On voting machine design for verification and testability

We present an approach for the design and analysis of an electronic voting machine based on a novel combination of formal verification and systematic testing. The system was designed specifically to enable verification and testing. In our architecture, the voting machine is a finite-state transducer that implements the bare essentials required for an election. We formally specify how each component of the machine is intended to work and formally verify that a Verilog implementation of our design meets this specification. However, it is more challenging to verify that the composition of these components will behave as a voter would expect, because formalizing human expectations is difficult. We show how systematic testing can be used to address this issue, and in particular to verify that the machine will behave correctly on election day.
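The two checks the abstract distinguishes, component-level formal verification and voter-level systematic testing, can be illustrated on a toy model. The following Python is an added example and is not the paper's Verilog design or its verification tooling: the machine (one contest, two candidates, five inputs), its state encoding, the safety invariant, the trace property and the injected defect in `buggy_step` are all constructed for illustration. The transducer is small enough that its state space is explored exhaustively (a stand-in for model checking the component specification), and every input sequence up to a bounded length is then run against an expectation stated over the display outputs (a stand-in for the systematic testing the abstract describes). The constructed defect satisfies the component invariant but not the voter-level trace property, which is exactly the gap the abstract says testing is meant to close.

```python
from itertools import product

# Constructed toy machine: one contest, two candidates, five voter inputs.
INPUTS = ("select_A", "select_B", "next", "back", "cast")
# State is the tuple (screen, selection, record):
#   screen    : "contest" | "review" | "done"
#   selection : None | "A" | "B"   (what the voter has chosen)
#   record    : None | "A" | "B"   (what has been cast, if anything)
INITIAL = ("contest", None, None)


def step(state, inp):
    """Transition function of the transducer: returns (next_state, output).
    The output is what the display shows the voter after the input."""
    screen, sel, rec = state
    if screen == "contest":
        if inp.startswith("select_"):
            cand = inp[len("select_"):]
            return ("contest", cand, rec), "show:" + cand
        if inp == "next" and sel is not None:
            return ("review", sel, rec), "review:" + sel
        return state, "ignored"
    if screen == "review":
        if inp == "back":
            return ("contest", sel, rec), "show:" + sel
        if inp == "cast":
            return ("done", sel, sel), "cast:" + sel
        return state, "ignored"
    return state, "ignored"  # "done": the ballot is cast, nothing more is accepted


def buggy_step(state, inp):
    """Constructed defect (assumption, not from the paper): on the review screen a
    stray select_* input changes the selection without updating the display, so
    what is cast can differ from what the voter last saw on the review screen."""
    screen, sel, rec = state
    if screen == "review" and inp.startswith("select_"):
        return ("review", inp[len("select_"):], rec), "ignored"
    return step(state, inp)


def reachable_states(step_fn):
    """Exhaustive exploration of the finite state space (a small model check)."""
    seen, frontier = {INITIAL}, [INITIAL]
    while frontier:
        s = frontier.pop()
        for inp in INPUTS:
            t, _ = step_fn(s, inp)
            if t not in seen:
                seen.add(t)
                frontier.append(t)
    return seen


def invariant_violations(step_fn):
    """Component-level safety property over every reachable state: a record exists
    exactly on the 'done' screen and always equals the voter's selection."""
    bad = []
    for screen, sel, rec in reachable_states(step_fn):
        if (rec is not None) != (screen == "done") or (rec is not None and rec != sel):
            bad.append((screen, sel, rec))
    return bad


def run(step_fn, seq):
    """Drive the machine through an input sequence; return (final_state, outputs)."""
    state, outputs = INITIAL, []
    for inp in seq:
        state, out = step_fn(state, inp)
        outputs.append(out)
    return state, outputs


def trace_ok(outputs):
    """Voter-level expectation on the output trace: a cast ballot names the same
    candidate as the review screen the voter saw most recently."""
    last_review = None
    for out in outputs:
        kind, _, cand = out.partition(":")
        if kind == "review":
            last_review = cand
        elif kind == "cast" and cand != last_review:
            return False
    return True


def systematic_test(step_fn, max_len):
    """Run every input sequence of length 1..max_len;
    return (sequences_run, failing_sequences)."""
    failures, count = [], 0
    for n in range(1, max_len + 1):
        for seq in product(INPUTS, repeat=n):
            count += 1
            if not trace_ok(run(step_fn, seq)[1]):
                failures.append(seq)
    return count, failures


if __name__ == "__main__":
    for name, fn in (("spec", step), ("buggy", buggy_step)):
        print(name, "reachable states:", len(reachable_states(fn)),
              "invariant violations:", invariant_violations(fn))
        count, fails = systematic_test(fn, 5)
        print(name, "sequences run:", count,
              "first failing sequence:", fails[0] if fails else None)
```

Both transition functions pass the state invariant, because the defect never makes the record disagree with the internal selection; only the bounded enumeration of input sequences, judged against what the display told the voter, exposes it. In a real machine the bound on sequence length has to be justified from the machine's structure (the abstract's point that the design was built to make such testing tractable); here the state space is tiny, so a bound of four or five inputs already covers every distinct behaviour.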
