Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Case Study in Computer System Vulnerability: Electronic Voting

Published byEsmond Ball Modified over 8 years ago

Similar presentations

Presentation on theme: "A Case Study in Computer System Vulnerability: Electronic Voting"— Presentation transcript:

1 A Case Study in Computer System Vulnerability: Electronic Voting
Avi Rubin Information Security Institute Johns Hopkins University

2 Two reports Analysis of an Electronic Voting System
July 23, 2003 with Kohno, Stubblefield, Wallach to appear in IEEE Symposium on Security & Privacy avirubin.com/vote A Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE) January 21, 2004 with Jefferson, Simons, Wagner ServeSecurityReport.org

3 SERVE Built by Accenture for FVAP for $22 million Participating states
Arkansas, Florida, Hawaii, North Carolina, South Carolina, Utah, and Washington 50 counties Military and overseas civilians Use any PC anywhere running Windows running IE or Netscape Formed SPRG two 3-day meetings, design/review/demo

4 Key security concerns Insecure platform Denial of Service attacks
trojan horses, viruses, worms malicious hijacked system in cyber café at neighbor’s house roaming laptop Denial of Service attacks just look at MyDoom attacking SCO 30 day window, but most people vote on last day Phishing/man in the middle attack especially effective against privacy allows automated vote selling

5 Other concerns No voter verifiability Coercion Vote selling
Insider threat (Microsoft or Accenture) Software bugs Pretty much any problem with DREs…

6 Bye Bye SERVE Our report issued on January 21 Lots of press
NPR: All Things considered, and Morning Edition New York Times Front page of Washington Post AP, Reuters, CNN, FoxNews Channel February 5, 2004 Pentagon cancels SERVE due to “security concerns”

7 E-voting problems Washington Post 11/6
Software glitch in November’s election in Virginia Advanced Voting Solutions touchscreen machines “Voters in three precincts reported that when they attempted to vote for [Thompson], the machines initially displayed an ‘x’ next to her name but then, after a few seconds, the ‘x’ disappeared. In response to Thompson's complaints, county officials tested one of the machines in question yesterday and discovered that it seemed to subtract a vote for Thompson in about ‘one out of a hundred tries,’ said Margaret K. Luca, secretary of the county Board of Elections. ”

8 More e-voting problems
Indianapolis Star 11/9 Software glitch in November’s election 19,000 registered voters 144,000 votes tallied actual number of votes cast was 5,352 MicroVote touchscreen machines

9 Diebold voting machines
Case Study: Diebold voting machines

10 How touchscreens work

11 Background Voting machines companies: proprietary systems
Diebold system leaked on open ftp server identified by activist Bev Harris Call from David Dill of Stanford Recruited: two very eager students one eager colleague at Rice

12 Code analysis 56-bit DES in CBC mode with static IVs used to encrypt votes and audit logs (not compression, as Diebold claims in their “technical” analysis) #define DESKEY ((des_key*)"F2654hD4") Unkeyed public function (CRC) used for integrity protection No authentication of smartcard to voting terminal Insufficient code review

13 Diebold Election Systems
// LCG - Linear Conguential Generator // used to generate ballot serial numbers // A psuedo-random-sequence generator // (per Applied Cryptography, // by Bruce Schneier, Wiley, 1996) - BallotResults.cpp Diebold Election Systems

14 Diebold Election Systems
// LCG - Linear Conguential Generator // used to generate ballot serial numbers // A psuedo-random-sequence generator // (per Applied Cryptography, // by Bruce Schneier, Wiley, 1996) - BallotResults.cpp Diebold Election Systems “Unfortunately, linear congruential generators cannot be used for cryptography” - Page 369, Applied Cryptography by Bruce Schneier

15 “this is a bit of a hack for now.”
AudioPlayer.cpp “the BOOL beeped flag is a hack so we don't beep twice. This is really a result of the key handling being gorped.” WriteIn.cpp “the way we deal with audio here is a gross hack.” BallotSelDlg.cpp “need to work on exception *caused by audio*. I think they will currently result in double-fault.” BallotDlg.cpp

