Certifying Voting Systems
Michael I. Shamos, Ph.D., J.D.
Institute for Software Research, School of Computer Science, Carnegie Mellon University
Background
• Computerized voting system examiner for
  • Pennsylvania (1980-2000)
  • Texas (1987-2000)
  • West Virginia (1982)
  • Delaware (1989)
  • Nevada (1995)
• Examined over 115 different voting systems
• Testified before 3 Congressional committees, the Election Assistance Commission and 4 state legislatures
• Expert witness in 4 electronic voting cases
Outline
• Certification/qualification
• A model of electronic voting
• Specific state requirements
• The examination process
• The Hursti exploit
Certification
• Most states require voting systems to be certified before they can be used, sold or offered for sale
• What’s a “voting system”?
  • HAVA has a very inclusive definition
  • In Maryland, “a method of casting and tabulating ballots or votes.” Md. Elec. Code §1-101(yy)
  • In Pennsylvania, “a system in which one or more voting devices are used to permit the registering or recording of votes and in which such votes are computed and tabulated by automatic tabulating equipment.” 25 P.S. §3031.1
• What’s a “voting device”?
  • “apparatus by which … votes are registered electronically … [and] may be computed and tabulated by means of automatic tabulating equipment.” 25 P.S. §3031.1
Qualification and Certification
• A vendor “may request the Secretary of the Commonwealth to examine such system if
  • the voting system has been examined and approved by a federally recognized independent testing authority and
  • if it meets any voting system performance and test standards established by the Federal Government.” 25 P.S. §3031.5(a)
• Federal recognition (under HAVA) is by the EAC, with advice from the National Institute of Standards and Technology (NIST)
Federal Qualification
• There are three federally recognized ITAs:
  • CIBER (Huntsville), SysTest (Denver), Wyle (Huntsville)
• They test to the 2002 Federal Voting System Standards developed by the FEC (now transferred to the EAC)
• 2005 Standards published; not yet used for testing
• A system that has passed ITA testing is “federally qualified” and is eligible for Pennsylvania testing
State Certification
• ITAs do not test for compliance with state law
• Every state has unusual requirements; these must be examined by the state
• “No electronic voting system shall, upon any examination or reexamination, be approved by the Secretary of the Commonwealth, or by any examiner appointed by him, unless it be established that such system, at the time of such examination or reexamination [meets a list of mandatory requirements]” 25 P.S. §3031.7
PA Certification Requirements
• “Permanent physical record of every vote cast”
• Voting in “absolute secrecy”
• Be able to vote for all candidates and issues
• Straight-party voting – Pennsylvania method
• Undeclared write-ins
• No overvoting
• No voting for anyone more than once
• Closed primaries
• Change vote any time before casting
• Capable of “absolute accuracy”
• Provides acceptable ballot security procedures
• Records correctly and computes and tabulates every valid vote
• Safely transportable
PA Certification Requirements (continued)
• Voter may “readily learn the method of operating it”
• Be able to vote for all candidates and issues
• Public counter visible from outside of machine
• Locks
• No interim results
• “Every person is precluded from tampering with the tabulating element during the course of its operation”
• Plus HAVA and other requirements of PA law
The Voting Process (flow diagram)
Actors: REGISTRATION AUTHORITY, CERTIFYING AUTHORITY, VENDOR, ELECTION AUTHORITY, POLL AUTHORITY, VOTER; devices: VOTING DEVICE, TABULATION DEVICE
1. PRESENT CREDENTIALS
2. RECEIVE TOKEN A
3. SUBMIT DEVICE AND SOFTWARE
4. CERTIFY DEVICE AND SOFTWARE
5. FURNISH DEVICE TO COUNTY
6. FURNISH SOFTWARE
7. “BALLOT PROGRAMMING”
8. LOAD ELECTION DATA
9. TURN ON DEVICE (ELECTION DAY)
10. PRESENT TOKEN A
11. RECEIVE VOTING TOKEN B
12. PRESENT VOTING TOKEN B
13. PRESENT SLATE (SETUP SLATE, PRESENT SLATE)
14. MAKE CHOICES (CAPTURE VOTE)
15. PROVIDE VERIFICATION
16. STORE VOTES (RECORD VOTE)
17. TRANSMIT VOTES
18. TABULATE VOTES
19. TRANSMIT TOTALS
20. CERTIFY RESULTS (WINNERS)
Vulnerabilities (the same 20-step process diagram, annotated with a threat at each stage)
Threat labels on the diagram: CORRUPT AUTHORITY, POOR DESIGNS, MALICIOUS CODE, INADEQUATE TESTING, NO CONTROL OVER SOFTWARE DISTRIBUTION, BOGUS CREDENTIALS, VERIFY CODE?, FORGED TOKENS, LOADING ERRORS, SETUP ERRORS, BOOT PROBLEMS, RELIABILITY ISSUES, HUMAN FACTORS, PRIVACY, INVALIDATED VOTES, TRANSMISSION ERRORS (votes and totals)
Certification Exams
• Public (by policy, not statute)
• Two examiners; one selected by Department of State for each exam
• Examiner submits report to the Secretary
• Secretary decides whether to approve certification
• “No electronic voting system not so approved shall be used at any election” 25 P.S. §3031.5(c)
• A county may use any approved system
Security Testing
• Security testing requires a well-articulated threat model
• Ideally, it should be done by a red team
• It should be part of ITA testing, but isn’t
• Therefore, security testing is ad hoc, based on potential vulnerabilities
• Problem: it is impossible to evaluate the risk of exploit of a vulnerability
The Examination Process
• Before exam
  • Read documentation, scan source code
  • Review performance of system in other states, news articles
• Exam
  • Vendor inventory, presentation
  • Experimentation
  • Cast test ballots for legal compliance (not a stress test)
  • Tamper exercises
  • Software review
• After exam
  • Write report to Secretary
  • Result: certified, not certified, certified with conditions
Attacks on Certification
• Process is arbitrary and capricious
  • Requires judgment calls
• No voting machine is “safe” without paper trails
  • All systems have vulnerabilities
• No voting system is federally qualified
  • The EAC under HAVA has not yet certified any testing laboratories
• Most voting systems are not sufficiently accessible
The Hursti Exploit
• Discovered by Finnish security expert Harri Hursti
• Works against Diebold optical scan voting machines
• Diebold AccuVote OS has a PCMCIA memory card with ballot setup information, vote counters and predefined report formats
(Photos of the machine, front and back, labelled: OPTICAL BALLOT, LCD DISPLAY, PRINTER INSIDE)
Pennsylvania Law
• The voting system “shall include the following mechanisms or capabilities:”
  • “a public counter … which shall show during any period of operation the total number of ballots entered for computation and tabulation.” (THE “PUBLIC COUNTER”)
  • “an element which generates a printed record at the beginning of its operation which verifies that the tabulating elements for each candidate position and each question and the public counter are all set to zero.” (THE “ZERO REPORT”)
  • “an element which generates a printed record at the finish of its operation of the total number of voters whose ballots have been tabulated [and] the total number of votes cast for each candidate whose name appears on the ballot.” (THE “TOTALS REPORT”) 25 P.S. §3031.7(16)
Background of Exploit
• Voting machines are used in multiple states
• For ease of maintenance, Diebold uses a report generation language, “AccuBasic”, to satisfy the report requirements of different states
• AccuBasic is like Basic, but only has read access to the memory card
• “Compiled” AccuBasic is similar to Java bytecode
• “Compiled” AccuBasic programs are loaded on the memory card automatically by a computer at the county
• “Compiled” AccuBasic is interpreted by firmware on the scanner to produce printed reports on the onboard printer on Election Day
• In Pennsylvania, the TOTALS REPORT signed by the election judges constitutes the official return
The Hursti Exploit – Human Interface (diagram; source: scoop.nz). Labels: HACK ZERO REPORT, PRESET VOTE TOTALS
The Hursti Exploit (timeline)
AT DIEBOLD
• Diebold creates AccuBasic source (.abs) files
• Diebold compiles .abs into AccuBasic “object” (.abo) files
• Diebold adds .abo files to its GEMS Election Management System
AT COUNTY
• County buys GEMS with .abo files loaded for its state
• County sets up election with GEMS
• Election data, .abo files loaded on memory card
• County tests machine with memory card
• HURSTI EXPLOIT OCCURS HERE (diagram marker: the card is altered after it is loaded at the county and before polls open)
AT POLLING PLACE
• County delivers machine to polling place
• POLLS OPENED: zero report printed out
• Voters cast ballots
• POLLS CLOSED: totals report printed out
The Hursti Exploit
Memory card contents (diagram): ELECTION DATA TO PRODUCE TABULATION (candidate names, parties, ballot positions); VOTE COUNTERS; ACCUBASIC .ABO FILES (for reports, not tabulation)
• Counters are short integers; overflow is not trapped
• Large positive numbers act as negative numbers, e.g. 65,520 is equivalent to -16 since 65,520 + 16 = 65,536 = 0
• Memory card created at county, inserted in machine:
  • Hursti Exploit, Part 1: Preload the card with some negative and some positive counts in a race. Make sure the net sum is zero.
  • Hursti Exploit, Part 2: Replace the zero report .abo file with one that always prints zeros regardless of counter values.
• Result: Votes added to some candidates, subtracted from others, but the total count does not exceed the number of voters.
• Result: When memory card counters are overwritten at the close of polls, no electronic record of the exploit exists.
NOT CERTIFIED
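The following is an added example, not code from the slides or from Diebold: it models the 16-bit counter wraparound the slide describes and shows the checks an examiner can make against the raw card contents instead of trusting the printed zero report. The card layout, the .abo stand-ins and the hash comparison are constructed assumptions for illustration.

```python
# Added example, not from the slides: a model of the 16-bit race counters the
# exploit relies on, and raw-card checks that do not depend on the report
# program being honest. All names and data here are constructed.
import hashlib
from dataclasses import dataclass

MOD = 1 << 16  # counters are 16-bit shorts: 65,520 + 16 wraps to 0

# Constructed stand-ins for the compiled report program stored on the card.
CERTIFIED_ABO = b"PRINT counter[c] FOR EACH candidate c"   # reads real counters
TAMPERED_ABO = b"PRINT 0 FOR EACH candidate c"            # prints zeros regardless
CERTIFIED_SHA256 = hashlib.sha256(CERTIFIED_ABO).hexdigest()  # reference from certification

@dataclass
class MemoryCard:
    counters: dict                # candidate -> 16-bit race counter
    public_counter: int = 0       # ballots entered for tabulation
    zero_report_abo: bytes = CERTIFIED_ABO

def as_signed(v):
    """The signed value a 16-bit counter behaves like (65,520 -> -16)."""
    return v - MOD if v >= MOD // 2 else v

def cast_ballot(card, candidate):
    """Scanner behaviour: increment without trapping overflow."""
    card.counters[candidate] = (card.counters[candidate] + 1) % MOD
    card.public_counter = (card.public_counter + 1) % MOD

def zero_report(card):
    """What the report program on the card prints before polls open."""
    if card.zero_report_abo == TAMPERED_ABO:
        return {c: 0 for c in card.counters}
    return dict(card.counters)

def audit_card(card):
    """Pre-poll checks against raw card contents; returns a list of findings."""
    findings = []
    if hashlib.sha256(card.zero_report_abo).hexdigest() != CERTIFIED_SHA256:
        findings.append("report program does not match certified .abo hash")
    if card.public_counter != 0:
        findings.append(f"public counter preset to {card.public_counter}")
    for c, v in card.counters.items():
        if v != 0:
            findings.append(f"{c} counter preset to {v} (acts as {as_signed(v)})")
    if any(card.counters.values()) and sum(card.counters.values()) % MOD == 0:
        findings.append("presets sum to zero mod 2^16: totals would still match ballots")
    return findings
```

Running the audit on a preloaded card flags every preset counter and the swapped report program, while `zero_report` on the same card prints nothing but zeros.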
Other Diebold Machines?
• Accu-Vote Central Count optical scan does not use either Accu-Basic or memory cards. CERTIFIED
• Accu-Vote TSx touchscreen uses Accu-Basic but
  • does not have candidate counters on memory card, so no pre-loading possible
  • has firmware that checks number of ballots voted, so zero totals can be verified. CERTIFIED
Q & A