Verifying security properties in electronic voting machines

Voting is the bridge between the governed and government. The last few years have brought a renewed focus onto the technology used in the voting process and a hunt for voting machines that engender confidence. Computerized voting systems bring improved usability and cost benefits but also the baggage of buggy and vulnerable software. When scrutinized, current voting systems are riddled with security holes, and it difficult to prove even simple security properties about them. A voting system that can be proven correct would alleviate many concerns. This dissertation argues that a property based approach is the best start towards a fully verified voting system. First, we look at specific techniques to reduce privacy vulnerabilities in a range of voting technologies. We implement our techniques in a prototype voting system. The componentised design of the voting system makes it amenable to easily validating security properties. Finally, we describe software analysis techniques that guarantee that ballots will only be stored if they can later be accurately reconstructed for counting. The analysis uses static analysis to enable dynamic checks in a fail-stop model. These successes provide strong evidence that it is possible to design voting systems with verifiable security properties, and the belief that in the future, voting technologies will be free of security problems.

[1]  Brent Waters,et al.  Cryptographic Methods for Storing Ballots on a Voting Machine , 2007, NDSS.

[2]  D. Jefferson,et al.  Security analysis of SERVE 1 A Security Analysis of the Secure Electronic Registration and Voting Experiment ( SERVE ) , 2004 .

[3]  Moni Naor,et al.  Receipt-Free Universally-Verifiable Voting with Everlasting Privacy , 2006, CRYPTO.

[4]  Markus Jakobsson,et al.  Making Mix Nets Robust for Electronic Voting by Randomized Partial Checking , 2002, USENIX Security Symposium.

[5]  Peter Y. A. Ryan,et al.  A Dependability Analysis of the Chaum Digital Voting Scheme , 2003 .

[6]  David A. Wagner,et al.  Cryptographic Voting Protocols: A Systems Perspective , 2005, USENIX Security Symposium.

[7]  David A. Wagner,et al.  This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. Detecting Format String Vulnerabilities with Type Qualifiers , 2001 .

[8]  David Brumley,et al.  Privtrans: Automatically Partitioning Programs for Privilege Separation , 2004, USENIX Security Symposium.

[9]  F. Schneider Trust in Cyberspace , 1998 .

[10]  C. Andrew Neff,et al.  A verifiable secret shuffle and its application to e-voting , 2001, CCS '01.

[11]  David L. Black,et al.  Machine-independent virtual memory management for paged uniprocessor and multiprocessor architectures , 1987, ASPLOS 1987.

[12]  John M. Rushby,et al.  Design and verification of secure systems , 1981, SOSP.

[13]  Noah Treuhaft,et al.  Recovery Oriented Computing (ROC): Motivation, Definition, Techniques, and Case Studies , 2002 .

[14]  Michael R. Lowry,et al.  Key Applications for High-Assurance Systems , 1998, Computer.

[15]  George Candea,et al.  Microreboot - A Technique for Cheap Recovery , 2004, OSDI.

[16]  Rebecca T. Mercuri A better ballot box , 2002 .

[17]  Ted Selker,et al.  The SAVE System — Secure Architecture for Voting Electronically , 2004 .

[18]  H. Singer An Historical Perspective , 1995 .

[19]  Dawson R. Engler,et al.  Exokernel: an operating system architecture for application-level resource management , 1995, SOSP.

[20]  Brian N. Bershad,et al.  Improving the reliability of commodity operating systems , 2005, TOCS.

[21]  David R. Karger,et al.  Wide-area cooperative storage with CFS , 2001, SOSP.

[22]  RICHARD J. FEIERTAG,et al.  The foundations of a provably secure operating system (PSOS) , 1979, 1979 International Workshop on Managing Requirements Knowledge (MARK).

[23]  David A. Wagner,et al.  Tamper-evident, history-independent, subliminal-free data structures on PROM storage -or- how to store ballots on a voting machine , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[24]  David A. Wagner,et al.  Finding User/Kernel Pointer Bugs with Type Inference , 2004, USENIX Security Symposium.

[25]  Gernot Heiser Secure Embedded Systems Need Microkernels , 2005, login Usenix Mag..

[26]  Dan S. Wallach,et al.  Analysis of an electronic voting system , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[27]  Birgit Pfitzmann,et al.  How to Break the Direct RSA-Implementation of Mixes , 1990, EUROCRYPT.

[28]  Niels Provos,et al.  Preventing Privilege Escalation , 2003, USENIX Security Symposium.

[29]  C. A. R. Hoare,et al.  An axiomatic basis for computer programming , 1969, CACM.

[30]  Clark Weissman MLS-PCA: a high assurance security architecture for future avionics , 2003, 19th Annual Computer Security Applications Conference, 2003. Proceedings..

[31]  Michael D. Ernst,et al.  An overview of JML tools and applications , 2003, International Journal on Software Tools for Technology Transfer.

[32]  Ronald L. Rivest,et al.  A Modular Voting Architecture ("Frogs") , 2001 .

[33]  Scott Devine,et al.  Disco: running commodity operating systems on scalable multiprocessors , 1997, TOCS.

[34]  Bertrand Meyer,et al.  Applying 'design by contract' , 1992, Computer.

[35]  David A. Wagner,et al.  Prerendered User Interfaces for Higher-Assurance Electronic Voting , 2006, EVT.

