CWRAF Vignette Details - Domain evoting
The MITRE Corporation Copyright © 2013
http://cwe.mitre.org/cwraf/
CWRAF version: 0.8.3
Date: April 3, 2013
Project Coordinator: Bob Martin (MITRE)
Document Editor: Steve Christey (MITRE)
CWRAF Vignettes - evoting
Within the Common Weakness Risk Analysis
Framework (CWRAF), a vignette
provides a shareable, formalized way to define a particular
environment, the role that software plays within that environment, and
an organization's priorities with respect to software security. It
identifies essential resources and capabilities, as well as their
importance relative to security principles such as confidentiality,
integrity, and availability. For example, in an e-commerce context,
99.999% uptime may be a strong business requirement that drives the
interpretation of the severity of discovered weaknesses.
Vignettes allow CWSS to
support diverse audiences who may have different requirements for how
to prioritize weaknesses. CWSS scoring can occur within the context of a vignette.
This page currently contains details for 4 vignettes within
the "evoting" domain. These are illustrative only; the CWRAF
community will help to refine these and develop others. Feedback is
welcome.
Vignette Summary
Vignette Details
Vignette Definition: State Election Administration using remote Internet voting via absentee ballot

Name | State Election Administration using remote Internet voting via absentee ballot
ID | elec-abs-int
Maturity | stub
Domain | evoting
Desc | Internet-facing polling system supporting high-volume transactions and high availability, with a data-centric database containing ballot information and audit log generation for each voter.
Archetypes | General-purpose OS, Web browser, Web server
Business Value Context (BVC) | Integrity and Availability are considered the highest priorities. Confidentiality is required to protect voter and vote record anonymity. Authentication and authorization are also high priorities, to ensure that only registered users vote and that each user votes only once. Help America Vote Act (HAVA) requirements mandate paper audit logs for use by election officials. Security incidents might facilitate fraud via malicious influence of the election process or outcomes, facilitate extortion, coercion, or vote selling, incur Federal regulatory concerns, and erode voter confidence.
Notes |
References | No references recorded.
Technical Impact Scorecard

Impact | Layer | Subscore | Notes
Modify data | System | |
Modify data | Application | |
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | |
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | |
DoS: unreliable execution | Network | |
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | |
DoS: resource consumption | Application | |
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | |
Execute unauthorized code or commands | Application | |
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | |
Gain privileges / assume identity | Application | |
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | |
Bypass protection mechanism | Application | |
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | |
Hide activities | Application | |
Hide activities | Network | |
Hide activities | Enterprise | |

Vignette Definition: State or Local Elections using eVoting via Direct Recording Election Machines

Name | State or Local Elections using eVoting via Direct Recording Election Machines
ID | evoting-DRE
Maturity | under-development
Domain | evoting
Desc | DRE systems are not directly connected to the Internet. Vote data is uploaded to a centralized server via modem. An election worker retrieves hard copies of the voting record from the machine and delivers the printouts to election officials. DRE machines are programmed with firmware uploaded from a compact flash card. It is generally accepted that the computer used to upload the firmware to the flash card should not be connected to the Internet.
Archetypes | Embedded Device, Endpoint System, Removable Storage Media, Proprietary Firmware, Modem Communications
Business Value Context (BVC) | Integrity is essential for election terminals as well as for the endpoint systems used in pre-election device programming. Protecting PII is less important than ensuring accurate vote tabulation and audit trails. Physical security of devices is also essential. Help America Vote Act (HAVA) requirements mandate paper audit logs for use by election officials. Security incidents might facilitate fraud via malicious influence of the election process or outcomes, as well as incur Federal regulatory concerns and erode voter confidence.
Notes |
References | No references recorded.
Technical Impact Scorecard

