USING STAMP FOR ANALYSIS OF SECURITY AND DATA PRIVACY Nívio P. Souza, ITA Cecília A. C. Cesar, ITA Juliana M. Bezerra, ITA Celso M. Hirata, ITA- [email protected] 2019 STAMP Workshop http://sunnyday.mit.edu/ March, 25-28, 2019, MIT, Cambridge

USING STAMP FOR ANALYSIS OF SECURITY AND DATA PRIVACYpsas.scripts.mit.edu/home/wp-content/uploads/2019/04/4-Wed-Aft__… · 4/4/2019  · • Content awareness - user needs to be




Disclaimer

The considerations herein expressed are of the authors of this presentation and do not reflect the official position of the Tribunal Superior Eleitoral do Brasil or the Brazilian Government.

Slide 2 of 76


Agenda

• Motivation

• Goal

• Some Background

• Using STAMP for safety, security, and privacy: a Proposal

• SiVES: System of e-Voting using Smartphone

• Results and Analysis

• Conclusions

Slide 3 of 76


Motivation

• More complex systems: the factors are not only technical but also sociological, political and legal.

• Cyber security is a strategic concern for many businesses.

• Privacy is gaining attention due to the increasing legal protection of the right to data privacy.

• STAMP allows analyzing emergent properties in the concept stage.

• Safety (STPA) and, more recently, security (STPA-Sec).

• How to consider security and privacy in STAMP?

Slide 4 of 76


Goal

• Propose an approach that allows analyzing safety, security and privacy of systems using STAMP/STPA-Sec in order to identify hazardous control actions and generate requirements.

• The approach employs guidelines to consider data privacy, safety and security.

• We use as an example the Brazilian electronic voting system to vote using smartphones.

Slide 5 of 76


Some Background

• STAMP and STPA-Sec (Monday sessions)

• Some more Security

• Data Privacy

Slide 6 of 76


Security

• Security - concurrent existence of availability, confidentiality, and integrity.

• Availability - readiness for correct service.

• Confidentiality - absence of unauthorized disclosure of information.

• Integrity - absence of non-authorized system alterations.

• Security analysis techniques allow eliciting security requirements by considering assets, vulnerabilities, threats, and risks.

• Techniques usually employed in the Design Phase.

Slide 7 of 76


Security

• In an online banking site, clients require confidentiality of the transaction, integrity of the data, and service availability in accessing the online banking site.

• Security of the access to the online banking is determined by technological mechanisms.

• Mechanisms include computer access control, antivirus software, authentication, authorization, encryption, firewall, and intrusion detection system.

• Security threat models, such as STRIDE (Microsoft), can be used to identify requirements.

• Spoofing of user identity, Tampering, Repudiation, Information disclosure (privacy breach or data leak), Denial of service (DoS), Elevation of privilege.

• Threat models are seen as more effective to analyze security and generate requirements because they consider a wider spectrum of causes.

Slide 8 of 76


Data Privacy

• Privacy: need of conceptualization - legal and policy decisions

• ‘‘the right to informational self-determination’’, allowing individuals to ‘‘control, edit, manage, and delete information about themselves and decide when, how, and to what extent that information is communicated to others’’ [Hansen, 2008]

• Data protection - protecting any information relating to a person, such as name and address.

• Stems from the right to privacy - instrumental to exercise other rights and freedoms.

• Data protection involves three entities:

• data subject - identifiable individual to whom personal data relate

• data processor - entity that processes personal information

• data controller - who determines the purposes for which and the manner in which any item of personal information is processed.

Slide 9 of 76


Privacy attributes

• Unlinkability - hiding the link between two or more actions, identities, and pieces of information.

• Anonymity - hiding the link between an identity and an action or a piece of information.

• Pseudonymity - possible to build a reputation on a pseudonym.

• Plausible deniability - possible to deny having performed an action that other parties can neither confirm nor contradict.

• Undetectability - hiding the user’s activities.

• Confidentiality - hiding the data content or controlled release of data content.

• Content awareness - user needs to be aware of the consequences of sharing information.

• Consent compliance requires the data controller to inform the data subject about the system’s privacy policy, or allow the data subject to specify consents in compliance with legislation.

• [Deng, 2010]

Slide 10 of 76


Data privacy

• In an online drugstore, clients require security and privacy to transact.

• Clients want to keep their information protected (identity, medical prescription, drug). They might consent to have their information shared (for the purpose of some discount program).

• Clients do not want to be identified. They want to be able to repudiate any link with the transaction. They do not want to have their information disclosed (even the access to the site). They want to know about the consent that they are providing and the privacy policy of the store.

• In general, the security and privacy requirements are met by the same technological mechanisms. Privacy requires some additional mechanisms.

Slide 11 of 76


Privacy Threat Model: LINDDUN

• Privacy threat models, such as LINDDUN, can be used to identify requirements.

• Each letter of ‘‘LINDDUN’’ stands for a privacy threat type obtained by negating a privacy property, indicating a privacy threat category. There is an almost one-to-one correspondence between threats and attributes.

• Linkability of two or more items of interest, Identifiability of a subject (anonymity, pseudonymity), Non-repudiation, Detectability of an item of interest, Information Disclosure, Content Unawareness, and Policy and Consent Non-compliance.

Slide 12 of 76


Using STAMP for safety, security, and privacy: a Proposal

• STAMP model tasks: Define system mission, purpose, goal, and key activities; Identify unacceptable losses (accidents) and hazards/constraints; Model the functional control structure; and Check the Functional Control Structure Model for completeness.

• We propose an extension to the task Identify unacceptable losses and hazards/constraints:

• Characterization of Unacceptable Losses in terms of Security and Privacy

• Characterization of Hazards in terms of Security and Privacy

Slide 13 of 76


Characterization of Unacceptable Losses in terms of Security and Privacy

• Loss refers to compensating cost, loss of credibility in a service or institution, political damages, and so on, due to a security breach, lack of security, privacy violation or lack of privacy.

• Unacceptable loss is defined in terms of the occurrence of an unwanted event, its number or frequency, and its severity.

• For some systems, a single occurrence of an event is unacceptable.

• The frequency and severity of events can be dealt with either quantitatively or qualitatively. The qualification, quantification, and the judgement of unacceptability are made by responsible stakeholders.

• Frequency is measured over a period of time. The frequency of service events must be monitored.

Slide 14 of 76


Characterization of Unacceptable Losses in terms of Security

• Unacceptable loss can be characterized as a combination of the violations of security attributes or realizations of security threats.

• Loss of credibility due to unacceptable number and severity of security issues.

• We can use security attributes to characterize a loss.

• Loss of reputation due to a large number of violations of confidentiality.

• We can use threats. STRIDE is an acronym for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

• Loss of revenue due to successful Denial of Service attacks.

Slide 15 of 76


Characterization of Unacceptable Losses in terms of Privacy using Attributes

• The idea is to use privacy attributes or privacy threats.

• Loss of credibility due to violation of privacy: loss due to any occurrence of linkability that links a voter to a vote.

Slide 16 of 76


Characterizing Hazards in terms of Security and Privacy

• For physical systems, a hazard is associated with some physical condition, for instance, the distance between two aircraft.

• Cyber-physical systems may change states upon receiving and processing messages and reacting by sending messages (events).

• These events may not characterize any change of physical condition.

• We propose to employ a state that leads to the occurrence of security and privacy threats or violations of security and privacy attributes.

Slide 17 of 76


Characterizing Hazards in terms of Security and Privacy

• In the voting system, for the unacceptable loss “Loss of credibility due to violation of privacy: loss due to any occurrence of linkability that links a voter to a vote”, we identify two hazards:

• State that allows information disclosure that links voter to vote (linkability). The state is characterized when the voting transaction is undisclosed.

• State that does not allow a voter to deny for whom he/she voted (non-repudiation). The state is characterized when the following election report (after tallying the votes) is possible: “All the votes collected in an electoral area were given to one candidate”.

• The challenge is to find these states. This requires thinking of states that lead to the unacceptable losses using attributes and threats to security and privacy.

Slide 18 of 76


SiVES: System of e-Voting using Smartphone

• We apply the characterizations of security and privacy in an example.

• STAMP models are constructed using the following descriptions: the system purpose, system description, unacceptable losses, hazards, and the functional control structure for safety, security and privacy analysis.

• The purpose of the system is to allow users to vote using smartphones, meeting Electoral Higher Court guidelines, through the registration of voters’ biometric data in the electoral office, system setup, call for voting, app installation, voting, tallying, and verification, to contribute to Brazilian democracy.

• Key stakeholders are voters, the Electoral Higher Court (known as TSE in Brazil), the Information Technology Secretary (STI) and virtual stores (Apple Store and Google Play).

Slide 19 of 76


SiVES: Assumptions and Restrictions

• SiVES is a smartphone electronic voting system based on the assumptions and restrictions described as follows.

• The biometry is fingerprint and the enrollments of voters are already made.

• For voters, SiVES has three methods: application installation on smartphones, operation (voting), and verification of the vote. SiVES must allow the voter to vote and verify that the vote was correctly counted (verifiability).

• SiVES has the server component (SiVES-S) that runs on server computers in STI and the client component (SiVES-C) that runs in the voter's smartphone. The voting process allows ‘revoting’. The valid vote is the last one.

• SiVES is available to voters for a given period. Afterwards, only in-person voting is possible.

• SiVES must allow the voter to verify that the system has counted his/her vote correctly (verifiability). The verification occurs in verification machines inside the electoral office.

Slide 20 of 76


SiVES Key Activities

• We focus on Operation. Development is not addressed here.

• In operation, we identify the following key activities: registration of voters’ biometric data in the electoral office, system setup, call for voting, app installation, voting, tallying (it is considered for the control structure, but it is not analyzed), and verification.

• We do not consider the activity of registration of voters’ biometric data in the electoral office for elaborating the functional control structure.

Slide 21 of 76


SiVES Key Activities

• System setup is about installing all the hardware and software, including the network, to run the server system. It also includes the upload of the installation package to the app stores by STI.

• Call for voting is the public call to all the voters. It is the responsibility of TSE.

• Application installation refers to installation of the app in the smartphone. Installation is the responsibility of voters.

• In voting, the voter authenticates herself/himself in the system and votes.

• In tallying, STI tallies the votes and TSE makes the results public. It is considered for the functional control structure, but it is not analyzed here.

• In verification, the voter goes to the electoral office and checks his/her vote.

• We perform the analysis for system setup, call for voting, application installation, voting and verification - activities where the voters interact with the system.

Slide 22 of 76


SiVES: Unacceptable Losses

• We identify the following Unacceptable Security and Privacy Losses:

UL1: Unacceptable number of eligible voters who are unable to vote.

UL2: Unacceptable number of eligible voters who are unable to verify the vote.

UL3: Loss of credibility due to unacceptable number and severity of security issues.

UL4: Loss of credibility due to violation of data privacy.

• We assume that the numbers of eligible voters who are unable to vote and to verify the vote are defined by a proper responsible role.

Slide 23 of 76


SiVES: Hazards

• We identify the following hazards:

H1: Voters unable to vote due to reliability, availability and mission assurance issues. (UL1)

H1.1: State that does not allow a legitimate voter to vote (to assure the mission).

H1.2: State that prevents voting due to the system’s unavailability and reliability issues.

H2: Voters unable to verify the vote (reliability, availability and mission assurance issues). (UL2)

H2.1: State that does not allow a legitimate voter who voted to verify his/her own vote (to assure the mission).

H2.2: State that prevents verifying the vote due to the system’s unavailability and reliability issues.

Slide 24 of 76


SiVES: Hazards

• We identify the following hazards:

H3: State that allows security violations (security issues). (UL3)

H3.1: State that allows unauthorized access to private information (data, vote, etc.).

H3.2: State that allows an unauthorized person to vote.

H3.3: State that allows for undue alteration of the voter's vote.

H4: State that allows data privacy loss (privacy issues). (UL4)

H4.1: State that allows information disclosure that links a voter to a vote.

H4.2: State that does not allow a voter to deny for whom he/she voted.

Slide 25 of 76


SiVES: Functional Control Structure

• Using the key activities (registration of voters’ biometric data, system setup, call for voting, app installation, voting, tallying, and verification) to identify model elements.

• Identify responsibilities of model elements in carrying out each of the key activities necessary to conduct the mission.

• Identify control relationships.

• For each controller element:

• Identify control actions necessary to execute its responsibilities

• Develop description of the process model

• Identify the process model variables

• For each variable, identify the values and the feedback or communication link

Slide 26 of 76


SiVES: Identify Model Elements

| Method (Key activity) | Model Elements | Description |
|---|---|---|
| System setup, call for voting and application installation | TSE, STI, Virtual Stores, Voter, Smartphone | Elements that have responsibilities in the system setup, call for voting and application installation |
| Voting | STI, SiVES-S, SiVES Servers, SiVES-C, Voter | Elements that have responsibilities in the voting |
| Tallying | TSE, STI, SiVES-S | Elements that have responsibilities in the tallying |
| Verification | STI, Electoral Zone, Verification Machine, Verification Machine Software (VMS), SiVES-S, SiVES Servers, Voter | Elements that have responsibilities in the verification |

Slide 27 of 76


SiVES: Identify responsibilities of model elements for Voting

| Model Element | Responsibility for “Voting” |
|---|---|
| STI | Make SiVES-S available to the voting method |
| Voter | Follow security and privacy TSE guidelines; Authenticate; Accept the privacy agreement; Vote |
| SiVES-C | Capture biometric data for SiVES-C; Send request of authentication to SiVES-S; Present result of the authentication; Offer privacy agreement; Send the acceptance of the privacy agreement to SiVES-S; Send the vote; Present voting confirmation or error |
| SiVES-S | Provide authentication; Send result of the authentication; Register the acceptance of the privacy agreement; Register the vote sent by SiVES-C; Send the voting confirmation or error |

Slide 28 of 76


SiVES: Identify control actions for Voter and SiVES-C

Voter responsibilities: Follow security and privacy TSE guidelines; Authenticate; Accept the privacy agreement; and Vote

| Controller Element | Control Action | CA Nr |
|---|---|---|
| Voter | Follow security and privacy guidelines (repeated) | 08 |
| Voter | Provide biometric data | 13 |
| Voter | Accept the privacy agreement | 14 |
| Voter | Vote | 15 |
| Voter | Receive voting confirmation | 16 |
| Voter | Finalize session | 17 |

SiVES-C responsibilities: Capture biometric data for SiVES-C; Send request of authentication to SiVES-S; Present result of the authentication; Offer privacy agreement; Send the acceptance of the privacy agreement to SiVES-S; Send the vote; and Present voting confirmation or error

| Controller Element | Control Action | CA Nr |
|---|---|---|
| SiVES-C | Capture biometric data for authentication | 18 |
| SiVES-C | Send the user's biometric data to SiVES-S | 19 |
| SiVES-C | Display the SiVES-S response about user authentication | 20 |
| SiVES-C | Offer the privacy agreement to the voter | 21 |
| SiVES-C | Send the required acceptance of the privacy agreement to SiVES-S | 22 |
| SiVES-C | Send the voter's vote to SiVES-S | 23 |
| SiVES-C | Display and store voting confirmation or display error status | 24 |

Slide 29 of 76


SiVES: Develop description of the process model

| Model Element | CA Nr | Process Model Variable | Values | Sensor or Controlled Process | Hazards |
|---|---|---|---|---|---|
| STI | 6 | sti_validation_status_ok | Yes/No | system_validation | H1, H3, H4 |
| SiVES-S | 15, 19, 23 | sives_s_available_status_ok | Yes/No | system_operations | H1 to H4 |
| SiVES-S | 15, 23, 27, 29 | sives_s_authenticated_user | Yes/No | Authentication | H1 to H4 |
| SiVES-C | 15, 18 | sives_c_updated_in_virtual_stores | Yes/No | update_clients | H3.1, H3.2, H4.1 |
| SiVES-C | 18, 25 | sives_c_is_installed_and_updated | Yes/No | update_clients | H1, H3, H4 |
| VMS | 38 | vms_available_status_ok | Yes/No | vms_operation | H2 |
| Voter | 29 | voter_accepted_privacy_agreement | Yes/No | Agreement | H1.1, H2 to H4 |

Slide 30 of 76


Functional Control Structure

[Figure: functional control structure diagram of SiVES]

Slide 31 of 76


Evaluation of the approach

• The evaluation of the approach consisted of performing Step 1 and analyzing the results.

• Step 1: For each controller, we analyze each control action to find when it is hazardous. To help the discovery of the cases, we use Context Tables.

• A context table is defined as the combination of all process model variables and values, with the issuance (or not) of the control action.

Slide 32 of 76


SiVES: Context table for the control action “SiVES-C sends the vote to SiVES-S”

CA Nr 23: SiVES-C sends the voter's vote to SiVES-S

| sives_s_authenticated_user | sives_s_available_status_ok | Hazards (control action provided / not provided) |
|---|---|---|
| Yes | Yes | H1.1 |
| Yes | No | H1.1 |
| No | Yes | H1.1, H3.1, H4.2 |
| No | No | H1.1, H3.1, H4.2 |

Slide 33 of 76
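The context-table step described on slides 32 and 33 and the hazard tally of slides 36 and 37 are mechanical enough to script. The following is an added example for this page, not code from the presentation: it enumerates the context table for CA Nr 23 (SiVES-C sends the voter's vote to SiVES-S), derives hazardous control actions from it, groups them by hazard family, and re-derives the 46/42/4 figures of slide 37 from the counts on slide 36. The variable names and hazard labels are the slides' own; the rule for the "control action provided" column is transcribed from the associated constraint for CA 23 on slide 35, while the rule for the "not provided" column is an assumption made here (withholding an authenticated voter's vote while the server is available leaves the voter unable to vote, H1.1).

```python
"""Context tables and HCA tallies for an STPA-Sec style analysis.

Added example for this page; not code from the presentation.  Variable names
and hazard labels come from the slides; the 'not provided' rule is assumed.
"""
from itertools import product

# Process-model variables for CANr 23 (slide 30); both take the values Yes/No.
VARIABLES_CA23 = ("sives_s_authenticated_user", "sives_s_available_status_ok")


def hazards_ca23_provided(ctx):
    """Slide 35, CA 23: sending the vote when sives_s_authenticated_user is No
    leads to H1.1, H3.1 and H4.2.  Other contexts are not hazardous."""
    if ctx["sives_s_authenticated_user"] == "No":
        return {"H1.1", "H3.1", "H4.2"}
    return set()


def hazards_ca23_not_provided(ctx):
    """Assumption (not stated on the slides): withholding the vote of an
    authenticated voter while the server is available leaves that voter
    unable to vote (H1.1)."""
    if (ctx["sives_s_authenticated_user"] == "Yes"
            and ctx["sives_s_available_status_ok"] == "Yes"):
        return {"H1.1"}
    return set()


def context_table(variables, rule_provided, rule_not_provided,
                  values=("Yes", "No")):
    """Enumerate every combination of variable values (slide 32's definition
    of a context table) and record the hazards for the control action being
    provided, and for it not being provided, in that context."""
    rows = []
    for combo in product(values, repeat=len(variables)):
        ctx = dict(zip(variables, combo))
        rows.append({
            "context": ctx,
            "provided": frozenset(rule_provided(ctx)),
            "not_provided": frozenset(rule_not_provided(ctx)),
        })
    return rows


def hazardous_control_actions(rows):
    """One HCA per (context, provided / not provided) cell that maps to at
    least one hazard."""
    return [(row["context"], kind, row[kind])
            for row in rows
            for kind in ("provided", "not_provided")
            if row[kind]]


def hazard_family(label):
    """H3.1 -> H3; a top-level label such as H2 is returned unchanged."""
    return label.split(".")[0]


def tally_by_family(hcas):
    """Count HCAs by the sorted tuple of top-level hazards they involve,
    the grouping used in the results table on slide 36."""
    counts = {}
    for _ctx, _kind, hazards in hcas:
        key = tuple(sorted({hazard_family(h) for h in hazards}))
        counts[key] = counts.get(key, 0) + 1
    return counts


def security_vs_privacy(counts):
    """Slide 37's reading of a tally: HCAs due to H3 (security), how many of
    those are also due to H4 (privacy), and how many are due to H3 only."""
    due_h3 = sum(n for fam, n in counts.items() if "H3" in fam)
    both = sum(n for fam, n in counts.items() if "H3" in fam and "H4" in fam)
    return due_h3, both, due_h3 - both


# The HCA tally reported on slide 36, transcribed here to check slide 37.
SLIDE36_COUNTS = {
    ("H1",): 17, ("H2",): 7, ("H3",): 1, ("H4",): 2,
    ("H1", "H2"): 4, ("H1", "H3"): 2, ("H1", "H4"): 2,
    ("H2", "H3"): 0, ("H2", "H4"): 1, ("H3", "H4"): 29,
    ("H1", "H2", "H3"): 1, ("H1", "H2", "H4"): 0,
    ("H1", "H3", "H4"): 6, ("H2", "H3", "H4"): 7,
}


if __name__ == "__main__":
    rows = context_table(VARIABLES_CA23, hazards_ca23_provided,
                         hazards_ca23_not_provided)
    for row in rows:
        ctx = ", ".join(f"{k}={v}" for k, v in row["context"].items())
        print(f"{ctx:62s} provided={sorted(row['provided'])} "
              f"not_provided={sorted(row['not_provided'])}")
    print(tally_by_family(hazardous_control_actions(rows)))
    print(security_vs_privacy(SLIDE36_COUNTS))  # (46, 42, 4)
```

`context_table` works for any number of variables, so the four-variable table for CA Nr 15 on slide 34 is the same call with four names and its own rules (16 rows instead of 4). Keeping the "provided" and "not provided" columns as separate rule functions is what lets the tally distinguish an action issued in the wrong context from one wrongly withheld, the distinction the HCA tables on slides 35, 38 and 39 rely on.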


SiVES: Excerpt of context table for the control action “Voter votes”: first 4 entries

CA Nr 15: Voter votes

| sives_s_authenticated_user | sives_s_available_status_ok | sives_c_is_installed_and_updated | voter_accepted_privacy_agreement | Hazards (control action provided / not provided) |
|---|---|---|---|---|
| Yes | Yes | Yes | Yes | H3.1, H4.2 |
| Yes | Yes | Yes | No | H3.2, H3.3, H4 |
| Yes | Yes | No | Yes | H3.2, H3.3, H4 |
| Yes | Yes | No | No | H3.2, H3.3, H4 |

Slide 34 of 76


| CA | Hazardous Control Action (CA with a context: variables with value) | Associated Constraint | Hazards |
|---|---|---|---|
| 06 | STI provided send SiVES-C installation package file to Virtual Stores when sti_validation_status_ok is no (provided) | STI must not send installation package to virtual stores when the app is not validated by TSE. | H1, H3, H4 |
| 15 | Voter provided vote when sives_s_available_status_ok is no or sives_s_authenticated_user is no or sives_c_is_installed_and_updated is no or voter_accepted_privacy_agreement is no (provided) | Voter must not be allowed to vote if the server is not available or the voter is not authenticated or the updated app is not installed or the voter has not accepted the privacy agreement. | H3.2, H3.3, H4 |
| 18 | SiVES-C provided capture biometric data for authentication when sives_c_updated_in_virtual_stores is yes and sives_c_is_installed_and_updated is no (provided) | App must not capture biometric data for authentication if the app is updated in the virtual store, but the updated app is not installed. | H3.1, H3.2, H4.1 |
| 19 | SiVES-C provided send the user’s biometric data to SiVES-S when sives_s_available_status_ok is no (provided) | App must not send biometric data to server if server is not available to receive. | H1 |
| 23 | SiVES-C provided send the voter’s vote to SiVES-S when sives_s_authenticated_user is no (provided) | App must not send vote to server if the user is not authenticated. | H1.1, H3.1, H4.2 |
| 25 | SiVES-S provided receive biometric user data when sives_c_is_installed_and_updated is no (provided) | Server must not receive biometric user data if the app is not updated. | H1 |
| 27 | SiVES-S provided response, informing whether the user is authenticated as a voter, when sives_s_authenticated_user is no (provided) | SiVES-S must not provide response, informing whether the user is authenticated as a voter, when sives_s_authenticated_user is no. | H1 |
| 29 | SiVES-S provided receive and store the vote from SiVES-C when sives_s_authenticated_user is no and voter_accepted_privacy_agreement is yes (provided) | Server must not receive and store the vote from app if the user is not authenticated, even if the user accepted the privacy agreement. | H3.1, H3.3 |
| 38 | Electoral Office provided provide verification service when vms_available_status_ok is no (provided) | Electoral Office must not provide verification service if the verification machine server is not available. | H2 |
| 39 | Voter provided verify the vote when sives_s_available_status_ok is no or sives_s_authenticated_user is no or voter_accepted_privacy_agreement is no (provided) | Voter must not be allowed to verify the vote if the server is not available or the voter is not authenticated or the voter has not accepted the privacy agreement. | H2, H3.1, H4 |

Slide 35 of 76


Results

| Information | Quantity |
|---|---|
| Unacceptable Losses | 5 |
| Hazards | 13 |
| Constraints | 11 |
| Control Actions | 41 |
| Hazardous Control Actions | 81 |

| Hazardous Control Action due to | Quantity |
|---|---|
| H1 (Reli, Avail, Mission) | 17 |
| H2 | 7 |
| H3 (Security) | 1 |
| H4 (Privacy) | 2 |
| H1 and H2 | 4 |
| H1 and H3 | 2 |
| H1 and H4 | 2 |
| H2 and H3 | 0 |
| H2 and H4 | 1 |
| H3 and H4 | 29 |
| H1, H2 and H3 | 1 |
| H1, H2 and H4 | 0 |
| H1, H3 and H4 | 6 |
| H2, H3 and H4 | 7 |
| Total | 81 |

Slide 36 of 76


Analysis

• Control actions that are hazardous due to H3 (security hazards) account for 46, and 42 of them are also hazardous due to H4 (data privacy hazards).

• There are 4 HCAs due to H3 that are not due to H4.

• This result shows that when a control action is hazardous to security, it is generally hazardous to privacy.

• The result also shows that these 4 HCAs require specific focus on security issues.

Slide 37 of 76


Analysis

• For instance, the hazardous control action “SiVES-S does not overwrite previous vote in case of ‘revoting’” may lead to the state that allows for undue alteration of the voter's vote (H3.3) if the new vote is different from the previous vote.

| CA | Hazardous Control Action due to security violation and not privacy violation | Hazards due to |
|---|---|---|
| 04 | TSE does request changes of SiVES to STI | H1, H2, H3.2 |
| 27 | SiVES-S does not respond, informing if the user is authenticated as a voter, when sives_s_authenticated_user is yes | H1.1, H3.1, H3.2 |
| 29 | SiVES-S receives and stores the vote from SiVES-C when sives_s_authenticated_user is No and voter_accepted_privacy_agreement is Yes | H3.1, H3.3 |
| 30 | SiVES-S does not overwrite previous vote in case of “revoting” | H1.1, H3.3 |

Slide 38 of 76


Most of the HCAs due to privacy but not security are related to the correct processing of the data privacy agreement.

| CA | Hazardous Control Action due to privacy violation and not security violation | Hazards due to |
|---|---|---|
| 14 | Voter does not accept the privacy agreement | H4 |
| 19 | SiVES-C (or VMS) does not send the user's biometric data to SiVES-S when sives_s_available_status_ok is Yes | H1.1, H4.1 |
| 22 | SiVES-C (or VMS) does not send the required acceptance of the privacy agreement to SiVES-S | H4 |
| 28 | SiVES-S does not register the acceptance of the privacy agreement | H2, H4 |
| 29 | SiVES-S receives and stores the vote from SiVES-C when sives_s_authenticated_user is Yes and voter_accepted_privacy_agreement is No | H1.1, H4.2 |

Slide 39 of 76


Concluding Remarks

• The proposed STAMP-based approach, with STPA-Sec Step 1, allows identifying safety, security and privacy hazardous control actions and associated constraints.

• We observed that, in general, control actions that are hazardous due to security issues are also hazardous due to privacy issues, and vice versa.

• We did not identify security and privacy requirements yet. We are employing STRIDE and LINDDUN for this. We have some preliminary results.

Slide 40 of 76


Preliminary results using STPA Scenarios, Information Life Cycle, and STRIDE

| Result | Quantity |
|---|---|
| Unacceptable Losses | 5 |
| Hazards | 13 |
| Constraints | 11 |
| Control Actions | 41 |
| Hazardous Control Actions | 82 |
| Scenarios + STRIDE | 26 + 16 (61.5%) |
| Associated Security Constraints | 82 |
| Requirements + STRIDE | 26 + 23 (88.5%) |


USING STAMP FOR ANALYSIS OF SECURITY AND DATA PRIVACY

Nívio P. Souza, ITA

Cecília A. C. Cesar, ITA

Juliana M. Bezerra, ITA

Celso Massaki Hirata, ITA- [email protected]

2019 STAMP Workshop http://sunnyday.mit.edu/ March, 25-28, 2019, MIT, Cambridge