The Return of Insecure Brazilian Voting Machines
Diego F. Aranha, Aarhus University
[email protected]
@dfaranha
Joint work with Pedro Barbosa, Thiago Cardoso, Caio Lüders, Paulo Matias

Context

Brazilian elections are special:
- Massive (140M voters, 81% turnout)
- Held every 2 years
- Became electronic in 1996 (fully in 2000)
- Controlled/executed/judged by TSE (SEC – Superior Electoral Court)

Context
[Image; source: Diebold]

Quick facts

Brazilian paperless DRE voting machines:
- Claimed 100% secure (but only tested in 2012...)
- Hardware by Diebold (> 0.5M machines)
- Software by SEC since 2006 (> 24M LOC)
- Adopted GNU/Linux in 2008 (after Windows CE...)
- Experimented with paper records in 2002
- Fingerprint identification since 2011 (> 50%)
- Highly vulnerable to insiders

Election workflow

1. Software installation (a card installs 50 machines)
2. Zero tape printed (7-8 AM)
3. Voting session opened
4. Votes cast
5. Voting session closed (5 PM) and poll tape printed
6. Media written with public files (PT, DRV, LOG)
7. Public products transmitted to central tabulator

Public Security Tests

Objective: untraceable violation of ballot integrity/privacy

Extremely restricted tests:
1. No pen/paper for source code
2. 3 days to inspect code, 4 days to mount attacks
3. Participants pre-approved by SEC
4. Attacks pre-approved by SEC
5. No guarantees about software (correct or recent?)
6. Intrinsic conflict of interests

Vulnerabilities from 2012

- Serious vulnerability in vote shuffling mechanism
- Massive sharing and insecure storage of keys
- Voting software checks itself through signatures
- No ballot secrecy or integrity of software/results
- Insecure development process
- Inadequate threat model
- Internal culture lacks transparency

Digital Record of the Votes (DRV)

Warning: Advanced Cryptanalysis

    grep -r rand *

Match in DRV.cpp! Seed?

    srand(time(NULL))

Defense in depth?

Conclusions from 2012

- Trivial to recover votes in order
- Trivial to recover the vote cast at a specific time
Eliminate the DRV and do not store metadata!
"Fixed" by a custom algorithm seeded with system entropy, although the voting machine has two hardware RNGs
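The DRV attack from the slides above, as an added example that is neither the TSE source nor the authors' code. The only thing taken from the page is the seeding, srand(time(NULL)); the storage model (a fixed table of 64 slots, each vote placed in a random empty slot drawn with libc rand()), every function name, and the sample votes and LOG timestamps are assumptions. An attacker holding the public DRV replays the generator from a time window around the one printed on the zero tape, recovers the votes in cast order, and, joined with the per-vote timestamps in the LOG, reads off the vote cast at a given moment.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SLOTS 64   /* assumed size of the DRV table */
#define EMPTY 0    /* candidate numbers are assumed to be > 0 */

typedef struct { int slot[SLOTS]; } drv_t;

/* Assumed placement rule: draw slots with libc rand() until an empty one. */
static int pick_slot(const drv_t *d) {
    int s;
    do { s = rand() % SLOTS; } while (d->slot[s] != EMPTY);
    return s;
}

/* Machine side. Seeding once from the wall clock, as the slide's
 * srand(time(NULL)) does, makes the seed the only secret behind vote order. */
void drv_open(drv_t *d, unsigned seed) {
    memset(d, 0, sizeof *d);
    srand(seed);
}

int drv_store(drv_t *d, int candidate) {
    int s = pick_slot(d);
    d->slot[s] = candidate;
    return s;
}

/* Attacker side: replay the same generator with a candidate seed against the
 * published DRV. n is the vote count (public, printed on the poll tape).
 * Fills order_out[k] with the k-th vote cast and returns 1 if every replayed
 * draw lands on an occupied slot; returns 0 as soon as a draw hits an empty
 * slot, which means the seed was wrong. */
int drv_recover_order(const drv_t *pub, int n, unsigned seed, int order_out[]) {
    drv_t replay;
    drv_open(&replay, seed);
    for (int k = 0; k < n; k++) {
        int s = pick_slot(&replay);
        if (pub->slot[s] == EMPTY) return 0;
        replay.slot[s] = pub->slot[s];
        order_out[k] = pub->slot[s];
    }
    return 1;
}

/* The seed is a time near the one printed on the zero tape, so a window of a
 * few thousand seconds is enough. Returns the seed, or -1 if none fits. */
long drv_find_seed(const drv_t *pub, int n, unsigned t0, unsigned t1, int order_out[]) {
    for (unsigned t = t0; t <= t1; t++)
        if (drv_recover_order(pub, n, t, order_out)) return (long)t;
    return -1;
}

/* Join the recovered order with per-vote timestamps from the LOG to answer
 * "what did the voter at time ts choose?"; -1 if no vote was cast then. */
int drv_vote_at(const int order[], const unsigned log_ts[], int n, unsigned ts) {
    for (int k = 0; k < n; k++)
        if (log_ts[k] == ts) return order[k];
    return -1;
}

/* Constructed scenario: eight votes after a poll opened at `opened`.
 * Returns the seed the attacker recovers; order_out gets the cast order. */
long drv_demo(unsigned opened, int order_out[8]) {
    static const int votes[8] = {13, 45, 13, 22, 45, 13, 99, 22};
    drv_t drv;
    drv_open(&drv, opened);
    for (int k = 0; k < 8; k++) drv_store(&drv, votes[k]);
    return drv_find_seed(&drv, 8, opened - 1800, opened + 1800, order_out);
}

int main(void) {
    const unsigned opened = 1349596800u;  /* constructed: 2012-10-07 08:00 UTC */
    const unsigned log_ts[8] = {opened + 61, opened + 140, opened + 202, opened + 275,
                                opened + 333, opened + 390, opened + 451, opened + 519};
    int order[8];
    long seed = drv_demo(opened, order);
    printf("recovered seed: %ld\n", seed);
    for (int k = 0; k < 8; k++)
        printf("vote %d at t+%us: candidate %d\n", k + 1, log_ts[k] - opened, order[k]);
    printf("voter at t+275s chose candidate %d\n", drv_vote_at(order, log_ts, 8, opened + 275));
    return 0;
}
```

The DRV itself tells the attacker which seed is right: a wrong seed draws an empty slot within a few votes, so the search needs no knowledge of the original order. Seeding from a hardware RNG (the machine has two) removes the replay; not storing the DRV and its metadata removes the target.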

Installation as attack vector

Lots of cryptography...
- Install cards encrypted with AES-XTS-256', key embedded in the kernel.
- Digital signatures for integrity checking, both in userland and kernel mode.
- Keys for signing results stored in install cards, encrypted under another embedded key.

Encryption chain
Bootloader → Kernel (AES256-ECB) → MINIX File System (AES256-XTS') → Authentication keys (AES256-CBC)

2017: Researchers would not have access to cryptographic keys...
...but only because they erased them!

    grep -r KEY *

Match in ueminix.c!

    #define UEMINIX_BLOCK_KEY {0x34, …}

Encryption chain (broken)
Bootloader → Kernel (AES256-ECB) → MINIX File System (AES256-XTS') [X: key found in ueminix.c] → Authentication keys (AES256-CBC)

Authentication chain
MSD → BIOS → Bootloader → Kernel → Shared libraries / Executable binaries
Detached signatures (VST); signature schemes along the chain: ECDSA, ECC-ElGamal, RSA-4096

Issues with authentication

- Found two shared libraries without detached signatures (libapilog.so and libhkdf.so)
- Problem with kernel-side verification too (an unsigned value is never negative, so the check never fails):

    uint32_t check = loader_sig_verify(...);
    if (check >= 0) looks_good();

Voting software was linked against both!
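Both authentication findings, as an added example rather than the voting machine's code: the unsigned-verdict bug beside its fix, and a loader policy that skips objects missing from the detached-signature table beside a deny-by-default one. loader_sig_verify is a stub that keeps the slide's function name; the table entries, object names and the "good"/"bad" signature stand-ins are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stub for the real verifier (name kept from the slide, behaviour assumed):
 * 0 means the detached signature matched, -1 means it did not. The "good"
 * string is a constructed stand-in for a valid signature. */
static int loader_sig_verify(const char *path, const char *sig) {
    (void)path;
    return (sig != NULL && strcmp(sig, "good") == 0) ? 0 : -1;
}

/* The bug shape on the slide: the verdict lands in an unsigned variable, so
 * -1 becomes 0xFFFFFFFF and "check >= 0" is true for every input. */
int check_buggy(const char *path, const char *sig) {
    uint32_t check = loader_sig_verify(path, sig);
    if (check >= 0) return 1;   /* looks_good() for forged signatures too */
    return 0;
}

/* Fix: keep the signed return type and accept only the single success value. */
int check_fixed(const char *path, const char *sig) {
    int check = loader_sig_verify(path, sig);
    return check == 0;
}

/* Detached signature table (the VST on the slide): constructed entries. */
typedef struct { const char *name; const char *sig; } vst_entry;

const vst_entry SAMPLE_VST[] = {
    {"voting_app", "good"},   /* constructed: signed, untouched */
    {"libc.so",    "bad"},    /* constructed: signed, then tampered with */
};
#define SAMPLE_VST_N 2

static const char *vst_lookup(const vst_entry *vst, int n, const char *name) {
    for (int i = 0; i < n; i++)
        if (strcmp(vst[i].name, name) == 0) return vst[i].sig;
    return NULL;
}

/* Buggy policy: an object with no table entry is never checked, which is how
 * an unsigned library the voting software links against gets loaded. */
int load_allowed_buggy(const vst_entry *vst, int n, const char *obj) {
    const char *sig = vst_lookup(vst, n, obj);
    if (sig == NULL) return 1;
    return check_fixed(obj, sig);
}

/* Fixed policy: deny by default; no entry or a bad signature means no load. */
int load_allowed_fixed(const vst_entry *vst, int n, const char *obj) {
    const char *sig = vst_lookup(vst, n, obj);
    return sig != NULL && check_fixed(obj, sig);
}

int main(void) {
    const char *objs[] = {"voting_app", "libc.so", "libapilog.so", "libhkdf.so"};
    for (int i = 0; i < 4; i++) {
        const char *sig = vst_lookup(SAMPLE_VST, SAMPLE_VST_N, objs[i]);
        printf("%-13s buggy-check=%d fixed-check=%d buggy-policy=%d fixed-policy=%d\n",
               objs[i], check_buggy(objs[i], sig), check_fixed(objs[i], sig),
               load_allowed_buggy(SAMPLE_VST, SAMPLE_VST_N, objs[i]),
               load_allowed_fixed(SAMPLE_VST, SAMPLE_VST_N, objs[i]));
    }
    return 0;
}
```

gcc's -Wtype-limits (enabled by -Wextra) flags the unsigned comparison in check_buggy as always true, which is the cheapest check to add to the build; the missing-entry policy needs a test that tries to load an object the table does not list.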

Authentication chain (broken)
MSD → BIOS → Bootloader → Kernel [X: kernel-side check cannot fail] → Shared libraries [X: two libraries without detached signatures] / Executable binaries
Detached signatures (VST); signature schemes along the chain: ECDSA, ECC-ElGamal, RSA-4096

Arbitrary injection/execution

- Manipulated LOG contents
- Tampered with key generation for DRV
- USB keyboard to issue commands
- Changed software version/screen contents
- Manipulated how votes were stored
Manipulating vote counting follows directly!

Conclusions from 2017

- Insecure encryption of install cards
- Insecure integrity checking
- Another team found the encryption key without source code (fully external attack)
Automate signing, deploy proper key management!
"Fixed" by deriving keys from the BIOS; the keys are still shared by all voting machines and still vulnerable to insiders.

Current problems

1. Software has been secret for > 20 years
2. Software is demonstrably insecure
3. No paper record for recount
4. No effective means to audit the system
5. Conflicts of interest everywhere
6. Insider attacks completely disregarded

How to solve problems

1. Deploy software-independent systems
2. Risk-limiting audits on physical record
3. Engage society/technical community

How not to solve them

- Internet voting
- Blockchain voting

Future

1. Voter-Verified Paper Audit Trail for security
2. Auditable software for transparency
3. Social control mechanisms for participation
With increasing political polarization, it is critical that elections can be independently verified.

Thanks! Questions?
Diego F. Aranha, Aarhus University
[email protected]
@dfaranha

References:
[1] Software vulnerabilities in the Brazilian voting machine. In: Design, Development, and Use of Secure Electronic Voting Systems (2014)
[2] Crowdsourced integrity verification of election results (2016)
[3] The Good, the Bad and the Ugly: Two Decades of E-Voting in Brazil (2018)
[4] The Return of Software Vulnerabilities in the Brazilian Voting Machine (2018)

Bonus round from 2016

Poll tapes could be changed after the fact by forging the checksum.
Use a MAC instead!
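Why the bonus-round fix is "use a MAC", as an added example that is not from the slides or the TSE: a poll tape protected by an unkeyed 16-bit byte-sum checksum (an assumed scheme, not the real one) is forged by moving votes between candidates without even changing the checksum, while the same tape under SipHash-2-4 with a key the attacker lacks rejects the forgery. The tape format, field names and key are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- Unkeyed checksum: a 16-bit byte sum, assumed for illustration --- */
uint16_t tape_checksum(const char *tape) {
    uint32_t sum = 0;
    for (const char *p = tape; *p; p++) sum += (uint8_t)*p;
    return (uint16_t)sum;
}

int tape_checksum_ok(const char *tape, uint16_t sum) {
    return tape_checksum(tape) == sum;
}

/* --- Keyed MAC: SipHash-2-4 (Aumasson and Bernstein), 64-bit tag --- */
static uint64_t u8to64_le(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
#define ROTL(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); } while (0)

uint64_t siphash24(const uint8_t key[16], const uint8_t *in, size_t inlen) {
    uint64_t v0 = 0x736f6d6570736575ULL, v1 = 0x646f72616e646f6dULL;
    uint64_t v2 = 0x6c7967656e657261ULL, v3 = 0x7465646279746573ULL;
    uint64_t k0 = u8to64_le(key), k1 = u8to64_le(key + 8);
    uint64_t b = (uint64_t)inlen << 56;   /* length byte goes into the last block */
    size_t i = 0;
    v3 ^= k1; v2 ^= k0; v1 ^= k1; v0 ^= k0;
    for (; i + 8 <= inlen; i += 8) {      /* 2 compression rounds per 8-byte block */
        uint64_t m = u8to64_le(in + i);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (size_t j = 0; i + j < inlen; j++) b |= (uint64_t)in[i + j] << (8 * j);
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff;                           /* 4 finalization rounds */
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

uint64_t tape_mac(const uint8_t key[16], const char *tape) {
    return siphash24(key, (const uint8_t *)tape, strlen(tape));
}

int tape_mac_ok(const uint8_t key[16], const char *tape, uint64_t tag) {
    return tape_mac(key, tape) == tag;   /* use a constant-time compare in production */
}

/* --- The forgery: replace one field of the tape, e.g. "Cand13=120" --- */
int forge_tape(const char *tape, const char *from, const char *to, char *out, size_t n) {
    const char *p = strstr(tape, from);
    if (p == NULL) return 0;
    size_t pre = (size_t)(p - tape), flen = strlen(from), tlen = strlen(to);
    if (strlen(tape) - flen + tlen + 1 > n) return 0;
    memcpy(out, tape, pre);
    memcpy(out + pre, to, tlen);
    strcpy(out + pre + tlen, p + flen);
    return 1;
}

/* Constructed sample tape and a constructed key (in practice: per machine). */
const char SAMPLE_TAPE[] = "Section 0042;Cand13=120;Cand45=118;Null=3;";
const uint8_t SAMPLE_KEY[16] = {0x9a, 0x3b, 0x51, 0xc7, 0x08, 0xe2, 0x6d, 0x14,
                                0x77, 0xb0, 0x2f, 0x5c, 0xd9, 0x41, 0x8e, 0x63};

int main(void) {
    char tmp[64], forged[64];
    /* Move eight votes from 45 to 13: '0'->'8' and '8'->'0' keep the byte sum,
     * so the original checksum stays valid and nothing needs recomputing. */
    forge_tape(SAMPLE_TAPE, "Cand13=120", "Cand13=128", tmp, sizeof tmp);
    forge_tape(tmp, "Cand45=118", "Cand45=110", forged, sizeof forged);
    uint16_t sum = tape_checksum(SAMPLE_TAPE);
    uint64_t tag = tape_mac(SAMPLE_KEY, SAMPLE_TAPE);
    printf("original: %s\nforged:   %s\n", SAMPLE_TAPE, forged);
    printf("checksum accepts forged tape: %d\n", tape_checksum_ok(forged, sum));
    printf("MAC accepts forged tape:      %d\n", tape_mac_ok(SAMPLE_KEY, forged, tag));
    return 0;
}
```

Even without a sum-preserving edit the attacker simply recomputes an unkeyed checksum, so the property the tape needs is that only the key holder can produce a valid tag. The key then has to be one an attacker cannot obtain, which is exactly the key-management problem of the 2017 findings: a key shared by every machine and embedded in the software is no better than a checksum against an insider.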