23rd Annual Computer Security Applications Conference (ACSAC 2007), December 10-14, 2007
Miami Beach, FL
IEEE Computer Society 2007
Tampering with Special Purpose Trusted Computing Devices:
A Case Study in Optical Scan E-Voting
Aggelos Kiayias, Laurent Michel, Alexander Russell, Narasimha Shashidhar, Andrew See, Alexander Shvartsman, Seda Davtyan
Voting Technology Research Center
Department of Computer Science
University of Connecticut
Storrs, CT
snip
Abstract:
In this paper we present a security assessment of the Diebold AccuVote Optical Scan voting terminal (AV-OS), a popular OS terminal currently in wide deployment anticipating the 2008 Presidential elections. The assessment is developed using exclusively reverse-engineering, without any technical specifications provided by the machine suppliers.
We demonstrate a number of security issues that relate to the machine's proprietary language, called AccuBasic, that is used for reporting election results. While this language is thought to be benign, especially given that it is essentially sandboxed by the firmware to have only read access, we demonstrate that it is powerful enough to (i) strengthen known attacks against the AV-OS so that they become undetectable prior to elections (thus significantly increasing their magnitude) or (ii) conditionally bias the election results to reach a desired outcome. Given the discovered vulnerabilities and attacks, we proceed to discuss how random audits can be used to validate with high confidence that a procedure carried out by special purpose devices such as the AV-OS has not been manipulated. We end with a set of recommendations for the design and safe use of OS voting systems.
snip
3.2.2 Our Results: AccuBasic Malware for Concealing Tampering and Results Manipulation
During our own experimentation we found that the bytecode language offers a wealth of functions that can be potentially exploited by an attacker. In particular, we will demonstrate a "time bomb" attack in which the bytecode checks the date and time in order to decide whether the election has begun.
An attack utilizing such code can retain proper behavior in pre-election testing, in which the machine is verified by comparison with hand counted ballots, while behaving improperly during the actual election.
Altering Results
As evident from the previous sections, the AccuBasic election reporting functionality is powerful enough to perform various kinds of biased reporting. In particular, if the AV-OS election reporting printouts are the sole means of reporting the election results (as is in fact the case in many jurisdictions) then one can write quite complex malicious reporting functionalities that get triggered in specific cases (e.g., when the number of votes for a certain candidate is below a certain percentage) and perform arbitrary vote transfers between the candidates. The election totals report also includes the number of blank votes in each race. A blank indicates that a voter decided not to assign their vote to any candidate. Thus, the total votes for all candidates plus the blank votes should equal the total number of ballots cast. The bytecode has access to the blank count as well, and so can also transfer votes from these blanks to a target candidate in the report, thus preserving total voter counts and possibly avoiding suspicion.
snip
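The two points above (a report that moves blanks to a candidate still satisfies "candidates + blanks = ballots cast", and a date-triggered report behaves correctly in pre-election testing) mean the printed totals cannot be validated from the printout alone; only a hand count of the election-day paper ballots, on a random sample of precincts, exposes the discrepancy, which is the audit approach the abstract refers to. The following added example is not code from the paper or from the AV-OS; it models per-precinct totals reports as plain dicts with constructed figures (precinct names, candidate names "alice" and "bob", all counts are assumptions), checks the consistency invariant, hand-counts a random sample of precincts against the paper, and computes how large that sample must be for a given detection confidence.

```python
import random
from math import comb

CANDIDATES = ("alice", "bob")
FIELDS = (*CANDIDATES, "blank")

# Constructed sample data (not real election figures): what a hand count of
# each precinct's paper ballots would actually find.
TRUE_TALLIES = {
    f"precinct-{i:02d}": {"alice": 400 + 3 * i, "bob": 380 + 2 * i, "blank": 20}
    for i in range(20)
}


def make_report(tally):
    """The totals report a scanner prints for one precinct: per-candidate
    counts, blanks, and the number of ballots cast."""
    report = dict(tally)
    report["ballots_cast"] = sum(tally[f] for f in FIELDS)
    return report


def blanks_moved(report, to, n):
    """Constructed tampered report modelling the manipulation the paper
    describes: n blanks are reported as votes for `to`. ballots_cast is
    untouched, so the report still satisfies the consistency invariant."""
    tampered = dict(report)
    tampered["blank"] -= n
    tampered[to] += n
    return tampered


def invariant_holds(report):
    """Candidate totals + blanks == ballots cast. Necessary, not sufficient."""
    return sum(report[f] for f in FIELDS) == report["ballots_cast"]


def hand_count_discrepancies(report, true_tally):
    """Fields where the printed report disagrees with a hand count of the
    paper ballots, as {field: (reported, hand_counted)}."""
    return {f: (report[f], true_tally[f]) for f in FIELDS if report[f] != true_tally[f]}


def random_audit(reports, true_tallies, sample_size, rng):
    """Hand-count a uniformly random sample of precincts and return the
    discrepancies found, keyed by precinct (empty dict == clean audit)."""
    sampled = rng.sample(sorted(reports), sample_size)
    found = {}
    for p in sampled:
        d = hand_count_discrepancies(reports[p], true_tallies[p])
        if d:
            found[p] = d
    return found


def detection_probability(n_precincts, n_tampered, sample_size):
    """Probability that a random sample of `sample_size` precincts contains
    at least one of `n_tampered` manipulated precincts (hypergeometric)."""
    if sample_size > n_precincts - n_tampered:
        return 1.0
    return 1 - comb(n_precincts - n_tampered, sample_size) / comb(n_precincts, sample_size)


def sample_size_for_confidence(n_precincts, n_tampered, confidence):
    """Smallest sample size whose detection probability reaches `confidence`
    (a small epsilon absorbs floating-point rounding in the ratio)."""
    for k in range(1, n_precincts + 1):
        if detection_probability(n_precincts, n_tampered, k) + 1e-12 >= confidence:
            return k
    return n_precincts


# Honest reports for every precinct, then one replaced by a blanks-moved version.
MACHINE_REPORTS = {p: make_report(t) for p, t in TRUE_TALLIES.items()}
MACHINE_REPORTS["precinct-07"] = blanks_moved(MACHINE_REPORTS["precinct-07"], "alice", 10)


if __name__ == "__main__":
    # Every report, the tampered one included, passes the printout-only check ...
    print("all reports internally consistent:",
          all(invariant_holds(r) for r in MACHINE_REPORTS.values()))
    # ... so only a hand count of the paper ballots reveals it.
    print("full hand count finds:",
          random_audit(MACHINE_REPORTS, TRUE_TALLIES, 20, random.Random(1)))
    print("P(detect, 5 of 20 precincts, 1 tampered):", detection_probability(20, 1, 5))
    print("sample size for 95% confidence vs 1 tampered precinct:",
          sample_size_for_confidence(20, 1, 0.95))
```

The invariant check passes for every report, including the tampered precinct, while `hand_count_discrepancies` flags it immediately once that precinct is drawn. Because the trigger the paper describes is date-based, the tallies being audited must be the ones printed on election day, not those from pre-election testing; and `sample_size_for_confidence` makes the cost explicit: with a single manipulated precinct out of twenty, 95% confidence needs nineteen precincts hand-counted, so audit designs in practice assume the attacker must alter several precincts to change an outcome and size the sample against that margin.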
pdf:
http://voter.engr.uconn.edu/voter/Reports_files/seeA-tamperEVoting.pdf