Voting system audit report 2015 and measures taken
UNIVERSITY OF OULU STUDENT UNION
EXTRACT FROM THE MINUTES OF THE CENTRAL ELECTION COMMITTEE, 18.9.2015

§ 65 Audit report on the electronic voting system and measures taken

Under section 15 of the Election Rules, the electronic voting system in use must satisfy the following conditions:
1) the information security of the voting system is at an adequate level;
2) the voter's identity is verified credibly before voting;
3) the voter's identity cannot afterwards be linked to any particular vote cast;
4) the voter can exercise the right to vote only once;
5) it must be possible to verify the votes cast and the count in the voting system without, however, compromising the secrecy of the ballot; and
6) the voting system is based on open source code.

The electronic voting system must undergo an information security audit no earlier than 4 months before election day, carried out by an independent party named by the Central Election Committee. This party may also be named by the Representative Council. The final report of the information security audit is a public document once it arrives at the Student Union.

The Central Election Committee (KVL) dealt with the matter at its meeting 3/2015 and decided to order the audit from Nord Software. The audit report has now been completed, and the observations presented in it have been brought to the attention of the voting system's developers. Based on the report, Lauri Heikkinen sent PS Manninen an e-mail message with the following content:

"Hi, all of those fixes have now been done. I just fixed the faults that affected information security as well as the bugs in the code mentioned in the audit, but I did not go on to address code readability or other quality matters. All in all about 8 h were spent, including assisting with the audit. - Lauri"

PS Manninen has ordered an upgrade of the server capacity in the manner mentioned in the report.

Attachment: Audit report
Presenter: PS Manninen
Decision proposal: The audit report and Lauri Heikkinen's e-mail message are noted for information. Proceed with the voting system on the intended schedule.
Decision: As proposed.

UNIVERSITY OF OULU STUDENT UNION. LETTERS: PL 250, 90014 OULUN YLIOPISTO. VISITS: Erkki Koiso-Kanttilan katu, door X1, 2nd floor, 90570 OULU. TEL: +358 50 407 9623, toimisto@oyy.fi, www.oyy.fi

Nord Software. Audit report, 1.9.2015, Page 1/7. OYY Electronic Voting System. Confidential.

OYY Electronic Voting Audit

Nord Software Senior Developer Kenneth Söderlund audited the electronic voting system of OYY (http://vaalit.oyy.fi/) during 31.8.2015 - 1.9.2015.

The focus of the audit was to ensure that basic proper information security was upheld and that the software was working as it should. At the same time, after discussion with developer Lauri Heikkinen, Kenneth decided to focus on creating improvement suggestions for the developers as well. No project management etc. practices were audited, as it became clear from a discussion with Lauri Heikkinen that such an audit would be of no use, since the project team itself has already been disbanded.

For the audit Kenneth used a few open source programs to check for different known security vulnerabilities, such as SSL, XSS, SQL injection and CSRF vulnerabilities.

General conclusions / strong recommendations
- Fix the few easy-to-fix bugs in the software
- Upgrade the server environment ASAP; the current server environment will not be able to withstand the type of internet traffic the election is going to have
- There are some rather serious information security problems with the software; they should be fixed prior to release
- No proper documentation has been done, and further development of the software is going to be hard without Lauri Heikkinen
- The basic code quality is rather shoddy

Server environment

Problem: The code repository is straight under the /var/www/ folder, which is accessible with a browser. This means that files and folders like "sql-tables" and ".git" can be accessed with any browser. This makes the server insecure and prone to attacks.
Solution: Create a new user on the server, for example www, and move the repository under /home/www/repos/. Then create symlinks (ln -s) only to the necessary files and folders that are needed for the software to work. This will reduce any possibilities for accessing important files and folders on the server.

Problem: The server itself is quite basic, with minimum hardware. 1 CPU with 1 GB RAM will not handle a bigger load on the server. If there are hundreds of simultaneous users online, the site might crash or slow down considerably.

Solution: Increase RAM to at least 2 GB (maybe even 4 GB) and add at least one more CPU.

Front-end

Problem: In the administration back-end, a few JavaScript errors occur:
Uncaught TypeError: Cannot set property 'className' of null (app.js:7)
Uncaught TypeError: $.bigfoot is not a function (template-adm.php:13)
Solution: The above errors are easily fixed by changing the code.

Websecurify scan [1]

The Websecurify scan did not generate any results for XSS attacks.

Subgraph Vega scan [2]

The Vega scan generated the following results:

High priority problems

1) Session Cookie Without Secure Flag
Problem: Vega has detected that a known session cookie may have been set without the secure flag.
Impact: Cookies can be exposed to network eavesdroppers. Session cookies are authentication credentials; attackers who obtain them can get unauthorized access to affected web applications.
Remediation: When creating the cookie in the code, set the secure flag to true.

[1] http://www.websecurify.com
[2] https://subgraph.com/vega/

Nord Software Oy, Runeberginkatu 43 B 12, 00100 Helsinki. © Nord Software Oy 2015. All rights reserved. Company ID FI09091295
2) SSLv3 Supported (POODLE attack, others)
Problem: Vega detected server support for SSL 3.0. This version of the protocol has numerous known weaknesses and is considered deprecated in favor of newer versions of TLS. Some of the known weaknesses can result in a compromise of sensitive data such as user session tokens.
Impact: Data security is at risk due to multiple known weaknesses in SSL 3.0. This includes the POODLE attack, which could allow decryption of sensitive data, such as session cookies. It should be noted that an attacker with MITM capabilities may be able to force clients to use SSL 3.0.
Remediation: Remove support for SSLv3. Mozilla has recommended settings for Apache, Nginx, HAProxy and others. These settings include explicitly supporting TLS (while excluding SSLv2 and SSLv3). It is likely that the HTTPS server must be restarted for any configuration change to take effect.

Medium priority problems

1) Client Ciphersuite Preference
Problem: The server can override client ciphersuite prioritization during the TLS handshake. This is useful for enforcing better, more secure ciphersuites for all visiting clients. Vega has detected that this is not configured in the server, potentially leaving older clients at risk.
Impact: User browsers may select less secure cipher suites, creating opportunities for attack.
Remediation: The HTTPS server should be configured to enforce server ciphersuite preferences. How this is configured will vary by server. Mozilla has included guidelines for configuring server ciphersuite preference for various implementations.
Low priority problems

1) Form Password Field with Autocomplete Enabled
Problem: Vega detected a form that included a password input field. The autocomplete attribute was not set to off. This may result in some browsers storing values input by users locally, where they may be retrieved by third parties.
Impact: A password value may be stored on the local filesystem of the client. Locally stored passwords could be retrieved by other users or malicious code.
Remediation: The form declaration should have an autocomplete attribute with its value set to "off".

Zed Attack Proxy scan [3]

The ZAP scan generated the following results:

Medium priority

1) X-Frame-Options Header Not Set
Problem: The X-Frame-Options header is not included in the HTTP response to protect against 'Clickjacking' attacks.
Solution: Most modern web browsers support the X-Frame-Options HTTP header. Ensure it is set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET) then you will want to use SAMEORIGIN; otherwise, if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

[3] https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Low priority

1) Web Browser XSS Protection Not Enabled
Problem: Web browser XSS protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server.
Other info: The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism.
The following values would attempt to enable it:
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=http://www.example.com/xss
The following value would disable it:
X-XSS-Protection: 0
The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit). Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).
Solution: Ensure that the web browser's XSS filter is enabled by setting the X-XSS-Protection HTTP response header to 1.

Code quality and coding standards

There is room for improvement in the code quality; for example, following a coding standard makes the code more readable. PSR-1/PSR-2 is a good standard to follow when coding PHP. If using a good IDE, the coding standard is usually configurable and easy to apply to all code.

There are practically no comments in the code, which makes it hard to understand what the software does if a new person starts working on the project. It is good practice to comment at least functions and classes.

There are at least a few typos in the code, which result in bugs, for example in controllers/controller.php:212-215: here the if-check is for "sort-order", but in the switch-case statement "sortorder" is used.

In many of the if-checks, only two equal signs (== and !=) are used, which might in some cases cause unexpected behavior. It is better to use strict checking (=== and !==) everywhere. This can be easily amended by using coding standards and configuring the editor to use them.

header('Location: '); exit; is used in many of the controller actions; this could be moved into a function of its own to reduce code duplication.
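One way to apply the Vega session-cookie and autocomplete findings, the ZAP X-Frame-Options and X-XSS-Protection findings, and the redirect-helper suggestion from the code quality section in a single PHP bootstrap file. This is an added example, not code from the OYY voting system; the function names, the form field names and the use of PHP's built-in session cookie settings (PHP 7.1 or later for the return types) are assumptions.

```php
<?php
// Added example, not the OYY voting system's own code. A bootstrap file each
// controller includes first: it applies the Vega cookie finding, the ZAP
// header findings and the report's suggestion to collect the repeated
// header('Location: ...'); exit; pair into one function.

function sendSecurityHeaders(): void
{
    // ZAP medium: X-Frame-Options Header Not Set. Voting pages are never
    // meant to be framed, so DENY rather than SAMEORIGIN.
    header('X-Frame-Options: DENY');
    // ZAP low: Web Browser XSS Protection Not Enabled.
    header('X-XSS-Protection: 1; mode=block');
}

function startSecureSession(): void
{
    // Vega high: Session Cookie Without Secure Flag. The flags have to be
    // set before session_start() emits the cookie. Positional arguments:
    // lifetime, path, domain, secure, httponly (PHP 5.2 through 8.x).
    session_set_cookie_params(0, '/', '', true, true);
    session_start();
}

function loginForm(string $action): string
{
    // Vega low: Form Password Field with Autocomplete Enabled. The report
    // wants autocomplete="off" on the form declaration; repeating it on the
    // password field covers browsers that only honour the field attribute.
    $action = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '" autocomplete="off">'
         . '<input type="text" name="username">'
         . '<input type="password" name="password" autocomplete="off">'
         . '<button type="submit">Log in</button></form>';
}

function redirectTo(string $location): void
{
    // Code quality: one helper instead of header('Location'); exit; in
    // every controller action. 303 makes the browser re-request with GET.
    header('Location: ' . $location, true, 303);
    exit;
}

sendSecurityHeaders();
startSecureSession();
```

The session flags and headers only take effect if this file runs before any output; the SSLv3 and ciphersuite findings remain web server configuration and are not covered here.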
In workerscontroller.php:110-113 there are no checks that the electionid is found in the POST array and that it exists. If someone were to change the electionid in the HTML before posting the form, this might result in unexpected behavior and even voting in the wrong election.

Important notes

Problem: The election ID can be changed in the HTML form, and no errors are displayed when posting the form. Tested by creating two elections, changing the election ID for one of them, and then voting empty. This generated no errors whatsoever. When trying to vote in the same election again, no candidates were shown, only an empty vote. This might result in voting in random elections which are not, or should not be, open for voting.

Solution: Wherever using POST or GET, always check that you get what you expect. Check that the ID is set in the array, and then make sure the election ID is found. Good practice is also to enable CSRF validation, which will handle changes in the HTML form and validate the form.
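The election-ID check and CSRF validation the report asks for, written out as an added example that is not the OYY system's own code. $db as a PDO connection, the elections and votes tables with id, open, election_id and candidate_id columns, the csrf_token form field, and PHP 7.1 or later are assumptions.

```php
<?php
// Added example, not the OYY voting system's own code: the election id check
// and CSRF validation the report asks for in the vote action. $db is an
// assumed PDO connection; table and column names are assumptions as well.
function csrfToken(): string
{
    // Issued once per session; the vote form carries it in a hidden field.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function requireCsrfToken(array $post): void
{
    // Constant-time compare; a missing or edited token ends the request.
    $expected = isset($_SESSION['csrf_token']) ? $_SESSION['csrf_token'] : '';
    $given    = isset($post['csrf_token']) ? (string) $post['csrf_token'] : '';
    if ($expected === '' || !hash_equals($expected, $given)) {
        http_response_code(403);
        exit('Invalid form token');
    }
}

function openElectionId(PDO $db, array $post): int
{
    // 1. The id must be present in the POST array and be a plain integer.
    if (!isset($post['electionid']) || !ctype_digit((string) $post['electionid'])) {
        throw new InvalidArgumentException('electionid missing or malformed');
    }
    $id = (int) $post['electionid'];
    // 2. It must name an existing, open election (strict !==, as the report advises).
    $stmt = $db->prepare('SELECT COUNT(*) FROM elections WHERE id = ? AND open = 1');
    $stmt->execute([$id]);
    if ((int) $stmt->fetchColumn() !== 1) {
        throw new RuntimeException('election ' . $id . ' not found or not open');
    }
    return $id;
}

function castVote(PDO $db, array $post): void
{
    requireCsrfToken($post);
    // An edited id now raises an error instead of silently storing a vote.
    $electionId = openElectionId($db, $post);
    $candidate  = isset($post['candidate']) ? (int) $post['candidate'] : null;
    $stmt = $db->prepare('INSERT INTO votes (election_id, candidate_id) VALUES (?, ?)');
    $stmt->execute([$electionId, $candidate]);
}
```

The vote form must embed csrfToken() in a hidden csrf_token field when it is rendered, and the action should wrap castVote() so that the exceptions surface as a visible error page rather than a blank response.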