Impact | Layer | Subscore | Notes
Modify data | System | |
Modify data | Application | 10 | Modify or delete voter records within memory to facilitate malicious influence of the election process or outcomes, or fraud; cause memory corruption resulting in DoS (crash) or corrupt voting data, and in some cases execute arbitrary code on the DRE system. Modify or delete election data files, causing DoS or unreliable voting results, or modify the DRE system configuration. Modify or delete voter record data, voting logs, or other core files essential for the election; change votes or modify the voting records, or modify cryptographic keys.
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | 9 | Read and monitor vote results in an unauthorized manner; capture cryptographic keys used for encrypting vote data; record voter records. Read voter record information or steal cryptographic keys used for encrypting voting records prior to upload to the voting server, or read the system/application configuration of the DRE machine. Read voter record data, voting logs, or other core files essential for the election; read votes or record the voting records in an unauthorized manner, or steal cryptographic keys used to protect vote confidentiality.
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | 7 | Voters experience difficulty in using the DRE machine; unpredictable firmware behavior causes delays, lost votes, miscalculated votes, or erosion of voter confidence affecting overall election results and turnout. Printer fails to print out the local record of the vote result.
DoS: unreliable execution | Application | 7 | Voter data cannot reach the central server; voter records or logs are lost; election delays and erosion of voter confidence due to downtime.
DoS: unreliable execution | Network | 0 | Network connectivity is not present in DRE systems.
DoS: unreliable execution | Enterprise | 6 | Voters experience a slow or unresponsive user interface; unpredictable firmware behavior, including lag and delays between actions, causes incorrect votes or confusion on the part of the voter. Overall voter confidence is eroded.
DoS: resource consumption | Application | 6 | Voters experience a slow or unresponsive user interface; unpredictable firmware behavior, including lag and delays between actions, causes incorrect votes or confusion on the part of the voter. Overall voter confidence is eroded.
DoS: resource consumption | Network | 0 | Network connectivity is not present in DRE systems.
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | |
Execute unauthorized code or commands | Application | 10 |
Execute unauthorized code or commands | Network | 0 | Network connectivity is not present in DRE systems.
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | 10 | Attacker can perform functions as the application admin.
Gain privileges / assume identity | Application | 10 | Attacker can perform functions as the system admin.
Gain privileges / assume identity | Network | 0 | Network connectivity is not present in DRE systems.
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | |
Bypass protection mechanism | Application | 7 | Avoid detection of attacks and maintain a persistent attack posture within the DRE system.
Bypass protection mechanism | Network | 0 | Network connectivity is not present in DRE systems.
Bypass protection mechanism | Enterprise | |
Hide activities | System | 7 | Inability to identify the source of an attack; cannot obtain sufficient evidence for criminal prosecution.
Hide activities | Application | 7 | Inability to identify the source of an attack; cannot obtain sufficient evidence for criminal prosecution.
Hide activities | Network | 0 | Network connectivity is not present in DRE systems.
Hide activities | Enterprise | |

Vignette Definition: State or Local Elections using eVoting via an Internet web application

Name | State or Local Elections using eVoting via an Internet web application
ID | evoting-Internet
Maturity | stub
Domain | evoting
Desc | Internet-facing polling systems are connected to the Internet and are designed to support high-volume transactions and high availability. A data-centric database is used to collect ballot information, and audit logs are generated for each voter.
Archetypes | Web application, Web browser, Development Framework, General-purpose OS, Internet Communications
Business Value Context (BVC) | Integrity and Availability are considered the highest priorities. The greatest concern is ensuring the integrity of votes, which can potentially be intercepted and modified while traversing the Internet. Confidentiality is required to protect voter and vote record anonymity. Authentication and authorization are also high priorities, to ensure that only registered users vote and that each user votes only once. The Federal Voting Assistance Program (FVAP) conducted pilot Internet voting experiments (the VOI and SERVE initiatives), which were cancelled due to security concerns prior to the implementation phase. Security incidents might facilitate fraud via malicious influence of the election process or outcomes, facilitate extortion, coercion, or vote selling, incur Federal regulatory concerns, and erode voter confidence.
Notes |
References | No references recorded.
Technical Impact Scorecard

