Re: code validation?

From: Edward Cherlin <cherlin_at_pacbell_dot_net>
Date: Wed Feb 23 2005 - 00:44:54 CST

On Tuesday 22 February 2005 11:30, Ron Crane wrote:
> This raises several interesting issues.

We have discussed all of these issues at length. I'll give you
short versions of the answers, but I assure you that the long
versions are there.

> How is the software
> reviewed?

Publicly, since it is Open Source. There will also be a standard
test suite in Open Source, so that any interested parties can
run it.

> What are the standards?

We are thinking of an IEEE standard, but that isn't written in
stone. I'm told that the current IEEE draft is rather feeble.

> Who has to review it, and
> for what?

The test suite must go through the full range of normal
operations, verified on screen, in the printed ballots, and in
the log files, and also a wide selection of attacks. For each
known attack, the standard will specify that the software must
either correct the "errors" or put up a "flag" to signal them to
the operator and any observers. That is, there must be a visible
and preferably audible error alert, and the details of the error
must be logged.

> Once review is completed, what happens? Does the
> reviewee incorporate the comments, re-test, then checkin the
> code to some source control system? Does the reviewer
> re-review the result before checkin?

All that and more, although the reviewers can't review stuff
before they can get at it. Remember that one of the main points
about source control is that you can roll back to a previous
version if the new version is hopeless, and that you always
maintain a stable production branch separate from any
development branches.

Software is not certified until it passes the standard test suite
plus any other public testing that people feel like trying on
it. None of this "but we have to get the new features in for
this election" nonsense. Election law needs to state that
election officials cannot plan to use new features in an
election unless software implementing them is certified some
number of months before the election.

> How is the source control
> system's security maintained?

Secure server, secure backup, checksums/hash values on everything
in sight. If you have more questions about how to secure a
server, there are several good books on the subject.

> What's the chain of custody
> between the reviewer(s) and the CD duplicator?

The CDs must pass the checksum/hash test when the machines are
set up for use. Fiddling the data on the disc doesn't let you
fiddle an election.

> Who are the
> people we must simply trust not to muck with the software?

Nobody. The source code can be read and compiled by anybody. The
checksums on the resulting binaries must match the official
distribution if using the same compiler and libraries.

> How
> do we minimize the number of trusted people?

Open Source, public testing, strong cryptography.

> -Ron
> > Hello Paul:
> >
> > Try looking under the word, "hash." A hash is sort of
> > a glorified checksum system that is run on the
> > original software. When the hash of the CD disk
> > running the software is run at startup on the voting
> > equipment, the number generated has to be the same as
> > the publicly published originally generated hash.
> > Additionally there would be various legal and
> > administrative techniques involving multiple, interested
> > witnesses in the CD duplication process. Foolproof?
> > No, but still very tamper resistant and compliant with
> > a good risk management approach to security IMHO.
> >
> > HTH, Ed Kennedy
> >
> > --- Paul Kinzelman <> wrote:
> >> I took a quick look back in the archives, and couldn't find this
> >> topic, and you folks must have thought about it already, but please
> >> allow me to ask it anyway...
> >>
> >> How do you validate that the code running on a voting machine
> >> has not been tampered with? Have you thought about using
> >> public key encryption on the OS release or something?
> >>
> >> _______________________________________________
> >> OVC discuss mailing lists
> >> Send requests to subscribe or unsubscribe to
> >>
> >
> > =====
> > --
> > 10777 Bendigo Cove
> > San Diego, CA 92126-2510
> >
> > Work for the common good.

Edward Cherlin
Generalist & activist--Linux, languages, literacy and more
"A knot! Oh, do let me help to undo it!"
--Alice in Wonderland
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
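The startup check described in the thread, a hash of the installed software compared against the publicly published hash with a visible flag and a logged record on any mismatch, as an added example that is not part of the original messages. It goes slightly beyond the thread's whole-disc hash by using a per-file manifest so that modified, missing and unexpected files are each reported; the manifest layout, file names and function names are assumptions, and the sample files are constructed in memory.

```python
import hashlib
import logging

# Constructed sample: the "official distribution" as a mapping of path -> bytes.
OFFICIAL_FILES = {
    "bin/ballot-ui": b"ballot user interface build 1.0\n",
    "bin/tally": b"tally build 1.0\n",
    "etc/ballot-layout.xml": b"<ballot><contest id='1'/></ballot>\n",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> dict:
    """Produce the published manifest: path -> SHA-256 of the official file."""
    return {path: sha256_hex(data) for path, data in files.items()}

def verify_installation(installed: dict, manifest: dict) -> dict:
    """Compare what is on the machine against the published manifest.

    Returns a report with three lists; the machine may proceed only if all
    are empty. Every discrepancy is logged so the details survive for
    election officials and observers.
    """
    report = {"modified": [], "missing": [], "unexpected": []}
    for path, expected in manifest.items():
        if path not in installed:
            report["missing"].append(path)
            logging.error("startup check: %s missing", path)
        elif sha256_hex(installed[path]) != expected:
            report["modified"].append(path)
            logging.error("startup check: %s hash mismatch (expected %s)", path, expected)
    for path in sorted(installed.keys() - manifest.keys()):
        report["unexpected"].append(path)
        logging.error("startup check: %s not in published manifest", path)
    return report

def passes(report: dict) -> bool:
    """True only when no category of discrepancy was found."""
    return not any(report.values())

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    manifest = build_manifest(OFFICIAL_FILES)
    tampered = dict(OFFICIAL_FILES)
    tampered["bin/tally"] = b"tally build 1.0 with a patch\n"  # constructed tamper
    report = verify_installation(tampered, manifest)
    print("PASS" if passes(report) else f"FLAG {report}")
```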
Received on Sun Feb 27 17:17:11 2005

This archive was generated by hypermail 2.1.8 : Sun Feb 27 2005 - 17:17:13 CST