
Data and Applications Security
Secure Electronic Voting Machines
Lecture #30
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
April 23, 2008

References and Disclaimer
- Analysis of an Electronic Voting System. Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin, Dan S. Wallach. IEEE Symposium on Security and Privacy 2004.
- Security Analysis of the Diebold AccuVote-TS Voting Machine. Ariel J. Feldman, J. Alex Halderman, and Edward W. Felten. http://itpolicy.princeton.edu/voting
- The views expressed in this presentation are obtained entirely from the above two papers. Prof. Bhavani Thuraisingham has not carried out any analysis of the electronic voting machine discussed in this presentation.

Properties of a Good Voting System
- The anonymity of a voter’s ballot must be preserved, both to guarantee the voter’s safety and to guarantee that voters have no evidence that proves which candidates received their votes.
- The voting system must also be tamper-resistant to thwart a wide range of attacks (including ballot stuffing by voters and incorrect tallying by insiders).
- The “butterfly ballots” in the Florida 2000 presidential election show the importance of human factors. A voting system must be comprehensible to and usable by the entire voting population, regardless of age, infirmity, or disability.
- Flaws in any of these aspects of a voting system can lead to indecisive/incorrect election results.

Electronic Voting System
- As a result of the Florida 2000 presidential election, the inadequacies of widely used punch card voting systems have become well understood by the general population.
- This has led to increasingly widespread adoption of “direct recording electronic” (DRE) voting systems.
- Voters go to their home precinct and prove that they are allowed to vote there by presenting, say, an ID card.
- The voter is then typically given a PIN, a smartcard, or some other token.
- The user then enters the token at a voting terminal and then votes.
- When the voter’s selection is complete, DRE systems will typically present a summary of the voter’s selections.
- The ballot is “cast”.
- The most fundamental problem with such a voting system is that the entire election hinges on the correctness,

What is the problem?
- The problem with such a voting system is that the entire election hinges on the correctness, robustness, and security of the software within the voting terminal.
- Should that code have security-relevant flaws, they might be exploitable either by unscrupulous voters or by malicious insiders.
- If flaws are introduced into the voting system software, then the results of the election cannot be assured to accurately reflect the votes legally cast by the voters.

A solution?
- A solution for securing electronic voting machines is to introduce a “voter-verifiable audit trail”.
- A DRE system with a printer attachment, or even a traditional optical scan system, will satisfy this requirement by having a piece of paper for voters to read and verify that their intent is correctly reflected.
- This paper is stored in ballot boxes and is considered to be the primary record of a voter’s intent.
- If the printed paper has some kind of error, it is considered to be a “spoiled ballot” and can be mechanically destroyed, giving the voter the chance to vote again.
- The correctness of any voting software no longer matters; either a voting terminal prints correct ballots or it is taken out of service.
- If there is any discrepancy in the vote tally, the paper ballots will be available to be recounted.

Certified Voting Systems and issues
“CERTIFIED” DRE SYSTEMS.
- Many government entities have adopted paperless DRE systems.
- Such systems have been “certified” for use without any public release of the analyses.
- The CVS source code repository for Diebold’s AccuVote-TS DRE voting system recently appeared on the Internet.
- Rubin et al. discovered significant and wide-reaching security vulnerabilities in their analysis of the AccuVote-TS voting terminal.
- Voters can easily program their own smartcards to simulate the behavior of valid smartcards used in the election.
- With such homebrew cards a voter can cast multiple ballots without leaving any trace.
- A voter can also perform actions that normally require administrative privileges (e.g. viewing partial results and terminating the election early).

Certified Voting Systems and issues
- The protocols used when the voting terminals communicate with their home base, both to fetch election configuration information and to report final election results, do not use cryptographic techniques to authenticate either end of the connection, nor do they check the integrity of the data in transit.
- Given that these voting terminals could potentially communicate over insecure phone lines or even wireless Internet connections, even unsophisticated attackers can perform untraceable “man-in-the-middle” attacks.

Certified Voting Systems and issues
- Rubin et al. considered both the specific ways that the code uses cryptographic techniques and the general software engineering quality of its construction. They state that neither provides them with any confidence of the system’s correctness.
- Cryptography, when used at all, is used incorrectly.
- In many places where cryptography would seem obvious and necessary, none is used.
- No evidence of disciplined software engineering processes.
- Comments in the code and the revision change logs indicate the engineers were aware of some problems.
- No evidence of any change-control process that might restrict a developer’s ability to insert arbitrary patches to the code.
- Software is written entirely in C++. Rubin et al. state that when programming in a language like C++, which is not type-safe, programmers must exercise tight discipline to prevent their programs from being vulnerable to buffer overflow attacks and other weaknesses.

What happened next?
- Following the release of our results, the state of Maryland hired SAIC and RABA and the state of Ohio hired Compuware to perform independent analyses of Diebold’s AccuVote-TS systems.
- These analyses
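
Added example (not from the lecture or the cited papers): the slides note that result reports travel to the home base with no authentication and no integrity check. The sketch below shows the missing control for the report direction only, using an HMAC-SHA256 tag plus a home-base-issued nonce. The per-terminal shared key, the message layout, and all identifiers and values are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample key; a real deployment would provision one per terminal.
TERMINAL_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def seal_report(key, terminal_id, nonce, tallies):
    """Terminal side: serialize the result report and attach an HMAC tag."""
    body = json.dumps(
        {"terminal": terminal_id, "nonce": nonce, "tallies": tallies},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def accept_report(key, message, expected_nonce, seen_nonces):
    """Home-base side: return the tallies, or raise ValueError on failure."""
    expected = hmac.new(key, message["body"], hashlib.sha256).hexdigest()
    # Verify the tag before parsing anything from the untrusted body.
    if not hmac.compare_digest(expected, message["tag"]):
        raise ValueError("integrity check failed")
    report = json.loads(message["body"])
    # The nonce was issued by the home base for this upload; reject reuse.
    if report["nonce"] != expected_nonce or report["nonce"] in seen_nonces:
        raise ValueError("stale or replayed report")
    seen_nonces.add(report["nonce"])
    return report["tallies"]


def demo():
    """Run one valid upload, one altered copy, and one replay."""
    seen = set()
    msg = seal_report(TERMINAL_KEY, "T-0042", "n-7f3a", {"A": 120, "B": 95})
    ok = accept_report(TERMINAL_KEY, msg, "n-7f3a", seen)
    # Modification in transit: tallies altered, tag left unchanged.
    tampered = dict(msg, body=msg["body"].replace(b'"A":120', b'"A":20'))
    outcomes = []
    for candidate in (tampered, msg):  # altered copy, then a replay
        try:
            accept_report(TERMINAL_KEY, candidate, "n-7f3a", seen)
            outcomes.append("accepted")
        except ValueError as exc:
            outcomes.append(str(exc))
    return ok, outcomes
```

Without the tag check, the altered report would be indistinguishable from the genuine one at the home base; authenticating the home base to the terminal for configuration downloads needs a separate mechanism.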



UTD CS 6V81 - Secure Electronic Voting Machines Lecture #30
