {}; + \end{tikzpicture} +\end{textblock}} + +\only<2->{ +\begin{textblock}{1}(5,6) + \begin{tikzpicture}[scale=1.3] + \draw[white] (0,0) node (X) {}; + \draw[white] (3,0) node (Y) {}; + \draw[red, <-, line width = 2mm] (X) -- (Y); + \node [inner sep=5pt,label=below:\textcolor{black}{\small ETag: 7b33de1}] at ($ (X)!.5!(Y) $) {}; + \node [inner 
sep=5pt,label=above:{\includegraphics[scale=0.15]{pics/tvtestscreen.jpg}}] at ($ (X)!.5!(Y) $) {}; + \end{tikzpicture} +\end{textblock}} + +\only<3->{ +\begin{textblock}{1}(4.2,11) + \begin{tikzpicture}[scale=1.3] + \draw[white] (0,0) node (X) {}; + \draw[white] (3,0) node (Y) {}; + \draw[red, ->, line width = 2mm] (X) -- (Y); + \node [inner sep=5pt,label=above:\textcolor{black}{\small GET static.jpg ETag: 7b33de1}] at ($ (X)!.5!(Y) $) {}; + \end{tikzpicture} +\end{textblock}} + +\only<4->{ +\begin{textblock}{1}(4.2,13.9) + \begin{tikzpicture}[scale=1.3] + \draw[white] (0,0) node (X) {}; + \draw[white] (3,0) node (Y) {}; + \draw[red, <-, line width = 2mm] (X) -- (Y); + \node [inner sep=5pt,label=below:\textcolor{black}{\small HTTP/1.1 304 (Not Modified)}] at ($ (X)!.5!(Y) $) {}; + \end{tikzpicture} +\end{textblock}} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] -\frametitle{\begin{tabular}{@ {}c@ {}}SmartWater\end{tabular}} - -\begin{textblock}{1}(1,3) -\begin{tabular}{c} -\includegraphics[scale=0.15]{pics/SmartWater} +\frametitle{Today's Lecture} +\begin{center} +\begin{tabular}{cc} +\large online banking & \hspace{6mm}\large e-voting\\ +\textcolor{gray}{solved} & \hspace{6mm}\textcolor{gray}{unsolved}\\ \end{tabular} -\end{textblock} +\end{center} -\begin{textblock}{8.5}(7,3) -\begin{itemize} -\item seems helpful for preventing cable theft\medskip -\item wouldn't be helpful to make your property safe, because of possible abuse\medskip +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\item security is always a tradeoff -\end{itemize} -\end{textblock} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{@ {}c@ {}}Plain-text Passwords at IEEE\end{tabular}} 
+\begin{frame}[t] +\frametitle{\begin{tabular}{@ {}c@ {}}Voting as Security Problem\end{tabular}} -\small\textcolor{gray}{On 25 September 2012, a report on a data breach at IEEE:} - +What are the security requirements of a voting system?\bigskip \begin{itemize} -\item IEEE is a standards organisation (not-for-profit) -\item many standards in CS are by IEEE\medskip -\item 100k plain-text passwords were recorded in logs -\item the logs were openly accessible on their FTP server -\end{itemize}\bigskip - -\begin{flushright}\small -\textcolor{gray}{\url{http://ieeelog.com}} -\end{flushright} +\item<2->Integrity +\item<3->Ballot Secrecy +\item<5->Voter Authentication +\item<6->Enfranchisement +\item<7->Availability +\end{itemize} \only<2>{ -\begin{textblock}{11}(3,2) +\begin{textblock}{5.5}(8,5) +\begin{tikzpicture} +\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered] +{\small +\begin{minipage}{5cm}\raggedright +\begin{center} +\begin{minipage}{4.5cm} +\begin{itemize} +\item The outcome matches with the voters' intend. +\item There might be gigantic sums at stake and need to be defended against. +\end{itemize} +\end{minipage} +\end{center} +\end{minipage}}; +\end{tikzpicture} +\end{textblock}} + +\only<4>{ +\begin{textblock}{5.5}(8,5) +\begin{tikzpicture} +\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered] +{\small +\begin{minipage}{5cm}\raggedright +\begin{center} +\begin{minipage}{4.5cm} +\begin{itemize} +\item Nobody can find out how you voted. +\item (Stronger) Even if you try, you cannot prove how you voted. 
+\end{itemize} +\end{minipage} +\end{center} +\end{minipage}}; +\end{tikzpicture} +\end{textblock}} + +\only<5>{ +\begin{textblock}{5.5}(8,5) \begin{tikzpicture} -\draw (0,0) node[inner sep=2mm,fill=white, ultra thick, draw=red, rounded corners=2mm] -{\normalsize\color{darkgray} -\begin{minipage}{7.5cm}\raggedright\small -\includegraphics[scale=0.6]{pics/IEEElog.jpg} +\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered] +{\small +\begin{minipage}{5cm}\raggedright +\begin{center} +\begin{minipage}{4.5cm} +\begin{itemize} +\item Only authorised voters can vote up to the permitted number of votes. +\end{itemize} +\end{minipage} +\end{center} +\end{minipage}}; +\end{tikzpicture} +\end{textblock}} + +\only<6>{ +\begin{textblock}{5.5}(8,5) +\begin{tikzpicture} +\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered] +{\small +\begin{minipage}{5cm}\raggedright +\begin{center} +\begin{minipage}{4.5cm} +\begin{itemize} +\item Authorised voters should have the opportunity to vote. +\end{itemize} +\end{minipage} +\end{center} +\end{minipage}}; +\end{tikzpicture} +\end{textblock}} + +\only<7>{ +\begin{textblock}{5.5}(8,5) +\begin{tikzpicture} +\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered] +{\small +\begin{minipage}{5cm}\raggedright +\begin{center} +\begin{minipage}{4.5cm} +\begin{itemize} +\item The voting system should accept all authorised votes and produce results in a timely manner. +\end{itemize} +\end{minipage} +\end{center} \end{minipage}}; \end{tikzpicture} \end{textblock}} 
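Review bot: On the Web-Protocol frame the third arrow is labelled `GET static.jpg ETag: 7b33de1`, but `ETag` is the response header; a browser revalidating a cached copy sends the stored value back in `If-None-Match`, so the label should read `GET static.jpg If-None-Match: 7b33de1`. The preceding frame says "numerous sites already use it" before the technique has been named, so naming it (ETag-based tracking) would help. A closing line that clearing the browser cache discards the stored validator would make the example self-contained. In the Integrity box of the voting frame, `voters' intend` should be `voters' intent`.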
@@ -198,23 +348,202 @@ \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{\begin{tabular}{@ {}c@ {}}Problems with Voting\end{tabular}} + + +\begin{center}\large +\begin{tabular}{rcl} +Integrity & vs. & Ballot Secrecy\bigskip\\ +Authentication & vs. &Enfranchisement +\end{tabular} +\end{center}\bigskip\bigskip\pause + +Further constraints: + +\begin{itemize} +\item costs +\item accessibility +\item convenience +\item intelligibility +\end{itemize} +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{\begin{tabular}{@ {}c@ {}}Traditional Ballot Boxes\end{tabular}} + + +\begin{center} +\includegraphics[scale=2.5]{pics/ballotbox.jpg} +\end{center}\pause\bigskip + +they need a ``protocol'' + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting\end{tabular}} + + +\begin{itemize} +\item The Netherlands between 1997 - 2006 had electronic voting machines\\ +\textcolor{gray}{(hacktivists had found: they can be hacked and also emitted radio signals revealing how you voted)} + +\item Germany had used them in pilot studies\\ +\textcolor{gray}{(in 2007 a law suit has reached the highest court and it rejected electronic voting +on the grounds of not being understandable by the general public)} + +\item UK used optical scan voting systems in a few polls +\end{itemize} +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting\end{tabular}} + +\mbox{}\\[-12mm] +\begin{itemize} 
+\item US used mechanical machines since the 30s, later punch cards, now DREs and +optical scan voting machines + +\item Estonia used in 2007 the Internet for national elections +\textcolor{gray}{(there were earlier pilot studies in other countries)} + +\item India uses e-voting devices since at least 2003\\ +\textcolor{gray}{(``keep-it-simple'' machines produced by a government owned company)} + +\item South Africa used software for its tallying in the 1993 elections (when Nelson Mandela was elected) +\textcolor{gray}{(they found the tallying software was rigged, but they were able to tally manually)} +\end{itemize} +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{@ {}c@ {}}Virgin Mobile (USA)\end{tabular}} +\begin{frame}[t] +\frametitle{\begin{tabular}{@ {}c@ {}}A Brief History of Voting\end{tabular}} -\begin{flushright}\small -\textcolor{gray}{\url{http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/}} -\end{flushright} \begin{itemize} -\item for online accounts passwords must be 6 digits -\item you must cycle through 1M combinations (online)\pause\bigskip +\item Athenians +\begin{itemize} +\item show of hands +\item ballots on pieces of pottery +\item different colours of stones +\item ``facebook''-like authorisation +\end{itemize}\bigskip + +\textcolor{gray}{problems with vote buying / no ballot privacy}\bigskip + + +\item French Revolution and the US Constitution got things ``started'' with +paper ballots (you first had to bring your own; later they were pre-printed by parties) +\end{itemize} +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{\begin{tabular}{@ {}c@ {}}Ballot Boxes\end{tabular}} + +Security policies involved with paper ballots: + 
+\begin{enumerate} +\item you need to check that the ballot box is empty at the start of the poll / no false bottom (to prevent ballot stuffing) +\item you need to guard the ballot box during the poll until counting +\item tallied by a team at the end of the poll (independent observers) +\end{enumerate} + +\begin{center} +\includegraphics[scale=1.5]{pics/ballotbox.jpg} +\end{center} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{\begin{tabular}{@ {}c@ {}}Paper Ballots\end{tabular}} + +What can go wrong with paper ballots? + +\only<2>{ +\begin{center} +\includegraphics[scale=0.8]{pics/tweet.jpg}\\ +\footnotesize William M.~Tweed, US Politician in 1860's\\ +``As long as I count the votes, what are you going to do about it?'' +\end{center}} -\item he limited the attack on his own account to 1 guess per second, \alert{\bf and} -\item wrote a script that cleared the cookie set after each guess\pause -\item has been fixed now +\only<3>{ +\medskip +\begin{center} +\begin{minipage}{10cm} +{\bf Chain Voting Attack} +\begin{enumerate} +\item you obtain a blank ballot and fill it out as you want +\item you give it to a voter outside the polling station +\item voter receives a new blank ballot +\item voter submits prefilled ballot +\item voter gives blank ballot to you, you give money +\item goto 1 +\end{enumerate} +\end{minipage} +\end{center} +} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] + +Which security requirements do paper ballots satisfy better than voice voting?\bigskip + +\begin{itemize} +\item Integrity +\item Enfranchisement +\item Ballot secrecy +\item Voter authentication +\item Availability +\end{itemize} + +\end{frame}} + + 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{\begin{tabular}{@ {}c@ {}}Mechanical Voting Machines\end{tabular}} + +\begin{itemize} +\item<1-> Lever Voting Machines (ca.~1930 - 1990) +\only<1>{ +\begin{center} +\includegraphics[scale=0.56]{pics/leavermachine.jpg} +\end{center} +} +\item<2->Punch Cards (ca.~1950 - 2000) +\only<2>{ +\begin{center} +\includegraphics[scale=0.5]{pics/punchcard1.jpg}\;\; +\includegraphics[scale=0.46]{pics/punchcard2.jpg} +\end{center} +} \end{itemize} 
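Review bot: The second E-Voting frame dates the South African election to 1993, but the election in which Nelson Mandela was elected was held in April 1994, so the item should read `in the 1994 elections`. The Germany item on the first E-Voting frame is worth re-checking too: as far as I recall the Federal Constitutional Court ruled in 2009, so `in 2007` may describe only when the case was brought. On the Paper Ballots frame the chain-voting steps are listed without the control that counters them; a closing line on ballot accounting (for example a numbered stub checked before the ballot goes into the box) would give students the defence as well. Year ranges such as `1997 - 2006` and `ca.~1930 - 1990` read better with an en-dash, `1997--2006`.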
@@ -222,29 +551,51 @@ \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{\begin{tabular}{@ {}c@ {}}Electronic Voting Machines\end{tabular}} + +\begin{center} +\begin{tabular}{c} +\includegraphics[scale=0.45]{pics/dre1.jpg}\; +\includegraphics[scale=0.40]{pics/dre2.jpg}\\\hline\\ +\includegraphics[scale=0.5]{pics/opticalscan.jpg} +\end{tabular} +\end{center} + +\only<1->{ +\begin{textblock}{5.5}(1,4) +DREs +\end{textblock}} +\only<1->{ +\begin{textblock}{5.5}(1,11) +Optical Scan +\end{textblock}} + +\only<2>{ +\begin{textblock}{5.5}(0.5,14.5) +all are computers +\end{textblock}} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] -\frametitle{\begin{tabular}{@ {}c@ {}}Smash the Stack for Fun \ldots\end{tabular}} +\frametitle{\begin{tabular}{@ {}c@ {}}DREs\end{tabular}} + +Direct-recording electronic voting machines\\ +(votes are recorded for example on memory cards) -\begin{itemize} -\item ``smashing the stack attacks'' or ``buffer overflow attacks'' -\item one of the most popular attacks;\\ attack of the (last) decade\\ ($>$ 50\% of security incidents reported at CERT are related to buffer overflows) -\begin{flushright}\small -\textcolor{gray}{\url{http://www.kb.cert.org/vuls}} -\end{flushright} -\medskip -\item made popular in an article by Elias Levy\\ (also known as Aleph One):\\ +typically touchscreen machines + +usually no papertrail + \begin{center} -{\bf ``Smashing The Stack For Fun and Profit''} -\end{center}\medskip - -\begin{flushright} -\small\textcolor{gray}{\url{http://www.phrack.org}, Issue 49, Article 14} -\end{flushright} - -\end{itemize} +\includegraphics[scale=0.56]{pics/dre1.jpg} +\end{center} \end{frame}} 
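Review bot: The DREs frame says `usually no papertrail` without saying what that costs, and spells the term differently from the later `Paper Trail` frame. I would write `usually no paper trail` and add a short line that without one there is no record independent of the machine's software to recount or audit against. The `\only<1->{...}` wrappers around the two label textblocks on the Electronic Voting Machines frame show on every slide, so they are no-ops and can be dropped.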
@@ -253,53 +604,104 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] -\frametitle{\begin{tabular}{c}The Problem\end{tabular}} +\frametitle{\begin{tabular}{@ {}c@ {}}Diebold Machines\end{tabular}} + +The work by J.~Alex Halderman: \begin{itemize} -\item The basic problem is that library routines in C look as follows: -\begin{center} -{\lstset{language=Java}\fontsize{8}{10}\selectfont% -\texttt{\lstinputlisting{app5.c}}} -\end{center} -\item the resulting problems are often remotely exploitable -\item can be used to circumvents all access control -(botnets for further attacks) +\item acquired a machine from an anonymous source\medskip +\item the source code running the machine was tried to be kept secret\medskip\pause + +\item first reversed-engineered the machine (extremely tedious) +\item could completely reboot the machine and even install a virus that infects other Diebold machines +\item obtained also the source code for other machines \end{itemize} - + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{@ {}c@ {}}Diebold Machines\end{tabular}} + +What could go wrong?\pause \;\;Failure-in-depth.\bigskip\pause + +A non-obvious problem: + +\begin{itemize} +\item you can nowadays get old machines, which still store old polls + +\item the paper ballot box needed to be secured during the voting until counting; +e-voting machines need to be secured during the entire life-time +\end{itemize} + \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] -\frametitle{\begin{tabular}{c}Variants\end{tabular}} +\frametitle{\begin{tabular}{@ {}c@ {}}Paper Trail\end{tabular}} -There are many variants: +Conclusion:\\ Any electronic solution should have a paper trail. 
-\begin{itemize} -\item return-to-lib-C attacks -\item heap-smashing attacks\\ -\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip +\begin{center} +\begin{tabular}{c} +\includegraphics[scale=0.5]{pics/opticalscan.jpg} +\end{tabular} +\end{center}\pause -\item ``zero-days-attacks'' (new unknown vulnerability) -\end{itemize} - +You still have to solve problems about +voter registration, voter authentification, guarding against tampering + \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting in India\end{tabular}} + +Their underlying engineering principle is ``keep-it-simple'': + +\begin{center} +\begin{tabular}{c} +\includegraphics[scale=1.05]{pics/indiaellection.jpg}\;\; +\includegraphics[scale=0.40]{pics/india1.jpg} +\end{tabular} +\end{center}\medskip\pause + +Official claims: ``perfect'', ``tamperproof'', ``no need for technical improvements'' , ``infallible'' +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{@ {}c@ {}}Lessons Learned\end{tabular}} + +\begin{itemize} +\item keep a paper trail and design your system to keep this secure\medskip +\item make the software open source (avoid security-by-obscurity)\medskip +\item have a simple design in order to minimise the attack surface +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] -\small -\texttt{my\_float} is printed twice:\bigskip +\begin{center} +\includegraphics[scale=0.56]{pics/Voting1.png} +\end{center} -{\lstset{language=Java}\fontsize{8}{10}\selectfont% 
-\texttt{\lstinputlisting{C1.c}}} - \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% @@ -308,23 +710,10 @@ \begin{frame}[c] \begin{center} -\only<1>{\includegraphics[scale=0.9]{pics/stack1}\;\;} -\only<2>{\includegraphics[scale=0.9]{pics/stack2}\;\;} -\only<3>{\includegraphics[scale=0.9]{pics/stack3}\;\;} +\includegraphics[scale=0.56]{pics/Voting2.png} \end{center} - - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -{\lstset{language=Java}\fontsize{8}{10}\selectfont% -\texttt{\lstinputlisting{C2.c}}} - - \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
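Review bot: The Lessons Learned frame presents `make the software open source` as enough to avoid security-by-obscurity, but published source does not show which code is actually running on a given machine. A short qualifier such as `(helps review, but does not prove what runs on the machine)` would tie it back to the paper-trail bullet above it. On the Diebold frames, `was tried to be kept secret` and `reversed-engineered` need rewording (for example `an attempt was made to keep the source code secret`, `reverse-engineered`), and `voter authentification` on the Paper Trail frame should match the `Voter Authentication` used earlier in the deck. The first Diebold frame credits the work to one person and gives no reference; a citation line with `\url{...}`, as on the Panopticlick item, would let students check the claims.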
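Review bot: The frame added in this hunk contains only `\includegraphics[scale=0.56]{pics/Voting2.png}`, with no `\frametitle`, caption or source line. The same holds for `Voting1.png` at the end of the previous hunk and for `Voting3.png` and `Voting4.png` in the next one. Anyone reading the source or a handout cannot tell what the four images show or where they come from; a `\frametitle{...}` and a `\footnotesize` credit under each image would fix that.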
@@ -332,115 +721,23 @@ \mode{ \begin{frame}[c] -\small -A programmer might be careful, but still introduce vulnerabilities:\bigskip - -{\lstset{language=Java}\fontsize{8}{10}\selectfont% -\texttt{\lstinputlisting{C2a.c}}} - - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{center} +\includegraphics[scale=0.56]{pics/Voting3.png} +\end{center} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{c}Payloads\end{tabular}} -\begin{itemize} -\item the idea is you store some code as part to the buffer -\item you then override the return address to execute this payload\medskip -\item normally you start a root-shell\pause -\item difficulty is to guess the right place where to ``jump'' -\end{itemize} - \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] -\frametitle{\begin{tabular}{c}Payloads (2)\end{tabular}} - -\begin{itemize} -\item another difficulty is that the code is not allowed to contain \texttt{$\backslash$x00}: \begin{center} -\texttt{xorl \%eax, \%eax} +\includegraphics[scale=0.56]{pics/Voting4.png} \end{center} -\end{itemize}\bigskip\bigskip - -{\lstset{language=Java}\fontsize{8}{10}\selectfont% -\texttt{\lstinputlisting{app5.c}}} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{c}Format String Vulnerability\end{tabular}} - -\small -\texttt{string} is nowhere used:\bigskip - -{\lstset{language=Java}\fontsize{8}{10}\selectfont% -\texttt{\lstinputlisting{programs/C4.c}}}\bigskip - -this vulnerability can be used to read out the stack - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - 
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{c}Protections against BO Attacks\end{tabular}} - -\begin{itemize} -\item use safe library functions -\item ensure stack data is not executable (can be defeated) -\item address space randomisation (makes one-size-fits-all more difficult) -\item choice of programming language (one of the selling points of Java) - -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{c}Security Goals\end{tabular}} - -\begin{itemize} -\item Prevent common vulnerabilities from occurring (e.g. buffer overflows)\pause -\item Recover from attacks (traceability and auditing of security-relevant actions)\pause -\item Monitoring (detect attacks)\pause -\item Privacy, confidentiality, anonymity (to protect secrets)\pause -\item Authenticity (needed for access control)\pause -\item Integrity (prevent unwanted modification or tampering)\pause -\item Availability and reliability (reduce the risk of DoS attacks) -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{\begin{tabular}{c}Homework\end{tabular}} - -\begin{itemize} -\item Assume format string attacks allow you to read out the stack. What can you do - with this information?\bigskip - -\item Assume you can crash a program remotely. Why is this a problem? -\end{itemize} - \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%