Re: Avante Releases White Papers on AVVPAT...

From: Douglas W. Jones <jones_at_cs_dot_uiowa_dot_edu>
Date: Sun Jun 13 2004 - 16:23:31 CDT

On Jun 13, 2004, at 11:37 AM, Joseph Lorenzo Hall wrote:

> So was Prof. Jones' comment targeted specifically at object code? That
> is, checksumming will not work for object code because it is unique
> for each computer (because it holds things like the name of the
> computer, or what-have-you)?

Say I hand you a voting machine, and I assert: This is running
Scam-A-Vote Version 10.3.2.4. You turn it on, and it prints out
"Scam-A-Vote 10.3.2.4" on its internal printer.

What assurance does this give you? Nothing. Do you gain any
assurance when it prints out "ROM signature = 05F8C4D3", the
expected CRC32 for the contents of the resident ROM? No. If,
in addition, it prints "RO Filesystem signature = 4AC320FE688C",
did you learn more? Not a thing.

In sum, no self-report from a computer system should convince
you that that system is authentic. If the system claims to be
dumping the entire contents of its disk and ROM to the serial port,
you still don't know that it's telling the truth. It could have
twice the hard drive capacity internally, using most of it to
store the correct system images while the code it actually
executes is in the other half of the drive.

So, you need some way to independently inspect the contents of
memory.

Either this needs to be a special hardware port that a memory
inspection device can be attached to, or you need to be able to
extract the memory from the voting system and attach it to a
second machine used to inspect the contents. In either case, the
inspection mechanism needs to be guaranteed to be unable to write
things, so if you're verifying compact flash cards, your CF
reader needs to be incapable of writing the card. Verifying
CD-ROM is easy, but the moment it's stored on CD-RW media, your
verifier must be certified to be unable to write (easy, use a
CD-ROM player that doesn't support the write function, but the
problem here is that covert substitution of a writer would be
fairly easy.)

In sum, it's tough.

> Is this a place that Trusted Computing (a/k/a NGSCB, a/k/a Palladium)
> could help specifically in the context of elections systems?

Potentially.

                Doug Jones
                jones@cs.uiowa.edu
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Wed Jun 30 23:17:14 2004

This archive was generated by hypermail 2.1.8 : Wed Jun 30 2004 - 23:17:30 CDT
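The distinction Doug Jones draws above, between a device's self-reported "ROM signature" and an inspection of media pulled out of the device, as an added example that is not part of the original message. The voting machine model, the image bytes and the reference values are all constructed for the demonstration; the CRC32 stands in for the "ROM signature" in the message.

```python
import hashlib
import zlib

# Constructed "certified" ROM image and the reference values an election
# office would publish for it. No real image or signature appears on the page.
CERTIFIED_ROM = b"Scam-A-Vote 10.3.2.4 firmware image (constructed sample)\n" * 16
REFERENCE_CRC32 = zlib.crc32(CERTIFIED_ROM)          # the "ROM signature"
REFERENCE_SHA256 = hashlib.sha256(CERTIFIED_ROM).hexdigest()

# Same image with one bit flipped (version byte "4" -> "5"): a different build.
# A single-bit change is always detected by CRC32, so the outcome is deterministic.
TAMPERED_ROM = CERTIFIED_ROM.replace(b"2.4", b"2.5", 1)


class VotingMachine:
    """Hypothetical device that answers 'what are you running?' itself.
    It keeps a copy of the certified image (the 'other half of the drive'
    in the message) solely so that its self-report matches the published
    signature, whatever it actually executes."""

    def __init__(self, executing: bytes, advertised: bytes):
        self.executing = executing
        self.advertised = advertised

    def print_rom_signature(self) -> int:
        # Self-report: the device hashes whichever image it chooses to hash.
        return zlib.crc32(self.advertised)

    def physical_rom(self) -> bytes:
        # What a reader attached to the extracted media actually sees.
        return self.executing


def trust_self_report(machine: VotingMachine) -> bool:
    """The check the message says gives no assurance at all."""
    return machine.print_rom_signature() == REFERENCE_CRC32


def verify_extracted_image(image: bytes) -> dict:
    """Independent check of media read outside the device, through a reader
    that (as the message requires) must be incapable of writing to it.
    CRC32 mirrors the 'ROM signature'; SHA-256 is added because CRC32 is not
    collision-resistant, so a modified image can be padded to match it."""
    return {
        "crc32": zlib.crc32(image) == REFERENCE_CRC32,
        "sha256": hashlib.sha256(image).hexdigest() == REFERENCE_SHA256,
    }
```

Both machines pass `trust_self_report`; only `verify_extracted_image` run on the extracted media tells them apart, which is the point of the message.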