Analysis of an electronic voting system

Tadayoshi Kohno, A. Stubblefield, A. Rubin, D. Wallach
Published in: IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004
Publication date: 2004-05-09
DOI: 10.1109/SECPRI.2004.1301313 (https://doi.org/10.1109/SECPRI.2004.1301313)
Citations: 611

Abstract

With significant U.S. federal funds now available to replace outdated punch-card and mechanical voting systems, municipalities and states throughout the U.S. are adopting paperless electronic voting systems from a number of different vendors. We present a security analysis of the source code to one such machine used in a significant share of the market. Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts. We identify several problems including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes. We show that voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal software. Furthermore, we show that even the most serious of our outsider attacks could have been discovered and executed without access to the source code. In the face of such attacks, the usual worries about insider threats are not the only concerns; outsiders can do the damage. That said, we demonstrate that the insider threat is also quite considerable, showing that not only can an insider, such as a poll worker, modify the votes, but that insiders can also violate voter privacy and match votes with the voters who cast them. We conclude that this voting system is unsuitable for use in a general election. Any paperless electronic voting system might suffer similar flaws, despite any certification it could have otherwise received. We suggest that the best solutions are voting systems having a voter-verifiable audit trail, where a computerized voting system might print a paper ballot that can be read and verified by the voter.