Re: Avante Releases White Papers on AVVPAT...

From: Arthur Keller <arthur_at_kellers_dot_org>
Date: Sun Jun 13 2004 - 23:08:33 CDT

At 4:23 PM -0500 6/13/04, Douglas W. Jones wrote:
>On Jun 13, 2004, at 11:37 AM, Joseph Lorenzo Hall wrote:
>
>>So was Prof. Jones's comment targeted specifically at object code? That
>>is, checksumming will not work for object code because it is unique
>>for each computer (because it holds things like the name of the
>>computer, or what-have-you)?
>
>Say I hand you a voting machine, and I assert: This is running
>Scam-A-Vote Version 10.3.2.4. You turn it on, and it prints out
>"Scam-A-Vote 10.3.2.4" on its internal printer.
>
>What assurance does this give you? Nothing. Do you gain any
>assurance when it prints out "ROM signature = 05F8C4D3", the
>expected CRC32 for the contents of the resident ROM? No. If,
>in addition, it prints "RO Filesystem signature = 4AC320FE688C",
>did you learn more? Not a thing.
>
>In sum, no self-report from a computer system should convince
>you that that system is authentic. If the system claims to be
>dumping the entire contents of its disk and ROM to the serial port,
>you still don't know that it's telling the truth. It could have
>twice the hard drive capacity internally, using most of it to
>store the correct system images while the code it actually
>executes is in the other half of the drive.
>
>So, you need some way to independently inspect the contents of
>memory.
>
>Either this needs to be a special hardware port that a memory
>inspection device can be attached to, or you need to be able to
>extract the memory from the voting system and attach it to a
>second machine used to inspect the contents. In either case, the
>inspection mechanism needs to be guaranteed to be unable to write
>things, so if you're verifying compact flash cards, your CF
>reader needs to be incapable of writing the card. Verifying
>CD-ROM is easy, but the moment it's stored on CD-RW media, your
>verifier must be certified to be unable to write (easy, use a
>CD-ROM player that doesn't support the write function, but the
>problem here is that covert substitution of a writer would be
>fairly easy.)

That's why we have proposed booting off a CD-R containing all the
software and personalization, and later the EBIs (electronic copies
of the ballots). Can you rewrite a CD-R? I think not.

Best regards,
Arthur

>In sum, it's tough.
>
>>Is this a place that Trusted Computing (a/k/a NGSCB, a/k/a Palladium)
>>could help specifically in the context of elections systems?
>
>Potentially.
>
> Doug Jones
> jones@cs.uiowa.edu

-- 
-------------------------------------------------------------------------------
Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA  94303-4507
tel +1(650)424-0202, fax +1(650)424-0424
==================================================================
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
==================================================================
Received on Wed Jun 30 23:17:15 2004
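
The independent inspection discussed in this message can be sketched as follows. This is an added example, not code from the thread or from any voting system: the media is read on a separate inspection machine, its real capacity is measured rather than taken from the device's own report, and the contents are compared with a reference the inspector already holds. The function name, the constructed sample images, and the use of SHA-256 in place of the CRC32 mentioned in the message are assumptions of this example.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time

def inspect_media(path, expected_size, expected_sha256):
    """Hash extracted media from the inspector's side; return a list of findings."""
    findings = []
    # O_RDONLY only stops this process from writing. It is not the hardware
    # write-incapable reader the message asks for; that must be provided separately.
    fd = os.open(path, os.O_RDONLY)
    try:
        # Measure the real capacity: spare space beyond the reference image is
        # where a second, actually executed copy of the code could be kept.
        actual_size = os.lseek(fd, 0, os.SEEK_END)
        os.lseek(fd, 0, os.SEEK_SET)
        if actual_size != expected_size:
            findings.append(f"size mismatch: media {actual_size}, reference {expected_size}")
        digest = hashlib.sha256()
        while chunk := os.read(fd, CHUNK):
            digest.update(chunk)
    finally:
        os.close(fd)
    if digest.hexdigest() != expected_sha256:
        findings.append("digest mismatch: contents differ from reference")
    return findings

def demo():
    """Run the inspector over three constructed images; return findings per image."""
    reference = b"constructed reference system image" * 1000
    ref_size, ref_hash = len(reference), hashlib.sha256(reference).hexdigest()
    cases = {
        "honest": reference,
        "doubled": reference + b"constructed hidden second image" * 1000,
        "patched": b"X" + reference[1:],
    }
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        for name, content in cases.items():
            image = os.path.join(workdir, name + ".img")
            with open(image, "wb") as handle:
                handle.write(content)
            results[name] = inspect_media(image, ref_size, ref_hash)
    return results

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "matches reference")
```

The expected size and digest have to reach the inspector through a channel the inspected machine does not control; a value printed by the machine under test is the self-report the message rejects.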
