
UC Source Code Team Reports

The conclusions from reports written by computer scientists who had a chance to look at the source code as part of Secretary Bowen's top-to-bottom voting systems review.

Diebold, pg 65

Our study of the Diebold source code found that the system does not meet the requirements for a security-critical system. It is built upon an inherently fragile design and suffers from implementation flaws that can expose the entire voting system to attacks. These vulnerabilities, if exploited, could jeopardize voter privacy and the integrity of elections. An attack could plausibly be accomplished by a single skilled individual with temporary access to a single voting machine. The damage could be extensive -- malicious code could spread to every voting machine in polling places and to county election servers. Even with a paper trail, malicious code might be able to subtly influence close elections, and it could disrupt elections by causing widespread equipment failure on election day. We conclude that these problems arose because of a failure to design and build the system with security as a central focus, which led to the inconsistent application of accepted security engineering practices. For this reason, the safest way to repair the Diebold system is to re-engineer it so that it is secure by design. We discussed a number of limited solutions and procedural changes that may improve the security of the system, but we warn that implementing any particular set of technical or procedural safeguards may still be insufficient. Similarly, fixing individual flaws in the system - even all of the issues identified in this report - may not yield a secure voting system because of the possibility that unidentified problems will be exploited. We are also concerned that future updates to the system may introduce new, unknown vulnerabilities or fail to adequately correct known ones. We urge the state to conduct further studies to determine whether any new or updated voting systems are secure.

Sequoia, pg 82

We found pervasive security weaknesses throughout the Sequoia software. Virtually every important software security mechanism is vulnerable to circumvention. The integrity of elections conducted with the system depends almost entirely on the physical security of the equipment and the procedural controls under which election operations are conducted. Whether the software vulnerabilities we describe can be compensated for with procedural and physical security mitigations depends on a range of factors, most of which were beyond the scope of this study. However, we caution that mitigation will place considerable additional pressure on physical security features (such as locks and seals) and human procedures (such as two-person control by poll workers). Many of the physical security features and procedures typically used with the Sequoia system appear to have been engineered under the assumption that the underlying software is considerably more secure than it actually is, and thus may not provide sufficient protection in light of the vulnerabilities discussed here. Designing robust, practical, and effective procedures that substantially reduce the risks identified in this report would itself be a very complex task, requiring a broad range of computer security, physical security, legal, and operational elections expertise. As a starting point, we attempted to identify mitigation strategies for the vulnerabilities we discovered. Unfortunately, we were unable to find practical strategies that reliably prevent exploitation of some of the system’s weaknesses. Fixing some of the problems will require substantial changes to the software and the architecture. In fact, we are not optimistic that acceptable practical and secure mitigation procedures are even possible for some of the Sequoia system’s components and features, at least in the absence of a comprehensive re-engineering of the system itself. The problem is compounded by the inter-related nature of many of the vulnerabilities and the relative ease with which certain attacks can be carried out. As the table in Figure 5.2 summarized, even brief exposure of many system components to an attacker can have ramifications beyond the components themselves. Of particular concern is that virtually every software mechanism related to counting votes is exposed, directly or indirectly, to compromise through tampering with equipment that is deployed in the field. In many cases, tampering sufficient to cause compromise requires only brief physical access and may leave behind little or no evidence. We are regrettably unable to suggest with confidence any comprehensive strategy for mitigating the vulnerabilities in the Sequoia system that simultaneously provides a high assurance of security, maintains accessible DRE voting, and substantially incorporates existing hardware and software.

Hart, pgs 87-8

Although we had only limited time to review the source code of the system, our review nevertheless uncovered what we believe to be a number of significant security issues. In many cases the Hart system does not incorporate defense-in-depth principles, which may allow individual attacks to be escalated up to much broader attacks. The Hart software and devices appear to be susceptible to a variety of attacks which would allow an attacker to gain control of some or all of the systems in a county: ... By combining the above attacks, a malicious pollworker could subvert an eScan, through that SERVO, and through SERVO all the machines in the county for the next election. We have tested what we believe to be the essential elements of this attack but not performed an end-to-end test. Furthermore, a malicious voter could subvert a single eSlate, through that SERVO, and through SERVO all the machines in a county for the next election. We have tested some but not all of the elements of this attack. ... Some of these issues can be mitigated with stricter polling place procedures. Others may be repaired with minor modifications to Hart’s systems, while yet others may require significant redesign. Providing a complete assessment of mitigation strategies was out of scope of this review, but we encourage Hart and the Secretary of State to study these issues. ...

Nobody, and no machine, should be counting American votes in secret.

For further information, email Jim Soper at:
Jim.Soper@GMail.com