[36]  Jonathan M. Silverman,et al.  Reflections on the verification of the security of an operating system kernel , 1983, SOSP '83.

[37]  Sam Weber,et al.  Verifying the EROS confinement mechanism , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[38]  Abhi Shelat,et al.  Fair-Zero Knowledge , 2005, TCC.

[39]  Heiko Mantel,et al.  On the composition of secure systems , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[40]  Poorvi L. Vora,et al.  David Chaum's Voter Verification using Encrypted Paper Receipts , 2005, IACR Cryptol. ePrint Arch..

[41]  Ira S. Moskowitz,et al.  An architecture for multilevel secure interoperability , 1997, Proceedings 13th Annual Computer Security Applications Conference.

[42]  Pradeep K. Khosla,et al.  SWATT: softWare-based attestation for embedded devices , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[43]  Wim van Eck,et al.  Electromagnetic radiation from video display units: An eavesdropping risk? , 1985, Comput. Secur..

[44]  O. Sami Saydjari LOCK : An Historical Perspective , 2002, ACSAC.

[45]  Naveen Sastry Designing Voting Machines for Verification , 2006, USENIX Security Symposium.

[46]  Ariel J. Feldman,et al.  Security Analysis of the Diebold AccuVote-TS Voting Machine , 2007, EVT.

[47]  Scott Devine,et al.  Disco: running commodity operating systems on scalable multiprocessors , 1997, SOSP.

[48]  Marianne Shaw,et al.  Scale and performance in the Denali isolation kernel , 2002, OSDI '02.

[49]  David A. Wagner,et al.  Analyzing internet voting security , 2004, CACM.

[50]  Josh Benaloh,et al.  Simple Verifiable Elections , 2006, EVT.

[51]  Arthur M. Keller,et al.  Privacy issues in an electronic voting machine , 2004, WPES '04.

[52]  Kenneth Kwok-Hei Yiu,et al.  Starlight: Interactive Link , 1996, Proceedings 12th Annual Computer Security Applications Conference.

[53]  O. S. Saydjari Multilevel Security: Reprise , 2004, IEEE Secur. Priv..

[54]  Miguel Castro,et al.  Farsite: federated, available, and reliable storage for an incompletely trusted environment , 2002, OPSR.

[55]  Jochen Liedtke,et al.  Toward real microkernels , 1996, CACM.

[56]  J. Doug Tygar,et al.  A Model for Secure Protocols and Their Compositions , 1996, IEEE Trans. Software Eng..

[57]  Dan S. Wallach,et al.  Hack-a-Vote: Demonstrating Security Issues with Electronic Voting Systems , 2003 .

[58]  Ben Y. Zhao,et al.  Pond: The OceanStore Prototype , 2003, FAST.

[59]  Matti A. Hiltunen,et al.  Automatic Operating System Specialization via Binary Rewriting , 2022 .

[60]  Bruce Schneier,et al.  Insider risks in elections , 2004, CACM.

[61]  Gary T. Leavens,et al.  Design by Contract with JML , 2006 .

[62]  Peter G. Neumann,et al.  PSOS revisited , 2003, 19th Annual Computer Security Applications Conference, 2003. Proceedings..

[63]  Markus Jakobsson,et al.  A Practical Mix , 1998, EUROCRYPT.

[64]  Abhi Shelat,et al.  Collusion-free protocols , 2005, STOC '05.

[65]  Alan T. Sherman,et al.  An Examination of Vote Verification Technologies: Findings and Experiences from the Maryland Study , 2006, EVT.

[66]  George Candea,et al.  Recursive restartability: turning the reboot sledgehammer into a scalpel , 2001, Proceedings Eighth Workshop on Hot Topics in Operating Systems.

[67]  David Wagner,et al.  Security Analysis of the Diebold AccuBasic Interpreter , 2006 .

[68]  Markus G. Kuhn,et al.  Optical time-domain eavesdropping risks of CRT displays , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[69]  Andrew Warfield,et al.  Xen and the art of virtualization , 2003, SOSP '03.

[70]  Yennun Huang,et al.  Software rejuvenation: analysis, module and applications , 1995, Twenty-Fifth International Symposium on Fault-Tolerant Computing. Digest of Papers.

[71]  Daryl McCullough,et al.  Noninterference and the composability of security properties , 1988, Proceedings. 1988 IEEE Symposium on Security and Privacy.

[72]  Marianne Shaw,et al.  Denali: a scalable isolation kernel , 2002, EW 10.

[73]  Douglas W. Jones,et al.  Secure Data Export and Auditing Using Data Diodes , 2006, EVT.

[74]  K. Rustan M. Leino,et al.  The Spec# Programming System: An Overview , 2004, CASSIS.

[75]  David Chaum,et al.  Secret-ballot receipts: True voter-verifiable elections , 2004, IEEE Security & Privacy Magazine.

[76]  Dan S. Wallach,et al.  Hack-a-vote: Security issues with electronic voting systems , 2004, IEEE Security & Privacy Magazine.

[77]  Silvio Micali,et al.  The Knowledge Complexity of Interactive Proof Systems , 1989, SIAM J. Comput..

[78]  MeyerBertrand,et al.  Design by Contract , 1997 .

[79]  Martin C. Rinard,et al.  Purity and Side Effect Analysis for Java Programs , 2005, VMCAI.

[80]  Brian N. Bershad,et al.  Recovering device drivers , 2004, TOCS.