UMBC CMSC-491/691 APRIL 24, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS

Slide 1: Certifying Voting Systems
Michael I. Shamos, Ph.D., J.D.
Institute for Software Research, School of Computer Science, Carnegie Mellon University
Slide 2: Background
– Computerized voting system examiner for:
  – Pennsylvania (1980-2000)
  – Texas (1987-2000)
  – West Virginia (1982)
  – Delaware (1989)
  – Nevada (1995)
– Examined over 115 different voting systems
– Testified before 3 Congressional committees, the Election Assistance Commission and 4 state legislatures
– Expert witness in 4 electronic voting cases
Slide 3: Outline
– Certification/qualification
– A model of electronic voting
– Specific state requirements
– The examination process
– The Hursti exploit
Slide 4: Certification
– Most states require voting systems to be certified before they can be used, sold or offered for sale
– What's a "voting system"?
  – HAVA has a very inclusive definition
  – In Maryland, "a method of casting and tabulating ballots or votes." Md. Elec. Code §1-101(yy)
  – In Pennsylvania, "a system in which one or more voting devices are used to permit the registering or recording of votes and in which such votes are computed and tabulated by automatic tabulating equipment." 25 P.S. §3031.1
– What's a "voting device"?
  – "apparatus by which … votes are registered electronically … [and] may be computed and tabulated by means of automatic tabulating equipment." 25 P.S. §3031.1
Slide 5: Qualification and Certification
– A vendor "may request the Secretary of the Commonwealth to examine such system if
  – the voting system has been examined and approved by a federally recognized independent testing authority and
  – if it meets any voting system performance and test standards established by the Federal Government." 25 P.S. §3031.5(a)
– Federal recognition (under HAVA) is by the EAC, with advice from the National Institute of Standards and Technology (NIST)
Slide 6: Federal Qualification
– There are three federally recognized ITAs (independent testing authorities):
  – CIBER (Huntsville), SysTest (Denver), Wyle (Huntsville)
– They test to the 2002 Federal Voting System Standards developed by the FEC (now transferred to the EAC)
– 2005 Standards published; not yet used for testing
– A system that has passed ITA testing is "federally qualified" and is eligible for Pennsylvania testing
Slide 7: State Certification
– ITAs do not test for compliance with state law
– Every state has unusual requirements; the system must be examined by the state
– "No electronic voting system shall, upon any examination or reexamination, be approved by the Secretary of the Commonwealth, or by any examiner appointed by him, unless it be established that such system, at the time of such examination or reexamination [meets a list of mandatory requirements]" 25 P.S. §3031.7
Slide 8: PA Certification Requirements
– "Permanent physical record of every vote cast"
– Voting in "absolute secrecy"
– Be able to vote for all candidates and issues
– Straight-party voting (Pennsylvania method)
– Undeclared write-ins
– No overvoting
– No voting for anyone more than once
– Closed primaries
– Change vote any time before casting
– Capable of "absolute accuracy"
– Provides acceptable ballot security procedures
– Records correctly and computes and tabulates every valid vote
– Safely transportable
Slide 9: PA Certification Requirements (continued)
– Voter may "readily learn the method of operating it"
– Be able to vote for all candidates and issues
– Public counter visible from outside of machine
– Locks
– No interim results
– "Every person is precluded from tampering with the tabulating element during the course of its operation"
– Plus HAVA and other requirements of PA law
Slide 10: The Voting Process
(Diagram, flattened here. Parties: voter registration authority, certifying authority, vendor, election authority, poll authority, voting device, tabulation device.)
1. Present credentials (voter to registration authority)
2. Receive token A
3. Submit device and software (vendor to certifying authority)
4. Certify device and software
5. Furnish device to county
6. Furnish software
7. "Ballot programming": set up slate (election authority)
8. Load election data
9. Turn on device (poll authority, election day)
10. Present token A
11. Receive voting token B
12. Present voting token B (to the voting device)
13. Present slate
14. Make choices; capture vote
15. Provide verification; record vote
16. Store votes
17. Transmit votes (to tabulation device)
18. Tabulate votes
19. Transmit totals (to election authority)
20. Certify results; winners
Slide 11: Vulnerabilities
(The same 20-step diagram as slide 10, annotated with the threat at each stage. The annotations, in the order they appear on the slide:)
– Bogus credentials
– Forged tokens
– Corrupt authority
– Inadequate testing
– Poor designs
– Malicious code
– No control over software distribution
– Verify code?
– Setup errors
– Loading errors
– Reliability issues
– Malicious code
– Transmission errors (votes)
– Transmission errors (totals)
– Boot problems
– Human factors
– Forged tokens
– Invalidated votes
– Privacy
Slide 12: Certification Exams
– Public (by policy, not statute)
– Two examiners; one selected by the Department of State for each exam
– Examiner submits report to the Secretary
– Secretary decides whether to approve certification
– "No electronic voting system not so approved shall be used at any election" 25 P.S. §3031.5(c)
– A county may use any approved system
Slide 13: Security Testing
– Security testing requires a well-articulated threat model
– Ideally, it should be done by a red team
– It should be part of ITA testing, but isn't
– Therefore, security testing is ad hoc, based on potential vulnerabilities
– Problem: it is impossible to evaluate the risk that a given vulnerability will actually be exploited
Slide 14: The Examination Process
– Before exam
  – Read documentation, scan source code
  – Review performance of the system in other states, news articles
– Exam
  – Vendor inventory, presentation
  – Experimentation
  – Cast test ballots for legal compliance (not a stress test)
  – Tamper exercises
  – Software review
– After exam
  – Write report to Secretary
  – Result: certified, not certified, certified with conditions
Slide 15: Attacks on Certification
– Process is arbitrary and capricious
  – Requires judgment calls
– No voting machine is "safe" without paper trails
  – All systems have vulnerabilities
– No voting system is federally qualified
  – The EAC under HAVA has not yet certified any testing laboratories
– Most voting systems are not sufficiently accessible
Slide 16: The Hursti Exploit
– Discovered by Finnish security expert Harri Hursti
– Works against Diebold optical scan voting machines
– The Diebold AccuVote OS has a PCMCIA memory card holding ballot setup information, vote counters and predefined report formats
[Photos of the AccuVote OS, front and back: optical ballot slot, LCD display, printer inside]
Slide 17: Pennsylvania Law
The voting system "shall include the following mechanisms or capabilities:"
1. "a public counter … which shall show during any period of operation the total number of ballots entered for computation and tabulation." (THE "PUBLIC COUNTER")
2. "an element which generates a printed record at the beginning of its operation which verifies that the tabulating elements for each candidate position and each question and the public counter are all set to zero." (THE "ZERO REPORT")
3. "an element which generates a printed record at the finish of its operation of the total number of voters whose ballots have been tabulated [and] the total number of votes cast for each candidate whose name appears on the ballot." (THE "TOTALS REPORT")
25 P.S. §3031.7(16)
Slide 18: Background of Exploit
– Voting machines are used in multiple states
– For ease of maintenance, Diebold uses a report generation language, "AccuBasic", to satisfy the report requirements of different states
– AccuBasic is like Basic, but only has read access to the memory card
– "Compiled" AccuBasic is similar to Java bytecode
– "Compiled" AccuBasic programs are loaded on the memory card automatically by a computer at the county
– "Compiled" AccuBasic is interpreted by firmware on the scanner to produce printed reports on the onboard printer on Election Day
– In Pennsylvania, the TOTALS REPORT signed by the election judges constitutes the official return
19
SOURCE: SCOOP.NZSCOOP.NZ The Hursti Exploit HACK ZERO REPORT PRESET VOTE TOTALS Human Interface
Slide 20: The Hursti Exploit
At Diebold:
– Diebold creates AccuBasic source (.abs) files
– Diebold compiles .abs into AccuBasic "object" (.abo) files
– Diebold adds .abo files to its GEMS Election Management System
At the county:
– County buys GEMS with .abo files loaded for its state
– County sets up election with GEMS
– Election data and .abo files are loaded on the memory card
– County tests machine with memory card
At the polling place:
– County delivers machine to polling place
– Polls opened: zero report printed out
– Voters cast ballots
– Polls closed: totals report printed out
The slide marks the memory card stage, after the county loads the card and before the zero report is printed at the polls, as the point where the Hursti exploit occurs.
Slide 21: The Hursti Exploit
Memory card created at the county and inserted in the machine contains:
– Election data used to produce the tabulation: candidate names, parties, ballot positions
– Vote counters
– AccuBasic .abo files, used for reports, not for tabulation
Counters are short integers; overflow is not trapped. Large positive numbers act as negative numbers, e.g. 65,520 is equivalent to -16, since 65,520 + 16 = 65,536 = 0 in 16-bit arithmetic.
– Hursti Exploit, Part 1: Preload the card with some negative and some positive counts in a race. Make sure the net sum is zero.
– Hursti Exploit, Part 2: Replace the zero report .abo file with one that always prints zeros regardless of counter values.
– Result: Votes are added to some candidates and subtracted from others, but the total count does not exceed the number of voters.
– Result: When the memory card counters are overwritten at the close of polls, no electronic record of the exploit exists.
NOT CERTIFIED
Slide 22: Other Diebold Machines?
– Accu-Vote Central Count optical scan does not use either Accu-Basic or memory cards. CERTIFIED
– Accu-Vote TSx touchscreen uses Accu-Basic but
  – does not have candidate counters on the memory card, so no pre-loading is possible
  – has firmware that checks the number of ballots voted, so zero totals can be verified
  CERTIFIED
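The counter arithmetic of slide 21 and the firmware-side zero check credited to the TSx on slide 22, worked through as an added example. This is constructed illustrative C, not Diebold's, Hursti's or the author's code: the card layout (one 16-bit counter per candidate plus a public counter), the two-candidate race, the shift of 16 votes and the flag standing in for the replaced zero-report script are all assumptions. It also shows the caveat a practitioner would raise against the slide's "net sum is zero" condition: the candidate whose counter was preloaded negative must receive at least that many real votes, otherwise the counter never wraps back and the totals report prints an absurd value that no longer reconciles with the public counter.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the memory card described on slide 21 (assumed
 * layout, not Diebold's): per-candidate 16-bit vote counters with no
 * overflow trapping, the public counter, and a flag that stands in for
 * the replaced zero-report .abo file. Two candidates suffice. */
#define NCAND 2

struct memcard {
    uint16_t votes[NCAND];   /* per-candidate vote counters */
    uint16_t public_counter; /* ballots tabulated ("public counter") */
    bool zero_abo_replaced;  /* Part 2: zero report script prints zeros */
};

/* A card as the county creates it: counters zero, genuine report script. */
void card_init(struct memcard *c) { memset(c, 0, sizeof *c); }

/* Part 1: preload counters so the shifts sum to zero mod 2^16. `shift`
 * votes are moved from candidate 1 to candidate 0; in 16-bit arithmetic
 * -16 is stored as 65520. Part 2: mark the zero-report script replaced. */
void hursti_preload(struct memcard *c, int16_t shift) {
    c->votes[0] = (uint16_t)shift;
    c->votes[1] = (uint16_t)(-shift);
    c->zero_abo_replaced = true;
}

/* Zero report at the opening of polls. The genuine script prints the
 * counters; the replaced one prints zeros whatever the counters hold.
 * Fills `shown` with the printed values; returns true if all are zero. */
bool print_zero_report(const struct memcard *c, uint16_t shown[NCAND]) {
    bool all_zero = true;
    for (int i = 0; i < NCAND; i++) {
        shown[i] = c->zero_abo_replaced ? 0 : c->votes[i];
        if (shown[i] != 0) all_zero = false;
    }
    return all_zero;
}

/* Tabulate one ballot for `cand`. Deliberately no overflow check, as on
 * the slide: uint16_t silently wraps at 65536. */
void tabulate(struct memcard *c, int cand) {
    c->votes[cand]++;
    c->public_counter++;
}

/* The check slide 22 credits to the TSx firmware, modelled here: read the
 * raw counters directly, bypassing the report script, before opening polls. */
bool firmware_counters_are_zero(const struct memcard *c) {
    for (int i = 0; i < NCAND; i++)
        if (c->votes[i] != 0) return false;
    return c->public_counter == 0;
}

/* Run an election on a preloaded card: real_a ballots for candidate 0,
 * real_b for candidate 1. Fills totals[0..1] with the candidate counters
 * and totals[2] with the public counter; returns the 32-bit sum of the
 * candidate counters so it can be reconciled against the public counter. */
uint32_t run_election(int16_t shift, int real_a, int real_b,
                      uint16_t totals[NCAND + 1]) {
    struct memcard c;
    card_init(&c);
    hursti_preload(&c, shift);
    for (int i = 0; i < real_a; i++) tabulate(&c, 0);
    for (int i = 0; i < real_b; i++) tabulate(&c, 1);
    totals[0] = c.votes[0];
    totals[1] = c.votes[1];
    totals[2] = c.public_counter;
    return (uint32_t)totals[0] + (uint32_t)totals[1];
}

int main(void) {
    uint16_t t[NCAND + 1];
    /* 50/50 real split, 16 votes moved from B to A: report reads 66/34,
     * public counter 100, sum 100: nothing visibly wrong. */
    uint32_t sum = run_election(16, 50, 50, t);
    printf("A=%u B=%u public=%u sum=%u\n", t[0], t[1], t[2], sum);
    /* Failure mode: B receives only 10 real votes, fewer than the 16 taken
     * away, so B's counter never wraps back and the report shows 65530. */
    sum = run_election(16, 50, 10, t);
    printf("A=%u B=%u public=%u sum=%u\n", t[0], t[1], t[2], sum);
    return 0;
}
```

The two reports in `main` are the whole story: in the first, the forged zero report, the public counter and the candidate sum all agree, so nothing in the printed record betrays the preload; in the second, the reconciliation `sum == public_counter` fails, which is exactly the kind of cross-check an examiner can run on the printed totals without trusting the report script. `firmware_counters_are_zero` is the complementary pre-election control: it reads the counters the report script is not allowed to lie about.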
Slide 23: Paul DeGregorio
Commissioner, Election Assistance Commission
Slide 24: Q & A