Re: Interesting, But What About the Election-Day Virus?

From: Douglas W. Jones <jones_at_cs_dot_uiowa_dot_edu>
Date: Fri Dec 10 2004 - 09:28:13 CST

On Dec 9, 2004, at 11:10 AM, Nils Paz wrote:

> The idea is intriguing. That is why it would be important to perform
> OS checksums during an election at various and random times of the
> day. As suggested by Rick Gideon, MD5 could be the vehicle.

Here's how the gambling industry assures that the code in video slots
is legit. They call it the pyramid of trust in the software:

The processor must boot from genuine ROM - not from writable memory like
flash memory or eeprom or something like that. Booting from CD-ROM is
OK, but it must be ROM.

The boot code in ROM may load an application from alterable memory such
as disk or flash eeprom, but after loading, before execution, it computes
the checksum (a cryptographically secure checksum like MD5, obviously)
of the loaded code and compares it with the expected value, a value that
is burned into the ROM.

This process may continue, so the loaded code may load other code, but
only if it checks the checksum of that code before execution. If the
checksums ever fail to reconcile, the system shuts down and the Gaming
commission must be immediately informed so they can investigate.

At random, people from the gaming commission descend on casinos with their
portable test rig. At each machine, they pull the boot ROM and insert it
into their test rig to verify that the boot ROM is correct, then put it
back in the machine and reboot the machine. Pulling the boot ROM and
testing it cannot be done without someone from the casino with the keys
to the machine, someone else from the casino with the key required to
open the electronics cage, and two people from the gaming commission.
Before removal of the boot ROM, the tamper-evident seal over the ROM is
checked. When the boot ROM is reinstalled, a new tamper-evident seal is
signed, dated and applied over the ROM. Everyone takes notes on the
serial number, who signed, the date and the time.

Note that any update of the software requires a new boot ROM, and this
requires that the gaming commission examine the entire code release and
approve it before they'll accept that boot ROM.

Note that this does permit "multiboot" machines. The boot ROM can have
multiple checksums it will approve, so that one machine can be a penny
slot on weekdays and then get rebooted as a dollar slot on weekends,
but the boot ROM must make specific provision for each version in
advance. The writable media in the machine (disk, compact flash card,
whatever) can only be loaded with one of the approved versions that the
boot ROM is prepared to accept.

                Doug Jones
                jones@cs.uiowa.edu
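Added illustration (not part of Doug's message or any gaming-commission code): a small Python model of the pyramid of trust he describes, with a read-only boot ROM holding the approved digests, each stage checking the next stage's checksum after load and before execution, a multiboot ROM that accepts more than one game, and a shutdown on the first checksum that fails to reconcile. Assumptions: SHA-256 stands in for the MD5 named in the message, images are JSON blobs, and all stage names are constructed.

```python
import hashlib
import json

class BootHalt(Exception):
    """Checksum failed to reconcile: the machine halts and the commission is told."""

def digest(image: bytes) -> str:
    # Assumption: SHA-256 stands in for the MD5 the message names; MD5 is no
    # longer collision-resistant, so a modern test rig would not rely on it.
    return hashlib.sha256(image).hexdigest()

def make_image(name: str, next_approved=()) -> bytes:
    # A stage's image bundles its code (here just a name) with the digests it
    # will accept for the stage it loads next, so that list is itself covered
    # by the stage's own checksum, which the previous stage verified.
    return json.dumps({"name": name, "next": sorted(next_approved)}).encode()

def boot(rom_approved, stages, log):
    """Walk the pyramid: the ROM verifies stage 0, stage i verifies stage i+1.
    rom_approved: digests burned into the read-only boot ROM.
    stages: images read from writable media (disk, flash), in load order.
    Returns the names of the stages that were verified and run."""
    approved, verifier, booted = frozenset(rom_approved), "boot ROM", []
    for image in stages:
        d = digest(image)  # computed after load, before execution
        if d not in approved:
            log.append(f"{verifier}: next stage does not reconcile -> shut down")
            raise BootHalt(verifier)
        stage = json.loads(image)
        log.append(f"{verifier}: verified {stage['name']} ({d[:12]})")
        booted.append(stage["name"])
        approved, verifier = frozenset(stage["next"]), stage["name"]
    return booted

def example_images():
    """Constructed sample machine: a multiboot ROM that approves a penny game
    and a dollar game, each of which approves only its own paytable stage."""
    penny_table = make_image("penny-paytable")
    dollar_table = make_image("dollar-paytable")
    penny = make_image("penny-slot", [digest(penny_table)])
    dollar = make_image("dollar-slot", [digest(dollar_table)])
    return {"rom": [digest(penny), digest(dollar)], "penny": penny,
            "dollar": dollar, "penny_table": penny_table,
            "dollar_table": dollar_table,
            # a release the commission never examined, so not in the ROM
            "unapproved": make_image("dollar-slot-v2", [digest(dollar_table)])}
```

Swapping the dollar game's paytable for the penny one halts at the dollar stage, and an unapproved release halts at the ROM, which is the behaviour the gaming rules require.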
