Tampering with Special Purpose Trusted Computing Devices: A Case Study in Optical Scan E-Voting

A. Kiayias, L. Michel, A. Russell, N. Shashidhar, Andrew See, Alexander A. Shvartsman, S. Davtyan
DOI: 10.1109/ACSAC.2007.16
Published in: Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), 10 December 2007
Citation count: 15

Abstract

Special purpose trusted computing devices are currently being deployed to offer many services for which the general purpose computing paradigm is unsuitable. The nature of the services offered by many of these devices demands high security and reliability, as well as low cost and low power consumption. Electronic voting machines are a canonical example of this phenomenon. With electronic voting machines currently being used in much of the United States and several other countries, there is a strong need for thorough security evaluation of these devices and the procedures in place for their use. In this work, we first put forth a general framework for special purpose trusted computing devices. We then focus on Optical Scan (OS) electronic voting technology as a specific instance of this framework. OS terminals are a popular e-voting technology with the decided advantage of a user-verified paper trail: the ballot sheets themselves. Still, election results are based on machine-generated totals as well as machine-generated audit reports to validate the voting process. In this paper we present a security assessment of the Diebold AccuVote Optical Scan voting terminal (AV-OS), a popular OS terminal currently in wide deployment anticipating the 2008 Presidential elections. The assessment is developed using exclusively reverse-engineering, without any technical specifications provided by the machine suppliers. We demonstrate a number of security issues that relate to the machine's proprietary language, called AccuBasic, that is used for reporting election results. While this language is thought to be benign, especially given that it is essentially sandboxed by the firmware to have only read access, we demonstrate that it is powerful enough to (i) strengthen known attacks against the AV-OS so that they become undetectable prior to elections (thus significantly increasing their magnitude) or (ii) conditionally bias the election results to reach a desired outcome. Given the discovered vulnerabilities and attacks, we proceed to discuss how random audits can be used to validate with high confidence that a procedure carried out by special purpose devices such as the AV-OS has not been manipulated. We end with a set of recommendations for the design and safe use of OS voting systems.
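The random-audit argument in the closing sentences of the abstract can be made concrete with a sample-size calculation. The Python below is an added example, not code from the paper or from the AV-OS firmware. The terminal count, the attacker's maximum vote shift per manipulated terminal, the winning margin, and the confidence level are hypothetical inputs, and the model assumes that auditing a terminal (hand-counting its paper ballots against the machine-reported total) reveals manipulation of that terminal with certainty. Under those assumptions, the attacker must manipulate at least some number k of terminals to flip the outcome, and the audit is sized so that a uniformly random sample catches at least one of any k manipulated terminals with the required probability; the closed form is the hypergeometric tail, checked here against a seeded Monte Carlo simulation.

```python
import random
from math import ceil, comb


def miss_probability(total, tampered, sampled):
    """Probability that a uniformly random sample of `sampled` terminals, drawn
    without replacement from `total` terminals of which `tampered` are
    manipulated, contains no manipulated terminal.

    This is the hypergeometric tail C(total - tampered, sampled) / C(total, sampled).
    """
    if tampered <= 0:
        return 1.0                      # nothing to detect
    if sampled > total - tampered:
        return 0.0                      # pigeonhole: sample must hit a bad terminal
    return comb(total - tampered, sampled) / comb(total, sampled)


def detection_probability(total, tampered, sampled):
    return 1.0 - miss_probability(total, tampered, sampled)


def required_sample_size(total, tampered, confidence):
    """Smallest audit sample that detects at least one of `tampered`
    manipulated terminals with probability >= `confidence`."""
    for n in range(total + 1):
        if detection_probability(total, tampered, n) >= confidence:
            return n
    return total


def min_terminals_to_flip(margin_votes, max_shift_per_terminal):
    """Hypothetical adversary model: each manipulated terminal can move at
    most `max_shift_per_terminal` votes from the winner to the runner-up.
    The attacker needs enough terminals to overturn a margin of `margin_votes`."""
    return ceil(margin_votes / max_shift_per_terminal)


def audit_plan(total, margin_votes, max_shift_per_terminal, confidence):
    """Size the audit for the worst case: the attacker manipulates exactly the
    minimum number of terminals needed to flip the result. Detection probability
    only grows if more terminals are manipulated, so this bound covers all cases."""
    k = min_terminals_to_flip(margin_votes, max_shift_per_terminal)
    n = required_sample_size(total, k, confidence)
    return {"terminals_attacker_needs": k,
            "terminals_to_audit": n,
            "detection_probability": detection_probability(total, k, n)}


def simulate_detection_rate(total, tampered, sampled, trials=20000, seed=1):
    """Monte Carlo check of the closed form: pick a random set of manipulated
    terminals, draw a random audit sample, count how often they intersect."""
    rng = random.Random(seed)           # fixed seed so the result is reproducible
    terminals = range(total)
    hits = 0
    for _ in range(trials):
        bad = set(rng.sample(terminals, tampered))
        audited = rng.sample(terminals, sampled)
        if any(t in bad for t in audited):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # Constructed scenario (not from the paper): 100 terminals, a 500-vote
    # margin, an attacker able to shift at most 50 votes per terminal,
    # and a 95% detection requirement.
    plan = audit_plan(total=100, margin_votes=500, max_shift_per_terminal=50,
                      confidence=0.95)
    print(plan)
    k, n = plan["terminals_attacker_needs"], plan["terminals_to_audit"]
    print("closed form :", detection_probability(100, k, n))
    print("simulation  :", simulate_detection_rate(100, k, n))
```

Note that the audit size depends on the margin, not only on the number of terminals: a narrow margin lets the attacker succeed with fewer manipulated terminals, and the audit must grow accordingly. A fixed-percentage audit gives no uniform guarantee.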