You Go to Elections with the Voting System You Have: Stop-Gap Mitigations for Deployed Voting Systems

J. Alex Halderman Eric Rescorla Princeton University RTFM, Inc.

Hovav Shacham David Wagner University of California, San Diego University of California, Berkeley

EVT 2008 You go to elections with the voting system you have 1 Motivation

• All electronic voting systems studied have serious vulnerabilities • Election officials have been deploying mitigations – Designed under tight time pressure – Limited input from security experts – Not clear how well these work • Can we do better?

“With new but realistic procedures; with no changes to existing hardware; and with few and modest changes to existing software, how can we best secure elections?”

EVT 2008 You go to elections with the voting system you have 2 Basic Assumptions

• Threats – Software will remain vulnerable – Hardware will remain only modestly resistant to physical attack – Polling places have little physical security – Compromise is undetectable and irreversible • Unfortunate limitations – County headquarters is kept physically secure

EVT 2008 You go to elections with the voting system you have 3 Main concern is viruses

Ballot Definition Ballot Definition Polling Memory EMS Place Card Device Results Results

• All studied systems can be subverted with minimal unsupervised access • Polling place devices are poorly protected – Voters; poll workers; sleepovers • Subverting a single machine isn’t very useful – Too expensive to individually subvert every machine • But viruses allow a single attacker to compromise the entire county

EVT 2008 You go to elections with the voting system you have 4 Managing Viral Spread

• We can’t harden the polling place devices – Must assume that they will get infected – Objective is to prevent spread • Vectors – EMS, Memory cards, Polling-place networks • General principle: break dataflow cycles – All external machines assumed dirty – Avoid connecting dirty machines to clean machines – Once a machine is dirty, it’s always dirty – Build safe(r) replacements for potential vectors • Need to handle both in and out directions

EVT 2008 You go to elections with the voting system you have 5 Election Phases

• Device initialization • Voting • Early reporting • Tabulation • Auditing

EVT 2008 You go to elections with the voting system you have 6 Device Initialization

• Devices need to be programmed before each election – Load ballot definitions – Zero vote counters • Generally done with a memory card – Program cards with EMS – Disseminate cards to field • Cards get recycled through EMS • This is an obvious infection vector

EVT 2008 You go to elections with the voting system you have 7 Initialization With Single-Use Memory Cards

• Use a new card for each election – Buy fresh cards – Initialize with trusted EMS – Deploy to field – When finished, discard or archive • Logistical issues – Cost: $20-$100/card (˜$10 for CF + adaptor) = $0.10/vote – Brittle if cards if are not handled carefully – Many systems use custom/legacy cards

EVT 2008 You go to elections with the voting system you have 8 Living With Reusable Cards: Initialization Gadgets

• Instead of an eraser, use a special purpose initialization gadget – EMS produces card images on CD – Initialization gadget copies CD to card – Gadget requires a hardware reset between cards • Gadgets is not a vector for viral spread (unlike EMS) – Even if it has vulnerabilities, the reset clears infection • No guarantee that malicious cards get cleared – Cards must be mated to their devices – ... otherwise we get increased infection each cycle • This is logistically extremely tricky

EVT 2008 You go to elections with the voting system you have 9 Why not just erase the cards?

Eraser EMS

From field To field

• Recommended by [Cal07a, Cal07b, CFH+07] • Not possible to guarantee erasure – “Memory cards” are flash memory + a microcontroller ∗ Some have replaceable firmware ∗ Fake card? – What about bugs in the eraser? • This does not guarantee safety of the EMS

EVT 2008 You go to elections with the voting system you have 10 How to build stateless gadgets

• Best case: new hardware – Firmware lives in ROM – Simple interface with hardware reset • More likely: single-purpose computers – Boot from read-only media – We still have to worry about BIOS infection – Need to guarantee hard power switch • What about VMs? – Now we’re depending on security of the VM [VMw08]

EVT 2008 You go to elections with the voting system you have 11 Early Reporting

• Many jurisdictions want election-night results – One of the major value propositions of e-voting 6. Procedural Safeguards and their Limitations

Polling Place Election HQ

Memory Download GEMS 1 Card AV -TSX CD-R AV -TSX Air Gap

Memory Upload GEMS 2 Card AV -TSX

From [CFH+07] Figure 6.1: Adopting a segregated dual-GEMS architecture would help protect against certain kinds of viruses. Officials use one GEMS server and set of central-office voting machines to create memory cards before the election. They use+ a second, physically separate GEMS server and set of • Use a sacrificialvoting machines afterEMS the election [CFH to tabulate07] results. The and GEMS wipe database is after transferred fromelection the first GEMS server to the second GEMS server using a write-once medium, such as a CD-R.

