USING STAMP FOR ANALYSIS OF SECURITY AND DATA PRIVACY
Nívio P. Souza, ITA
Cecília A. C. Cesar, ITA
Juliana M. Bezerra, ITA
Celso M. Hirata, ITA - [email protected]
2019 STAMP Workshop, http://sunnyday.mit.edu/ March 25-28, 2019, MIT, Cambridge
Disclaimer
The considerations herein expressed are of the authors of this presentation and do not reflect the official position of the Tribunal Superior Eleitoral do Brasil or the Brazilian Government.
Slide 2 of 76
Agenda
• Motivation
• Goal
• Some Background
• Using STAMP for safety, security, and privacy: a Proposal
• SiVES: System of e-Voting using Smartphone
• Results and Analysis
• Conclusions
Motivation
• More complex systems, factors not only technical but also sociological, political and legal
• Cyber Security is a strategic concern for many businesses.
• Privacy gaining attention due to the increasing legal protection of the right to data privacy.
• STAMP allows analyzing emergent properties in the concept stage.
• Safety (STPA) and, more recently, security (STPA-Sec).
• How to consider security and privacy in STAMP?
Goal
• Propose an approach that allows analyzing safety, security and privacy of systems using STAMP/STPA-Sec in order to identify hazardous control actions and generate requirements.
• The approach employs guidelines to consider data privacy, safety and security.
• We use as an example the Brazilian electronic voting system to vote using smartphones.
Some Background
• STAMP and STPA-Sec (Monday sessions)
• Some more Security
• Data Privacy
Security
• Security - concurrent existence of availability, confidentiality, and integrity.
• Availability - readiness for correct service.
• Confidentiality - absence of unauthorized disclosure of information.
• Integrity - absence of non-authorized system alterations.
• Security analysis techniques allow eliciting security requirements by considering assets, vulnerabilities, threats, and risks.
• Techniques usually employed in the Design Phase.
Security
• In an online banking site, clients require confidentiality of the transaction, integrity of the data, and service availability in accessing the online banking site.
• Security of the access to the online banking is determined by technological mechanisms.
• Mechanisms include computer access control, antivirus software, authentication, authorization, encryption, firewall, and intrusion detection system.
• Security Threat models, such as STRIDE (Microsoft), can be used to identify requirements.
• Spoofing of user identity, Tampering, Repudiation, Information disclosure (privacy breach or data leak), Denial of service (DoS), Elevation of privilege.
• Threat models are seen as more effective to analyze security and generate requirements because they consider a wider spectrum of causes.
Data Privacy
• Privacy: need of conceptualization - legal and policy decisions
• ''the right to informational self-determination'', allowing individuals to ''control, edit, manage, and delete information about themselves and decide when, how, and to what extent that information is communicated to others'' [Hansen, 2008]
• Data protection - protecting any information relating to a person, such as name and address.
• Stems from the right to privacy - instrumental to exercise other rights and freedoms.
• Data protection involves three entities:
  • data subject - identifiable individual to whom personal data relate
  • data processor - entity that processes personal information
  • data controller - who determines the purposes for which and the manner in which any item of personal information is processed.
Privacy attributes
• Unlinkability - hiding the link between two or more actions, identities, and pieces of information.
• Anonymity - hiding the link between an identity and an action or a piece of information.
• Pseudonymity - possible to build a reputation on a pseudonym.
• Plausible deniability - possible to deny having performed an action that other parties can neither confirm nor contradict.
• Undetectability - hiding the user's activities.
• Confidentiality - hiding the data content or controlled release of data content.
• Content awareness - user needs to be aware of the consequences of sharing information.
• Consent compliance requires the data controller to inform the data subject about the system's privacy policy, or allow the data subject to specify consents in compliance with legislation.
• [Deng, 2010]
Data privacy
• In an online drugstore, clients require security and privacy to transact.
• Clients want to keep their information protected (identity, medical prescription, drug). They might consent to have their information shared (for the purpose of some discount program).
• Clients do not want to be identified. They want to be able to repudiate any link with the transaction. They do not want to have their information disclosed (even the access to the site). They want to know about the consent that they are providing and the privacy policy of the store.
• In general, the security and privacy requirements are met by the same technological mechanisms. Privacy requires some additional mechanisms.
Privacy Threat Model: LINDDUN
• Privacy Threat models, such as LINDDUN, can be used to identify requirements.
• Each letter of ''LINDDUN'' stands for a privacy threat type obtained by negating a privacy property, indicating a privacy threat category. There is almost a one-to-one correspondence between threats and attributes.
• Linkability of two or more items of interest, Identifiability of a subject (anonymity, pseudonymity), Non-repudiation, Detectability of an item of interest, Information Disclosure, Content Unawareness, and Policy and Consent Non-compliance.
Using STAMP for safety, security, and privacy: a Proposal
• STAMP model tasks: Define system mission, purpose, goal, and key activities; Identify unacceptable losses (accidents) and hazards/constraints; Model the functional control structure; and Check Functional Control Structure Model for completeness.
• We propose an extension to the task Identify unacceptable losses and hazards/constraints:
  • Characterization of Unacceptable Losses in terms of Security and Privacy
  • Characterization of Hazards in terms of Security and Privacy
Characterization of Unacceptable Losses in terms of Security and Privacy
• Loss refers to compensating cost, loss of credibility in a service or institution, political damages, and so on, due to a security breach, lack of security, privacy violation or lack of privacy.
• Unacceptable loss in terms of occurrence of an unwanted event, its number or frequency, and its severity.
• For some systems, a single occurrence of an event is unacceptable.
• The frequency and severity of events can be dealt with either quantitatively or qualitatively. The qualification, quantification, and the act of unacceptance are made by responsible stakeholders.
• Frequency is measured over a period of time. The frequency of service events must be monitored.
Characterization of Unacceptable Losses in terms of Security
• Unacceptable loss can be characterized as a combination of the violations of security attributes or realizations of security threats.
• Loss of credibility due to unacceptable number and severity of security issues.
• We can use security attributes to characterize a loss.
  • Loss of reputation due to a large number of violations of confidentiality.
• We can use threats. STRIDE is an acronym for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
  • Loss of revenue due to successful Denial of Service attacks.
Characterization of Unacceptable Losses in terms of Privacy using Attributes
• The idea is to use privacy attributes or privacy threats.
• Loss of credibility due to violation of privacy: loss due to any occurrence of linkability that links a voter to a vote.
CharacterizingHazardsintermsofSecurityandPrivacy• Forphysicalsystems,hazardisassociatedtosomephysicalcondition,forinstance,distancebetweentwoaircrafts.
• Cyberphysicalsystemsmaychangestatesuponreceivingandprocessingmessagesandreactingbysendingmessages(events).
• Theseeventsmaynotcharacterizeanychangeofphysicalcondition.
• Weproposetoemploystatethatleadstotheoccurrenceofsecurityandprivacythreatsorviolationsofsecurityandprivacyattributes.
Slide 17 of 76
CharacterizingHazardsintermsofSecurityandPrivacy• Inthevotingsystem,fortheunacceptableloss“Lossofcredibilityduetoviolationofprivacylossduetoanyoccurrenceoflinkabilitythatlinksavotertoavote”,weidentifytwohazards:• Statethatallowsinformationdisclosurethatlinksvotertovote(linkability).Thestateischaracterizedwhenthevotingtransactionisundisclosed.
• Statethatdoesnotallowavotertodenyforwhomhe/shevoted.(Non-repudiation).Thestateischaracterizedwhenthefollowingelectionreport(aftertallyingthevotes)ispossible:“Allthevotescollectedinanelectoralareaweregiventoonecandidate”
• Thechallengeistofindthesestates.Thisrequiresthinkingofstatesthatleadtotheunacceptablelossesusingattributesandthreatstosecurityandprivacy.
Slide 18 of 76
SiVES: System of e-Voting using Smartphone
• We apply the characterizations of security and privacy in an example.
• STAMP models are constructed using the following descriptions: the system purpose, system description, unacceptable losses, hazards, and the functional control structure for safety, security and privacy analysis.
• The purpose of the system is to allow voting of users using smartphones, meeting Electoral Higher Court guidelines, through the registration of voters' biometric data in the electoral office, system setup, call for voting, app installation, voting, tallying, and verification, to contribute to the Brazilian democracy.
• Key stakeholders are voters, Electoral Higher Court (known as TSE in Brazil), Information Technology Secretary (STI) and virtual stores (Apple Store and Google Play).
SiVES: Assumptions and Restrictions
• SiVES is a smartphone electronic voting system based on the assumptions and restrictions described as follows.
• The biometry is fingerprint and the enrollments of voters are already made.
• For voters, SiVES has three methods: application installation on smartphones, operation (voting), and verification of the vote. SiVES must allow the voter to vote and verify that the vote was correctly counted (verifiability).
• SiVES has the server component (SiVES-S) that runs on server computers in STI and the client component (SiVES-C) that runs in the voter's smartphone. The voting process allows 'revoting'. The valid vote is the last one.
• SiVES is available to voters for a given period. Afterwards, only the in-person voting is possible.
• SiVES must allow the voter to verify that the system has counted his/her vote correctly (verifiability). The verification occurs in verification machines inside the electoral office.
SiVES Key Activities
• We focus on Operation. Development is not addressed here.
• In operation, we identify the following key activities: registration of voters' biometric data in the electoral office, system setup, call for voting, app installation, voting, tallying (it is considered for the control structure, but it is not analyzed), and verification.
• We do not consider the activity of registration of voters' biometric data in the electoral office for elaborating the functional control structure.
SiVES Key Activities
• System setup is about installing all the hardware and software, including the network, to run the server system. It also includes the upload of the installation package in the app stores by STI.
• Call for voting is the public call to all the voters. It is the responsibility of TSE.
• Application installation refers to installation of the app in the smartphone. Installation is the responsibility of voters.
• In voting, the voter authenticates herself/himself in the system and votes.
• In tallying, STI tallies the votes and TSE makes the results public. It is considered for the functional control structure, but it is not analyzed here.
• In verification, the voter goes to the electoral office and checks his/her vote.
• We perform the analysis for system setup, call for voting, application installation, voting and verification - activities where the voters interact with the system.
SiVES: Unacceptable Losses
• We identify the following Unacceptable Security and Privacy Losses:
  UL1: Unacceptable number of eligible voters who are unable to vote.
  UL2: Unacceptable number of eligible voters who are unable to verify the vote.
  UL3: Loss of credibility due to unacceptable number and severity of security issues.
  UL4: Loss of credibility due to violation of data privacy.
• We assume that the numbers of eligible voters who are unable to vote and to verify the vote are defined by a proper responsible role.
SiVES: Hazards
• We identify the following hazards:
  H1: Voters unable to vote due to reliability, availability and mission assurance issues. (UL1)
    H1.1: State that does not allow a legitimate voter to vote (to assure the mission).
    H1.2: State that prevents voting due to the system's unavailability and reliability issues.
  H2: Voters unable to verify the vote (reliability, availability and mission assurance issues). (UL2)
    H2.1: State that does not allow a legitimate voter who voted to verify his/her own vote (to assure the mission).
    H2.2: State that prevents verifying the vote due to the system's unavailability and reliability issues.
SiVES: Hazards
• We identify the following hazards:
  H3: State that allows security violations (security issues). (UL3)
    H3.1: State that allows unauthorized access to private information (data, vote, etc.).
    H3.2: State that allows an unauthorized person to vote.
    H3.3: State that allows for undue alteration of the voter's vote.
  H4: State that allows data privacy loss (privacy issues). (UL4)
    H4.1: State that allows information disclosure that links voter to a vote.
    H4.2: State that does not allow a voter to deny for whom he/she voted.
SiVES: Functional Control Structure
• Using the key activities (registration of voters' biometric data, system setup, call for voting, app installation, voting, tallying, and verification) to identify model elements.
• Identify responsibilities of model elements in carrying out each of the key activities necessary to conduct the mission.
• Identify control relationships.
• For each controller element:
  • Identify control actions necessary to execute its responsibilities
  • Develop description of the process model
    • Identify the process model variables
    • For each variable, identify the values and the feedback or communication link
SiVES: Identify Model Elements

Method (Key activity) | Model Elements | Description
System setup, call for voting and application installation | TSE, STI, Virtual Stores, Voter, Smartphone | Elements that have responsibilities in the system setup, call for voting and application installation
Voting | STI, SiVES-S, SiVES Servers, SiVES-C, Voter | Elements that have responsibilities in the voting
Tallying | TSE, STI, SiVES-S | Elements that have responsibilities in the tallying
Verification | STI, Electoral Zone, Verification Machine, Verification Machine Software (VMS), SiVES-S, SiVES Servers, Voter | Elements that have responsibilities in the verification
SiVES: Identify responsibilities of model elements for Voting

Model Element | Responsibility for "Voting"
STI | Make SiVES-S available to voting method
Voter | Follow security and privacy TSE guidelines; Authenticate; Accept the privacy agreement; Vote
SiVES-C | Capture biometric data for SiVES-C; Send request of authentication to SiVES-S; Present result of the authentication; Offer privacy agreement; Send the acceptance of the privacy agreement to SiVES-S; Send the vote; Present voting confirmation or error
SiVES-S | Provide authentication; Send result of the authentication; Register the acceptance of the privacy agreement; Register the vote sent by SiVES-C; Send the voting confirmation or error

SiVES: Identify control actions for Voter and SiVES-C

Voter responsibilities: Follow security and privacy TSE guidelines; Authenticate; Accept the privacy agreement; and Vote

Controller Element | Control Action | CA Nr
Voter | Follow security and privacy guidelines (repeated) | 08
Voter | Provide biometric data | 13
Voter | Accept the privacy agreement | 14
Voter | Vote | 15
Voter | Receive voting confirmation | 16
Voter | Finalize session | 17

SiVES-C responsibilities: Capture biometric data for SiVES-C; Send request of authentication to SiVES-S; Present result of the authentication; Offer privacy agreement; Send the acceptance of the privacy agreement to SiVES-S; Send the vote; and Present voting confirmation or error

Controller Element | Control Action | CA Nr
SiVES-C | Capture biometric data for authentication | 18
SiVES-C | Send the user's biometric data to SiVES-S | 19
SiVES-C | Display the SiVES-S response about user authentication | 20
SiVES-C | Offer the privacy agreement to the voter | 21
SiVES-C | Send the required acceptance of the privacy agreement to SiVES-S | 22
SiVES-C | Send the voter's vote to SiVES-S | 23
SiVES-C | Display and store voting confirmation or display error status | 24
SiVES: Develop description of the process model

Model Element | CA Nr | Process Model Variable | Values | Sensor or Controlled Process | Hazards
STI | 6 | sti_validation_status_ok | Yes/No | system_validation | H1, H3, H4
SiVES-S | 15, 19, 23 | sives_s_available_status_ok | Yes/No | system_operations | H1 to H4
SiVES-S | 15, 23, 27, 29 | sives_s_authenticated_user | Yes/No | Authentication | H1 to H4
SiVES-C | 15, 18 | sives_c_updated_in_virtual_stores | Yes/No | update_clients | H3.1, H3.2, H4.1
SiVES-C | 18, 25 | sives_c_is_installed_and_updated | Yes/No | update_clients | H1, H3, H4
VMS | 38 | vms_available_status_ok | Yes/No | vms_operation | H2
Voter | 29 | voter_accepted_privacy_agreement | Yes/No | Agreement | H1.1, H2 to H4

Functional Control Structure (diagram)
Evaluation of the approach
• The evaluation of the approach consisted of performing Step 1 and analyzing the results.
• Step 1
  • For each controller, we analyze each control action to find when it is hazardous. To help the discovery of the cases, we use Context Tables.
• A context table is defined as the combination of all process model variables and values, with issuance of the control action.
SiVES: Context table for the control action "SiVES-C sends the vote to SiVES-S"

CA Nr 23: SiVES-C sends the voter's vote to SiVES-S
(columns on the slide: Control Action provided / Control Action not provided)

sives_s_authenticated_user | sives_s_available_status_ok | Hazards
Yes | Yes | H1.1
Yes | No | H1.1
No | Yes | H1.1, H3.1, H4.2
No | No | H1.1, H3.1, H4.2
SiVES: Excerpt of context table for the control action "Voter votes": first 4 entries

CA Nr 15: Voter votes
(columns on the slide: Control Action provided / Control Action not provided)

sives_s_authenticated_user | sives_s_available_status_ok | sives_c_is_installed_and_updated | voter_accepted_privacy_agreement | Hazards
Yes | Yes | Yes | Yes | H3.1, H4.2
Yes | Yes | Yes | No | H3.2, H3.3, H4
Yes | Yes | No | Yes | H3.2, H3.3, H4
Yes | Yes | No | No | H3.2, H3.3, H4
CA | Hazardous Control Action (CA with a context: variables with value) | Associated Constraint | Hazards
06 | STI provided send SiVES-C installation package file to Virtual Stores when sti_validation_status_ok is no (provided) | STI must not send installation package to virtual stores when the app is not validated by TSE. | H1, H3, H4
15 | Voter provided vote when sives_s_available_status_ok is no or sives_s_authenticated_user is no or sives_c_is_installed_and_updated is no or voter_accepted_privacy_agreement is no (provided) | Voter must not be allowed to vote if the server is not available or the voter is not authenticated or the updated app is not installed or the voter has not accepted the privacy agreement. | H3.2, H3.3, H4
18 | SiVES-C provided capture biometric data for authentication when sives_c_updated_in_virtual_stores is yes and sives_c_is_installed_and_updated is no (provided) | App must not capture biometric data for authentication if the app is updated in virtual store, but the updated app is not installed. | H3.1, H3.2, H4.1
19 | SiVES-C provided send the user's biometric data to SiVES-S when sives_s_available_status_ok is no (provided) | App must not send biometric data to server if server is not available to receive. | H1
23 | SiVES-C provided send the voter's vote to SiVES-S when sives_s_authenticated_user is no (provided) | App must not send vote to server if the user is not authenticated. | H1.1, H3.1, H4.2
25 | SiVES-S provided receive biometric user data when sives_c_is_installed_and_updated is no (provided) | Server must not receive biometric user data if the app is not updated. | H1
27 | SiVES-S provided response, informing whether the user is authenticated as a voter, when sives_s_authenticated_user is no (provided) | SiVES-S must not provide response, informing whether the user is authenticated as a voter, when sives_s_authenticated_user is no. | H1
29 | SiVES-S provided receive and store the vote from SiVES-C when sives_s_authenticated_user is no and voter_accepted_privacy_agreement is yes (provided) | Server must not receive and store the vote from app if the user is not authenticated, even if the user accepted the privacy agreement. | H3.1, H3.3
38 | Electoral Office provided provide verification service when vms_available_status_ok is no (provided) | Electoral Office must not provide verification service if the verification machine server is not available. | H2
39 | Voter provided verify the vote when sives_s_available_status_ok is no or sives_s_authenticated_user is no or voter_accepted_privacy_agreement is no (provided) | Voter must not be allowed to verify the vote if the server is not available or the voter is not authenticated or the voter has not accepted the privacy agreement. | H2, H3.1, H4
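A context table is the combination of all process model variables and values with issuance of the control action, and the table above turns the contexts in which providing a control action is hazardous into an associated constraint. The following is an added example, not the authors' tooling: it builds the context tables for CA 15 ("Voter votes") and CA 23 ("SiVES-C sends the vote to SiVES-S") from the slides' variable names, with hazard rules transcribed from their two constraint rows (the "control action provided" case only), lists the hazardous contexts, finds the variables the constraint must mention, and groups the resulting HCAs by hazard combination as the results table does.

```python
"""Context tables for STPA-Sec Step 1 over the SiVES process model (added example).
Variable names and hazard ids are the slides'; the two rules transcribe the constraint
rows for CA 15 and CA 23, 'control action provided' case only."""
from collections import Counter
from itertools import product

YES, NO = "Yes", "No"

def rule_ca15(ctx):
    """CA 15 'Voter votes': hazardous if any guard is No (server unavailable, voter
    not authenticated, updated app not installed, privacy agreement not accepted)."""
    return {"H3.2", "H3.3", "H4"} if NO in ctx.values() else set()

def rule_ca23(ctx):
    """CA 23 'SiVES-C sends the vote to SiVES-S': hazardous whenever the server has
    not authenticated the user, regardless of its availability status."""
    return {"H1.1", "H3.1", "H4.2"} if ctx["sives_s_authenticated_user"] == NO else set()

# CA number -> (description, process model variables forming the context, rule)
CONTROL_ACTIONS = {
    15: ("Voter votes",
         ["sives_s_available_status_ok", "sives_s_authenticated_user",
          "sives_c_is_installed_and_updated", "voter_accepted_privacy_agreement"],
         rule_ca15),
    23: ("SiVES-C sends the voter's vote to SiVES-S",
         ["sives_s_authenticated_user", "sives_s_available_status_ok"],
         rule_ca23),
}

def context_table(variables):
    """All 2**n contexts for n Yes/No variables, one dict per table row."""
    return [dict(zip(variables, values))
            for values in product((YES, NO), repeat=len(variables))]

def hazardous_control_actions(ca_nr):
    """(context, hazards) for every row in which providing CA ca_nr is hazardous."""
    _, variables, rule = CONTROL_ACTIONS[ca_nr]
    return [(ctx, frozenset(rule(ctx)))
            for ctx in context_table(variables) if rule(ctx)]

def relevant_variables(ca_nr):
    """Variables whose flip changes the hazard outcome in some context: exactly the
    guards the associated constraint has to mention (cf. the constraint column)."""
    _, variables, rule = CONTROL_ACTIONS[ca_nr]
    relevant = set()
    for ctx in context_table(variables):
        for var in variables:
            flipped = dict(ctx, **{var: NO if ctx[var] == YES else YES})
            if rule(flipped) != rule(ctx):
                relevant.add(var)
    return sorted(relevant)

def hazard_group_counts(ca_nrs):
    """Count HCAs by top-level hazard combination ('H3 and H4', ...), as the
    results table does for the whole analysis."""
    counts = Counter()
    for ca_nr in ca_nrs:
        for _, hazards in hazardous_control_actions(ca_nr):
            counts[" and ".join(sorted({h.split(".")[0] for h in hazards}))] += 1
    return counts

if __name__ == "__main__":
    for ca_nr, (name, _, _) in CONTROL_ACTIONS.items():
        print(f"CA {ca_nr} ({name}): {len(hazardous_control_actions(ca_nr))} "
              f"hazardous contexts; guards: {relevant_variables(ca_nr)}")
    print(dict(hazard_group_counts(CONTROL_ACTIONS)))
```

For CA 23 the availability variable never changes the outcome, which is why the slide's constraint mentions only authentication; for CA 15 all four variables are guards.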
Results

Information | Quantity
Unacceptable Losses | 5
Hazards | 13
Constraints | 11
Control Actions | 41
Hazardous Control Actions | 81
Hazardous Control Action due to | Quantity
H1 (Reli, Avail, Mission) | 17
H2 | 7
H3 (Security) | 1
H4 (Privacy) | 2
H1 and H2 | 4
H1 and H3 | 2
H1 and H4 | 2
H2 and H3 | 0
H2 and H4 | 1
H3 and H4 | 29
H1, H2 and H3 | 1
H1, H2 and H4 | 0
H1, H3 and H4 | 6
H2, H3 and H4 | 7
Total | 81
Analysis
• Control actions that are hazardous due to H3 (security hazards) account for 46, and 42 of them are also hazardous due to H4 (data privacy hazards).
• There are 4 HCAs due to H3 that are not due to H4.
• This result shows that when a control action is hazardous to security, it is generally hazardous to privacy.
• The result also shows that these 4 HCAs require specific focus on security issues.
Analysis
• For instance, the hazardous control action "SiVES-S does not overwrite previous vote in case of 'revoting'" may lead to the state that allows for undue alteration of the voter's vote (H3.3) if the new vote is different from the previous vote.
CA | Hazardous Control Action due to security violation and not privacy violation | Hazards due to
04 | TSE does request changes of SiVES to STI | H1, H2, H3.2
27 | SiVES-S does not respond, informing if the user is authenticated as a voter, when sives_s_authenticated_user is yes | H1.1, H3.1, H3.2
29 | SiVES-S receives and stores the vote from SiVES-C when sives_s_authenticated_user is No and voter_accepted_privacy_agreement is Yes | H3.1, H3.3
30 | SiVES-S does not overwrite previous vote in case of "revoting" | H1.1, H3.3

Most of the HCAs due to Privacy but not Security are related to the correct processing of the data privacy agreement.

CA | Hazardous Control Action due to privacy violation and not security violation | Hazards due to
14 | Voter does not accept the privacy agreement | H4
19 | SiVES-C (or VMS) does not send the user's biometric data to SiVES-S when sives_s_available_status_ok is Yes | H1.1, H4.1
22 | SiVES-C (or VMS) does not send the required acceptance of the privacy agreement to SiVES-S | H4
28 | SiVES-S does not register the acceptance of the privacy agreement | H2, H4
29 | SiVES-S receives and stores the vote from SiVES-C when sives_s_authenticated_user is Yes and voter_accepted_privacy_agreement is No | H1.1, H4.2
Concluding Remarks
• The proposed STAMP-based approach, with STPA-Sec Step 1, allows identifying safety, security and privacy hazardous control actions and associated constraints.
• We observed that in general control actions that are hazardous due to security issues are also hazardous due to privacy issues, and vice-versa.
• We did not identify security and privacy requirements yet. We are employing STRIDE and LINDDUN for this. We have some preliminary results.
Preliminary results using STPA Scenarios, Information Life Cycle, and STRIDE

Result | Quantity
Unacceptable Losses | 5
Hazards | 13
Constraints | 11
Control Actions | 41
Hazardous Control Actions | 82
Scenarios + STRIDE | 26 + 16 (61,5%)
Associated Security Constraints | 82
Requirements + STRIDE | 26 + 23 (88,5%)