[REVS] Analysis of an Electronic Voting System

From: SecuriTeam (support_at_securiteam.com)
Date: 11/02/03

    To: list@securiteam.com
    Date: 2 Nov 2003 17:38:21 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Analysis of an Electronic Voting System
    ------------------------------------------------------------------------

    SUMMARY

    Recent election problems have sparked great interest in managing the
    election process with electronic voting systems. While computer
    scientists, for the most part, have been warning of the perils of such
    action, vendors have forged ahead with their products, claiming increased
    security and reliability. Many municipalities have adopted electronic
    systems, and the number of deployed systems is rising. For these new
    computerized voting systems, neither source code nor the results of any
    third-party certification analyses have been available for the general
    population to study, because vendors claim that secrecy is a necessary
    requirement to keep their systems secure.

    Recently, however, the source code purporting to be the software for a
    voting system from a major manufacturer appeared on the Internet. This
    manufacturer's systems were used in Georgia's statewide elections in 2002,
    and the company just announced that the state of Maryland awarded them an
    order valued at up to $55.6 million to deliver touch screen voting
    systems. This unique opportunity for independent scientific analysis of
    voting system source code demonstrates the fallacy of the closed-source
    argument for such a critical system. Our analysis shows that this voting
    system is far below even the most minimal security standards applicable in
    other contexts.

    We highlight several issues including unauthorized privilege escalation,
    incorrect use of cryptography, vulnerabilities to network threats, and
    poor software development processes. For example, common voters, without
    any insider privileges, can cast unlimited votes without being detected by
    any mechanisms within the voting terminal.

    Furthermore, we show that even the most serious of our outsider attacks
    could have been discovered without the source code. In the face of such
    attacks, the usual worries about insider threats are not the only
    concerns; outsiders can do the damage. That said, we demonstrate that the
    insider threat is also quite considerable. We conclude that, as a society,
    we must carefully consider the risks inherent in electronic voting, as it
    places our very democracy at risk.

    DETAILS

    Introduction:
    The essence of democracy is that everyone accepts the results of
    elections, even when they lose them. Elections allow the populace to
    choose their representatives and express their preferences for how they
    will be governed. Naturally, the integrity of the election process is
    fundamental to the integrity of democracy itself. Unsurprisingly,
    history is littered with examples of elections being manipulated in
    order to influence their outcome.

    The design of a "good" voting system, whether electronic or using
    traditional paper ballots or mechanical devices, must be robust against a
    wide variety of potentially fraudulent behavior. The anonymity of a
    voter's ballot must be preserved, both to guarantee the voter's safety
    when voting against a malevolent candidate, and to guarantee that voters
    have no evidence that proves which candidates received their votes. The
    existence of such evidence would allow votes to be purchased by a
    candidate. The voting system must also be tamper-resistant to thwart a
    wide range of attacks, including ballot stuffing by voters and incorrect
    tallying by insiders. Another important consideration, as shown by the
    so-called "butterfly ballots" in the Florida 2000 presidential election,
    is the importance of human factors. A voting system must be comprehensible
    to and usable by the entire voting population, regardless of age,
    infirmity, or disability. Providing accessibility to such a diverse
    population is an important engineering problem and one where, if other
    security is done well, electronic voting could be a great improvement over
    current paper systems. Flaws in any of these aspects of a voting system,
    however, can lead to indecisive or incorrect election results.

    ADDITIONAL INFORMATION

    The paper can be downloaded from: http://avirubin.com/vote.pdf

    The information has been provided by Tadayoshi Kohno (yoshi@cs.jhu.edu),
    Adam Stubblefield (astubble@cs.jhu.edu), Dan S. Wallach
    (dwallach@cs.rice.edu), and Aviel D. Rubin (rubin@cs.jhu.edu).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

