The Community for Technology Leaders
Green Image
Issue No. 04 - July/August (2010 vol. 36)
ISSN: 0098-5589
pp: 453-473
Viktoria Felmetsger , University of California, Santa Barbara, Santa Barbara
Greg Banks , University of California, Santa Barbara, Santa Barbara
Giovanni Vigna , University of California, Santa Barbara, Santa Barbara
Richard A. Kemmerer , University of California, Santa Barbara, Santa Barbara
William Robertson , University of California, Santa Barbara, Santa Barbara
Fredrik Valeur , University of California, Santa Barbara, Santa Barbara
Marco Cova , University of California, Santa Barbara, Santa Barbara
Davide Balzarotti , Eurecom Institute, Sophia Antipolis, France
ABSTRACT
Voting is the process through which a democratic society determines its government. Therefore, voting systems are as important as other well-known critical systems, such as air traffic control systems or nuclear plant monitors. Unfortunately, voting systems have a history of failures that seems to indicate that their quality is not up to the task. Because of the alarming frequency and impact of the malfunctions of voting systems, in recent years a number of vulnerability analysis exercises have been carried out against voting systems to determine if they can be compromised in order to control the results of an election. We have participated in two such large-scale projects, sponsored by the Secretaries of State of California and Ohio, whose goals were to perform the security testing of the electronic voting systems used in their respective states. As the result of the testing process, we identified major vulnerabilities in all of the systems analyzed. We then took advantage of a combination of these vulnerabilities to generate a series of attacks that would spread across the voting systems and would “steal” votes by combining voting record tampering with social engineering approaches. As a response to the two large-scale security evaluations, the Secretaries of State of California and Ohio recommended changes to improve the security of the voting process. In this paper, we describe the methodology that we used in testing the two real-world electronic voting systems we evaluated, the findings of our analysis, our attacks, and the lessons we learned.
INDEX TERMS
Voting systems, security testing, vulnerability analysis.
CITATION
Viktoria Felmetsger, Greg Banks, Giovanni Vigna, Richard A. Kemmerer, William Robertson, Fredrik Valeur, Marco Cova, Davide Balzarotti, "An Experience in Testing the Security of Real-World Electronic Voting Systems", IEEE Transactions on Software Engineering, vol. 36, no. , pp. 453-473, July/August 2010, doi:10.1109/TSE.2009.53
92 ms
(Ver )