UMBC CMSC-491/691 APRIL 24, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS
Certifying Voting Systems
Michael I. Shamos, Ph.D., J.D., Institute for Software Research, School of Computer Science, Carnegie Mellon University
Background
• Computerized voting system examiner for
– Pennsylvania (1980-2000)
– Texas (1987-2000)
– West Virginia (1982)
– Delaware (1989)
– Nevada (1995)
• Examined over 115 different voting systems
• Testified before 3 Congressional committees, Election Assistance Commission and 4 state legislatures
• Expert witness in 4 electronic voting cases
Outline
• Certification/qualification
• A model of electronic voting
• Specific state requirements
• The examination process
• The Hursti exploit
Certification
• Most states require voting systems to be certified before they can be used, sold or offered for sale
• What’s a “voting system”?
– HAVA has a very inclusive definition
– In Maryland, “a method of casting and tabulating ballots or votes.” Md. Elec. Code §1-101(yy)
– In Pennsylvania, “a system in which one or more voting devices are used to permit the registering or recording of votes and in which such votes are computed and tabulated by automatic tabulating equipment.” 25 P.S. §3031.1
• What’s a “voting device”?
– “apparatus by which … votes are registered electronically … [and] may be computed and tabulated by means of automatic tabulating equipment.” 25 P.S. §3031.1
Qualification and Certification
• A vendor “may request the Secretary of the Commonwealth to examine such system if
– the voting system has been examined and approved by a federally recognized independent testing authority and
– if it meets any voting system performance and test standards established by the Federal Government.” 25 P.S. §3031.5(a)
• Federal recognition (under HAVA) is by the EAC, with advice from the National Institute of Standards and Technology (NIST)
Federal Qualification
• There are three federally recognized ITAs:
– CIBER (Huntsville), SysTest (Denver), Wyle (Huntsville)
• They test to the 2002 Federal Voting System Standards developed by the FEC (now transferred to the EAC)
• 2005 Standards published; not yet used for testing
• A system that has passed ITA testing is “federally qualified” and is eligible for Pennsylvania testing
State Certification
• ITAs do not test for compliance with state law
• Every state has unusual requirements; must be examined by the state
• “No electronic voting system shall, upon any examination or reexamination, be approved by the Secretary of the Commonwealth, or by any examiner appointed by him, unless it be established that such system, at the time of such examination or reexamination [meets a list of mandatory requirements]” 25 P.S. §3031.7
PA Certification Requirements
• “Permanent physical record of every vote cast”
• Voting in “absolute secrecy”
• Be able to vote for all candidates and issues
• Straight-party voting – Pennsylvania method
• Undeclared write-ins
• No overvoting
• No voting for anyone more than once
• Closed primaries
• Change vote any time before casting
• Capable of “absolute accuracy”
• Provides acceptable ballot security procedures
• Records correctly and computes and tabulates every valid vote
• Safely transportable
PA Certification Requirements
• Voter may “readily learn the method of operating it”
• Be able to vote for all candidates and issues
• Public counter visible from outside of machine
• Locks
• No interim results
• “Every person is precluded from tampering with the tabulating element during the course of its operation”
+ HAVA
+ other requirements of PA law
The Voting Process
[Figure: process diagram. Actors: VOTER, REGISTRATION AUTHORITY, ELECTION AUTHORITY, CERTIFYING AUTHORITY, VENDOR, POLL AUTHORITY, VOTING DEVICE, TABULATION DEVICE. Steps: 1. Present credentials; 2. Receive token A; 3. Submit device and software; 4. Certify device and software; 5. Furnish device to county; 6. Furnish software; 7. “Ballot programming” (SETUP SLATE); 8. Load election data; ELECTION DAY: 9. Turn on device; 10. Present token A; 11. Receive voting token B; 12. Present voting token B; 13. Present slate; 14. Make choices (CAPTURE VOTE); 15. Provide verification; RECORD VOTE: 16. Store votes; 17. Transmit votes; 18. Tabulate votes; 19. Transmit totals; WINNERS: 20. Certify results.]
Vulnerabilities
[Figure: the same process diagram (steps 1-20 as above) annotated with vulnerabilities: BOGUS CREDENTIALS, FORGED TOKENS, CORRUPT AUTHORITY, INADEQUATE TESTING, POOR DESIGNS, MALICIOUS CODE, NO CONTROL OVER SOFTWARE DISTRIBUTION, VERIFY CODE?, SETUP ERRORS, LOADING ERRORS, RELIABILITY ISSUES, MALICIOUS CODE, TRANSMISSION ERRORS, TRANSMISSION ERRORS, BOOT PROBLEMS, HUMAN FACTORS, FORGED TOKENS, INVALIDATED VOTES, PRIVACY.]
Certification Exams
• Public (by policy, not statute)
• Two examiners; one selected by Department of State for each exam
• Examiner submits report to the Secretary
• Secretary decides whether to approve certification
• “No electronic voting system not so approved shall be used at any election” 25 P.S. §3031.5(c)
• A county may use any approved system
Security Testing
• Security testing requires a well-articulated threat model
• Ideally, it should be done by a red team
• It should be part of ITA testing, but isn’t
• Therefore, security testing is ad hoc, based on potential vulnerabilities
• Problem: it is impossible to evaluate the risk of exploit of a vulnerability
The Examination Process
• Before exam
– Read documentation, scan source code
– Review performance of system in other states, news articles
• Exam
– Vendor inventory, presentation
– Experimentation
– Cast test ballots for legal compliance (not a stress test)
– Tamper exercises
– Software review
• After exam
– Write report to Secretary
– Result: certified, not certified, certified with conditions
Attacks on Certification
• Process is arbitrary and capricious
– Requires judgment calls
• No voting machine is “safe” without paper trails
– All systems have vulnerabilities
• No voting system is federally qualified
– The EAC under HAVA has not yet certified any testing laboratories
• Most voting systems are not sufficiently accessible
The Hursti Exploit
• Discovered by Finnish security expert Harri Hursti
• Works against Diebold optical scan voting machines
• Diebold AccuVote OS has a PCMCIA memory card with ballot setup information, vote counters and predefined report formats
[Figure: photographs of the front and back of the machine; labels: PRINTER INSIDE, OPTICAL BALLOT, LCD DISPLAY.]
Pennsylvania Law
• The voting system “shall include the following mechanisms or capabilities:”
1. “a public counter … which shall show during any period of operation the total number of ballots entered for computation and tabulation.” (THE “PUBLIC COUNTER”)
2. “an element which generates a printed record at the beginning of its operation which verifies that the tabulating elements for each candidate position and each question and the public counter are all set to zero.” (THE “ZERO REPORT”)
3. “an element which generates a printed record at the finish of its operation of the total number of voters whose ballots have been tabulated [and] the total number of votes cast for each candidate whose name appears on the ballot.” (THE “TOTALS REPORT”)
25 P.S. §3031.7(16)
Background of Exploit
• Voting machines are used in multiple states
• For ease of maintenance, Diebold uses a report generation language “AccuBasic” to satisfy the report requirements of different states
• AccuBasic is like Basic, but only has read access to the memory card
• “Compiled” AccuBasic is similar to Java bytecode
• “Compiled” AccuBasic programs are loaded on the memory card automatically by a computer at the county
• “Compiled” AccuBasic is interpreted by firmware on the scanner to produce printed reports on the onboard printer on Election Day
• In Pennsylvania, the TOTALS REPORT signed by the election judges constitutes the official return
SOURCE: SCOOP.NZ
The Hursti Exploit
[Figure: diagram of the exploit; labels: HACK ZERO REPORT, PRESET VOTE TOTALS, Human Interface.]
The Hursti Exploit
[Figure: flow diagram of where the .abo files travel and where the exploit occurs.]
AT DIEBOLD
– Diebold creates AccuBasic source (.abs) files
– Diebold compiles .abs into AccuBasic “object” (.abo) files
– Diebold adds .abo files to its GEMS Election Management System
AT COUNTY
– County buys GEMS with .abo files loaded for its state
– County sets up election with GEMS
– Election data, .abo files loaded on memory card
– County tests machine with memory card
– County delivers machine to polling place
AT POLLING PLACE
– POLLS OPENED
– Zero report printed out
– Voters cast ballots
– Totals report printed out
– POLLS CLOSED
(Diagram label: HURSTI EXPLOIT OCCURS HERE)
The Hursti Exploit
• Memory card created at county, inserted in machine:
– VOTE COUNTERS
– ACCUBASIC .ABO FILES FOR REPORTS, NOT TABULATION
– ELECTION DATA TO PRODUCE TABULATION: candidate names, parties, ballot positions
• Counters are short integers; overflow is not trapped
• Large positive numbers act as negative numbers, e.g. 65,520 is equivalent to -16 since 65,520 + 16 = 65,536 = 0
• Hursti Exploit, Part 1: Preload the card with some negative and some positive counts in a race. Make sure the net sum is zero.
• Hursti Exploit, Part 2: Replace the zero report .abo file with one that always prints zeros regardless of counter values.
• Result: Votes added to some candidates, subtracted from others, but the total count does not exceed the number of voters.
• Result: When memory card counters are overwritten at the close of polls, no electronic record of the exploit exists.
NOT CERTIFIED
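An added example, not from the deck, that models the counter arithmetic this slide describes and the independent check that the deck later credits to the TSx firmware: candidate counters as 16-bit values that wrap silently, a zero report that may or may not reflect them, and a check that reads the raw counters and ballot count directly instead of trusting the printed report. The candidates, the preset values and the ballots are constructed.

```python
# Added example (not from the slides): 16-bit counter wraparound behind the
# Hursti exploit, and an independent zero check that reads the raw counters.

MOD = 1 << 16  # counters are unsigned shorts; overflow is not trapped

def to_signed16(value):
    """Interpret a raw 16-bit counter as the tabulator's arithmetic does."""
    value %= MOD
    return value - MOD if value >= MOD // 2 else value

class MemoryCard:
    """Constructed stand-in for the card: counters plus the report program."""

    def __init__(self, candidates, zero_report_fn, preset=None):
        # A freshly written card should hold all-zero counters; 'preset'
        # models a card whose counters were written with other values.
        self.counters = {c: (preset or {}).get(c, 0) % MOD for c in candidates}
        self.ballots = 0
        self.zero_report = zero_report_fn  # the .abo program the firmware runs

    def tabulate(self, choice):
        self.counters[choice] = (self.counters[choice] + 1) % MOD
        self.ballots = (self.ballots + 1) % MOD

def honest_zero_report(card):
    """Report generator that prints what the counters actually hold."""
    return {c: to_signed16(v) for c, v in card.counters.items()}

def hacked_zero_report(card):
    """Report generator that prints zeros regardless of counter values."""
    return {c: 0 for c in card.counters}

def independent_zero_check(card):
    """Defender's check: inspect raw counters and ballot count, not the report."""
    return all(v == 0 for v in card.counters.values()) and card.ballots == 0

def run_election(card, ballots):
    """Print the zero report, cast ballots, return (zero report, totals, count)."""
    zero = card.zero_report(card)
    for choice in ballots:
        card.tabulate(choice)
    totals = {c: to_signed16(v) for c, v in card.counters.items()}
    return zero, totals, card.ballots

def demo():
    # Constructed race: counters preset to -16 (stored as 65,520) and +16,
    # so the net is zero and the ballot count still matches the totals.
    card = MemoryCard(["A", "B"], hacked_zero_report, preset={"A": 65520, "B": 16})
    passed = independent_zero_check(card)   # False: raw counters are not zero
    zero, totals, n = run_election(card, ["A"] * 30 + ["B"] * 30)
    return passed, zero, totals, n          # (False, {A:0,B:0}, {A:14,B:46}, 60)
```

The printed zero report shows all zeros while the raw check fails; after 60 ballots the totals sum to 60, which is why the public counter alone cannot reveal the shift.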
Other Diebold Machines?
• Accu-Vote Central Count optical scan does not use either Accu-Basic or memory cards. CERTIFIED
• Accu-Vote TSx touchscreen uses Accu-Basic but
– does not have candidate counters on memory card, so no pre-loading possible
– has firmware that checks number of ballots voted, so zero totals can be verified
CERTIFIED
Paul DeGregorio, Commissioner, Election Assistance Commission