Embed Size (px)
DESCRIPTION
Electronic Voting: Danger and Opportunity. J. Alex Halderman Department of Computer Science Center for Information Technology Policy Princeton University. Joint work with …. Joe Calandrino. Ari Feldman. Ed Felten. 2000 Recount Debacle Legislative response: Help America Vote Act - PowerPoint PPT Presentation
Citation preview
Electronic Voting:Danger and Opportunity
J. Alex Halderman
Department of Computer ScienceCenter for Information Technology Policy
Princeton University
Joint work with …
Joe Calandrino Ari Feldman Ed Felten
2000 Recount Debacle
Legislative response:Help America Vote Act
Provided $3.9 billion to statesto upgrade voting machines by November 2006
DREs to the Rescue?
Direct Recording Electronic – Store votes in internal memory
DREs are Computers
BugsRootkits
VirusesAttacks
=
Diebold’s History of Secrecy
• Prevented states from allowing independent security audits – hid behind NDAs, trade secret law
• Source code leaked in 2003, researchers at Johns Hopkins found major flawsDiebold responded with vague legal threats,personal attacks, disinformation campaign
• Internal emails leaked in 2003 reveal poor security practices by developersDiebold tried to suppress sites with legal threats
We Get a Machine(2006)
Obtained legally from an anonymous private party
Software is 2002 version, but certified and used in actual elections
First complete, public, independent security audit of a DRE
Research Goals• Conduct independent security audit• Confirm findings of previous researchers
(Hursti, Kohno et al.)
• Verify threats by building demonstration attacks• Figure out how to do better
Who wants to know? Voters, candidates, election officials, policy makers, researchers
16 MB Flash
128 KB EPROM
SH3CPU
32 MBRAM
2 PCMCIA Slots
Boot Jumper Table
Software Problems
One Example:
DES-CBCK(BallotID:VoteBitmap), CRC-16(…)
Our Findings
• Malicious software running on the machine can steal votes undetectably, altering all backups and logs
[Feldman, Halderman & Felten 2007]
Correct result: George 5, Benedict 0
Our Findings
• Malicious software running on the machine can steal votes undetectably, altering all backups and logs
• Anyone with physical access to the machine or memory card can install malicious code in as little as one minute
[Feldman, Halderman & Felten 2007]
The Key
Our Findings
• Malicious software running on the machine can steal votes undetectably, altering all backups and logs
• Anyone with physical access to the machine or memory card can install malicious code in as little as one minute
• Malicious code can spread automatically and silently from machine to machine in the form of a voting machine virus
[Feldman, Halderman & Felten 2007]
Voting Machine Virus
Viral Spread
Joe Calandrino Ari FeldmanBill Zeller Harlan YuAlex Halderman
Debra Bowen
California “Top-to-Bottom” Study
Hart Sequoia Diebold
California “Top-to-Bottom” Results
WHAT TO DO?
Voters prefer it
Faster reporting
Fewer undervotes
Improved accessibility
Potentially increased security*
E-Voting Advantages
WE CAN DO BETTER!
Electronic + Paper Records
Touch-screen (DRE) machine,plus voter-verifiable paper trail
Hand-marked paper ballot,machine-scanned immediately
Failure Modes
Paper BallotsPhysical tampering“Retail” fraudAfter the election
Redundancy + Different failure modes = Greater security
Electronic RecordsCyber-tampering“Wholesale” fraudBefore the election
But…Redundancy only helps if we use both records!
How to Use Paper Records?
Use a machine to count the paper records
Count all the paper records by hand
Check a random subset of paper records by hand…but which subset?
Too risky
Too expensive
Standard Approach
Pick some precincts randomly.Hand-count paper records.
Should match electronic records.
Statistical Auditing’s Goal
Establish, with high statistical confidence, that hand-counting all of the paper records would yield the same winner as the electronic tally.
Audit Example
Alice: 55%Bob: 45% Goal: Reject hypothesis that
≥ 5% of ballots differ between electronic and paper
For 95% confidence, hand-audit 60 precincts
Cost: about $100,000
An Alternative Approach
Precinct-based auditing
Ballot-based auditing
100 marbles, 10% blue 6300 beads, 10% blue
How large a sample do we need?
Audit Example
Alice: 55%Bob: 45% Goal: Reject hypothesis that
≥ 5% of ballots differ between electronic and paper
For 95% confidence, hand-audit 60 precincts
Cost: about $100,000
ballots
$1,000
Why Not Ballot-based?
VotingMachine
AliceBobAlice
● Alice○ Bob
○ Alice● Bob
● Alice○ Bob
Need to match up electronic with paper ballots.
Compromises the secret ballot!
Secret BallotPrevents coercion and vote-buying
Requirements: Nobody can tell how you voted. You can’t prove to anyone how you voted. You can be confident in these properties.
Serial Numbers
VotingMachine
1 Alice2 Bob3 Alice
1● Alice○ Bob
2○ Alice● Bob
3● Alice○ Bob
“Random” Identifiers
VotingMachine
325631 Alice218594 Bob810581 Alice
325631● Alice○ Bob
218594○ Alice● Bob
810581● Alice○ Bob
Machine-Assisted Auditing
[Calandrino, Halderman & Felten 2007]
=
○ Alice● Bob1
1 Bob2 Alice...929 Bob
Alice: 510Bob: 419
○ Alice● Bob
Step 1. Check electronic records against paper recordsusing a recount machine.
Machine-Assisted Auditing
[Calandrino, Halderman & Felten 2007]
=
○ Alice● Bob1
1 Bob2 Alice...929 Bob
Alice: 510Bob: 419
○ Alice● Bob
=
321 Bob716 Alice
Machine-Assisted Auditing
[Calandrino, Halderman & Felten 2007]
○ Alice● Bob1
1 Bob2 Alice...929 Bob
=
○ Alice● Bob321
● Alice○ Bob716
○ Alice● Bob1
Step 2. Audit the recount machine by selecting random ballots for human inspection.
We can use a machinewithout having to trust it!
Machine-Assisted Auditing
As efficient as ballot-based auditing,while protecting the secret ballot.
Machine Recount Manual Audit
Doing Even Better
Key idea: Probability of auditing a ballot should depend on how that ballot is marked
Full algorithm accounts for:multi-candidate racesmulti-seat racesundervotes and overvoteswrite-ins
Doing Even Better
Alice: 55%Bob: 45%
Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper
Goal: Reject hypothesis that ≥ 5% of ballots are marked electronically for Alice but on paper for Bob.
Only need to audit ballots marked for Alice.
Evaluation
2006 Virginia U.S. Senate race0.3% margin of victoryWe want 99% confidence
Precinct-
basedMachine-assisted
Content-sensitive
# ballots 1,141,900 2,339 1,179 # precincts 1,252 1,351 853
Electronic Voting:Danger and Opportunity
J. Alex Halderman
Department of Computer ScienceCenter for Information Technology Policy
Princeton University
Proposed Legislation
H.R. 811: Voter Confidence and Increased Accessibility Act
• Voter-verifiable paper record and random manual audits
• Access to voting software and source code, to verify security
• Additional money for states
Rep. Rush Holt
