Certifying Voting Systems

UMBC CMSC-491/691, April 24, 2006. Copyright © 2006 Michael I. Shamos. Michael I. Shamos, Ph.D., J.D., Institute for Software Research, School of Computer Science, Carnegie Mellon University.


Page 1: Certifying Voting Systems

Michael I. Shamos, Ph.D., J.D.
Institute for Software Research, School of Computer Science, Carnegie Mellon University

Page 2: Certifying Voting Systems


Background

• Computerized voting system examiner for
  – Pennsylvania (1980-2000)
  – Texas (1987-2000)
  – West Virginia (1982)
  – Delaware (1989)
  – Nevada (1995)
• Examined over 115 different voting systems
• Testified before 3 Congressional committees, the Election Assistance Commission and 4 state legislatures
• Expert witness in 4 electronic voting cases

Page 3: Certifying Voting Systems


Outline

• Certification/qualification
• A model of electronic voting
• Specific state requirements
• The examination process
• The Hursti exploit

Page 4: Certifying Voting Systems


Certification

• Most states require voting systems to be certified before they can be used, sold or offered for sale
• What’s a “voting system”?
  – HAVA has a very inclusive definition
  – In Maryland, “a method of casting and tabulating ballots or votes.” Md. Elec. Code §1-101(yy)
  – In Pennsylvania, “a system in which one or more voting devices are used to permit the registering or recording of votes and in which such votes are computed and tabulated by automatic tabulating equipment.” 25 P.S §3031.1
• What’s a “voting device”?
  – “apparatus by which … votes are registered electronically … [and] may be computed and tabulated by means of automatic tabulating equipment.” 25 P.S §3031.1

Page 5: Certifying Voting Systems


Qualification and Certification

• A vendor “may request the Secretary of the Commonwealth to examine such system if
  – the voting system has been examined and approved by a federally recognized independent testing authority and
  – if it meets any voting system performance and test standards established by the Federal Government.” 25 P.S. §3031.5(a)
• Federal recognition (under HAVA) is by the EAC, with advice from the National Institute of Standards and Technology (NIST)

Page 6: Certifying Voting Systems


Federal Qualification

• There are three federally recognized ITAs:
  – CIBER (Huntsville), SysTest (Denver), Wyle (Huntsville)
• They test to the 2002 Federal Voting System Standards developed by the FEC (now transferred to the EAC)
• 2005 Standards published; not yet used for testing
• A system that has passed ITA testing is “federally qualified” and is eligible for Pennsylvania testing

Page 7: Certifying Voting Systems


State Certification

• ITAs do not test for compliance with state law
• Every state has unusual requirements; must be examined by the state
• “No electronic voting system shall, upon any examination or reexamination, be approved by the Secretary of the Commonwealth, or by any examiner appointed by him, unless it be established that such system, at the time of such examination or reexamination [meets a list of mandatory requirements]” 25 P.S. §3031.7

Page 8: Certifying Voting Systems


PA Certification Requirements

• “Permanent physical record of every vote cast”
• Voting in “absolute secrecy”
• Be able to vote for all candidates and issues
• Straight-party voting – Pennsylvania method
• Undeclared write-ins
• No overvoting
• No voting for anyone more than once
• Closed primaries
• Change vote any time before casting
• Capable of “absolute accuracy”
• Provides acceptable ballot security procedures
• Records correctly and computes and tabulates every valid vote
• Safely transportable

Page 9: Certifying Voting Systems


PA Certification Requirements

• Voter may “readily learn the method of operating it”
• Be able to vote for all candidates and issues
• Public counter visible from outside of machine
• Locks
• No interim results
• “Every person is precluded from tampering with the tabulating element during the course of its operation”
• + HAVA
• + other requirements of PA law

Page 10: Certifying Voting Systems

The Voting Process

[Figure: flow diagram of a model of electronic voting. Actors: Voter, Registration Authority, Election Authority, Certifying Authority, Vendor, Voting Device, Poll Authority, Tabulation Device.]

Numbered steps in the diagram:

1. Present credentials (voter to registration authority)
2. Receive token A
3. Submit device and software (vendor to certifying authority)
4. Certify device and software
5. Furnish device to county
6. Furnish software
7. “Ballot programming” (setup slate)
8. Load election data
9. Turn on device (Election Day, poll authority)
10. Present token A
11. Receive voting token B
12. Present voting token B
13. Present slate
14. Make choices (capture vote)
15. Provide verification
16. Store votes (record vote)
17. Transmit votes (to tabulation device)
18. Tabulate votes
19. Transmit totals
20. Certify results (winners)

Page 11: Certifying Voting Systems

Vulnerabilities

[Figure: the same voting-process diagram as Page 10, annotated with vulnerabilities at the stages where they arise.]

Annotations in the diagram:

• Bogus credentials
• Forged tokens (listed twice)
• Corrupt authority, inadequate testing, poor designs (grouped together)
• Malicious code (listed twice)
• No control over software distribution
• Verify code?
• Setup errors
• Loading errors
• Reliability issues
• Transmission errors (listed twice)
• Boot problems
• Human factors
• Invalidated votes
• Privacy

Page 12: Certifying Voting Systems


Certification Exams

• Public (by policy, not statute)
• Two examiners; one selected by Department of State for each exam
• Examiner submits report to the Secretary
• Secretary decides whether to approve certification
• “No electronic voting system not so approved shall be used at any election” 25 P.S. §3031.5(c)
• A county may use any approved system

Page 13: Certifying Voting Systems


Security Testing

• Security testing requires a well-articulated threat model
• Ideally, it should be done by a red team
• It should be part of ITA testing, but isn’t
• Therefore, security testing is ad hoc, based on potential vulnerabilities
• Problem: it is impossible to evaluate the risk of exploit of a vulnerability

Page 14: Certifying Voting Systems


The Examination Process

• Before exam
  – Read documentation, scan source code
  – Review performance of system in other states, news articles
• Exam
  – Vendor inventory, presentation
  – Experimentation
  – Cast test ballots for legal compliance (not a stress test)
  – Tamper exercises
  – Software review
• After exam
  – Write report to Secretary
  – Result: certified, not certified, certified with conditions

Page 15: Certifying Voting Systems


Attacks on Certification

• Process is arbitrary and capricious
  – Requires judgment calls
• No voting machine is “safe” without paper trails
  – All systems have vulnerabilities
• No voting system is federally qualified
  – The EAC under HAVA has not yet certified any testing laboratories
• Most voting systems are not sufficiently accessible

Page 16: Certifying Voting Systems


The Hursti Exploit

• Discovered by Finnish security expert Harri Hursti
• Works against Diebold optical scan voting machines
• Diebold AccuVote OS has a PCMCIA memory card with ballot setup information, vote counters and predefined report formats

[Figure: photographs of the front and back of the AccuVote OS machine; labels: printer inside, optical ballot, LCD display]

Page 17: Certifying Voting Systems


Pennsylvania Law

• The voting system “shall include the following mechanisms or capabilities:”

1. “a public counter … which shall show during any period of operation the total number of ballots entered for computation and tabulation.” (THE “PUBLIC COUNTER”)

2. “an element which generates a printed record at the beginning of its operation which verifies that the tabulating elements for each candidate position and each question and the public counter are all set to zero.” (THE “ZERO REPORT”)

3. “an element which generates a printed record at the finish of its operation of the total number of voters whose ballots have been tabulated [and] the total number of votes cast for each candidate whose name appears on the ballot.” (THE “TOTALS REPORT”)

25 P.S. §3031.7(16)

Page 18: Certifying Voting Systems


Background of Exploit

• Voting machines are used in multiple states
• For ease of maintenance, Diebold uses a report generation language “AccuBasic” to satisfy the report requirements of different states
• AccuBasic is like Basic, but only has read access to the memory card
• “Compiled” AccuBasic is similar to Java bytecode
• “Compiled” AccuBasic programs are loaded on the memory card automatically by a computer at the county
• “Compiled” AccuBasic is interpreted by firmware on the scanner to produce printed reports on the onboard printer on Election Day
• In Pennsylvania, the TOTALS REPORT signed by the election judges constitutes the official return

Page 19: Certifying Voting Systems

The Hursti Exploit

[Figure: source: scoop.nz; labels: hack zero report, preset vote totals, human interface]

Page 20: Certifying Voting Systems


The Hursti Exploit

[Figure: flow diagram of the .abo file lifecycle, in three stages.]

At Diebold:
• Diebold creates AccuBasic source (.abs) files
• Diebold compiles .abs into AccuBasic “object” (.abo) files
• Diebold adds .abo files to its GEMS Election Management System

At county:
• County buys GEMS with .abo files loaded for its state
• County sets up election with GEMS
• Election data and .abo files loaded on memory card
• County tests machine with memory card
• County delivers machine to polling place

At polling place:
• Polls opened
• Zero report printed out
• Voters cast ballots
• Polls closed
• Totals report printed out

The diagram marks the point where the Hursti exploit occurs (the memory card is modified before the zero report is printed at the polling place).

Page 21: Certifying Voting Systems


The Hursti Exploit

• Memory card created at county, inserted in machine. Contents of the card:
  – Vote counters
  – AccuBasic .abo files for reports, not tabulation
  – Election data to produce tabulation: candidate names, parties, ballot positions
• Counters are short integers; overflow is not trapped
• Large positive numbers act as negative numbers, e.g. 65,520 is equivalent to -16, since 65,520 + 16 = 65,536, which wraps to 0
• Hursti Exploit, Part 1: Preload the card with some negative and some positive counts in a race. Make sure the net sum is zero.
• Hursti Exploit, Part 2: Replace the zero report .abo file with one that always prints zeros regardless of counter values.
• Result: Votes added to some candidates, subtracted from others, but the total count does not exceed the number of voters.
• Result: When memory card counters are overwritten at the close of polls, no electronic record of the exploit exists.

NOT CERTIFIED
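The 16-bit counter wraparound and the net-zero preload described above, as an added Python example that is not from the slides and not vendor code: it models a memory card with two candidate counters (constructed names A and B) and a public ballot counter, shows that the naive ballots-versus-votes sanity check passes on a preloaded card, and shows the kind of firmware-level zero check that catches the preload no matter what the replaceable zero-report script prints.

```python
# Added example (not from the slides or from any vendor code): a constructed model
# of the AccuVote OS memory-card counters described on the page. It shows why a
# preloaded card with a net-zero offset survives a ballots-vs-votes sanity check,
# and why the zero check at poll opening must read the counters itself instead of
# trusting the replaceable .abo report script.
from typing import Dict, Optional

MOD = 1 << 16  # counters are 16-bit short integers; overflow wraps silently


def wrap16(n: int) -> int:
    """Reduce an integer to an unsigned 16-bit counter value (e.g. 65520 + 16 -> 0)."""
    return n % MOD


class MemoryCard:
    """Constructed model: one counter per candidate plus the public ballot counter."""

    def __init__(self, candidates, preset: Optional[Dict[str, int]] = None):
        self.public_counter = 0  # ballots entered; not touched by the preload
        self.counters = {c: wrap16((preset or {}).get(c, 0)) for c in candidates}

    def record_ballot(self, choice: str) -> None:
        self.public_counter = wrap16(self.public_counter + 1)
        self.counters[choice] = wrap16(self.counters[choice] + 1)


def zero_report_from_script(card: MemoryCard, honest: bool) -> Dict[str, int]:
    """The zero report as produced by the replaceable .abo script.
    The tampered script (honest=False) prints zeros regardless of counter values."""
    return dict(card.counters) if honest else {c: 0 for c in card.counters}


def firmware_zero_check(card: MemoryCard) -> bool:
    """Defender's check: firmware reads every counter directly at poll opening."""
    return card.public_counter == 0 and all(v == 0 for v in card.counters.values())


def totals_consistent(card: MemoryCard) -> bool:
    """Naive sanity check: candidate totals add up to ballots cast (mod 2^16)."""
    return wrap16(sum(card.counters.values())) == card.public_counter


def run_election(preset: Optional[Dict[str, int]], ballots: Dict[str, int]):
    """Open polls, cast the given ballots, and return (zero check passed at
    opening, totals consistent at close, final per-candidate totals)."""
    card = MemoryCard(["A", "B"], preset)
    opened_clean = firmware_zero_check(card)
    for choice, count in ballots.items():
        for _ in range(count):
            card.record_ballot(choice)
    return opened_clean, totals_consistent(card), dict(card.counters)
```

With preset {A: 65520, B: 16} (that is, -16 and +16) and 50 ballots each, the card closes at A = 34, B = 66 while the 100-ballot total still matches the public counter; only the firmware zero check at opening reports the tampering.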

Page 22: Certifying Voting Systems


Other Diebold Machines?

• Accu-Vote Central Count optical scan does not use either Accu-Basic or memory cards. CERTIFIED
• Accu-Vote TSx touchscreen uses Accu-Basic but
  – does not have candidate counters on memory card, so no pre-loading possible
  – has firmware that checks number of ballots voted, so zero totals can be verified
  CERTIFIED

Page 23: Certifying Voting Systems


Paul DeGregorio, Commissioner, Election Assistance Commission

Page 24: Certifying Voting Systems


Q&A