Building Reliable Voting Machine Software
Total Page:16
File Type:pdf, Size:1020Kb
Building Reliable Voting Machine Software Ka-Ping Yee Electrical Engineering and Computer Sciences University of California at Berkeley Technical Report No. UCB/EECS-2007-167 http://www.eecs.berkeley.edu/Pubs/TechRpts/2007/EECS-2007-167.html December 19, 2007 Copyright © 2007, by the author(s). All rights reserved. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission. Acknowledgement I am grateful to many people who helped make this dissertation possible. My advisors: David Wagner, Marti Hearst. My committee members: Henry Brady, Joe Hellerstein. Advice: Steve Bellovin, Candy Lopez, Scott Luebking, Noel Runyan, Joseph Hall. Security review: Matt Bishop, Ian Goldberg, Tadayoshi Kohno, Mark Miller, Dan Sandler, Dan Wallach. Funding: National Science Foundation, through ACCURATE. Thanks also to Scott Kim, La Shana Porlaris, Lisa Friedman, and my parents. Building Reliable Voting Machine Software Ka-Ping Yee B. A. Sc. (University of Waterloo) 1998 A dissertation submitted to the Graduate Division of the University of California, Berkeley in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science Committee in charge: Professor David Wagner, Co-chair Professor Marti Hearst, Co-chair Professor Henry Brady Professor Joseph Hellerstein Fall 2007 The dissertation of Ka-Ping Yee is approved. Professor David Wagner (Co-chair) Date Professor Marti Hearst (Co-chair) Date Professor Henry Brady Date Professor Joseph Hellerstein Date University of California, Berkeley Fall 2007 Building Reliable Voting Machine Software Copyright © 2007 Ka-Ping Yee Permission is granted to copy, distribute, and/or modify this document under the terms of the GNU Free Documentation License, version 1.2 or any later version published by the Free Software Foundation, with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the appendix entitled GNU Free Documentation License. Abstract Building Reliable Voting Machine Software Ka-Ping Yee Doctor of Philosophy in Computer Science University of California, Berkeley Professor David Wagner, Co-chair Professor Marti Hearst, Co-chair I examine the question of how to design election-related software, with particular attention to the threat of insider attacks, and propose the goal of simplifying the software in electronic voting machines. I apply a technique called prerendering to reduce the security-critical, voting-specific software by a factor of 10 to 100 while supporting similar or better usability and accessibility, compared to today’s voting machines. Smaller and simpler software generally contributes to easier verification and higher confidence. I demonstrate and validate the prerendering approach by presenting Pvote, a vote-entry program that allows a high degree of freedom in the design of the user interface and supports synchronized audio and video, touchscreen input, and input devices for people with disabilities. Despite all its capabilities, Pvote is just 460 lines of Python code; thus, it directly addresses the conflict between flexibility and reliability that underlies much of the current controversy over electronic voting. A security review of Pvote found no bugs in the Pvote code and yielded lessons on the practice of adversarial code review. The analysis and design methods I used, including the prerendering technique, are also applicable to other high-assurance software. Professor David Wagner Professor Marti Hearst 1 This dissertation is dedicated to those who work to run elections everywhere in the world: registrars, officers, pollworkers, clerks, judges, scrutineers, observers, and everyone else involved in the process. You carry out the mechanisms that make democracy work; this research is devoted to helping you make democracy work better. i Preface The democracy upon which our modern society is built ultimately depends on a system that collects and counts votes. For many voters in the United States and other countries, nearly every part of that system relies on computer software in some way. If you had to design that software, how would you do it? This dissertation offers an exploration of that question and a proposed answer: create the simplest possible voting machine software. I use a technique called prerendering to reduce the critical voting-specific software by a factor of 10 to 100 while supporting similar or better accessibility and usability, compared to today’s machines. Central to this dissertation is the story of Pvote, the program I developed to realize this goal. The first reason to simplify software is the threat of an insider attack. The challenge is to prevent not just inadvertent flaws, but flaws intentionally crafted by programmers who stand to gain from subverting their own software. The only way to meet this challenge is to require simpler software. The second reason is that much of the controversy over electronic voting stems from a conflict between