CS294S: Build a Voting System - PowerPoint PPT Presentation

1 / 23
About This Presentation
Title:

CS294S: Build a Voting System

Description:

Show that it can cheat, undetectably. Desired Results ... Results are entered into server at central office. Totals from individual precincts ... – PowerPoint PPT presentation

Number of Views:50
Avg rating:3.0/5.0
Slides: 24
Provided by: david893
Category:

less

Transcript and Presenter's Notes

Title: CS294S: Build a Voting System


1
CS294S Build a Voting System
  • Dan Boneh, David L. Dill,
  • Andrew Bortz

2
Course
  • Goal Investigate security engineering issues in
    e-voting.
  • Specify, design, implement a demonstration
    e-voting system.
  • Make it highly secure.
  • Show that it can cheat, undetectably.

3
Desired Results
  • Learn about technology and policy of voting
    technology.
  • Learn about secure system design
  • Security goals
  • Threats
  • Coding practices
  • Appropriate use of cryptography
  • Standards compliance
  • Other issues
  • Reliability
  • User interfaces
  • Accessibility

4
Project
  • Students will work in groups
  • Major modules of voting system will be
    implemented.
  • We will simplify as necessary.
  • Implementation will be as conformant with VVSG as
    feasible.
  • Modules should be testable, demonstrable in
    isolation
  • Java-based

5
Election lifecycle
  • Before election
  • Format ballots
  • Set up precincts/ballot styles
  • Load election info (ballot styles) into machines.
  • Install updated firmware
  • Test machines (sometimes called logic and
    accuracy testing -- LA testing).
  • Usually this involves running scripts and
    checking the results.
  • Some votes may be cast on touch-screens.
  • Machines transported to polling places (or
    whatever).

6
Polling Place Operations
  • Physical setup of machines
  • Election open
  • Print Zero tape
  • Go into election mode
  • Voting (more detail later)
  • Election close
  • Accumulate votes for all machines in polling
    place
  • Print results tape (candidate totals)
  • (Optional) Modem results into election office
  • Collect all materials, seal them in containers,
    transport to election office.

7
After Election
  • Results are entered into server at central office
  • Totals from individual precincts
  • Electronic ballots (cast vote records)
  • Event logs from machines
  • Reality Absentee, early, provisional votes must
    also be tallied
  • Reports of various kinds are generated (e.g.
    PDFs), posted on Internet, etc.
  • There may need to be recounts
  • Electronic recount -- add up votes in computer
    a second time.
  • Manual recount -- print copies of cast vote
    records, count them by hand.

8
Election system components
Ballot info (offices, candidates)
Election Management System
Reports
Precinct Info
Ballot Styles, Precincts
Totals Cast Vote Records Event logs
Voter Authentication
Voting terminall
Smart card
9
Election Management System
  • Database of precincts and ballot styles
  • Necessary for voting terminal setup
  • Necessary for interpreting and reporting results.
  • Prepares ballot logic and ballot layout
  • vote for any three
  • Database of election results
  • Precinct results
  • Cast vote records (electronic ballots)
  • Event logs
  • Report generation
  • County-wide summary
  • Precinct-by precinct summary
  • Turnout, blank ballots, undervotes
  • Ballot image reports
  • Event log reports

10
Voting Terminal Components
  • File system
  • Highly reliable
  • Tamper evident
  • GUI
  • Needs to minimize voter errors
  • Should inspire voter confidence
  • Election logic and data
  • Protocols for election open, close, etc.
  • Cast vote records
  • Event log

11
Requirement Accuracy
  • Candidate totals should reflect voter intent.
  • Sources of inaccuracy
  • Voter confusion, carelessness
  • User interface weirdness (e.g, jumping votes)
  • Software bugs, hardware failures
  • Administrative error
  • Tallying problems (e.g., Access capacity issues)
  • Fraud

12
Requirement Availability
  • Voters need to be able to vote
  • Causes of failure
  • Software unreliability (crashes, freezes)
  • Hardware problems
  • Failed components
  • Dead batteries
  • Administrative error (e.g., failure to plug
    machine in)
  • Insufficient capacity/provisioning
  • Denial of service.

13
Requirement Transparency
  • Elections must provide proof of accuracy
  • Processes must be observable
  • Paperless e-voting doesnt do very well on this
  • Results must be auditable (it must be possible to
    check results independently).
  • There are many aspects of election auditing.

14
Requirement Privacy
  • Voters votes should be secret
  • This is to prevent intimidation
  • Creates major problems for fraud detection and
    prevention.
  • Can be violated in subtle ways.
  • Sophisticated methods hard to stop
  • Electronic emissions
  • Spy cameras in polling places

15
Requirement Non-coercibility
  • Voter should not be able to prove how he/she
    voted to a third party to prevent
    vote-selling/coercion.
  • Vote selling has been a major problem in the U.S.
    (and elsewhere).
  • Hard to stop
  • Absentee voting
  • Cell phone cameras
  • This is a case where we want to enable fraud!

16
Requirement Accessibility
  • Federal and state law require that people with
    disabilities be able to vote privately and
    independently
  • The variety of disabilities makes this
    challenging.
  • Multiple disabilities especially so.
  • Most machines provide audio interfaces/tactile
    buttons for blind voters.
  • Touch screens easier for people with limited
    dexterity.

17
Requirement Minority Languages
  • According to the Voting Rights Act, election
    materials must be provided in certain minority
    languages, if there are enough speakers of that
    language with limited English proficiency in that
    jurisdiction (detailed rules are complicated)
  • Los Angeles has 7 languages.
  • Audio ballots must be provided in multiple
    languages, too.

18
Security Considerations
  • Threats are severe
  • Adversaries are formidable
  • Candidates, zealots
  • Foreign governments
  • Businesses
  • Organized crime
  • Substantial resources available
  • Hundreds of millions of spent on Presidential
    campaigns.
  • Governmental decisions involve large sums of
    money.

19
Attackers
  • Programmers at vendor, COTS operating system
    programmer, sysadmin, hardware designers.
  • Difficult or impossible to stop or detect.
  • Election officials (including IT), shippers,
    warehouse guards.
  • Poll workers
  • Voters
  • We will try to defend against all but the first.

20
Standards
  • Standards
  • FEC 1990, 2002 VSS
  • EAC VVSG goes into effect 2008
  • Equipment purchased with HAVA money must meet
    these in the future.
  • Many states require that equipment meet the
    standards
  • Security requirements almost non-existent.

21
Certification
  • Done by private laboratories called ITAs. They
    are paid by the vendors.
  • ITAs interpret standards and compare with
    designs.
  • shake and bake tests
  • Source code inspection (but not COTS).
  • Testing
  • Many states require federal certification, and
    have additional inspections testing.

22
Interesting security issues
  • Novel insider attacks
  • Who can come up with the best one?
  • Software authentication
  • Uncertified software has been a problem.
  • Can TCG help?
  • Encryption-based write-once memory
  • Cheating user interfaces

23
Initial assignment
  • Read papers on security analysis of voting
    systems.
  • Find good attacks in NIST workshop attack catalog
  • Browse VVSG
  • Vendor websites Diebold, Sequoia, ESS, Hart
    Intercivic. Look for demos on web sites
    (including election office web sites).
  • Verify.stanford.edu photoessay
  • Verifiedvoting.org, blackboxvoting.org
  • Next Monday Form teams.
Write a Comment
User Comments (0)
About PowerShow.com