Electronic Voting: Danger and Opportunity
J. Alex Halderman
Department of Computer Science, Center for Information Technology Policy
Princeton University
Joint work with …
Joe Calandrino Ari Feldman Ed Felten
2000 Recount Debacle
Legislative response:
Help America Vote Act
Provided $3.9 billion to states to upgrade voting machines by November 2006
DREs to the Rescue?
Direct Recording Electronic – Store votes in internal memory
DREs are Computers
Bugs, Rootkits, Viruses, Attacks
Diebold’s History of Secrecy
• Prevented states from allowing independent security audits – hid behind NDAs, trade secret law
• Source code leaked in 2003; researchers at Johns Hopkins found major flaws. Diebold responded with vague legal threats, personal attacks, and a disinformation campaign
• Internal emails leaked in 2003 reveal poor security practices by developers. Diebold tried to suppress sites with legal threats
We Get a Machine (2006)
Obtained legally from an anonymous private party
Software is 2002 version, but certified and used in actual elections
First complete, public, independent security audit of a DRE
Research Goals
• Conduct independent security audit
• Confirm findings of previous researchers (Hursti, Kohno et al.)
• Verify threats by building demonstration attacks
• Figure out how to do better
Who wants to know? Voters, candidates, election officials, policy makers, researchers
Hardware: 16 MB Flash, 128 KB EPROM, SH3 CPU, 32 MB RAM, 2 PCMCIA slots, boot jumper table
Software Problems
One Example:
DES-CBC_K(BallotID : VoteBitmap), CRC-16(…)
Our Findings
• Malicious software running on the machine can steal votes undetectably, altering all backups and logs
(Demo; correct result: George 5, Benedict 0)
• Anyone with physical access to the machine or memory card can install malicious code in as little as one minute
(The key)
• Malicious code can spread automatically and silently from machine to machine in the form of a voting machine virus
(Voting machine virus: viral spread)
[Feldman, Halderman & Felten 2007]
Joe Calandrino, Ari Feldman, Bill Zeller, Harlan Yu, Alex Halderman
Debra Bowen
California “Top-to-Bottom” Study
Hart, Sequoia, Diebold
California “Top-to-Bottom” Results
WHAT TO DO?
E-Voting Advantages
• Voters prefer it
• Faster reporting
• Fewer undervotes
• Improved accessibility
• Potentially increased security*
WE CAN DO BETTER!
Electronic + Paper Records
Touch-screen (DRE) machine, plus voter-verifiable paper trail
Hand-marked paper ballot, machine-scanned immediately
Failure Modes
Paper ballots: physical tampering; “retail” fraud; after the election
Electronic records: cyber-tampering; “wholesale” fraud; before the election
Redundancy + different failure modes = greater security
But… redundancy only helps if we use both records!
How to Use Paper Records?
Use a machine to count the paper records: too risky
Count all the paper records by hand: too expensive
Check a random subset of paper records by hand… but which subset?
Standard Approach
Pick some precincts randomly. Hand-count paper records.
Should match electronic records.
Statistical Auditing’s Goal
Establish, with high statistical confidence, that hand-counting all of the paper records would yield the same winner as the electronic tally.
Audit Example
Alice: 55%, Bob: 45%
Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper
For 95% confidence, hand-audit 60 precincts
Cost: about $100,000
An Alternative Approach
Precinct-based auditing vs. ballot-based auditing
100 marbles, 10% blue, vs. 6300 beads, 10% blue: how large a sample do we need?
Audit Example
Alice: 55%, Bob: 45%
Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper
For 95% confidence:
Precinct-based: hand-audit 60 precincts, cost about $100,000
Ballot-based: hand-audit a sample of individual ballots, cost about $1,000
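The marbles-versus-beads question above can be answered directly. The following is an added example, not code from the talk or its authors; it assumes (our assumption) that ballots are drawn uniformly at random without replacement and that a single discrepant ballot in the sample triggers a full hand count, so the audit is fooled only when every sampled ballot is clean. It computes the smallest sample that rejects the hypothesis "at least this fraction of ballots differ" at a given confidence, both for a known finite population (hypergeometric) and for a large or unknown one (the (1 - f)^n approximation), and shows that the answer barely depends on population size.

```python
"""Sample sizes for ballot-based auditing (added example, not from the talk)."""
import math


def miss_probability(population, bad, sample):
    """Probability that `sample` ballots drawn without replacement from
    `population` ballots contain none of the `bad` ones:
    C(population - bad, sample) / C(population, sample), computed as a
    running product to avoid huge binomials."""
    if sample > population - bad:
        return 0.0
    p = 1.0
    for i in range(sample):
        p *= (population - bad - i) / (population - i)
    return p


def sample_size_finite(population, bad_fraction, confidence):
    """Smallest sample that rejects 'at least bad_fraction of the population
    is bad' at the given confidence, for a population of known size."""
    bad = math.ceil(bad_fraction * population)
    n = 0
    while miss_probability(population, bad, n) > 1 - confidence:
        n += 1
    return n


def sample_size_binomial(bad_fraction, confidence):
    """Same question when the population is large or unknown: treat draws as
    independent, so the miss probability is (1 - bad_fraction) ** n."""
    n = 0
    while (1 - bad_fraction) ** n > 1 - confidence:
        n += 1
    return n


if __name__ == "__main__":
    # The slide's marbles and beads: 10% blue, want 95% confidence.
    print("100 marbles, 10% blue:", sample_size_finite(100, 0.10, 0.95))
    print("6300 beads, 10% blue:", sample_size_finite(6300, 0.10, 0.95))
    print("unknown population, 10% blue:", sample_size_binomial(0.10, 0.95))
    # The audit example's threshold: 5% discrepant ballots, 95% confidence.
    print("5% discrepant, large population:", sample_size_binomial(0.05, 0.95))
```

The finite-population figure for 100 marbles is a little smaller than for 6300 beads, and the bead figure matches the large-population approximation, which is the point of the slide: once the population is in the thousands, the sample size for a ballot-based audit is governed by the discrepancy threshold and the confidence level, not by how many ballots were cast.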
Why Not Ballot-based?
(Diagram: the voting machine's electronic records list Alice, Bob, Alice; the corresponding paper ballots read “● Alice ○ Bob”, “○ Alice ● Bob”, “● Alice ○ Bob”.)
Need to match up electronic with paper ballots.
Compromises the secret ballot!
Secret Ballot
Prevents coercion and vote-buying
Requirements: Nobody can tell how you voted. You can’t prove to anyone how you voted. You can be confident in these properties.
Serial Numbers
(Diagram: the voting machine's electronic records list “1 Alice, 2 Bob, 3 Alice”; the paper ballots carry the same serial numbers: 1 “● Alice ○ Bob”, 2 “○ Alice ● Bob”, 3 “● Alice ○ Bob”.)
“Random” Identifiers
(Diagram: the same pairing, but each ballot carries a random identifier instead of a sequential number: electronic records “325631 Alice, 218594 Bob, 810581 Alice”; paper ballots 325631 “● Alice ○ Bob”, 218594 “○ Alice ● Bob”, 810581 “● Alice ○ Bob”.)
Machine-Assisted Auditing
[Calandrino, Halderman & Felten 2007]
Step 1. Check electronic records against paper records using a recount machine.
(Diagram: the recount machine reads each paper ballot, e.g. ballot 1 marked “○ Alice ● Bob”, and produces a per-ballot list, “1 Bob, 2 Alice, …, 929 Bob”, with totals Alice: 510, Bob: 419, which is compared record-for-record against the electronic list.)
Step 2. Audit the recount machine by selecting random ballots for human inspection.
(Diagram: randomly chosen ballots, e.g. 321 and 716, are pulled from the paper and compared by a person against the recount machine's entries for those identifiers.)
We can use a machine without having to trust it!
As efficient as ballot-based auditing, while protecting the secret ballot.
(Figure: machine recount vs. manual audit.)
Doing Even Better
Key idea: Probability of auditing a ballot should depend on how that ballot is marked
Full algorithm accounts for: multi-candidate races, multi-seat races, undervotes and overvotes, write-ins
Doing Even Better
Alice: 55%, Bob: 45%
Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper
Goal: Reject hypothesis that ≥ 5% of ballots are marked electronically for Alice but on paper for Bob.
Only need to audit ballots marked for Alice.
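The two-step procedure from the Machine-Assisted Auditing slides, together with the content-sensitive rule above, as an added simulation that is not code from the talk or its authors. Our assumptions: a two-candidate race; every paper ballot carries the same random identifier as its electronic record; the recount machine reports (identifier, reading) pairs; a human who inspects a ballot reads it correctly. The election data is constructed for the simulation. It runs three scenarios: an honest recount machine, which exposes a vote-stealing voting machine in step 1; a recount machine that colludes by echoing the electronic record, which passes step 1 but is exposed in step 2; and a full human audit of the winner's ballots, which recovers exactly the tampered set.

```python
"""Machine-assisted, content-sensitive ballot audit (added simulation)."""
import random

ALICE, BOB = "Alice", "Bob"


def make_election(n_ballots, alice_share, seed):
    """Paper truth as {random_id: choice}. Identifiers are drawn at random
    (constructed data) so record order reveals nothing about voting order.
    Exactly round(n_ballots * alice_share) ballots are for Alice."""
    rng = random.Random(seed)
    ids = rng.sample(range(100_000, 1_000_000), n_ballots)
    n_alice = round(n_ballots * alice_share)
    return {bid: (ALICE if i < n_alice else BOB) for i, bid in enumerate(ids)}


def tamper(records, n_flip, seed):
    """A vote-stealing voting machine: n_flip Bob ballots become Alice in the
    electronic record only; the paper is untouched."""
    rng = random.Random(seed)
    bob_ids = sorted(b for b, v in records.items() if v == BOB)
    out = dict(records)
    for bid in rng.sample(bob_ids, n_flip):
        out[bid] = ALICE
    return out


def tally(records):
    return {c: sum(1 for v in records.values() if v == c) for c in (ALICE, BOB)}


def step1_compare(electronic, recount):
    """Step 1: compare electronic records with the recount machine's reading
    of the paper, ballot by ballot. Returns identifiers where they disagree."""
    return sorted(b for b in electronic if electronic[b] != recount.get(b))


def step2_human_audit(electronic, recount, paper, sample_size, seed):
    """Step 2: audit the recount machine itself. Content-sensitive rule for a
    two-candidate race: only a ballot recorded for the electronic winner
    can hide a vote moved toward that winner, so sample from those ballots
    and have a human compare the paper with the recount machine's entry."""
    counts = tally(electronic)
    winner = max(counts, key=counts.get)
    pool = sorted(b for b, v in electronic.items() if v == winner)
    rng = random.Random(seed)
    chosen = rng.sample(pool, min(sample_size, len(pool)))
    return sorted(b for b in chosen if recount[b] != paper[b])


def run_audit(paper, electronic, recount, sample_size, seed=7):
    return {
        "step1_mismatches": step1_compare(electronic, recount),
        "step2_discrepancies": step2_human_audit(electronic, recount, paper,
                                                 sample_size, seed),
    }


if __name__ == "__main__":
    paper = make_election(1000, 0.50, seed=1)
    electronic = tamper(paper, 50, seed=2)       # 5% of ballots stolen
    honest_recount = dict(paper)                  # reads the paper correctly
    colluding_recount = dict(electronic)          # echoes the electronic record
    h = run_audit(paper, electronic, honest_recount, 200)
    print("honest recount: step 1 flags", len(h["step1_mismatches"]), "ballots")
    c = run_audit(paper, electronic, colluding_recount, 200)
    print("colluding recount: step 1 flags", len(c["step1_mismatches"]),
          "ballots; human inspection of 200 finds", len(c["step2_discrepancies"]))
```

Step 2 only ever compares a sampled ballot with the recount machine's entry for that ballot's identifier, so the identifier links paper to a machine reading, not to a voter; that is what lets the audit stay ballot-based without a serial number that could be tied back to the order of voting. The sample of 200 is larger than a real audit would need for a 5% discrepancy rate; it is chosen so the simulated detection is effectively certain.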
Evaluation
2006 Virginia U.S. Senate race, 0.3% margin of victory; we want 99% confidence
                Precinct-based   Machine-assisted   Content-sensitive
# ballots       1,141,900        2,339              1,179
# precincts     1,252            1,351              853
Proposed Legislation
H.R. 811: Voter Confidence and Increased Accessibility Act
• Voter-verifiable paper record and random manual audits
• Access to voting software and source code, to verify security
• Additional money for states
Rep. Rush Holt