16 Zero Comments Code Fragment
void CBallotRelSet::Open(const CDistrict* district, const CBaseunit* baseunit, const CVGroup* vgroup1, const CVGroup* vgroup2) { ASSERT(m_pDB != NULL); ASSERT(m_pDB->IsOpen()); ASSERT(GetSize() == 0); ASSERT(district != NULL); ASSERT(baseunit != NULL); if (district->KeyId() == -1) { Open(baseunit, vgroup1); } else { const CDistrictItem* pDistrictItem = m_pDB->Find(*district); if (pDistrictItem != NULL) { const CBaseunitKeyTable& baseunitTable = pDistrictItem->m_BaseunitKeyTable; int count = baseunitTable.GetSize(); for (int i = 0; i < count; i++) { const CBaseunit& curBaseunit = baseunitTable.GetAt(i); if (baseunit->KeyId() == -1 || *baseunit == curBaseunit) { const CBallotRelationshipItem* pBalRelItem = NULL; while ((pBalRelItem = m_pDB->FindNextBalRel(curBaseunit, pBalRelItem))){ if (!vgroup1 || vgroup1->KeyId() == -1 || (*vgroup1 == pBalRelItem->m_VGroup1 && !vgroup2) || (vgroup2 && *vgroup2 == pBalRelItem->m_VGroup2 && *vgroup1 == pBalRelItem->m_VGroup1)) Add(pBalRelItem); } } } m_CurIndex = 0; m_Open = TRUE; } } } Zero Comments

17 Other problems Ballot definition file on removable media unprotected
Smartcards use no cryptography Votes kept in sequential order Several glaring errors in cryptography Inadequate security engineering practices Default Security PINs of 1111 on administrator cards

18 Voter verifiable audit
enables recounts voter confidence harder to tamper with the election probably involves paper surprise recounts The very piece of paper that is verified by the voter is used in the recount

19 Insider threat Easy to hide code in large software packages
Virtually impossible to detect back doors Skill level needed to hide malicious code is much lower than needed to find it Anyone with access to development environment is capable Requires background checks strict development rules physical security

20 Example Recent hidden trap door in Linux
Allows attacker to take over a computer Practically undetectable change Discovered by rigorous software engineering process - not code inspection schedule(); goto repeat; } if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) retval = -EINVAL; retval = -ECHILD; end_wait4: current->state = TASK_RUNNING;

21 Example #2 Rob Harris case - slot machines
an insider: worked for Gaming Control Board Malicious code in testing unit when testers checked slot machines downloaded malicious code to slot machine was never detected special sequence of coins activated “winning mode” Caught when greed sparked investigation $100,000 jackpot

22 Example #3 Breeder’s cup race
Upgrade of software to phone betting system Insider, Christopher Harn, rigged software Allowed him and accomplices to call in change the bets that were placed undetectable Caught when got greedy won $3 million

23 Software dangers Software is complex Windows Operating System
top metric for measuring number of flaws is lines of code Windows Operating System tens of millions of lines of code new “critical” security bug announced every week Unintended security flaws unavoidable Intentional security flaws undetectable

24 Other Studies SAIC report Ohio report RABA report Executive summary:
2/3 of the report redacted Executive summary: “The system as implemented in policy, procedure, and technology, is at high risk of compromise.” Ohio report cited “critical flaws” in top 4 vendors’ voting machines RABA report ex-NSA red team consulting company Executive Summary: “The State of Maryland election system (comprising technical, operational, and procedural components), as configured at the time of this report, contains considerable security risks that can cause moderate to severe disruption in an election.”

25 Diebold Press release headline: Company President:
“Maryland Security Study Validates Diebold Election Systems Equipment for March Primary:Findings Consistent With Prior SAIC Review” Company President: “Touch screen voting from Diebold Election Systems has evolved to be the most secure and accurate election system in the history of our democracy.”

26 Recommendation #1 Separate vote casting from tabulating
Touch screen machine produces paper ballot need not be as trusted as today’s DREs voter can use or destroy scanning and tabulating machine small code base open source extensive testing and certification different manufacturer from touch screen

27 Recommendation #2 Transparency
Require designs of machines to be public Require security audit of machines by qualified experts Require public report of this audit Require open source for vote tabulation code necessary but not sufficient

28 Recommendation #3 Quality control
Establish criteria for testing the expertise of manufacturers NIST could play this role Require source code analysis for certification Establish standards for policies and procedures Aim for simplicity: The more complicated and burdensome, the less likely to be followed

29 Conclusions & Advice Security of voting should be a non-partisan issue
Too much is at stake for party politics Keys to future work on voting systems: transparency openness accountability & audit public review Computer Scientists and Politicians should work together

Download ppt "A Case Study in Computer System Vulnerability: Electronic Voting"

Similar presentations

I Think I Voted. E-voting vs. Democracy Prof. David L. Dill Department of Computer Science Stanford University

I Think I Voted. E-voting vs. Democracy Prof. David L. Dill Department of Computer Science Stanford University
Secret Ballot Receipts: True Voter Verifiable Elections Author: David Chaum Published: IEEE Security & Privacy Presenter: Adam Anthony.

