CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWRAF > CWE List > CWRAF Vignette Details - Domain evoting  
ID

CWRAF Vignette Details - Domain evoting

The MITRE Corporation
Copyright © 2013
http://cwe.mitre.org/cwraf/

CWRAF version: 0.8.3

Date: April 3, 2013

Project Coordinator:

Bob Martin (MITRE)

Document Editor:

Steve Christey (MITRE)
CWRAF Vignettes - evoting
CWRAF Vignettes - evoting

Within the Common Weakness Risk Analysis Framework (CWRAF), a vignette provides a shareable, formalized way to define a particular environment, the role that software plays within that environment, and an organization's priorities with respect to software security. It identifies essential resources and capabilities, as well as their importance relative to security principles such as confidentiality, integrity, and availability. For example, in an e-commerce context, 99.999% uptime may be a strong business requirement that drives the interpretation of the severity of discovered weaknesses.

Vignettes allow CWSS to support diverse audiences who may have different requirements for how to prioritize weaknesses. CWSS scoring can occur within the context of a vignette.

This page currently contains details for 4 vignettes within the "evoting" domain. These are illustrative only; the CWRAF community will help to refine these and develop others. Feedback is welcome.

Vignette Summary
Vignette Summary
NameDescription
State Election Administration using remote Internet voting via absentee ballotInternet-facing polling system supporting high-volume transactions, high availability, Data-centric Database containing ballot information, Audit log generation for each voter.
State or Local Elections using eVoting via Direct Recording Election Machines.DRE systems are not directly connected with the Internet. Vote data is uploaded to a centralized server via modem. Election worker retrieves hardcopies of the voting record from the machine and delivers the printouts to election officials. DRE machines are programmed with firmware uploaded from a compact flash card. It is generally accepted that the computer used to upload the firmware to the flash card should not be connected to the Internet.
State or Local Elections using eVoting via an Internet web applicationInternet-facing polling systems are connected to the Internet and are designed to support high-volume transactions and high availability. A Data-centric Database is used to collect ballot information, Audit logs are generated for each voter.
Corporate Shareholder Internet votingCorporate Shareholder voting using remote Internet voting.
Vignette Details
Vignette Details

Vignette Definition: State Election Administration using remote Internet voting via absentee ballot

NameState Election Administration using remote Internet voting via absentee ballot
IDelec-abs-int
Maturitystub
Domainevoting
DescInternet-facing polling system supporting high-volume transactions, high availability, Data-centric Database containing ballot information, Audit log generation for each voter.
ArchetypesGeneral-purpose OS, Web browser, Web server
Business Value Context (BVC)Integrity and Availability considered highest priorities. Confidentiality is required to protect voter and vote record anonymity. Authentication and authorization are also high priorities to ensure only registered users vote and that each user only votes once.

Help America Vote Act (HAVA) requirements mandate paper audit logs for use by election officials.

Security incidents might facilitate fraud via malicious influence of election process or outcomes, facilitate extortion, coercion, or vote selling, incur Federal regulatory concerns, & erosion of voter confidence.

Notes
ReferencesNo references recorded.

Technical Impact Scorecard

ImpactLayerSubscoreNotes
Modify dataSystem
Modify dataApplication
Modify dataNetwork
Modify dataEnterprise
Read dataSystem
Read dataApplication
Read dataNetwork
Read dataEnterprise
DoS: unreliable executionSystem
DoS: unreliable executionApplication
DoS: unreliable executionNetwork
DoS: unreliable executionEnterprise
DoS: resource consumptionSystem
DoS: resource consumptionApplication
DoS: resource consumptionNetwork
DoS: resource consumptionEnterprise
Execute unauthorized code or commandsSystem
Execute unauthorized code or commandsApplication
Execute unauthorized code or commandsNetwork
Execute unauthorized code or commandsEnterprise
Gain privileges / assume identitySystem
Gain privileges / assume identityApplication
Gain privileges / assume identityNetwork
Gain privileges / assume identityEnterprise
Bypass protection mechanismSystem
Bypass protection mechanismApplication
Bypass protection mechanismNetwork
Bypass protection mechanismEnterprise
Hide activitiesSystem
Hide activitiesApplication
Hide activitiesNetwork
Hide activitiesEnterprise

Vignette Definition: State or Local Elections using eVoting via Direct Recording Election Machines.

NameState or Local Elections using eVoting via Direct Recording Election Machines.
IDevoting-DRE
Maturityunder-development
Domainevoting
DescDRE systems are not directly connected with the Internet. Vote data is uploaded to a centralized server via modem. Election worker retrieves hardcopies of the voting record from the machine and delivers the printouts to election officials. DRE machines are programmed with firmware uploaded from a compact flash card. It is generally accepted that the computer used to upload the firmware to the flash card should not be connected to the Internet.
ArchetypesEmbedded Device, Endpoint System, Removable Storage Media, Proprietary Firmware, Modem Communications
Business Value Context (BVC)Integrity essential to election terminals as well as endpoint systems used in pre-election device programming. Protecting PII less important than ensuring accurate vote tabulation and audit trails. Physical security of devices also essential. Help America Vote Act (HAVA) requirements mandate paper audit logs for use by election officials.

