Presentation is loading. Please wait.

Presentation is loading. Please wait.

Electronic Voting: Danger and Opportunity J. Alex Halderman Department of Computer Science Center for Information Technology Policy Princeton University.

Similar presentations


Presentation on theme: "Electronic Voting: Danger and Opportunity J. Alex Halderman Department of Computer Science Center for Information Technology Policy Princeton University."— Presentation transcript:

1

2 Electronic Voting: Danger and Opportunity J. Alex Halderman Department of Computer Science Center for Information Technology Policy Princeton University

3

4 Joint work with … Joe CalandrinoAri FeldmanEd Felten

5

6 2000 Recount Debacle Legislative response: Help America Vote Act Provided $3.9 billion to states to upgrade voting machines by November 2006

7 DREs to the Rescue? Direct Recording Electronic – Store votes in internal memory

8 DREs are Computers Bugs Rootkits Viruses Attacks =

9

10

11 Diebold’s History of Secrecy Prevented states from allowing independent security audits – hid behind NDAs, trade secret law Source code leaked in 2003, researchers at Johns Hopkins found major flaws Diebold responded with vague legal threats, personal attacks, disinformation campaign Internal s leaked in 2003 reveal poor security practices by developers Diebold tried to suppress sites with legal threats

12 We Get a Machine (2006) Obtained legally from an anonymous private party Software is 2002 version, but certified and used in actual elections First complete, public, independent security audit of a DRE

13 Research Goals Conduct independent security audit Confirm findings of previous researchers (Hursti, Kohno et al.) Verify threats by building demonstration attacks Figure out how to do better Who wants to know? Voters, candidates, election officials, policy makers, researchers

14 16 MB Flash 128 KB EPROM SH3 CPU 32 MB RAM 2 PCMCIA Slots Boot Jumper Table

15

16 Software Problems One Example: DES-CBC K (BallotID:VoteBitmap), CRC-16(…)

17 Our Findings Malicious software running on the machine can steal votes undetectably, altering all backups and logs [Feldman, Halderman & Felten 2007]

18 Correct result: George 5, Benedict 0

19

20

21 Our Findings Malicious software running on the machine can steal votes undetectably, altering all backups and logs Anyone with physical access to the machine or memory card can install malicious code in as little as one minute [Feldman, Halderman & Felten 2007]

22

23 The Key

24

25 Our Findings Malicious software running on the machine can steal votes undetectably, altering all backups and logs Anyone with physical access to the machine or memory card can install malicious code in as little as one minute Malicious code can spread automatically and silently from machine to machine in the form of a voting machine virus [Feldman, Halderman & Felten 2007]

26 Voting Machine Virus

27 Viral Spread

28

29 Joe CalandrinoAri Feldman Bill ZellerHarlan YuAlex Halderman Debra Bowen California “Top-to-Bottom” Study

30 HartSequoiaDiebold California “Top-to-Bottom” Results

31

32

33 Voters prefer it Faster reporting Fewer undervotes Improved accessibility Potentially increased security* E-Voting Advantages

34

35 Electronic + Paper Records Touch-screen (DRE) machine, plus voter-verifiable paper trail Hand-marked paper ballot, machine-scanned immediately

36 Failure Modes Paper Ballots Physical tampering “Retail” fraud After the election Redundancy + Different failure modes = Greater security Electronic Records Cyber-tampering “Wholesale” fraud Before the election But…Redundancy only helps if we use both records!

37 How to Use Paper Records? Use a machine to count the paper records Count all the paper records by hand Check a random subset of paper records by hand …but which subset? Too risky Too expensive

38 Standard Approach Pick some precincts randomly. Hand-count paper records. Should match electronic records.

39 Statistical Auditing’s Goal Establish, with high statistical confidence, that hand-counting all of the paper records would yield the same winner as the electronic tally.

40 Audit Example Alice: 55% Bob: 45% Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper For 95% confidence, hand-audit 60 precincts Cost: about $100,000

41 An Alternative Approach Precinct-based auditing Ballot-based auditing

42 100 marbles, 10% blue6300 beads, 10% blue How large a sample do we need?

43 Audit Example Alice: 55% Bob: 45% Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper For 95% confidence, hand-audit 60 precincts Cost: about $100,000 ballots $1,000

44 Why Not Ballot-based? Voting Machine Alice Bob Alice ● Alice ○ Bob ○ Alice ● Bob ● Alice ○ Bob Need to match up electronic with paper ballots. Compromises the secret ballot!

45 Secret Ballot Prevents coercion and vote-buying Requirements: Nobody can tell how you voted. You can’t prove to anyone how you voted. You can be confident in these properties.

46 Serial Numbers Voting Machine 1 Alice 2 Bob 3 Alice 1 ● Alice ○ Bob 2 ○ Alice ● Bob 3 ● Alice ○ Bob

47 “Random” Identifiers Voting Machine Alice Bob Alice ● Alice ○ Bob ○ Alice ● Bob ● Alice ○ Bob

48 Machine-Assisted Auditing [Calandrino, Halderman & Felten 2007] = ○ Alice ● Bob 1 1 Bob 2 Alice Bob Alice: 510 Bob: 419 ○ Alice ● Bob Step 1. Check electronic records against paper records using a recount machine.

49 Machine-Assisted Auditing [Calandrino, Halderman & Felten 2007] = ○ Alice ● Bob 1 1 Bob 2 Alice Bob Alice: 510 Bob: 419 ○ Alice ● Bob

50 = 321 Bob 716 Alice Machine-Assisted Auditing [Calandrino, Halderman & Felten 2007] ○ Alice ● Bob 1 1 Bob 2 Alice Bob = ○ Alice ● Bob 321 ● Alice ○ Bob 716 ○ Alice ● Bob 1 Step 2. Audit the recount machine by selecting random ballots for human inspection.

51 We can use a machine without having to trust it! Machine-Assisted Auditing As efficient as ballot-based auditing, while protecting the secret ballot. Machine RecountManual Audit

52 Doing Even Better Key idea: Probability of auditing a ballot should depend on how that ballot is marked Full algorithm accounts for: multi-candidate races multi-seat races undervotes and overvotes write-ins

53 Doing Even Better Alice: 55% Bob: 45% Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper Goal: Reject hypothesis that ≥ 5% of ballots are marked electronically for Alice but on paper for Bob. Only need to audit ballots marked for Alice.

54 Evaluation 2006 Virginia U.S. Senate race 0.3% margin of victory We want 99% confidence Precinct- based Machine- assisted Content- sensitive # ballots1,141,9002,3391,179 # precincts1,2521,351853

55

56 Electronic Voting: Danger and Opportunity J. Alex Halderman Department of Computer Science Center for Information Technology Policy Princeton University

57 Proposed Legislation H.R. 811: Voter Confidence and Increased Accessibility Act Voter-verifiable paper record and random manual audits Access to voting software and source code, to verify security Additional money for states Rep. Rush Holt


Download ppt "Electronic Voting: Danger and Opportunity J. Alex Halderman Department of Computer Science Center for Information Technology Policy Princeton University."

Similar presentations


Ads by Google