Electronic Voting & Security Avi Rubin Information Security Institute Johns Hopkins University.


Two reports
- Analysis of an Electronic Voting System
  - July 23, 2003
  - with Kohno, Stubblefield, Wallach
  - to appear in IEEE Symposium on Security & Privacy
  - avirubin.com/vote
- A Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE)
  - January 21, 2004
  - with Jefferson, Simons, Wagner
  - ServeSecurityReport.org

Last Election
- Washington Post 11/6
- Software glitch in November’s election in Virginia
- Advanced Voting Solutions touchscreen machines
- “Voters in three precincts reported that when they attempted to vote for [Thompson], the machines initially displayed an ‘x’ next to her name but then, after a few seconds, the ‘x’ disappeared. In response to Thompson's complaints, county officials tested one of the machines in question yesterday and discovered that it seemed to subtract a vote for Thompson in about ‘one out of a hundred tries,’ said Margaret K. Luca, secretary of the county Board of Elections.”

Last Election (Cont.)
- Indianapolis Star 11/9
- Software glitch in November’s election
  - 19,000 registered voters
  - 144,000 votes tallied
  - actual number of votes cast was 5,352
- MicroVote touchscreen machines
- http://

Case Study: Diebold voting machines

Background
- Voting machine companies: proprietary systems
- Diebold system leaked
  - on open ftp server
  - identified by activist Bev Harris
- Call from David Dill of Stanford
- Recruited:
  - two very eager students
  - one eager colleague at Rice

Code analysis
- 56-bit DES in CBC mode with static IVs used to encrypt votes and audit logs (not compression, as Diebold claims in their “technical” analysis)

    #define DESKEY ((des_key*)"F2654hD4")

- Unkeyed public function (CRC) used for integrity protection
- No authentication of smartcard to voting terminal
- Insufficient code review
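The static-IV and CRC findings above, demonstrated in Python. This is an added example, not Diebold's code and not code from the talk: Python's standard library has no DES, so an 8-byte keyed Feistel network stands in for the block cipher (the CBC observation does not depend on which cipher fills the block); the key is the one quoted on the slide, the vote records are constructed, and the CRC is zlib's CRC-32.

```python
"""Two findings demonstrated: an unkeyed CRC is not integrity protection,
and CBC with a fixed IV reveals which records share a prefix.
Added example, not Diebold's code. The block cipher is a keyed Feistel
stand-in for DES (assumption: the standard library has no DES)."""
import hashlib
import hmac
import os
import zlib

BLOCK = 8                  # DES block size, reused by the stand-in cipher
DESKEY = b"F2654hD4"       # the hard-coded key quoted on the slide
STATIC_IV = bytes(BLOCK)   # one IV for every record, as the slide describes


def _round(half: bytes, key: bytes, rnd: int) -> bytes:
    # Keyed round function: SHA-256 truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def block_encrypt(block: bytes, key: bytes) -> bytes:
    # 8-round balanced Feistel network on one 8-byte block (stand-in for DES).
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(8):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(right, key, rnd)))
    return left + right


def cbc_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    # PKCS#7 padding followed by CBC chaining: each block is XORed with the
    # previous ciphertext block (the IV for the first) before encryption.
    n = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([n]) * n
    prev, out = iv, bytearray()
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)), key)
        out += prev
    return bytes(out)


def shared_prefix_blocks(c1: bytes, c2: bytes) -> int:
    """Leading ciphertext blocks that are identical between two records."""
    n = 0
    while (n + 1) * BLOCK <= min(len(c1), len(c2)) and \
            c1[n * BLOCK:(n + 1) * BLOCK] == c2[n * BLOCK:(n + 1) * BLOCK]:
        n += 1
    return n


# Constructed vote records: same precinct, different choice.
VOTE_A = b"PRECINCT-07|CANDIDATE-A"
VOTE_B = b"PRECINCT-07|CANDIDATE-B"


def static_iv_leak() -> int:
    # Same key, same IV: the 16-byte common prefix encrypts identically.
    return shared_prefix_blocks(cbc_encrypt(VOTE_A, DESKEY, STATIC_IV),
                                cbc_encrypt(VOTE_B, DESKEY, STATIC_IV))


def random_iv_leak() -> int:
    # Fresh IV per record: nothing about the shared prefix is visible.
    return shared_prefix_blocks(cbc_encrypt(VOTE_A, DESKEY, os.urandom(BLOCK)),
                                cbc_encrypt(VOTE_B, DESKEY, os.urandom(BLOCK)))


def crc_valid(record: bytes, tag: int) -> bool:
    return zlib.crc32(record) == tag


def hmac_tag(record: bytes, key: bytes) -> bytes:
    return hmac.new(key, record, hashlib.sha256).digest()


def hmac_valid(record: bytes, tag: bytes, key: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(record, key), tag)


def altered_record_accepted() -> tuple:
    """Alter a record and ask each check whether it still accepts it.
    The CRC is recomputed from the altered bytes, which needs no secret,
    so it verifies; the HMAC was made with a key the alteration lacks."""
    altered = VOTE_A.replace(b"CANDIDATE-A", b"CANDIDATE-B")
    mac_key = os.urandom(32)
    original_mac = hmac_tag(VOTE_A, mac_key)
    return (crc_valid(altered, zlib.crc32(altered)),     # True
            hmac_valid(altered, original_mac, mac_key))  # False
```

With the fixed IV the two records share their first two ciphertext blocks, so anyone holding the file learns they share a 16-byte prefix; a fresh IV per record removes that. The CRC check passes on the altered record because recomputing a CRC needs no secret, which is exactly why it is not integrity protection; the keyed HMAC rejects it.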

BallotResults.cpp, Diebold Election Systems:

    // LCG - Linear Conguential Generator
    // used to generate ballot serial numbers
    // A psuedo-random-sequence generator
    // (per Applied Cryptography,
    // by Bruce Schneier, Wiley, 1996)

“Unfortunately, linear congruential generators cannot be used for cryptography”
- Page 369, Applied Cryptography by Bruce Schneier

Comments found in the source:
- “this is a bit of a hack for now.”
- “the BOOL beeped flag is a hack so we don't beep twice. This is really a result of the key handling being gorped.”
- “the way we deal with audio here is a gross hack.”
- “need to work on exception *caused by audio*. I think they will currently result in double-fault.”

Files: AudioPlayer.cpp, WriteIn.cpp, BallotSelDlg.cpp, BallotDlg.cpp

Code fragment with zero comments (the "for" loop header and the line after it were lost in the transcript where the "<" was stripped; they are restored here to the form the rest of the loop implies):

    void CBallotRelSet::Open(const CDistrict* district,
                             const CBaseunit* baseunit,
                             const CVGroup* vgroup1,
                             const CVGroup* vgroup2)
    {
        ASSERT(m_pDB != NULL);
        ASSERT(m_pDB->IsOpen());
        ASSERT(GetSize() == 0);
        ASSERT(district != NULL);
        ASSERT(baseunit != NULL);
        if (district->KeyId() == -1) {
            Open(baseunit, vgroup1);
        } else {
            const CDistrictItem* pDistrictItem = m_pDB->Find(*district);
            if (pDistrictItem != NULL) {
                const CBaseunitKeyTable& baseunitTable = pDistrictItem->m_BaseunitKeyTable;
                int count = baseunitTable.GetSize();
                for (int i = 0; i < count; i++) {
                    const CBaseunit& curBaseunit = baseunitTable.GetAt(i);
                    if (baseunit->KeyId() == -1 || *baseunit == curBaseunit) {
                        const CBallotRelationshipItem* pBalRelItem = NULL;
                        while ((pBalRelItem = m_pDB->FindNextBalRel(curBaseunit, pBalRelItem))) {
                            if (!vgroup1 || vgroup1->KeyId() == -1
                                || (*vgroup1 == pBalRelItem->m_VGroup1 && !vgroup2)
                                || (vgroup2 && *vgroup2 == pBalRelItem->m_VGroup2
                                    && *vgroup1 == pBalRelItem->m_VGroup1))
                                Add(pBalRelItem);
                        }
                    }
                }
                m_CurIndex = 0;
                m_Open = TRUE;
            }
        }
    }

Other problems
- Ballot definition file on removable media unprotected
- Smartcards use no cryptography
- Votes kept in sequential order
- Several glaring errors in cryptography
- Inadequate security engineering practices
- Default Security PINs of 1111 on administrator cards
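The LCG serial numbers from BallotResults.cpp and the "votes kept in sequential order" item, as one added Python example (not Diebold's code or the talk's): both let someone who knows the order in which voters signed in match ballots to voters. The LCG constants are the textbook Numerical Recipes values, assumed because the slide shows only the comment and not the generator's parameters; the sign-in order and votes are constructed.

```python
"""Predictable serial numbers and sequential vote storage both link ballots to
voters for anyone who knows the sign-in order. Added example; LCG parameters
are assumed (Numerical Recipes), not Diebold's; voter data is constructed."""
import random
import secrets

A, C, M = 1664525, 1013904223, 2 ** 32   # assumed LCG parameters


def lcg_next(state: int) -> int:
    return (A * state + C) % M


def lcg_serials(seed: int, n: int) -> list:
    """Serial numbers as an LCG issues them: each output is also the next state."""
    out, s = [], seed
    for _ in range(n):
        s = lcg_next(s)
        out.append(s)
    return out


def predict_following(observed_serial: int, n: int) -> list:
    """Whoever sees one serial (it is printed on the record) and knows the
    generator (it is in the source) gets every later serial; nothing is secret."""
    return lcg_serials(observed_serial, n)


def unpredictable_serials(n: int) -> list:
    """Fix: draw serials from the OS CSPRNG; past serials say nothing about the next."""
    return [secrets.randbelow(M) for _ in range(n)]


# Constructed sign-in order and the choices those voters made, in that order.
SIGNIN_ORDER = ["voter-01", "voter-02", "voter-03", "voter-04", "voter-05"]
VOTES_CAST = ["A", "B", "A", "C", "B"]


def store_sequential(votes: list) -> list:
    # Records written in the order cast: position i is the i-th voter's ballot.
    return list(votes)


def store_shuffled(votes: list) -> list:
    # Fix: shuffle with a CSPRNG before writing, so position carries no information.
    stored = list(votes)
    random.SystemRandom().shuffle(stored)
    return stored


def link_by_position(signin_order: list, stored: list) -> dict:
    """What the poll book plus a sequential vote file yields to an observer."""
    return dict(zip(signin_order, stored))
```

The predicted serials are exact because an LCG's state is its output; there is no key to recover. With sequential storage, zipping the poll book against the vote file deanonymises every ballot, which is why shuffled storage and unpredictable serials have to go together.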

Voter verifiable audit
- enables recounts
- voter confidence
- harder to tamper with the election
- probably involves paper
- surprise recounts
- The very piece of paper that is verified by the voter is used in the recount

Insider threat
- Easy to hide code in large software packages
- Virtually impossible to detect back doors
- Skill level needed to hide malicious code is much lower than needed to find it
- Anyone with access to development environment is capable
- Requires
  - background checks
  - strict development rules
  - physical security

Example
- Recent hidden trap door in Linux
- Allows attacker to take over a computer
- Practically undetectable change
- Discovered by rigorous software engineering process - not code inspection

            schedule();
            goto repeat;
        }
        if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
            retval = -EINVAL;
        retval = -ECHILD;
    end_wait4:
        current->state = TASK_RUNNING;

The trap door is the single "=" in "current->uid = 0": an assignment where a comparison ("==") would be expected, so a call with that flag combination sets the caller's uid to 0 instead of testing it.
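A check of the kind a "rigorous software engineering process" can include, as an added Python example that is not from the talk or the Linux project: a scanner that flags an if-condition containing a lone "=" and is run over the wait4 fragment shown above. The scanner is line-oriented and does not understand C comments, string literals or macros; the "clean" input is constructed by removing the inserted check.

```python
"""Flag an assignment inside an if-condition in C source: a lone '=' where
'==' was meant, the one-character change shown on the slide.
Added example; a simple scanner, not a C parser."""
import re

# A single '=' that is not part of ==, !=, <=, >=.
_LONE_ASSIGN = re.compile(r"(?<![=!<>])=(?!=)")
_IF_OPEN = re.compile(r"\bif\s*\(")


def _read_condition(lines: list, row: int, col: int) -> tuple:
    """Collect the parenthesised text starting at lines[row][col] (an '('),
    across lines if needed. Returns (condition, index of next row to scan)."""
    depth, parts = 0, []
    for r in range(row, len(lines)):
        segment = lines[r][col:] if r == row else lines[r]
        for k, ch in enumerate(segment):
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    parts.append(segment[: k + 1])
                    return "\n".join(parts), r + 1
        parts.append(segment)
    return "\n".join(parts), len(lines)   # unbalanced parentheses: stop at EOF


def find_assignments_in_conditions(source: str) -> list:
    """Return (line_number, condition) for every if-condition that contains a
    lone '='. Line numbers are 1-based."""
    lines = source.splitlines()
    findings, row = [], 0
    while row < len(lines):
        m = _IF_OPEN.search(lines[row])
        if not m:
            row += 1
            continue
        cond, next_row = _read_condition(lines, row, m.end() - 1)
        if _LONE_ASSIGN.search(cond):
            findings.append((row + 1, cond))
        row = next_row
    return findings


# The fragment quoted on the slide, used as the scanner's input.
TRAP_DOOR = """\
        schedule();
        goto repeat;
    }
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
    retval = -ECHILD;
end_wait4:
    current->state = TASK_RUNNING;
"""

# Constructed "clean" input: the same fragment without the inserted check.
CLEAN = "\n".join(l for l in TRAP_DOOR.splitlines()
                  if "__WCLONE" not in l and "-EINVAL" not in l) + "\n"


def check_trap_door() -> list:
    return find_assignments_in_conditions(TRAP_DOOR)


def check_clean() -> list:
    return find_assignments_in_conditions(CLEAN)
```

The regex is the whole check: "==" is skipped because its first "=" is followed by another and its second is preceded by one, so only the assignment in "current->uid = 0" is reported, with its line number. Compilers offer the same warning (for example a parentheses-around-assignment warning), and treating it as an error in the build is the cheaper way to get this in practice.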

Example #2
- Rob Harris case - slot machines
- an insider: worked for Gaming Control Board
- Malicious code in testing unit
  - when testers checked slot machines
  - downloaded malicious code to slot machine
  - was never detected
- special sequence of coins activated “winning mode”
- Caught when greed sparked investigation
  - $100,000 jackpot

Example #3
- Breeder’s Cup race
- Upgrade of software to phone betting system
- Insider, Christopher Harn, rigged software
- Allowed him and accomplices to call in
  - change the bets that were placed
  - undetectable
- Caught when got greedy
  - won $3 million

Software dangers
- Software is complex
  - top metric for measuring number of flaws is lines of code
- Windows Operating System
  - tens of millions of lines of code
  - new “critical” security bug announced every week
- Unintended security flaws unavoidable
- Intentional security flaws undetectable

Other Studies
- SAIC report
  - 2/3 of the report redacted
  - Executive summary: “The system as implemented in policy, procedure, and technology, is at high risk of compromise.”
- Ohio report
  - cited “critical flaws” in top 4 vendors’ voting machines
- RABA report
  - ex-NSA red team consulting company
  - Executive Summary: “The State of Maryland election system (comprising technical, operational, and procedural components), as configured at the time of this report, contains considerable security risks that can cause moderate to severe disruption in an election.”

Diebold
- Press release headline: “Maryland Security Study Validates Diebold Election Systems Equipment for March Primary: Findings Consistent With Prior SAIC Review”
- Company President: “Touch screen voting from Diebold Election Systems has evolved to be the most secure and accurate election system in the history of our democracy.”

Recommendation #1
- Separate vote casting from tabulating
- Touch screen machine produces paper ballot
  - need not be as trusted as today’s DREs
  - voter can use or destroy
- scanning and tabulating machine
  - small code base
  - open source
  - extensive testing and certification
  - different manufacturer from touch screen
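Recommendation #1 together with the voter-verifiable audit slide, as an added Python model that is not any vendor's code or the talk's: the touch screen's output is a paper ballot the voter checks, a separate small tabulator counts that paper, and a surprise recount of randomly chosen precincts compares the paper count against an electronic tally into which a dropped-vote fault has been injected (assumed, modelled on the "one out of a hundred tries" machine on the earlier slide). Precinct data is constructed.

```python
"""Casting separated from tabulating: voter-verified paper is the record, a
small tabulator counts it, and a surprise recount of that same paper catches an
electronic tally that drops votes. Added example; precinct data is constructed
and the dropped-vote fault is injected on purpose."""
from collections import Counter
import random

# Constructed voter-verified paper ballots per precinct (one choice each).
PAPER = {
    "P1": ["A", "B", "A", "A", "B", "C"],
    "P2": ["B", "B", "A", "C", "B", "A", "B"],
    "P3": ["A", "C", "C", "A"],
}


def tabulate(ballots: list) -> Counter:
    """The separate, small tabulator: count the choices on paper ballots."""
    return Counter(ballots)


def faulty_electronic_tally(ballots: list, drop_for: str, every: int) -> Counter:
    """A DRE-style internal count that silently loses one vote for `drop_for`
    every `every` ballots for that candidate (assumed fault, not real firmware)."""
    tally, seen = Counter(), 0
    for choice in ballots:
        if choice == drop_for:
            seen += 1
            if seen % every == 0:
                continue              # injected fault: this vote is not counted
        tally[choice] += 1
    return tally


def discrepancies(electronic: Counter, paper: Counter) -> dict:
    """Per-candidate difference electronic - paper; an empty dict means agreement."""
    return {c: electronic[c] - paper[c]
            for c in set(electronic) | set(paper)
            if electronic[c] != paper[c]}


def surprise_recount(electronic_by_precinct: dict, paper_by_precinct: dict,
                     sample_size: int, rng=None) -> dict:
    """After the election, pick precincts at random (unannounced) and hand-count
    their voter-verified paper against the reported electronic results."""
    rng = rng or random.SystemRandom()
    chosen = rng.sample(sorted(paper_by_precinct), sample_size)
    return {p: discrepancies(electronic_by_precinct[p], tabulate(paper_by_precinct[p]))
            for p in chosen}


def run_election(drop_for: str = "B", every: int = 2) -> dict:
    """Electronic results for every precinct, with the fault injected."""
    return {p: faulty_electronic_tally(b, drop_for, every) for p, b in PAPER.items()}
```

Because the recount uses the very paper the voter verified, the electronic tally is not trusted for anything the audit can check: in P1 and P2 the machine reports one and two fewer votes for B than the paper shows, while P3, where B received no votes, agrees. Choosing the recount precincts at random and after the fact is what makes a selective fault hard to hide.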

Recommendation #2
- Transparency
- Require designs of machines to be public
- Require security audit of machines by qualified experts
  - Require public report of this audit
- Require open source for vote tabulation code
  - necessary but not sufficient

Recommendation #3
- Quality control
- Establish criteria for testing the expertise of manufacturers
  - NIST could play this role
- Require source code analysis for certification
- Establish standards for policies and procedures
- Aim for simplicity:
  - The more complicated and burdensome, the less likely to be followed

SERVE
- Built by Accenture for FVAP
- Participating states
  - Arkansas, Florida, Hawaii, North Carolina, South Carolina, Utah, and Washington
  - 50 counties
- Military and overseas civilians
- Use any PC anywhere
  - running Windows
  - running IE or Netscape
- Formed SPRG
  - two 3-day meetings, design/review/demo

Key security concerns
- Insecure platform
  - trojan horses, viruses, worms
  - malicious hijacked system
    - in cyber café
    - at neighbor’s house
    - roaming laptop
- Denial of Service attacks
  - just look at MyDoom attacking SCO
  - 30 day window, but most people vote on last day
- Phishing/man in the middle attack
  - especially effective against privacy
  - allows automated vote selling

Conclusions & Advice
- Security of voting should be a non-partisan issue
- Only Democrats have approached me:
  - Holt, Kucinich, Moseley-Braun, Kaptur, DNC
- Too much is at stake for party politics
- Keys to future work on voting systems:
  - transparency
  - openness
  - accountability & audit
  - public review
- Computer Scientists and Politicians should work together