Re: code validation? - rom based attacks

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Wed Feb 23 2005 - 14:41:42 CST

> This would mean forgoing the security benefits of open source software
> and falling back upon the second level of security provided by VVPAT.

Not forgoing. We want both.

The BIOS attack is significant, but not as overwhelming as Ron seems to
think. Stipulate that a nasty BIOS corrupts machines. It's not all
that easy to make that happen: the software on CD is quite a bit bigger
than normal ROM holds; tampering would have to detect/modify the
specific certified code version; the machine modification would need to
hide itself from visual and on-screen detection; etc. None of these
hacks are in principle impossible to do, but they're not that simple.
Especially once you add chain-of-custody procedures around the physical

But the paper acts as a check. Suppose a machine does various nasty
things. Voters inspect their ballots. If the tallies of paper don't
match the electronic tallies and audit records, that raises the level
of examination of the suspect machines. Not to a level where it is
100% inconceivable that tampering can evade detection, but it's as good
as the real-world gets (when I get on an airplane, or in a car, I'm not
100% sure I won't die because of mechanical or software failures).

Not every voter needs to actually inspect their ballot. Not even the
majority of voters need to. Just a moderately large random slice of
them needs to make the actual checks to make it statistically HIGHLY
likely that discrepancies will be detected. Maybe one of the
statisticians around here can tell us whether we need 2%, 5%, 10%, or
what exactly for actual voter verification.

> in a way that attempts to avoid the effects of VVPAT. An example of
> the former would be occasionally presenting the favored candidate
> first, or occasionally omitting disfavored candidates from the
> selections, or presenting the favored candidate in slightly bolder
> text than the disfavored ones, or making the favored candidate's
> selection area larger than the others (!),

Yeah... those are more subtle changes. But voters should be presented
with instructions prior to voting. As in, a piece of paper that says:
your on-screen ballot should look exactly like the below picture. Of
course not all voters will concretely check and catch subtle
discrepancies like font size and candidate position. But SOME of them
would. And those who noticed would report complaints. And scrutiny is
heightened, forensic analysis performed, etc.
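The sampling question raised in the post above (whether 2%, 5% or 10% of voters checking their paper record is enough for tampering to be caught) can be worked through under a simple model. The code below is an added example and is not part of the original thread or of any voting-project software. Its model is an assumption, not something the post states: a machine alters k of the ballots cast, each voter independently inspects their own paper record with probability f, and an inspecting voter whose ballot was altered notices with probability d. Under that model one altered ballot escapes with probability 1 - f*d, so all k escape with probability (1 - f*d)**k.

```python
"""Detection probability when a random slice of voters verify their VVPAT record.

Model (an assumption for illustration, not from the original post):
  - the machine alters k of the ballots cast;
  - each voter independently inspects their paper record with probability f;
  - an inspecting voter whose ballot was altered notices with probability d.
A single altered ballot then escapes with probability 1 - f*d, and all k
altered ballots escape with probability (1 - f*d) ** k.
"""


def p_detect(k: int, f: float, d: float = 1.0) -> float:
    """Probability that at least one of k altered ballots is caught.

    k: number of altered ballots
    f: fraction of voters who actually inspect their paper record
    d: chance an inspecting voter notices that their own ballot was altered
       (1.0 means an inspection always catches an alteration)
    """
    if not (0.0 <= f <= 1.0 and 0.0 <= d <= 1.0):
        raise ValueError("f and d must be probabilities in [0, 1]")
    if k < 0:
        raise ValueError("k must be non-negative")
    return 1.0 - (1.0 - f * d) ** k


def min_verify_fraction(k: int, target: float, d: float = 1.0):
    """Smallest verifying fraction f with p_detect(k, f, d) >= target.

    Solves (1 - f*d)**k <= 1 - target for f. Returns None when the target
    cannot be met even if every voter verifies (i.e. the solution exceeds 1).
    """
    if k <= 0:
        raise ValueError("need at least one altered ballot to detect")
    if not (0.0 < target < 1.0 and 0.0 < d <= 1.0):
        raise ValueError("target must be in (0, 1) and d in (0, 1]")
    f = (1.0 - (1.0 - target) ** (1.0 / k)) / d
    return f if f <= 1.0 else None


def detection_table(k: int, fractions=(0.02, 0.05, 0.10), d: float = 1.0) -> dict:
    """Map each candidate verifying fraction to its detection probability."""
    return {f: p_detect(k, f, d) for f in fractions}


if __name__ == "__main__":
    # Constructed scenario: a machine alters 50 ballots; voters always notice
    # an alteration when they do look (d = 1.0).
    altered = 50
    for f, p in detection_table(altered).items():
        print(f"{f:>5.0%} of voters verify -> P(detect) = {p:.3f}")
    need = min_verify_fraction(altered, target=0.95)
    print(f"95% detection of {altered} altered ballots needs f >= {need:.3%}")
    # With voters only noticing half the time, the required fraction doubles.
    need_half = min_verify_fraction(altered, target=0.95, d=0.5)
    print(f"... or f >= {need_half:.3%} if a voter notices only half the time")
```

The point the arithmetic makes is that the escape probability depends on the absolute number of altered ballots k, not on the size of the electorate: a machine that must alter many ballots to matter is caught by a small verifying fraction, while a handful of alterations can slip past even a large one. The d parameter is where the subtle-display attacks quoted above bite, since a voter who does look can still fail to notice.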

