1 Erik Nordin erik.b.nordin@combitech.se Fredrik Holgersson fredrik.holgersson@combitech.se Emilie...

Post on 15-Jan-2016


Erik Nordin, erik.b.nordin@combitech.se

Fredrik Holgersson, fredrik.holgersson@combitech.se

Emilie Barse, emilie.barse@combitech.se

Security assessment of the E-valg system

Agenda

Evalg 2011 - Introduction
Technical solution
Security assessment and results
What happens next?

Introduction to Evalg 2011

On Monday evening, September 12th 2011, experts and observers from around the world gathered in the auditorium of the government district, building R5, to witness the counting process of Norway's first electronic election for local governments.

This presentation deals with project experience, technical solution, results and future ...

Introduction film (7 min)

Customer

Ministry of local government and regional development [Kommunal- og regionaldepartementet (KRD)]

Christian Bull / responsible for security in Evalg project

Technical solution

V: voter

P: voter's computer

B: the ballot box

R: the receipt generator

D: the decryption service

A: the auditor

[Diagram: the voter V picks a party from the list (party1, party2, ...); the ballot is ElGamal-encrypted with a Schnorr proof of knowledge, shown on the slide as an unreadable ciphertext; a short code (8318 in the example) comes back to the voter, who compares it with the code printed for the chosen party: 8318 -> party OK!]

Locations

B: Brønnøysund

D: Oslo

R: Tønsberg

Zero-knowledge proof
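To make the two primitives named in the diagram concrete, here is an added toy example (not E-valg code, and not the system's real protocol or parameters): a party index is encrypted with exponential ElGamal, and a Schnorr proof shows that the sender knows the encryption randomness r. The group (p = 2039, q = 1019, g = 4) and the Fiat-Shamir hash layout are constructed for the example.

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

/** Added toy example: ElGamal encryption of a party index plus a Schnorr proof of knowledge of r.
 *  Constructed group: p = 2039 = 2*1019 + 1, q = 1019, g = 4 generates the order-q subgroup. */
public final class BallotEncryption {
    static final BigInteger P = BigInteger.valueOf(2039), Q = BigInteger.valueOf(1019);
    static final BigInteger G = BigInteger.valueOf(4);
    static final SecureRandom RNG = new SecureRandom();

    static BigInteger randExp() {                         // uniform in [1, q-1]
        BigInteger r;
        do { r = new BigInteger(Q.bitLength(), RNG); } while (r.signum() == 0 || r.compareTo(Q) >= 0);
        return r;
    }
    /** Returns {c1, c2, a, z}: ciphertext (c1, c2) and Schnorr proof (a, z) for c1 = g^r. */
    static BigInteger[] encrypt(BigInteger pk, int party) {
        BigInteger r = randExp();
        BigInteger c1 = G.modPow(r, P);
        BigInteger c2 = G.modPow(BigInteger.valueOf(party), P).multiply(pk.modPow(r, P)).mod(P);
        BigInteger w = randExp();                          // prover's commitment randomness
        BigInteger a = G.modPow(w, P);
        BigInteger z = w.add(challenge(c1, c2, a).multiply(r)).mod(Q);
        return new BigInteger[] {c1, c2, a, z};
    }
    static boolean verify(BigInteger[] b) {               // checks g^z == a * c1^e (mod p)
        BigInteger e = challenge(b[0], b[1], b[2]);
        return G.modPow(b[3], P).equals(b[2].multiply(b[0].modPow(e, P)).mod(P));
    }
    static int decrypt(BigInteger sk, BigInteger[] b, int parties) {   // g^m = c2 / c1^sk
        BigInteger gm = b[1].multiply(b[0].modPow(sk, P).modInverse(P)).mod(P);
        for (int m = 0; m < parties; m++)                  // small message space: exhaustive match
            if (G.modPow(BigInteger.valueOf(m), P).equals(gm)) return m;
        return -1;
    }
    static BigInteger challenge(BigInteger... parts) {    // Fiat-Shamir: e = H(c1 | c2 | a) mod q
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (BigInteger x : parts) md.update((x.toString() + "|").getBytes());
            return new BigInteger(1, md.digest()).mod(Q);
        } catch (NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); }
    }
    public static void main(String[] args) {
        BigInteger sk = randExp(), pk = G.modPow(sk, P);   // decryption service key pair
        BigInteger[] ballot = encrypt(pk, 2);              // voter chose party index 2
        System.out.println("proof valid: " + verify(ballot) + ", party: " + decrypt(sk, ballot, 5));
    }
}
```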

EDB ErgoGroup

Developed the e-voting solution (voting via the Internet). EDB ErgoGroup SYSteam is one of the leading IT players with approximately 10 000 employees and annual sales of almost SEK 16 billion. The company is listed on the Oslo Stock Exchange with headquarters in Oslo and has a significant presence in both the Norwegian and Swedish market with 135 offices in 16 countries worldwide.

http://www.edbergogroup.com/

Scytl

Spanish company
Subcontractor to EDB ErgoGroup
Implementation of the security functions
Scytl, worldwide leader in the development of secure solutions for electoral modernization. http://www.scytl.com/

Combitech

Swedish IT consulting company
Independent security evaluations
http://www.combitech.se/

Security assessment

Transparency vs. Secrecy?
Source code and documentation
Testing
Methodology/Restrictions
Results

http://source.evalg.stat.no

Iterative development process

[Timeline: iteration 1, iteration 2, iteration 3, iteration 4, iteration 5, iteration 6; the actual review begins part way through the iterations; lanes labelled Ergo+Scytl and CAB]

Security review

Source code review
  General purpose code review
  Verification of the implementation of cryptographic protocols

Penetration tests
  External
  Internal

(Log analysis)
Post election/test review

Source code review

The codebase: ~160.000 lines of code
Java – Admin, Authentication, Vote, Counting and Cryptography

Aim: identify flaws that could lead to:
  stored votes being manipulated
  invalid votes entered
  voting in another person's stead
  removal of valid votes (selectively)
  breach of the secrecy of the vote
  manipulation of the counting process

Methods

Automated – Sonar/Checkstyle/Findbugs
  Identify possible low-hanging fruit
  SQL injection, cross-site scripting…
  Error/exception handling

Manual – Eclipse, Understand
  Access methods
  Error/exception handling
  Traceability/Accountability
  User interaction/input
  Database interaction (queries and connections)
  Implementation of the cryptographic protocol
  (Overall source code state – well formatted, comments, structure, variable/attribute usage, …)

SQL Injection?

    // municipalityId and electionEventPk are concatenated into the SQL text rather than bound as parameters
    sql = " select e.election_group_id, e.election_id, e.contest_id, v.voter_id"
        + " FROM voter v"
        + " JOIN contest_area ca ON true"
        + " JOIN mv_area ac ON ac.mv_area_pk = ca.mv_area_pk"
        + " JOIN mv_area a ON text2ltree(a.area_path) <@ text2ltree(ac.area_path) AND a.area_level = 5"
        + " JOIN mv_election e ON e.election_event_pk = " + electionEventPk
        + " AND v.country_id::text = a.country_id::text"
        + " AND v.county_id::text = a.county_id::text"
        + " AND v.municipality_id::text = a.municipality_id::text"
        + " AND v.borough_id::text = a.borough_id::text"
        + " AND v.polling_district_id::text = a.polling_district_id::text"
        + " AND v.date_of_birth <= COALESCE(e.contest_end_date_of_birth, e.election_end_date_of_birth)"
        + " JOIN voting cv ON cv.voter_pk = v.voter_pk AND cv.election_group_pk = e.election_group_pk"
        + " WHERE e.election_level = 3"
        + " and v.election_event_pk = " + electionEventPk
        + " and v.municipality_id = '" + municipalityId + "'"
        + " and cv.approved"
        + " and ca.contest_pk = e.contest_pk"
        // order by is slow
        + " order by v.voter_id, e.election_id";

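The same lookup with the two caller-supplied values bound as JDBC parameters, as an added example (not E-valg project code): the SQL text is fixed at compile time, so nothing in municipalityId can change the statement. It assumes electionEventPk is a numeric key and that a JDBC Connection to the PostgreSQL schema from the slide is available.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

/** Added example (not E-valg code): the slide's voter lookup with every caller-supplied
 *  value bound as a JDBC parameter, so the query text never depends on their content. */
public final class ApprovedVoterQuery {
    // Same SQL as on the slide; '?' replaces each value that was concatenated in.
    private static final String SQL =
          " select e.election_group_id, e.election_id, e.contest_id, v.voter_id"
        + " FROM voter v"
        + " JOIN contest_area ca ON true"
        + " JOIN mv_area ac ON ac.mv_area_pk = ca.mv_area_pk"
        + " JOIN mv_area a ON text2ltree(a.area_path) <@ text2ltree(ac.area_path) AND a.area_level = 5"
        + " JOIN mv_election e ON e.election_event_pk = ?"
        + " AND v.country_id::text = a.country_id::text"
        + " AND v.county_id::text = a.county_id::text"
        + " AND v.municipality_id::text = a.municipality_id::text"
        + " AND v.borough_id::text = a.borough_id::text"
        + " AND v.polling_district_id::text = a.polling_district_id::text"
        + " AND v.date_of_birth <= COALESCE(e.contest_end_date_of_birth, e.election_end_date_of_birth)"
        + " JOIN voting cv ON cv.voter_pk = v.voter_pk AND cv.election_group_pk = e.election_group_pk"
        + " WHERE e.election_level = 3"
        + " and v.election_event_pk = ?"
        + " and v.municipality_id = ?"
        + " and cv.approved"
        + " and ca.contest_pk = e.contest_pk"
        + " order by v.voter_id, e.election_id";

    /** electionEventPk is assumed numeric and bound as a long; municipalityId stays a string
     *  but is sent as a bound parameter, so quotes or keywords inside it are plain data. */
    public static List<String> findApprovedVoters(Connection conn, long electionEventPk,
                                                  String municipalityId) throws SQLException {
        List<String> rows = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(SQL)) {
            ps.setLong(1, electionEventPk);
            ps.setLong(2, electionEventPk);
            ps.setString(3, municipalityId);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) rows.add(rs.getString("election_id") + ":" + rs.getString("voter_id"));
            }
        }
        return rows;
    }
}
```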

Penetration testing – logical view of network

[Diagram: Public / Evote, Return codes, Voter, MinID, SMS service, Filtered tunnel]


Goal of penetration test

A secure and robust production system
  Test applications in their final environment
  Identify weaknesses in the realization of the design
  Find forgotten test "features"
  Create a check list of vulnerabilities that need to be eliminated or mitigated

… and it is always nice to get a root prompt

Penetration test methodology

OSSTMM (Open Source Security Testing Methodology Manual)
Penetration testing framework (http://www.vulnerabilityassessment.co.uk/)

Tools:
  Port scanning - Nmap
  Vulnerability scanning - Nessus, OpenVAS
  Web application testing - BurpSuite, Nikto, W3AF
  Network traffic analysis - Wireshark, TCPdump, Urlsnarf
  ARP spoofing - Ettercap
  Port redirection, file transfer - Netcat

Platforms and services: mainly Linux based systems with web applications

External penetration test
  Port scanning
  Vulnerability scanning
  Testing the web application server and client software

Internal penetration test
  Two sites tested at the same time
  Test the separation between the sites and towards the Internet
  Check that no sensitive data is sent in clear text
  General security assessment – patch level, unnecessary services, …
  Segmentation of internal systems

Pentest – examples of results: ARP spoofing

ARP spoofing – necessary to be able to sniff network traffic between servers and check that no sensitive traffic was sent in clear text

IP-filters prevented direct access to some servers – sniffing made it possible to see which servers they allowed access from


Code review – example of XSS

The vulnerable link which was identified during the test is the following:

https://195.43.61.60/voting/applet/error.do?eeid=VALG2007&errorCode=welcomeController.error.eeid&lang=XSS (replacing XSS with a malicious script)
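A parameter like lang that is reflected into an error page has two standard defences, shown here as an added example (not E-valg code): only a known language code is accepted, and whatever is echoed is HTML-encoded. The allow-list of codes and the sample value are assumptions for the example, not values from the system.

```java
import java.util.Set;

/** Added example (not E-valg code): handling a reflected request parameter such as 'lang'
 *  on an error page. The allowed language codes are an assumption, not the system's list. */
public final class LangParam {
    private static final Set<String> ALLOWED = Set.of("nb", "nn", "en");   // assumed allow-list
    private static final String DEFAULT_LANG = "nb";

    /** First defence: only a known code is ever used; anything else falls back to the default. */
    public static String resolveLang(String requested) {
        return requested != null && ALLOWED.contains(requested) ? requested : DEFAULT_LANG;
    }

    /** Second defence: whatever is echoed into HTML is encoded so it cannot start markup. */
    public static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String requested = "<b>not a language</b>";           // constructed sample value
        System.out.println("lang used: " + resolveLang(requested));
        System.out.println("echoed as: " + htmlEscape(requested));
    }
}
```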

XSS - description

Log analysis

Splunk
  Collects web application logs
  Debugging
  Forensic/incident investigation

What happens next?

Election results

County      Voted electronically   Voted in advance   E-voters as percent of advance voters
Bodø        29,07 %                41,40 %            70,21 %
Bremanger   20,96 %                30,87 %            67,89 %
Hammerfest  25,89 %                41,44 %            62,47 %
Mandal      19,78 %                30,41 %            65,04 %
Radøy       31,15 %                38,55 %            80,82 %
Re          22,46 %                29,58 %            75,92 %
Sandnes     27,00 %                33,89 %            79,68 %
Tynset      31,60 %                39,86 %            79,28 %
Vefsn       21,54 %                33,55 %            64,20 %
Ålesund     26,42 %                37,60 %            70,26 %
Total       26,40 %                36,43 %            72,48 %

Norway: 22,20 % (national figure; the slide does not state which column it belongs to)

More information

Project web site: http://e-valg.dep.no

The source code is available on the Internet: http://source.evalg.stat.no

The election system: http://evalg.stat.no

24/7 monitoring

Christian Bull was interviewed in Computer Sweden 2012-04-23: http://computersweden.idg.se/2.2683/1.444711

The future

2017: Full scale national election in Norway?
Common Criteria evaluation?
Sweden?

Is E-valg secure?

Is E-valg more secure than current systems?

Questions?