Re: code validation?

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Tue Feb 22 2005 - 16:05:47 CST

On Feb 22, 2005, at 4:45 PM, Ron Crane wrote:
> This means that we have to trust certain people in the "official
> releasing authority", especially if portions of the executable code
> base are built (e.g. compiled) from the publicly-revealed sources.
> Let's say that someone associated with OVC wanted to add cheating
> code. If the executable code were built from the sources, it would be
> relatively simple for the cheater were she to become the "build
> maven" or a sysadmin. This is a strong argument for using only
> interpreted languages (without self-modifying capabilities!)

While I'm a big fan of -dynamic- languages (Python, Ruby, etc), as you
can find in the archives, I don't want to push them based on false
arguments. The solution to getting properly verified voting system
code is a combination of open source and good crypto protocols (largely
use of a strong hash). This isn't any different whether the OVC apps
are coded in, e.g. Python, or in C.

Let's say I wanted to insert malicious code (as someone quite plausible
to have the role of "build maven", having been project lead for a
while, and now being OVC CTO), what would happen? So I write the nasty
code, simple enough.

But here's the rub: to maintain transparency, OVC releases the complete
code, including build scripts or instructions. I.e. (1) Here's the
code; (2) It is compiled with MyLang compiler version 3.14, using
switches -x -y -z; (3) The resultant executable is hashed using the
widely available tool 'sha' and produces hash 0x1a3c245....

In my power position I can easily release code X, while internally
building with malicious code X'. But all those people out there who
try compiling the released code (and they all have the Free Software
MyLang-compile application) find that their hash doesn't match mine.
So the word goes up that the current build is not to be trusted until
matching code and hash are specified. If I release X', the many eyes
will (hopefully) find my malicious modification (it still takes human
examination, but I can't hide what I've done).

The guiding principle of OVC is "trust no one"... not me, not Alan, not
Arthur, not your own mother, etc. With transparency, everything we
claim to be so can be independently verified. This includes that the
right CD is actually delivered to polling places, the released code is
that actually used to build the CDs, etc.

_______________________________________________
OVC discuss mailing lists
Send requests to subscribe or unsubscribe to arthur@openvotingconsortium.org
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Sun Feb 27 17:17:10 2005

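The release, rebuild and compare procedure described in the message, as an added Python example that is not code from the message or from OVC. The real compiler is replaced by a deterministic stand-in, and the source tree, toolchain description and tampered variant are constructed for illustration.

```python
import hashlib
import json

# Constructed stand-in for a released source tree X (not OVC code).
RELEASED_SRC = {
    "main.c": "int main(void) { return 0; }\n",
    "tally.c": "int tally(const int *v, int n) {\n"
               "  int s = 0; for (int i = 0; i < n; i++) s += v[i]; return s; }\n",
}
# X': the same tree with a hidden change a dishonest "build maven" could compile privately.
TAMPERED_SRC = dict(RELEASED_SRC)
TAMPERED_SRC["tally.c"] = RELEASED_SRC["tally.c"].replace("s += v[i]", "s += v[i] + (i == 0)")
# "MyLang compiler version 3.14, using switches -x -y -z" from the message, as a dict.
TOOLCHAIN = {"compiler": "MyLang", "version": "3.14", "flags": ["-x", "-y", "-z"]}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def source_digest(tree: dict) -> str:
    """Hash of the source tree in a canonical (sorted, length-framed) serialisation."""
    blob = b"".join(f"{n}\0{len(tree[n])}\0{tree[n]}".encode() for n in sorted(tree))
    return sha256_hex(blob)


def build(tree: dict, toolchain: dict) -> bytes:
    """Deterministic stand-in for the compiler (assumption): the output is a pure
    function of sources + toolchain, which is the property a reproducible build needs."""
    header = json.dumps(toolchain, sort_keys=True).encode()
    body = b"".join(f"{n}\0{tree[n]}\0".encode() for n in sorted(tree))
    return header + b"\n" + body


def publish_manifest(tree: dict, toolchain: dict, shipped: bytes) -> dict:
    """What the releasing authority publishes: source hash, toolchain, hash of what ships."""
    return {"toolchain": toolchain, "source_sha256": source_digest(tree),
            "artifact_sha256": sha256_hex(shipped)}


def verify(manifest: dict, released_tree: dict, delivered: bytes) -> list:
    """Independent check by anyone with the sources: each mismatch is a reason
    not to trust the build until matching code and hash are published."""
    findings = []
    if source_digest(released_tree) != manifest["source_sha256"]:
        findings.append("released source does not match manifest")
    rebuilt = build(released_tree, manifest["toolchain"])
    if sha256_hex(rebuilt) != manifest["artifact_sha256"]:
        findings.append("rebuild from released source does not reproduce published hash")
    if sha256_hex(delivered) != manifest["artifact_sha256"]:
        findings.append("delivered artifact does not match published hash")
    return findings
```

In the "release X, build X' internally" case the delivered CD matches the published hash, but the rebuild from X does not, which is exactly the mismatch the message expects independent compilers to report.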