Security incidents might facilitate fraud via malicious influence of election process or outcomes as well as incur Federal regulatory concerns, and erosion of voter confidence.

Notes
ReferencesNo references recorded.

Technical Impact Scorecard

ImpactLayerSubscoreNotes
Modify dataSystem
Modify dataApplication10Modify or delete voter records within memory to facilitate malicious influence of election process or outcomes, fraud, Cause memory corruption resulting in DoS (crash) or corrupt voting data; in some cases, execute arbitrary code on DRE system.

Modify or delete election data files, causing DoS or unreliable voting results, or modify DRE system configuration.

Modify or delete voter record data, voting logs, or other core files essential for the election; change votes or modify the voting records, or modify cryptographic keys.

Modify dataNetwork
Modify dataEnterprise
Read dataSystem
Read dataApplication9Read and monitor vote results in an unauthorized manner, capture cryptographic keys used for encrypting vote data, recording voter records.

Read voter record information or steal cryptographic keys used for encrypting voting records prior to upload to voting server, or read system/application configuration of the DRE machine.

Read voter record data, voting logs, or other core files essential for the election; read votes or record the voting records in an unauthorized manner, or steal cryptographic keys used to protect vote confidentiality.

Read dataNetwork
Read dataEnterprise
DoS: unreliable executionSystem7Voters experience difficulty in using DRE machine, unpredictable firmware behavior causes delays, lost votes, miscalculated votes, or erosion of voter confidence affecting overall election results and turnout.

Printer fails to print out local record of vote result.

DoS: unreliable executionApplication7Voter data cannot reach central server, voter records or logs are lost, election delays and erosion of voter confidence due to down time.
DoS: unreliable executionNetwork0Network Connectivity is not present in DRE systems.
DoS: unreliable executionEnterprise6Voters experience slow or unresponsive user interface, unpredictable firmware behavior including lag, delays between actions, causes incorrect votes or confusion on the part of the voter. Overall voter confidence is eroded.
DoS: resource consumptionApplication6Voters experience slow or unresponsive user interface, unpredictable firmware behavior including lag, delays between actions, causes incorrect votes or confusion on the part of the voter. Overall voter confidence is eroded.
DoS: resource consumptionNetwork0Network Connectivity is not present in DRE systems.
DoS: resource consumptionEnterprise
Execute unauthorized code or commandsSystem
Execute unauthorized code or commandsApplication10
Execute unauthorized code or commandsNetwork0Network Connectivity is not present in DRE systems.
Execute unauthorized code or commandsEnterprise
Gain privileges / assume identitySystem10Attacker can perform functions as the application admin.
Gain privileges / assume identityApplication10Attacker can perform functions as the system admin.
Gain privileges / assume identityNetwork0Network Connectivity is not present in DRE systems.
Gain privileges / assume identityEnterprise
Bypass protection mechanismSystem
Bypass protection mechanismApplication7Avoid detection of attacks and maintain a persistent attack posture within the DRE system
Bypass protection mechanismNetwork0Network Connectivity is not present in DRE systems.
Bypass protection mechanismEnterprise
Hide activitiesSystem7Inability to identify source of attack; cannot obtain sufficient evidence for criminal prosecution.
Hide activitiesApplication7Inability to identify source of attack; cannot obtain sufficient evidence for criminal prosecution.
Hide activitiesNetwork0Network Connectivity is not present in DRE systems.
Hide activitiesEnterprise

Vignette Definition: State or Local Elections using eVoting via an Internet web application

NameState or Local Elections using eVoting via an Internet web application
IDevoting-Internet
Maturitystub
Domainevoting
DescInternet-facing polling systems are connected to the Internet and are designed to support high-volume transactions and high availability. A Data-centric Database is used to collect ballot information, Audit logs are generated for each voter.
ArchetypesWeb application, Web browser, Development Framework, General-purpose OS, Internet Communications
Business Value Context (BVC)Integrity and Availability considered highest priorities. Greatest concern is ensuring the integrity of votes, which can potentially be intercepted and modified while traversing the Internet. Confidentiality is required to protect voter and vote record anonymity. Authentication and authorization are also high priorities to ensure only registered users vote and that each user only votes once.

Federal Voting Assistance Program (FVAP) conducted a Pilot internet voting experiment (i.e. the VOI and SERVE initiatives) which were cancelled due to security concerns prior to the implementation phase.

Security incidents might facilitate fraud via malicious influence of election process or outcomes, facilitate extortion, coercion, or vote selling, incur Federal regulatory concerns, and erosion of voter confidence.

Notes
ReferencesNo references recorded.