Impact | Layer | Subscore | Notes
Modify data | System | |
Modify data | Application | 10 | Modify or delete voter records within memory to facilitate malicious influence of the election process or outcomes, or fraud; cause memory corruption resulting in DoS (crash or downtime) or corrupt voting data, and possibly execute arbitrary code on the Internet Voting system. Modify or delete election data files, causing DoS or unreliable voting results, or modify the Internet Voting system configuration. Modify or delete voter record data, voting logs, or other core files essential for the election; change votes or modify the voting records, or modify cryptographic keys.
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | 8 | Read and monitor vote results in an unauthorized manner; capture cryptographic keys used for encrypting vote data; record voter records. Read voter record information or steal cryptographic keys used for encrypting voting records prior to upload to the voting server, or read the system/application configuration of the Internet Voting system. Read voter record data, voting logs, or other core files essential for the election; read votes or record the voting records in an unauthorized manner, or steal cryptographic keys used to protect vote confidentiality.
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | 7 | Voter data cannot reach the central server; voter records or logs are lost; election delays and erosion of voter confidence due to downtime; printer fails to print out the local record of the vote result.
DoS: unreliable execution | Network | |
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | |
DoS: resource consumption | Application | 8 | Denial of service attacks can cause downtime, election delays, and a loss of voter confidence. Voters experience difficulty in using the Internet Voting system; unpredictable firmware behavior causes delays, lost votes, miscalculated votes, or erosion of voter confidence affecting overall election results and turnout. Voters experience a slow or unresponsive user interface; unpredictable firmware behavior, including lag and delays between actions, causes incorrect votes or confusion on the part of the voter. Overall voter confidence is eroded.
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | 10 | Modify the voting UI to cause incorrect voting choices, steal votes, or install/uninstall critical software or drivers.
Execute unauthorized code or commands | Application | 10 | Read or modify voter records, vote results, or cryptographic keys. Cause denial of service, thereby delaying the election.
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | |
Gain privileges / assume identity | Application | 10 | Attacker can perform administrative functions as the application admin.
Gain privileges / assume identity | Network | 10 | Attackers could masquerade as voters due to the ability to perform TCP/IP hijacking or MITM of web sessions to the Internet Voting system.
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | |
Bypass protection mechanism | Application | 8 | Avoid detection of attacks; possibly steal data; pose as others.
Bypass protection mechanism | Network | 8 | Ability of an attacker to spoof, masquerade, MITM, or otherwise hide their tracks.
Bypass protection mechanism | Enterprise | |
Hide activities | System | |
Hide activities | Application | 8 | Inability to identify the source of an attack; cannot obtain sufficient evidence for criminal prosecution. A greater risk with Internet Voting due to the ability of attackers to spoof, masquerade, MITM, or otherwise hide their tracks.
Hide activities | Network | 8 | Inability to identify the source of an attack; cannot obtain sufficient evidence for criminal prosecution. A greater risk with Internet Voting due to the ability of attackers to spoof, masquerade, MITM, or otherwise hide their tracks.
Hide activities | Enterprise | |

Vignette Definition: Corporate Shareholder Internet voting

Name | Corporate Shareholder Internet voting
ID | corp-vote
Maturity | stub
Domain | evoting
Desc | Corporate Shareholder voting using remote Internet voting.
Archetypes | General-purpose OS, Web browser, Web server
Business Value Context (BVC) | TBD.
Notes |
References | No references recorded.
Technical Impact Scorecard

Impact | Layer | Subscore | Notes
Modify data | System | |
Modify data | Application | |
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | |
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | |
DoS: unreliable execution | Network | |
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | |
DoS: resource consumption | Application | |
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | |
Execute unauthorized code or commands | Application | |
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | |
Gain privileges / assume identity | Application | |
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | |
Bypass protection mechanism | Application | |
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | |
Hide activities | Application | |
Hide activities | Network | |
Hide activities | Enterprise | |