• No guaranteetwo systems of would correct be carefully segregated results and air-gapped1 to ensure that there are no cross- connections. The sacrificial GEMS installation would be treated as presumed-to-be-infected, so any machine or equipment that is ever connected to the sacrificial GEMS system must never again – A singlebe connected infected to the permanent card GEMS can installation. compromise Strict procedural controls the must be EMS applied to and all results ensure that any media that has been connected to the sacrificial GEMS installation is securely erased or reformatted before being used with the permanent GEMS installation. Before the election, system administrators would reformat and reinstall all the machines and • Only safesoftware with on the single-use sacrificial GEMS installation, cards to bring up a clean sacrificial installation. County staff would use the permanent GEMS installation to lay out the ballot, define the election, and program all of the AV-OS and AV-TSX memory cards. Then county staff would write a backup – Requiresof the GEMS extraordinarily database from the permanent careful GEMS installation procedures onto write-once media (e. g., CD-R or DVD-R), carry the media by hand to the sacrificial GEMS installation, and install that GEMS database onto the sacrificial GEMS. After this point, the permanent GEMS installation would not be used for the remainder of the election. On election night, as memory cards or other equipment are returned from the field, they would EVT 2008be taken to the sacrificial You go GEMS to elections installation with (not the the permanent voting system GEMS installation). you have Memory cards 12 would be read using the central-office AV-TSX and AV-OS units that are part of the sacrificial installation. The sacrificial GEMS would be used to accumulate and tabulate election results, produce reports, and calculate the official election results. Finally, after the election is over, all memory cards would be erased and reformatted using a separate laptop (not connected to either GEMS installation) that is used only for this purpose. This ensures that if the memory cards were carrying data infected with a virus, they have been returned to a clean uninfected state. Some mechanism would have to be devised to securely reformat the AV-OS memory cards. System administrators could optionally reformat all devices that are part of the sacrificial GEMS installation, including the GEMS PC. System administrators could then reinstall all of the software on the sacrificial GEMS installation, in preparation for the next election. This ensures a clean copy of the GEMS software. Unfortunately, there seems to be no reliable way to clean the sacrificial AV-TSX machines, so reformatting the sacrificial GEMS PC may not be worth the effort.

1This is a term applied when two networks are kept physically separate to ensure that data cannot flow from one network to the other. In particular, one ensures that no device attached to the first network is connected (directly or indirectly) to the second network.

6.10 A Segregated Dual-GEMS Architecture 63 Tabulation With Sanitization

Central Results Trusted Count EMS OPSCAN

Safe Results

Paper Sanitization Ballots

Device Results

• Sanitize the results prior to reading into EMS – Narrow input envelope • Tabulate/aggregate the results as normal

EVT 2008 You go to elections with the voting system you have 13 Sanitization Options

• Transcribe results tapes – Estimated cost: $1-$10/tape → $0.10/vote – What about latency? ∗ Can this be contracted out? – Information density too low to carry shellcode • OCR? – Current tapes cannot be reliably scanned [Fel08a] – Maybe add error correction/2-d bar code • What about vulnerabilities in image processing/OCR code?

EVT 2008 You go to elections with the voting system you have 14 Auditing (1) • Objectives – High confidence in accuracy – Transparency – Preserve vote privacy • We don’t have improvements here – Current precinct-based audits are less statistically powerful than we would like ∗ e.g., A 500 precinct election requires 28% auditing to get a 99% confidence level with a 1% margin of victory • Ballot-based auditing [CHF07] might help for opscan – But it’s incompatible with current equipment – And there are privacy issues • This is an open problem

EVT 2008 You go to elections with the voting system you have 15 Auditing (2)

• DRE with VVPAT – Auditing VVPATs is very inconvenient [GB07] – Lots of attacks even when a VVPAT is used [Eve07] – Some hope for spoiled ballot auditing ∗ Not completely worked out yet ∗ Also some attacks [Cra06] • DRE without VVPAT – No practical audit mechanisms – Easy for attackers to harmonize electronic records – And not clear what to do when they don’t match [Fel08b]

EVT 2008 You go to elections with the voting system you have 16 Deployment Scenarios (descending order of security)

• Opscan + Electronic ballot markers – Scan twice: precinct + central count with harmonization – Precinct count plus viral containment – Pure central count • Opscan + DRE for accessibility – Do 100% manual recount of VVPAT (DRE as EBM) • Pure DRE – 100% manual recount is impractical – Viral containment becomes imperative – If no VVPAT recovery seems unlikely

EVT 2008 You go to elections with the voting system you have 17 Summary

• Objective is to do the best we can with what we have • So, how well did we do? – Containment of viral spread from polling place devices ∗ But not the other way around! – Correct tabulation—even if some devices are compromised – Some detection of individual compromised devices • Residual risks – Insider attack still possible – Limited ability to recover from DRE compromise – Auditing is still more expensive than we would like • Still plenty more work to do

EVT 2008 You go to elections with the voting system you have 18 Questions?

