Re: Interesting, But What About the Election-Day Virus?

From: Robert Rapplean <robert_at_rapplean_dot_net>
Date: Fri Dec 10 2004 - 11:06:53 CST

This sounds like the Trusted Computing initiative. Has the group
discussed the application of trusted computing to voting software?

Douglas W. Jones wrote:

>
> On Dec 9, 2004, at 11:10 AM, Nils Paz wrote:
>
>> The idea is intriguing. That is why it would be important to perform
>> OS checksums during an election at various and random times of the
>> day. As suggested by Rick Gideon, MD5 could be the vehicle.
>
>
> Here's how the gambling industry assures that the code in video slots
> is legit. They call it the pyramid of trust in the software:
>
> The processor must boot from genuine ROM - not from writable memory like
> flash memory or eeprom or something like that. Booting from CD-ROM is
> OK, but it must be ROM.
>
> The boot code in ROM may load an application from alterable memory such
> as disk or flash eeprom, but after loading, before execution, it computes
> the checksum (a cryptographically secure checksum like MD5, obviously)
> of the loaded code and compares it with the expected value, a value that
> is burned into the ROM.
>
> This process may continue, so the loaded code may load other code, but
> only if it checks the checksum of that code before execution. If the
> checksums ever fail to reconcile, the system shuts down and the Gaming
> commission must be immediately informed so they can investigate.
>
> At random, people from the gaming commission descend on casinos with
> their portable test rig. At each machine, they pull the boot ROM and insert it
> into their test rig to verify that the boot ROM is correct, then put it
> back in the machine and reboot the machine. Pulling the boot ROM and
> testing it cannot be done without someone from the casino with the keys
> to the machine, someone else from the casino with the key required to
> open the electronics cage, and two people from the gaming commission.
> Before removal of the boot ROM, the tamper-evident seal over the ROM is
> checked. When the boot ROM is reinstalled, a new tamper-evident seal is
> signed, dated and applied over the ROM. Everyone takes notes on the
> serial number, who signed, the date and the time.
>
> Note that any update of the software requires a new boot ROM, and this
> requires that the gaming commission examine the entire code release and
> approve it before they'll accept that boot ROM.
>
> Note that this does permit "multiboot" machines. The boot ROM can have
> multiple checksums it will approve, so that one machine can be a penny
> slot on weekdays and then get rebooted as a dollar slot on weekends,
> but the boot ROM must make specific provision for each version in
> advance. The writable media in the machine (disk, compact flash card,
> whatever) can only be loaded with one of the approved versions that the
> boot ROM is prepared to accept.
>
> Doug Jones
> jones@cs.uiowa.edu
>
> _______________________________________________
> OVC discuss mailing lists
> Send requests to subscribe or unsubscribe to
> arthur@openvotingconsortium.org

_______________________________________________
OVC discuss mailing lists
Send requests to subscribe or unsubscribe to arthur@openvotingconsortium.org
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
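The boot-ROM checksum chain Doug Jones describes above, as an added Python model that is not from the thread or from any gaming system: the ROM holds a table of approved digests (more than one for the "multiboot" case), each stage hashes the next before handing over, any mismatch halts the boot rather than running the code, and a separate check models the commission's test rig comparing the pulled ROM against its reference. SHA-256 stands in for the MD5 the thread mentions, and the images, table and reference value are constructed samples.

```python
import hashlib

# Constructed sample images standing in for code held on writable media
# (disk, flash); on a real machine these would be read from that media.
STAGE_IMAGES = {
    "loader": b"loader build 1 (constructed sample)",
    "game-penny": b"penny slot application (constructed sample)",
    "game-dollar": b"dollar slot application (constructed sample)",
}

def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()  # SHA-256 in place of MD5

# The table "burned into ROM": the only digests each stage will accept.
# The "game" stage lists two approved versions, modelling multiboot.
ROM_APPROVED = {
    "loader": {digest(STAGE_IMAGES["loader"])},
    "game": {digest(STAGE_IMAGES["game-penny"]), digest(STAGE_IMAGES["game-dollar"])},
}

class ChecksumMismatch(Exception):
    pass

def verify_then_load(stage: str, image: bytes, approved: dict) -> str:
    """Hash the image before execution; return the matching approved digest."""
    d = digest(image)
    if d not in approved.get(stage, set()):
        raise ChecksumMismatch(f"{stage}: digest {d[:16]}... not in ROM table")
    return d

def attempt_boot(images: dict, approved: dict = ROM_APPROVED) -> dict:
    """Walk the pyramid: each stage verifies the next before handing over.
    On any mismatch the machine halts and reports rather than executing."""
    chain = []
    try:
        for stage in ("loader", "game"):
            chain.append((stage, verify_then_load(stage, images[stage], approved)))
    except ChecksumMismatch as exc:
        return {"state": "halted", "reason": str(exc), "chain": chain}
    return {"state": "running", "chain": chain}

def rom_fingerprint(table: dict) -> str:
    """Canonical digest of the ROM table, as the commission's test rig computes it."""
    return digest(repr(sorted((k, sorted(v)) for k, v in table.items())).encode())

# Reference held by the commission from approval time (constructed here).
COMMISSION_REFERENCE = rom_fingerprint(ROM_APPROVED)

def audit_boot_rom(table: dict, reference: str = COMMISSION_REFERENCE) -> bool:
    """Spot check: the pulled boot ROM must match the commission's reference."""
    return rom_fingerprint(table) == reference
```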
Received on Fri Dec 31 23:17:10 2004

This archive was generated by hypermail 2.1.8 : Fri Dec 31 2004 - 23:17:22 CST