Analysis of the Security of E-Voting Systems
Description

Electronic voting systems have been introduced to improve the voting process. Since their inception, they have been controversial, because both technologists and the general public realized that they were losing direct control over an important part of the voting process: counting the votes. A quote attributed to Stalin says: "Those who cast the votes decide nothing. Those who count the votes decide everything." It is clear that voting systems represent a critical component of a democracy. Although the consequences of a malfunctioning electronic voting system are not as readily apparent as those for air traffic control or nuclear power plant control systems, they are just as important, because the well-being of a society depends on them. While most critical systems are continuously scrutinized and evaluated for safety and correctness, electronic voting systems are not subject to the same level of scrutiny. A number of recent studies have shown that most (if not all) of the electronic voting systems being used today are fatally flawed, and that their quality does not match the importance of the task that they are supposed to carry out. In the summer of 2007, the Security Group of UCSB participated in the Top-To-Bottom Review (TTBR) of the electronic voting systems used in California. This was a first-of-its-kind review, in which the evaluators had unprecedented access to the systems' source code, hardware, and associated documentation. In fall 2007, our team also participated in the EVEREST evaluation effort sponsored by the Secretary of State of Ohio. As part of this study we evaluated the security of the ES&S voting system.
The Reports

In the TTBR effort, our team focused on the security analysis of the Sequoia voting system. A local copy of our public report can be found here. We found a number of major flaws that can be exploited to compromise the integrity, confidentiality, and availability of the voting process. In particular, we developed virus-like software that can spread across the voting system, modifying the firmware of the voting machines. The modified firmware is able to steal votes even in the presence of a Voter-Verified Paper Audit Trail (VVPAT). We obtained similar results in our study of the ES&S system: we found a series of serious vulnerabilities that could compromise the confidentiality, integrity, and availability of the voting process. The final report can be found here.
The Video

We also prepared a movie that shows, in the case of the Sequoia voting system, how the virus-like attack would be carried out, and illustrates the different scenarios that our malicious firmware would exploit. The video shows how one can use a simple USB key to infect the laptop used to prepare the cards that initialize the various voting devices. As a result, the cards are loaded with a malicious software component. When a card is inserted in a voting terminal, the malicious software exploits a vulnerability in the terminal's loading procedure and installs a modified firmware, effectively "brainwashing" the terminal. Later, when the terminal is used by voters to cast their votes, the firmware uses a number of different techniques to modify the contents of the ballots being cast. The movie also shows that the physical security measures used to limit access to essential parts of the voting systems are ineffective. The movie can no longer be downloaded from this page, because after we were featured on Slashdot the Department web server maxed out. However, somebody uploaded the video to YouTube.
Formal Specification Effort

Electronic voting systems are a perfect example of security-critical computing. One of the critical and complex parts of such systems is the voting process, which is responsible for correctly and securely recording the voters' intentions and actions. Unfortunately, a recent study revealed that various e-voting systems exhibit serious specification, design, and implementation flaws. Formal specification and verification can greatly help in understanding the system requirements of e-voting systems by thoroughly specifying the underlying assumptions and analyzing them against security-specific properties. We have written a report on our effort to formally specify the ES&S Voting System:

"Specification and Analysis of the Electronic Voting Process for the ES&S Voting System", K. Weldemariam, R. Kemmerer, and A. Villafiorita, UCSB Computer Science Report. [PDF]
Publications

2008 (1 publication)

Are Your Votes Really Counted? Testing the Security of Real-world Electronic Voting Systems. Proceedings of the International Symposium on Software Testing and Analysis (ISSTA 2008). BibTeX | PDF (220.9 KB)