Taking Total Control of Voting Systems: Firmware Manipulations on an Optical Scan Voting Terminal Nicolas Nicolaou Voting Technology Research (VoTeR) Center.

Presentation transcript:

Taking Total Control of Voting Systems: Firmware Manipulations on an Optical Scan Voting Terminal
Nicolas Nicolaou
Voting Technology Research (VoTeR) Center
Department of Computer Science and Engineering, University of Connecticut
24th Annual ACM Symposium on Applied Computing, SAC 2009, Honolulu, Hawaii
Joint work with: Seda Davtyan, Sotiris Kentros, Aggelos Kiayias, Laurent Michel, Alexander Russell, Narasimha Shashidhar, Andrew See and Alexander A. Shvartsman

Motivation
- Electronic Voting Technologies
  - Direct Recording Electronic (DRE)
    - Touch Screen w/ or w/out printer, not directly voter-verifiable
  - Optical Scan (OS) tabulator
    - VVPAT – Voter Verifiable Paper Audit Trail
    - Used in over 50% of counties in 2008
- Case Study, Premier AccuVote-OS (AVOS):
  - Wide use in US elections, but…
  - Can be tampered with if memory card is removed [Hursti’05]
  - Can be tampered with if memory card is sealed in [EVT’07]
  - Reports by other workers and CA, CT, FL, AL,…
- Safe-use procedures can be followed, but all under the assumption that firmware is trusted
10/8/2015 2 VoTeR Center – SAC’09

Question
Can the Firmware of Voting Machines be Trusted?
In particular: Can the Firmware of AccuVote tabulator be Trusted?
Work performed by the UConn VoTeR Center on request of the Connecticut Secretary of the State as a part of the overall effort to evaluate voting equipment, and to enable and perform effective technological audits, pre- and post-election.

Our Findings
- Firmware of AVOS can be analyzed
  - Without access to vendor specifications or source code
  - Using off-the-shelf third party tools (<$300)
  - Under the contractual right to “display or disseminate all information and data related to election results”
- Three firmware manipulations targeting:
  - Enabling Effective Auditing:
    - Faithful and fast memory dumping
  - Audit Improvement (also potential Privacy Violation):
    - “Leak” Ballot Contents
  - Revealing Weaknesses: Alteration of Election Result
    - Swapping candidate counters

Understanding the System
- Election Management System (GEMS):
  - Ballot Design and Central Tabulation
  - Serial port communication with AVOS
  - Transferred data stored on the AVOS memory card
- AVOS Terminal:
  - Hardware Components
  - Software Components
    - Firmware
    - Memory Card Contents

Hardware
- External
  - LCD
  - Dot Matrix Printer
  - Ballot Reader
  - Input Buttons
  - 128K 40 Pin Epson Memory Card
- Internal
  - 8 MHz MicroController
    - Emulates an Intel
  - 128K SRAM
  - 128K Firmware EPROM

Software
- Firmware
  - Version
  - Stored in a UV light erasable 128K EPROM
  - Responsible for all the functions of the terminal
  - Unencrypted / Unauthenticated: the terminal will boot modified firmware without a single warning
- Memory Card contents
  - Programmed through GEMS
  - Election-specific programming
  - Election Data and Control Flags depending on the Elections

Understanding Memory Card Format
- Crucial for Auditing purposes
- Memory Card can be divided into 5 major sections:
  - Header
  - Log
  - Election Data
  - Bytecode (AccuBasic)
  - Counters

Gaining Access: Serial Port
- Control over the transmission
  - One way communication from terminal via a serial line
- Identified AVOS communication Methodology
  - Place byte to be sent in a buffer
  - Unmask the serial transmission interrupt to place the byte from the buffer on the wire.

Manipulation 1: AVOS as a Card Reader
- Goal: Transmit MC data from AVOS to PC
  - Improve Auditing
  - Obtain clean and faithful image of the card contents
  - Enable auditing of large number of cards
- Motivation
  - AVOS built-in dumping procedure
    - Unfaithful transmission of the contents
    - Potential modification of the audit log
    - Too slow for mass auditing (~2 min per card)
  - Card Reader/Writer are very hard to find and are slow
    - This type of memory cards discontinued ca
    - Even if available, the commercial reader can take 1/2 hour

Manipulation 1: AVOS as a Card Reader
- Delivery of Memory Card Data:
  - Inject a function to read the memory card contents
    - Utilizing Memory Card access control
  - Transmit one byte at a time to the serial line
    - Utilizing Serial Port access control
- Speeding Up Card Dumping:
  - Implemented standard Run-Length Encoding algorithm
    - Large part of card data contains sequences of identical values
  - Reduced card dumping from 2 min to 20 sec
  - Enabled the dump and inspection of large number of cards
  - Avoid alteration of card contents, e.g., audit log
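
An added example (not code from the presentation or from the VoTeR Center) of the PC-side receiver for a run-length-encoded card dump as described on this slide: it rebuilds the image and rejects a dump that is truncated or overlong, so only a complete 128K image reaches the audit. The wire format (count byte followed by value byte), the function names and the sample card are assumptions; the slides do not give the actual encoding.

```python
import hashlib

CARD_SIZE = 128 * 1024  # the slides describe a 128K memory card


def rle_encode(data: bytes) -> bytes:
    """Encode as (count, value) pairs, count in 1..255 (assumed wire format)."""
    out = bytearray()
    i = 0
    while i < len(data):
        value = data[i]
        run = 1
        while i + run < len(data) and data[i + run] == value and run < 255:
            run += 1
        out += bytes((run, value))
        i += run
    return bytes(out)


def rle_decode(stream: bytes, expected_size: int = CARD_SIZE) -> bytes:
    """Rebuild the card image; reject anything that is not a complete dump."""
    if len(stream) % 2:
        raise ValueError("truncated stream: dangling count byte")
    image = bytearray()
    for pos in range(0, len(stream), 2):
        count, value = stream[pos], stream[pos + 1]
        if count == 0:
            raise ValueError(f"zero-length run at stream offset {pos}")
        image += bytes([value]) * count
        if len(image) > expected_size:
            raise ValueError("stream decodes past the card size")
    if len(image) != expected_size:
        raise ValueError(f"short image: {len(image)} of {expected_size} bytes")
    return bytes(image)


def sample_card() -> bytes:
    """Constructed stand-in for a card: small header, mostly constant filler."""
    header = bytes(range(64))
    counters = (7).to_bytes(2, "big") + (3).to_bytes(2, "big")
    filler = b"\xff" * (CARD_SIZE - len(header) - len(counters))
    return header + filler + counters


if __name__ == "__main__":
    wire = rle_encode(sample_card())
    image = rle_decode(wire)
    print(f"{len(image)} card bytes received as {len(wire)} wire bytes")
    print("image sha256:", hashlib.sha256(image).hexdigest())
```

Comparing the SHA-256 of two dumps of the same card is a quick way to confirm that dumping did not alter the contents.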

Manipulation 2: Leaking Ballot Data
- Dual Significance of the Result:
  - Benign alteration of firmware: Enhance Hand Count Audit
  - Potential malicious alteration: Violation of Voter Privacy
- Implementation
  - AVOS side:
    - Transmit the candidate counters after each ballot cast
  - PC side:
    - Wait for incoming counters
    - Upon receipt of counters compute the difference of current counter image and the locally stored counter image
    - Counter difference reveals the ballot votes

Manipulation 2: Leaking Ballot Data
- Used in Hand Count Audit
  - Ballot as read by AVOS presented on the screen
  - Poll worker may verify validity of the ballot
  - Reduces audit time
  - Reduces audit errors
  - Reveals ballot read errors
- Demonstrates Possible Violation of Voter Privacy
  - Using the same technique during the election
  - Extract order of the ballots cast
- Next: Hybrid OS terminal that displays votes as cast
  - Voter could verify their votes as recorded by the machine
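
An added example (not the VoTeR Center's tool) of the PC-side differencing used for the hand count audit: each pair of consecutive counter snapshots is turned into the marks the terminal recorded for one ballot, and ballots where the machine reading and the auditor's reading disagree are listed. The race layout, counter names and snapshot representation are constructed assumptions.

```python
from typing import Dict, List

# Constructed ballot layout: race -> (candidate counter names, votes allowed).
RACES = {
    "Governor": (["Gov/Adams", "Gov/Baker"], 1),
    "Council": (["Cncl/Cruz", "Cncl/Diaz", "Cncl/Evans"], 2),
}


def ballot_from_snapshots(prev: Dict[str, int], curr: Dict[str, int]) -> Dict[str, List[str]]:
    """One ballot's marks per race; ValueError if the change is not one ballot."""
    if prev.keys() != curr.keys():
        raise ValueError("snapshots cover different counters")
    marks = {}
    for race, (candidates, allowed) in RACES.items():
        chosen = []
        for name in candidates:
            delta = curr[name] - prev[name]
            if delta not in (0, 1):
                raise ValueError(f"{name}: counter changed by {delta} on one ballot")
            if delta:
                chosen.append(name)
        if len(chosen) > allowed:
            raise ValueError(f"{race}: {len(chosen)} marks counted, {allowed} allowed")
        marks[race] = chosen
    return marks


def audit(snapshots: List[Dict[str, int]], hand_read: List[Dict[str, List[str]]]) -> List[int]:
    """Return 1-based ballot numbers where machine and auditor readings differ."""
    mismatches = []
    for n, (prev, curr) in enumerate(zip(snapshots, snapshots[1:]), start=1):
        if ballot_from_snapshots(prev, curr) != hand_read[n - 1]:
            mismatches.append(n)
    return mismatches


def sample_session() -> List[Dict[str, int]]:
    """Constructed data: zeroed counters, then a snapshot after each of two ballots."""
    zero = {name: 0 for cands, _ in RACES.values() for name in cands}
    s1 = {**zero, "Gov/Adams": 1, "Cncl/Cruz": 1, "Cncl/Evans": 1}
    s2 = {**s1, "Gov/Baker": 1, "Cncl/Diaz": 1}
    return [zero, s1, s2]


if __name__ == "__main__":
    snaps = sample_session()
    for n, (a, b) in enumerate(zip(snaps, snaps[1:]), start=1):
        print(n, ballot_from_snapshots(a, b))
```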

Manipulation 3: Swapping Candidate Counters
- Time Bomb Attack during Election
  - Behave “nicely” during pre-election testing
  - “Hit” during the actual elections
- Implementing vote swapping:
  - Swap votes for predefined candidates
  - If votes < threshold do not swap
    - Also avoids pre-election testing detection
  - Otherwise swap after the elections are closed
- Swap is done at the closing of elections and before the election report is printed.

Manipulation 3: Swapping Candidate Counters
- Demonstration T=10: Pre-Election Testing
[Figure panels: Original Firmware, Modified Firmware]

Manipulation 3: Swapping Candidate Counters
- Demonstration T=10: At Poll Closing
[Figure panels: Original Firmware, Modified Firmware]

Conclusions and Discussion
- Demonstrated 3 AVOS firmware manipulations
  - Used for: Fast and Faithful Memory Card dumping
  - Potential for: Leaking Ballot Data
  - Potential for: Swapping Candidate Counters
- Our results underscore the need for
  - Pre and Post election audits
  - Incorporation of firmware cryptographic integrity check at the hardware level
- Answer to our question:
  - Firmware of an e-voting terminal is not necessarily trustworthy

Thank you! Questions?