EVT 2008 You go to elections with the voting system you have 19 References [Cal07a] California Secretary of State. Withdrawal of Approval of Diebold Election Systems, Inc., GEMS 1.18.24/AccuVote-TSX/AccuVote-OS DRE & Optical Scan Voting System and Con- ditional Reapproval of Withdrawal of Approval of Diebold Election Systems, Inc., GEMS 1.18.24/AccuVote-TSX/AccuVote-OS DRE & Optical Scan Voting System. Part of [Cal07c], October 2007.

[Cal07b] California Secretary of State. Withdrawal of Approval of Sequoia Voting Systems, Inc., WinEDS v 3.1.012/AVC Edge/Indsight/OPTECH 400-C DRE & Optical Scan Voting System and Conditional Reapproval of Use of Sequoia Voting Systems, Inc., WinEDS v 3.1.012/AVC Edge/Indsight/OPTECH 400-C DRE & Optical Scan Voting System. Part of [Cal07c], October 2007.

[Cal07c] California Secretary of State D. Bowen. “Top-To-Bottom” Review of voting machines certi- fied for use in California, 2007. Online: http://sos.ca.gov/elections/elections_vsr. htm.

[CFH+07] Joseph A. Calandrino, Ariel J. Feldman, J. Alex Halderman, David Wagner, Harlan Yu, and William P. Zeller. Source code review of the Diebold voting system. Part of [Cal07c], August 2007.

[CHF07] Joseph A. Calandrino, J. Alex Halderman, and Edward W. Felten. Machine-assisted election auditing. In Proc. 2007 USENIX/ACCURATE Electronic Voting Technology Workshop (EVT 07), August 2007.

EVT 2008 You go to elections with the voting system you have 19 [Cra06] Ronald E. Crane. Paper Trail Manipulation III. NIST Workshop on Developing an Anal- ysis of Threats to Voting Systems, November 2006. http://vote.nist.gov/threats/ PaperTrailManipulationIII1.pdf.

[Eve07] Sarah Peterson Everett. The Usability of Electronic Voting Machines and How Votes Can Be Changed Without Detection. PhD thesis, Rice University, 2007.

[Fel08a] Ed Felten. Evidence of New Jersey Election Discrepancies. http://www. freedom-to-tinker.com/?p=1266, March 2008.

[Fel08b] Ed Felten. NJ Election Discrepancies Worse Than Previously Thought, Contradict Sequoia’s Explanation. http://www.freedom-to-tinker.com/?p=1274, April 2008.

[GB07] Stephen N. Goggin and Michael D. Byrne. An Examination of the Auditability of Voter Verified Paper Audit Trail (VVPAT) Ballots. In Proc. 2007 USENIX/ACCURATE Electronic Voting Technology Workshop (EVT 07), August 2007.

[VMw08] VMware. VMware Security Advisory VMSA-2008-0005.1. http://www.vmware.com/ security/advisories/VMSA-2008-0005.html, March 2008.

EVT 2008 You go to elections with the voting system you have 19 Bonus Slides

EVT 2008 You go to elections with the voting system you have 20 Example: Diebold Virus [CFH+07]

• Voter inserts infected memory card into AV-TSX • AV-TSX automatically installs new software (Issue 5.2.1) • Infected AV-TSX writes infected memory card for results • Infected memory card placed in central office AV-TSX, infecting it • Infected AV-TSX attacks attached GEMS (running Windows) via network • Infected GEMS writes infected memory cards for next election • Infected memory cards inserted into precinct AV-TSXs, infecting them

EVT 2008 You go to elections with the voting system you have 21 Network Initialization

• Hart’s machines are also initialized via the network – Election definitions are on cards – Counter resets and cryptographic keys set via network • Need a stateless network initialization gadget • eSlate initialization is through the JBC – Need to marry eSlates and JBCs to prevent spread through this network

EVT 2008 You go to elections with the voting system you have 22 Firmware Updates

• We assume that election officials can verify correctness of firmware distribution • Conventional procedure is to use a single memory card to update all devices – Can’t guarantee card contents after first device processed • Read only cards – Needs hardware enforcement – Can’t trust card firmware • Use same card management procedures as with initialization – Best to bring gadget to the machine • No guarantees that this fixes compromised machines – They can refuse the update

EVT 2008 You go to elections with the voting system you have 23 Double-Checking Tabulation

• Tabulate on a sacrificial EMS • Emit summary results in machine readable format • Compare results tapes to summary entries – This can be done with random sampling

EVT 2008 You go to elections with the voting system you have 24