Issue No.04 - July/August (2010 vol.36)
pp: 453-473
Davide Balzarotti, Eurecom Institute, Sophia Antipolis, France
Greg Banks, University of California, Santa Barbara, Santa Barbara
Marco Cova, University of California, Santa Barbara, Santa Barbara
Viktoria Felmetsger, University of California, Santa Barbara, Santa Barbara
Richard A. Kemmerer, University of California, Santa Barbara, Santa Barbara
William Robertson, University of California, Santa Barbara, Santa Barbara
Fredrik Valeur, University of California, Santa Barbara, Santa Barbara
Giovanni Vigna, University of California, Santa Barbara, Santa Barbara
ABSTRACT
Voting is the process through which a democratic society determines its government. Therefore, voting systems are as important as other well-known critical systems, such as air traffic control systems or nuclear plant monitors. Unfortunately, voting systems have a history of failures that seems to indicate that their quality is not up to the task. Because of the alarming frequency and impact of the malfunctions of voting systems, in recent years a number of vulnerability analysis exercises have been carried out against voting systems to determine if they can be compromised in order to control the results of an election. We have participated in two such large-scale projects, sponsored by the Secretaries of State of California and Ohio, whose goals were to perform the security testing of the electronic voting systems used in their respective states. As the result of the testing process, we identified major vulnerabilities in all of the systems analyzed. We then took advantage of a combination of these vulnerabilities to generate a series of attacks that would spread across the voting systems and would “steal” votes by combining voting record tampering with social engineering approaches. As a response to the two large-scale security evaluations, the Secretaries of State of California and Ohio recommended changes to improve the security of the voting process. In this paper, we describe the methodology that we used in testing the two real-world electronic voting systems we evaluated, the findings of our analysis, our attacks, and the lessons we learned.
INDEX TERMS
Voting systems, security testing, vulnerability analysis.
CITATION
Davide Balzarotti, Greg Banks, Marco Cova, Viktoria Felmetsger, Richard A. Kemmerer, William Robertson, Fredrik Valeur, Giovanni Vigna, "An Experience in Testing the Security of Real-World Electronic Voting Systems", IEEE Transactions on Software Engineering, vol. 36, no. 4, pp. 453-473, July/August 2010, doi:10.1109/TSE.2009.53