Re: Integrating two solutions (related to the Calif. bill thread)

From: Ronald Crane <voting_at_lastland_dot_net>
Date: Wed Jan 21 2009 - 22:03:08 CST
Ronald Crane wrote:
Douglas A. Whitfield wrote:
On Wed, Jan 21, 2009 at 11:30 AM, Jim March <> wrote:
As is being thrashed out now, even with open source there are issues related to
firmware hacking (a significant threat!)

Well, this one is pretty firmware.
1. The mainboard BIOS is not the only firmware onboard a computer. Other firmware resides in the video controller, the CDROM controller, other peripheral controllers, and even the CPU itself (see, e.g., to download microcode updates for many Intel x86 CPUs);

2. Even assuming that all firmware-containing devices use "open firmware", the general public needs to be able to verify that they actually contain the proper version of that firmware. Creating a procedure to do this for the voting application on a CD-ROM, such procedure being effective, secure, and acceptable to elections officials, has proven to be rather difficult. Doing it for all firmware-containing devices -- or even just the mainboard BIOS -- will be much more difficult.

I forgot this:

3. The number of people qualified to review mainboard firmware for correctness is far less than the number qualified to review the voting application, the operating system, the device drivers, etc. The number of people qualified to review obscure firmware (e.g., that in peripheral controllers, let alone CPUs) is far smaller.

4. Please see the "Limitations of Many Eyes" thread here, begun by Brian Behlendorf on 5/19/08, about a study by David Wagner & Ping Lee, showing code review's unexpectedly-limited efficacy in finding intentionally-placed security flaws. Presumably review is even less efficacious in the functionally-obscure, often highly-concurrent, and lower-level-language environments that usually characterize firmware.


OVC-discuss mailing list
By sending email to the OVC-discuss list, you thereby agree to release the content of your posts to the Public Domain--with the exception of copyrighted material quoted according to fair use, including publicly archiving at
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Thu Jan 7 00:09:49 2010

This archive was generated by hypermail 2.1.8 : Thu Jan 07 2010 - 00:09:57 CST