Secret Ballot Receipts: True Voter Verifiable Elections Author: David Chaum Published: IEEE Security & Privacy Presenter: Adam Anthony.
Electronic Voting Systems

Electronic Voting Systems
ELECTRONIC VOTING (HK) FEBRUARY 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Voting: The Technology of Democracy Michael I. Shamos, Ph.D., J.D.

ELECTRONIC VOTING (HK) FEBRUARY 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Voting: The Technology of Democracy Michael I. Shamos, Ph.D., J.D.
The Battle for Accountable Voting Systems Prof. David L. Dill Department of Computer Science Stanford University

The Battle for Accountable Voting Systems Prof. David L. Dill Department of Computer Science Stanford University
Will Your Vote Count? Will your vote count? Voting machine choices N.C. Coalition for Verified Voting www.ncvoter.net Joyce McCloy Pros and Cons of voting.

Will Your Vote Count? Will your vote count? Voting machine choices N.C. Coalition for Verified Voting Joyce McCloy Pros and Cons of voting.
ICT IN THE ELECTORAL PROCESS: LESSONS LEARNED Susanne Caarls International Electoral Affairs Symposium 30-31 May 2012.

ICT IN THE ELECTORAL PROCESS: LESSONS LEARNED Susanne Caarls International Electoral Affairs Symposium May 2012.
Internet Voting Technology and policy issues. Selective History of Voting (US) early 1800’s: public oral voting at County Hall 1800’s: free-form, non-secret.

Internet Voting Technology and policy issues. Selective History of Voting (US) early 1800’s: public oral voting at County Hall 1800’s: free-form, non-secret.
Electronic Voting: Danger and Opportunity J. Alex Halderman Department of Computer Science Center for Information Technology Policy Princeton University.

Electronic Voting: Danger and Opportunity J. Alex Halderman Department of Computer Science Center for Information Technology Policy Princeton University.
Analysis of an Electronic Voting System

Analysis of an Electronic Voting System
TGDC Meeting, Jan 2011 Evaluating risk within the context of the voting process Ann McGeehan Director of Elections Office of the Texas Secretary of State.

TGDC Meeting, Jan 2011 Evaluating risk within the context of the voting process Ann McGeehan Director of Elections Office of the Texas Secretary of State.
By Varun Jain. Introduction  Florida 2000 election fiasco, drew conclusion that paper ballots couldn’t be counted  Computerized voting system, DRE (Direct.

By Varun Jain. Introduction  Florida 2000 election fiasco, drew conclusion that paper ballots couldn’t be counted  Computerized voting system, DRE (Direct.
Charlie Daniels Arkansas Secretary of State HAVA Compliant Voting Systems Security Considerations General Recommendations to Enhance Security and Integrity.

Charlie Daniels Arkansas Secretary of State HAVA Compliant Voting Systems Security Considerations General Recommendations to Enhance Security and Integrity.
1 J. Alex Halderman Security Failures in Electronic Voting Machines Ariel Feldman Alex Halderman Edward Felten Center for Information Technology Policy.

1 J. Alex Halderman Security Failures in Electronic Voting Machines Ariel Feldman Alex Halderman Edward Felten Center for Information Technology Policy.
Election Observer Training 2008 Elections Certification & Training Program 360.902.4180.

Election Observer Training 2008 Elections Certification & Training Program
Computer Security Dan Boneh and David Mazieres CS 155 Spring 2007

Computer Security Dan Boneh and David Mazieres CS 155 Spring 2007
Observation of e-enabled elections Jonathan Stonestreet Council of Europe Workshop Oslo, 18-19 March 2010.

Observation of e-enabled elections Jonathan Stonestreet Council of Europe Workshop Oslo, March 2010.
Software Security Threats Threats have been an issue since computers began to be used widely by the general public.

Software Security Threats Threats have been an issue since computers began to be used widely by the general public.
Computer Security Dan Boneh and John Mitchell CS 155 Spring 2006.

Computer Security Dan Boneh and John Mitchell CS 155 Spring 2006.
Voting Machine Technology Tom Trumpbour Computer Software Consultant United States.

Voting Machine Technology Tom Trumpbour Computer Software Consultant United States.

Similar presentations

Ads by Google