
Electronic Voting: Danger and Opportunity

Electronic Voting: Danger and Opportunity. J. Alex Halderman Department of Computer Science Center for Information Technology Policy Princeton University. Joint work with …. Joe Calandrino. Ari Feldman. Ed Felten. 2000 Recount Debacle Legislative response: Help America Vote Act


Presentation Transcript


  1. Electronic Voting: Danger and Opportunity J. Alex Halderman, Department of Computer Science, Center for Information Technology Policy, Princeton University

  2. Joint work with … Joe Calandrino, Ari Feldman, Ed Felten

  3. 2000 Recount Debacle Legislative response: Help America Vote Act. Provided $3.9 billion to states to upgrade voting machines by November 2006

  4. DREs to the Rescue? Direct Recording Electronic – Store votes in internal memory

  5. DREs are Computers Rootkits Viruses Bugs Attacks =

  6. Diebold’s History of Secrecy • Prevented states from allowing independent security audits – hid behind NDAs, trade secret law • Source code leaked in 2003, researchers at Johns Hopkins found major flaws – Diebold responded with vague legal threats, personal attacks, disinformation campaign • Internal emails leaked in 2003 reveal poor security practices by developers – Diebold tried to suppress sites with legal threats

  7. We Get a Machine (2006) • Obtained legally from an anonymous private party • Software is 2002 version, but certified and used in actual elections • First complete, public, independent security audit of a DRE

  8. Research Goals • Conduct independent security audit • Confirm findings of previous researchers (Hursti, Kohno et al.) • Verify threats by building demonstration attacks • Figure out how to do better Who wants to know? Voters, candidates, election officials, policy makers, researchers

  9. [Hardware photo labels] SH3 CPU • 32 MB RAM • 128 KB EPROM • 16 MB Flash • Boot Jumper Table • 2 PCMCIA Slots

  10. Software Problems One Example: DES-CBC_K(BallotID : VoteBitmap), CRC-16(…)

  11. Our Findings • Malicious software running on the machine can steal votes undetectably, altering all backups and logs [Feldman, Halderman & Felten 2007]

  12. Correct result: George 5, Benedict 0

  13. Our Findings • Malicious software running on the machine can steal votes undetectably, altering all backups and logs • Anyone with physical access to the machine or memory card can install malicious code in as little as one minute [Feldman, Halderman & Felten 2007]

  14. The Key

  15. Our Findings • Malicious software running on the machine can steal votes undetectably, altering all backups and logs • Anyone with physical access to the machine or memory card can install malicious code in as little as one minute • Malicious code can spread automatically and silently from machine to machine in the form of a voting machine virus [Feldman, Halderman & Felten 2007]

  16. Voting Machine Virus

  17. Viral Spread

  18. California “Top-to-Bottom” Study • Bill Zeller • Alex Halderman • Harlan Yu • Joe Calandrino • Debra Bowen • Ari Feldman

  19. California “Top-to-Bottom” Results • Hart • Sequoia • Diebold

  20. WHAT TO DO?

  21. E-Voting Advantages • Voters prefer it • Faster reporting • Fewer undervotes • Improved accessibility • Potentially increased security*

  22. WE CAN DO BETTER!

  23. Electronic + Paper Records • Touch-screen (DRE) machine, plus voter-verifiable paper trail • Hand-marked paper ballot, machine-scanned immediately

  24. Failure Modes • Paper Ballots: physical tampering, “retail” fraud, after the election • Electronic Records: cyber-tampering, “wholesale” fraud, before the election • Redundancy + Different failure modes = Greater security • But… Redundancy only helps if we use both records!

  25. How to Use Paper Records? • Use a machine to count the paper records: too risky • Count all the paper records by hand: too expensive • Check a random subset of paper records by hand: …but which subset?

  26. Standard Approach Pick some precincts randomly. Hand-count paper records. Should match electronic records.

  27. Statistical Auditing’s Goal Establish, with high statistical confidence, that hand-counting all of the paper records would yield the same winner as the electronic tally.

  28. Audit Example • Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper • Alice: 55%, Bob: 45% • For 95% confidence, hand-audit 60 precincts • Cost: about $100,000

  29. An Alternative Approach • Precinct-based auditing • Ballot-based auditing

  30. • 100 marbles, 10% blue • 6300 beads, 10% blue • How large a sample do we need?

  31. Audit Example Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper ballots Alice: 55% Bob: 45% For 95% confidence, hand-audit 60 precincts Cost: about $100,000 $1,000

  32. Why Not Ballot-based? Need to match up electronic with paper ballots. Compromises the secret ballot! [Diagram: voting machine; paper ballots ● Alice ○ Bob, ○ Alice ● Bob, ● Alice ○ Bob; electronic records Alice, Bob, Alice]

  33. Secret Ballot Prevents coercion and vote-buying. Requirements: • Nobody can tell how you voted. • You can’t prove to anyone how you voted. • You can be confident in these properties.

  34. Serial Numbers [Diagram: voting machine; paper ballots 1 (● Alice ○ Bob), 2 (○ Alice ● Bob), 3 (● Alice ○ Bob); electronic records 1 Alice, 2 Bob, 3 Alice]

  35. “Random” Identifiers [Diagram: voting machine; paper ballots 325631 (● Alice ○ Bob), 218594 (○ Alice ● Bob), 810581 (● Alice ○ Bob); electronic records 325631 Alice, 218594 Bob, 810581 Alice]

  36. Machine-Assisted Auditing Step 1. Check electronic records against paper records using a recount machine. [Diagram: paper ballot 1 (○ Alice ● Bob); electronic records 1 Bob, 2 Alice, ... 929 Bob; totals Alice: 510, Bob: 419] [Calandrino, Halderman & Felten 2007]

  37. Machine-Assisted Auditing [Diagram: paper ballot 1 (○ Alice ● Bob); electronic records 1 Bob, Alice, ... 929 Bob; totals Alice: 510, Bob: 419] [Calandrino, Halderman & Felten 2007]

  38. Machine-Assisted Auditing Step 2. Audit the recount machine by selecting random ballots for human inspection. [Diagram: paper ballots 1 (○ Alice ● Bob), 321 (○ Alice ● Bob), 716 (● Alice ○ Bob); electronic records 1 Bob, Alice, ... 929 Bob; selected records 321 Bob, 716 Alice] [Calandrino, Halderman & Felten 2007]

  39. Machine-Assisted Auditing As efficient as ballot-based auditing, while protecting the secret ballot. Machine Recount • Manual Audit. We can use a machine without having to trust it!
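
The marbles-and-beads question on slide 30, worked as an added example (not part of the original presentation): it computes the smallest sample, drawn without replacement, that finds at least one discrepant unit with a given confidence. The 95% confidence applied to the jars and the 100,000-ballot election are assumptions made here; the function names are hypothetical.

```python
from fractions import Fraction


def miss_probability(population, marked, sample):
    """Chance that `sample` units drawn without replacement contain no marked unit."""
    if not (0 <= marked <= population and 0 <= sample <= population):
        raise ValueError("marked and sample must lie in [0, population]")
    p = Fraction(1)
    for i in range(sample):
        # Unmarked units still in the pool, over all units still in the pool.
        p *= Fraction(max(population - marked - i, 0), population - i)
    return p


def min_sample(population, marked, confidence=Fraction(95, 100)):
    """Smallest sample that finds at least one marked unit with >= confidence."""
    if marked <= 0:
        raise ValueError("nothing to detect: no sample can find a discrepancy")
    p = Fraction(1)
    for n in range(1, population + 1):
        p *= Fraction(max(population - marked - (n - 1), 0), population - (n - 1))
        if 1 - p >= confidence:
            return n
    return population


# Constructed inputs: slide 30's two jars, plus a hypothetical 100,000-ballot
# election in which 5% of paper ballots differ from their electronic records.
CASES = {
    "100 marbles, 10% blue": (100, 10),
    "6300 beads, 10% blue": (6300, 630),
    "100,000 ballots, 5% differ": (100_000, 5_000),
}

if __name__ == "__main__":
    for label, (population, marked) in CASES.items():
        n = min_sample(population, marked)
        miss = float(miss_probability(population, marked, n))
        print(f"{label}: sample {n}, miss chance {miss:.4f}")
```

The required sample depends on the fraction of discrepant units far more than on the population size, which is why sampling individual ballots needs so much less hand-counting than sampling whole precincts.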