Technical Impact Scorecard

ImpactLayerSubscoreNotes
Modify dataSystem
Modify dataApplication10Modify or delete voter records within memory to facilitate malicious influence of election process or outcomes, fraud, Cause memory corruption resulting in DoS (crash or downtime) or corrupt voting data; possibly execute arbitrary code on Internet Voting system.

Modify or delete election data files, causing DoS or unreliable voting results, or modify Internet Voting system configuration.

Modify or delete voter record data, voting logs, or other core files essential for the election; change votes or modify the voting records, or modify cryptographic keys

Modify dataNetwork
Modify dataEnterprise
Read dataSystem
Read dataApplication8Read and monitor vote results in an unauthorized manner, capture cryptographic keys used for encrypting vote data, record voter records.

Read voter record information or steal cryptographic keys used for encrypting voting records prior to upload to voting server, or read system/application configuration of the Internet Voting system.

Read voter record data, voting logs, or other core files essential for the election; read votes or record the voting records in an unauthorized manner, or steal cryptographic keys used to protect vote confidentiality.

Read dataNetwork
Read dataEnterprise
DoS: unreliable executionSystem
DoS: unreliable executionApplication7Voter data cannot reach central server, voter records or logs are lost, election delays and erosion of voter confidence due to down time, printer fails to print out local record of vote result.
DoS: unreliable executionNetwork
DoS: unreliable executionEnterprise
DoS: resource consumptionSystem
DoS: resource consumptionApplication8Denial of Service attacks can cause downtime, election delays, and a loss of voter confidence.

Voters experience difficulty in using Internet Voting System, unpredictable firmware behavior causes delays, lost votes, miscalculated votes, or erosion of voter confidence affecting overall election results and turnout.

Voters experience slow or unresponsive user interface, unpredictable firmware behavior including lag, delays between actions, causes incorrect votes or confusion on the part of the voter. Overall voter confidence is eroded.

DoS: resource consumptionNetwork
DoS: resource consumptionEnterprise
Execute unauthorized code or commandsSystem10Modify voting UI to cause incorrect voting choices, steal votes, or install/uninstall critical software or drivers.
Execute unauthorized code or commandsApplication10Read or modify voter records, vote results, or cryptographic keys. Cause denial of service thereby delaying the election.
Execute unauthorized code or commandsNetwork
Execute unauthorized code or commandsEnterprise
Gain privileges / assume identitySystem
Gain privileges / assume identityApplication10Attacker can perform administrative functions as the application admin.
Gain privileges / assume identityNetwork10Attackers could masquerade as voters due to the ability to perform TCP/IP Hijacking or MITM web sessions to the Internet Voting system.
Gain privileges / assume identityEnterprise
Bypass protection mechanismSystem
Bypass protection mechanismApplication8Avoid detection of attacks; possibly steal data; pose as others.
Bypass protection mechanismNetwork8Ability of an attacker to spoof, masquerade, MITM, or otherwise hide their tracks.
Bypass protection mechanismEnterprise
Hide activitiesSystem
Hide activitiesApplication8Inability to identify source of attack; cannot obtain sufficient evidence for criminal prosecution. A greater risk with Internet Voting due to the ability of attacks to spoof, masquerade, MITM, or otherwise hide their tracks.
Hide activitiesNetwork8Inability to identify source of attack; cannot obtain sufficient evidence for criminal prosecution. A greater risk with Internet Voting due to the ability of attacks to spoof, masquerade, MITM, or otherwise hide their tracks.
Hide activitiesEnterprise

Vignette Definition: Corporate Shareholder Internet voting

NameCorporate Shareholder Internet voting
IDcorp-vote
Maturitystub
Domainevoting
DescCorporate Shareholder voting using remote Internet voting.
ArchetypesGeneral-purpose OS, Web browser, Web server
Business Value Context (BVC)TBD.
Notes
ReferencesNo references recorded.

Technical Impact Scorecard

ImpactLayerSubscoreNotes
Modify dataSystem
Modify dataApplication
Modify dataNetwork
Modify dataEnterprise
Read dataSystem
Read dataApplication
Read dataNetwork
Read dataEnterprise
DoS: unreliable executionSystem
DoS: unreliable executionApplication
DoS: unreliable executionNetwork
DoS: unreliable executionEnterprise
DoS: resource consumptionSystem
DoS: resource consumptionApplication
DoS: resource consumptionNetwork
DoS: resource consumptionEnterprise
Execute unauthorized code or commandsSystem
Execute unauthorized code or commandsApplication
Execute unauthorized code or commandsNetwork
Execute unauthorized code or commandsEnterprise
Gain privileges / assume identitySystem
Gain privileges / assume identityApplication
Gain privileges / assume identityNetwork
Gain privileges / assume identityEnterprise
Bypass protection mechanismSystem
Bypass protection mechanismApplication
Bypass protection mechanismNetwork
Bypass protection mechanismEnterprise
Hide activitiesSystem
Hide activitiesApplication
Hide activitiesNetwork
Hide activitiesEnterprise
Page Last Updated: January 18, 2017