Voting Machine Attacks Proven To Be Practical
An anonymous reader writes "Every time a bunch of academics show vulnerabilities in electronic voting machines, critics complain that the attacks aren't realistic, that attackers won't have access to source code, or design documents, or be able to manipulate the hardware, etc. So this time a bunch of computer scientists from UCSD, Michigan, and Princeton offered a rebuttal. They completely own the AVC Advantage using no access to source code or design documents (PDF), and deliver a complete working attack in a plug-in cartridge that could be used by anyone with a few private minutes with the machine. Moreover, they came up with some cool tricks to do this on a machine protected against traditional code injection attacks (the AVC processor will only execute instructions from ROM). The research was presented at this week's USENIX EVT."
Old News (Score:5, Informative)
.PDF text (Score:3, Informative)
Copy/paste, some formatting, no tables. Extra carriage returns (sorry)... "Implementing the gadgets" section stripped off...
Abstract
A secure voting machine design must withstand new attacks devised throughout its multi-decade service lifetime. In this paper, we give a case study of the long-term security of a voting machine, the Sequoia AVC Advantage, whose design dates back to the early 80s. The AVC Advantage was designed with promising security features: its software is stored entirely in read-only memory and the hardware refuses to execute instructions fetched from RAM. Nevertheless, we demonstrate that an attacker can induce the AVC Advantage to misbehave in arbitrary ways--including changing the outcome of an election--by means of a memory cartridge containing a specially-formatted payload. Our attack makes essential use of a recently-invented exploitation technique called return-oriented programming, adapted here to the Z80 processor. In return-oriented programming, short snippets of benign code already present in the system are combined to yield malicious behavior. Our results demonstrate the relevance of recent ideas from systems security to voting machine research, and vice versa. We had no access either to source code or documentation beyond that available on Sequoia's web site. We have created a complete vote-stealing demonstration exploit and verified that it works correctly on the actual hardware.
1 Introduction
A secure voting machine design must withstand not only the attacks known when it is created but also those invented through the design's service lifetime. Because the development, certification, and procurement cycle for voting machines is unusually slow, the service lifetime can be twenty or thirty years. It is unrealistic to hope that any design, however good, will remain secure for so long.1
In this paper, we give a case study of the long-term security of a voting machine, the Sequoia AVC Advantage. The hardware design of the AVC Advantage dates back to the early 80s; recent variants, whose hardware differs mainly in featuring a daughterboard enabling audio voting for the blind [3], are still used in New Jersey, Louisiana, and elsewhere. We study the 5.00D version (which does not include the daughterboard) in machines decommissioned by Buncombe County, North Carolina, and purchased by Andrew Appel through a government auction site [2].
(Figure: The AVC Advantage voting machine we studied.)
The AVC Advantage appears, in some respects, to offer better security features than many of the other direct-recording electronic (DRE) voting machines that have been studied in recent years. The hardware and software were custom-designed and are specialized for use in a DRE. The entire machine firmware (for version 5.00D) fits on three 64kB EPROMs. The interface to voters lacks the touchscreen and memory card reader common in more recent designs. The software appears to contain fewer memory errors, such as buffer overflows, than some competing systems. Most interestingly, the AVC Advantage motherboard contains circuitry disallowing instruction fetches from RAM, making the AVC Advantage a true Harvard-architecture machine.2
Nevertheless, we demonstrate that the AVC Advantage can be induced to undertake arbitrary, attacker-chosen behavior by means of a memory cartridge containing a specially-formatted payload. An attacker who has access to the machine the night before an election can use our techniques to affect the outcome of an election by replacing the election program with another whose visible behavior is nearly indistinguishable from the legitimate program but that adds, removes, or changes votes as the attacker wishes. Unlike those attacks described in the (contemporaneous, independent) study by Appel et al. [3, 4] that allow arbitrary computation to be induced, our attack
Re:Not a Bug (Score:3, Informative)
The only problem with this is that you aren't going to get a few "private minutes" with the machine and that any competent election authority is going to seal the machine with tamper-evident seals.
I've worked as an elections inspector (poll worker) in the state of New York for the last five years. Every aspect of the machine (both the old style lever machines and the new optical scanning machines) that could be tampered with is sealed with numbered tamper-evident devices. If the numbers on the seals don't match up with the records retained by the Board of Elections then you know the machine has been tampered with. This isn't rocket science, people.
Our new machines go even further than that. They both retain the actual ballots themselves in a locked ballot box and retain a scanned image of those ballots on a memory card. The memory card is removed from the machine at the end of the election and hand delivered to the Board of Elections. It is designed to serve as a backup in the event that the machine is destroyed (i.e: building burns down) and the ballots are lost. The ballots themselves are only scanned by the machine and not marked in any way. In the event of an issue with the machine there is nothing stopping you from counting each ballot by hand with the Mark I human eyeball.
If you can find a way to rig an election in the State of New York then I'd be real interested in knowing about it. I've worked behind the scenes here for a long time and I haven't seen any vulnerabilities in the system. The only voting technology that I'd be concerned about is DRE (direct electronic record) -- but thankfully my state wasn't stupid enough to go that route.
Re:.PDF text (Score:4, Informative)
Here it is without the IDIOTIC carriage returns. Yes, you are an IDIOT, guido-cock.
Abstract
A secure voting machine design must withstand new attacks devised throughout its multi-decade service lifetime. In this paper, we give a case study of the long-term security of a voting machine, the Sequoia AVC Advantage, whose design dates back to the early 80s. The AVC Advantage was designed with promising security features: its software is stored entirely in read-only memory and the hardware refuses to execute instructions fetched from RAM. Nevertheless, we demonstrate that an attacker can induce the AVC Advantage to misbehave in arbitrary ways--including changing the outcome of an election--by means of a memory cartridge containing a specially-formatted payload. Our attack makes essential use of a recently-invented exploitation technique called return-oriented programming, adapted here to the Z80 processor. In return-oriented programming, short snippets of benign code already present in the system are combined to yield malicious behavior. Our results demonstrate the relevance of recent ideas from systems security to voting machine research, and vice versa. We had no access either to source code or documentation beyond that available on Sequoia's web site. We have created a complete vote-stealing demonstration exploit and verified that it works correctly on the actual hardware.
1 Introduction
A secure voting machine design must withstand not only the attacks known when it is created but also those invented through the design's service lifetime. Because the development, certification, and procurement cycle for voting machines is unusually slow, the service lifetime can be twenty or thirty years. It is unrealistic to hope that any design, however good, will remain secure for so long.1
In this paper, we give a case study of the long-term security of a voting machine, the Sequoia AVC Advantage. The hardware design of the AVC Advantage dates back to the early 80s; recent variants, whose hardware differs mainly in featuring a daughterboard enabling audio voting for the blind [3], are still used in New Jersey, Louisiana, and elsewhere. We study the 5.00D version (which does not include the daughterboard) in machines decommissioned by Buncombe County, North Carolina, and purchased by Andrew Appel through a government auction site [2].
(Figure: The AVC Advantage voting machine we studied.)
The AVC Advantage appears, in some respects, to offer better security features than many of the other direct-recording electronic (DRE) voting machines that have been studied in recent years. The hardware and software were custom-designed and are specialized for use in a DRE. The entire machine firmware (for version 5.00D) fits on three 64kB EPROMs. The interface to voters lacks the touchscreen and memory card reader common in more recent designs. The software appears to contain fewer memory errors, such as buffer overflows, than some competing systems. Most interestingly, the AVC Advantage motherboard contains circuitry disallowing instruction fetches from RAM, making the AVC Advantage a true Harvard-architecture machine.2
Nevertheless, we demonstrate that the AVC Advantage can be induced to undertake arbitrary, attacker-chosen behavior by means of a memory cartridge containing a specially-formatted payload. An attacker who has access to the machine the night before an election can use our techniques to affect the outcome of an election by replacing the election program with another whose visible behavior is nearly indistinguishable from the legitimate program but that adds, removes, or changes votes as the attacker wishes. Unlike those attacks described in the (contemporaneous, independent) study by Appel et al. [3, 4] that allow arbitrary computation to be induced, our attack does not require replacing the system ROMs or processor and does not rely on the presence of the daughterboard added in later revisions. Our attack makes essential use of return-oriented programming
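The paper text quoted in this post and in the earlier ".PDF text" post explains why ROM-only execution does not stop return-oriented programming: the chain consists only of addresses of code already in ROM, written into data memory. The following toy Harvard machine is an added example, not code from the paper, from Sequoia, or from either poster; it assumes a bug that lets cartridge data reach the stack (the paper's actual vector is not on this page) and shows the kind of control-flow check (a shadow stack the cartridge cannot write) that does catch such a chain.

```python
# Added example (not from the paper, Sequoia, or the posters): a toy Harvard
# machine. Code is fetched only from ROM (an immutable tuple); the stack is
# RAM that a cartridge can fill (the bug allowing that is assumed here). A
# shadow stack the cartridge cannot write flags a RET that no CALL set up.
ROM = (
    ("CALL", 2),         # 0  main: count one vote for A, then stop
    ("HALT", None),      # 1
    ("LOG", "count_A"),  # 2  count_vote_A
    ("RET", None),       # 3
    ("LOG", "count_B"),  # 4  count_vote_B
    ("RET", None),       # 5
    ("LOG", "tally"),    # 6  print_tally
    ("RET", None),       # 7
)

class ControlFlowViolation(Exception):
    """A RET target did not match the shadow stack."""

def run(rom, ram_stack=(), start=0, shadow=False, max_steps=100):
    """Run ROM from `start`; return the LOG labels executed (ram_stack top = last item)."""
    pc, stack, shadow_stack, log = start, list(ram_stack), [], []
    for _ in range(max_steps):
        op, arg = rom[pc]                # fetch from ROM only, never from RAM
        if op == "CALL":
            stack.append(pc + 1)         # return address in writable RAM...
            shadow_stack.append(pc + 1)  # ...and in the protected copy
            pc = arg
        elif op == "RET":
            target = stack.pop()
            expected = shadow_stack.pop() if shadow_stack else None
            if shadow and target != expected:
                raise ControlFlowViolation(f"RET to {target}, expected {expected}")
            pc = target
        elif op == "LOG":
            log.append(arg)
            pc += 1
        else:                            # HALT
            return log
    raise RuntimeError("step limit exceeded")

# Constructed payload: ROM addresses only, no instructions. Popped from the
# end: 4, 4, 6, then 1 (HALT), so the unmodified ROM counts twice for B.
# Execution "resumes" at 3, the RET of the routine whose frame was overwritten.
CHAIN = [1, 6, 4, 4]

def shadow_stack_catches_chain():
    try:
        run(ROM, CHAIN, start=3, shadow=True)
    except ControlFlowViolation:
        return True
    return False
```

Compare `run(ROM)` with `run(ROM, CHAIN, start=3)`: the ROM tuple is identical in both runs, yet the second executes attacker-chosen routines in attacker-chosen order, which is exactly what a fetch-from-ROM-only rule cannot prevent.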
Re:Not a Bug (Score:5, Informative)
From TFA:
"The attacker does not need to remove any tamper-evident seals; in particular, he does not need to remove the circuit-board cover."
(CAPTCHA: counted)
Re:Still not fair. (Score:4, Informative)
The absence of perfect fraud does not indicate the absence of fraud.
Re:Not a Bug (Score:3, Informative)
Surely that depends on the standards of voting privacy in your district, like whether you get a three-sided screen block or a complete booth with ceiling-to-floor curtains.
The voting booth is separate from the machine. The "voting booth" itself is nothing more than a plastic stand with a privacy screen and a supply of felt-tipped markers. The machine itself is in plain view of the election inspectors and everybody else who happens to be in the polling place. Trust me, you aren't going to be able to tamper with it without being caught during the election. After the election is another matter but that's why they have the backup memory card and myriad of seals on the machine.
And an election can be thwarted by leaving evidence of tampering in a district you want to disenfranchise.
If tampering is evident then the voting machine is going to receive closer scrutiny. The votes aren't automatically going to be discarded. If the "tampering" consists of removing the seals around the memory interface but not the ballot box and the number of ballots therein equals the number of signatures in the poll book then they are simply going to hand count the ballots (or scan them in a different machine). If the tampering consists of removing the seals around the ballot box then they will fall back on the aforementioned memory card that was removed after the election and returned to the Elections Board.
It's really not as easy to rig an election as people around here seem to think it is. I would encourage everybody who cares about this issue to volunteer to be a poll worker. The Election Boards are always looking for help and you'll get a chance to see the system from the inside. All it's going to cost you is a vacation day or two and some time. In some states you even get paid for doing it.
Return-oriented device Pwning? (Score:3, Informative)
Looks like return-oriented programming is a nice way to own various pieces of locked down hardware, e.g. region-coded DVD drives, carrier-locked phones etc.
Re:Not a Bug (Score:3, Informative)
Or, in a lot of cases (including my own state, incidentally), an enclosed booth where you are alone with a touch-screen terminal directly connected to the voting machine. Because felt-tipped markers are, y'know, *old-fashioned*.
Here's an electronic system I can trust (Score:2, Informative)
Here's a system I can trust:
User uses a machine to prepare a printed ballot. In addition to printing the ballot the machine records a running tally. Of course, both are subject to fraud.
The user inspects the printed ballot. If the printed ballot is bogus it is invalidated and the user votes again. If the user is blind he has a trusted friend or a machine read the ballot back to him. If he uses a machine, it will be a machine developed independently from the ballot-printing machine. There is an opportunity for fraud by the friend or the ballot-readback machine but the odds of a successful collusion with the ballot-preparing machine are greatly reduced.
The user deposits the printed ballot in a ballot box just as he would a hand-filled-in ballot. In fact, some voters may choose to use a hand-filled-in ballot, although those voting in languages other than English or heavy-minority languages may be forced to use the ballot-marking machine, as might those who cannot see and who do not have someone with them.
The numbers collected by the ballot-preparation machine are unofficial and incomplete. They may have utility for spotting statistical anomalies in the official result, which of course would generate a recount.
The printed ballots are then counted, either locally or at a central location, by two machines, each developed independently and used by different teams of counters. If the results vary by enough to sway any race, a third count, probably by hand, will be done.
There, that's a system that
* I can trust, provided I can trust the people conducting the election**
* A system that has machine voting, or should I say, machine-assisted voting
**yeah yeah I know, "trust the people conducting the election" is probably impossible, but I can dream, can't I?
--
Advantages of such a system over manual-fill-in bubble-sheets:
* Arbitrary numbers of languages can be supported easily without wasting paper
* Arbitrary number of different elections can be held at the same location without wasting paper
Disadvantages:
* Cost
* Complexity
* Requires more poll watchers