flexibility and reliability. Computers offer the promise of broader and more effective access to voting, but computer programs are more complicated and fragile than hand-counted paper ballots. Simplifying the voting machine software mitigates this dilemma. The problem of electronic voting is illustrative of the challenges of building reliable software in general. In particular, I report on insights from the Pvote work about managing the complexity of high-assurance software and about reviewing software for correctness without assuming trust in its author. Both are relevant to the prevention of insider attacks, which are a thorny and long-standing problem in software security. ii This dissertation is intended for several audiences: • Election staff, policymakers, and activists: If you run elections or influence how elections are conducted, I hope to make you aware of the perils of complexity in software (Chapters 1 and 9), and to calibrate your tolerance for complexity in election software by demonstrating how much it can be simplified. I also hope to contribute to your understanding of the tradeoffs among various choices of voting equipment and verification methods (Chapter 3). • Engineers: If you build software, you may be able to achieve greater confidence in it using the analysis, design, and review strategies presented here (Chapters 2, 3, and 8). If you develop voting machines, you can apply the prerendering strategy to create more reliable software (Chapter 4), use ideas from Pvote’s design and implementation (Chapters 5, 6, and 7), or use the Pvote code as a basis for your own software (Appendices A and B). • Researchers: If you investigate software reliability or security, you may be interested in assurance trees (Chapter 2), a way of structuring assurance claims during software design, prerendering (Chapter 4) as a strategy for reducing the trusted code base of a system, or derivation maps (Chapter 9) for understanding sources of vulnerability to insiders and the effects of shifting complexity among components. The Pvote review experience (Chapter 8 and Appendix E) motivates research challenges in the design of programming languages, development environments, and reviewing tools to support adversarial code review. • Designers: If you practice visual design or interaction design, you may be interested to learn how prerendering (Chapter 4), the main software approach presented here, can offer you unprecedented freedom in designing electronic ballots and new opportunities for advancing democracy through the power of design. Preface iii Contributions This is a quick guide to the main contributions of this work and where to find them. 1. A set of correctness properties for voting software derived as an assurance tree (page 24). 2. An assurance chart comparing types of voting systems according to the verification mechanisms available to voters at each step of the voting process (page 56). 3. User interface prerendering, a technique for reducing the complexity of critical software components (page 57). 4. Pvote’s ballot definition file format, a platform-independent format for describing the ballot and the voting user interface in a prerendered user interface voting system (page 121). 5. The software design of Pvote, a vote-entry program with support for a wide range of ballot designs and voters with disabilities (page 127). 6. A set of desirable properties of programming languages to support adversarial code review (page 149). 7. Lessons learned from the Pvote security review, the first open adversarial code review of voting software designed for minimal complexity and high assurance (page 153). 8. Derivation mapping, a method of diagramming the provenance of a security-critical artifact to identify sources of vulnerability to insider attacks (page 161). 9. A security argument for the use of high-level programming languages in high-assurance software (page 173). 10. Proof by construction (the implementation of Pvote) that a fully featured user interface for voting can be implemented in 460 lines of Python (page 217). 11. A security analysis and a set of assurance arguments for Pvote, which are given in a separate document [92]. iv Acknowledgements I have been extremely lucky to have David Wagner and Marti Hearst as my advisors. They supervised and supported this work, and provided me with guidance and insight during my career as a graduate student. They removed obstacles and sought out opportunities for me. Their responsiveness and detailed feedback have been fantastic. I also thank Henry Brady and Joe Hellerstein, who served on my committee and went out of their way to review this dissertation on a short time frame. Steve Bellovin suggested the idea of prerendering, which sparked this work. Candy Lopez of the Contra Costa County Elections Department patiently showed me how real elections are run. Scott Luebking and Noel Runyan helped me understand the accessibility issues surrounding voting.