
These studies crack me up!!

stillcool Donating Member (1000+ posts) Sun Jan-20-08 02:14 PM
Original message
These studies crack me up!!

Brennan Center For Justice AT NYU School of Law
http://brennan.3cdn.net/a56eba8edf74e9e12e_r2m6b86s2.pdf
Security Analysis of the Diebold AccuBasic Interpreter

Pg. 12
Types of vulnerabilities. The vulnerabilities include several instances of the classic buffer over-run vulnerability, as well as vulnerabilities with a similar effect. This kind of vulnerability would allow someone who could edit the AccuBasic object code on the memory card to completely control the behavior of the voting machine. The instant that the AccuBasic interpreter on the AV-OS or AV-TSx attempts to execute the malicious AccuBasic object code, the machine will be compromised.

Pg 13.
Impact. The consequence of these vulnerabilities is that any person with unsupervised access to a memory card for sufficient time to modify it, or who is in a position to switch a malicious memory card for a good one, had the opportunity to completely compromise the integrity of the electronic tallies from the machine using that card.
Many of these vulnerabilities allow the attacker to seize control of the machine. In particular, they can be used to replace some of the software and the firmware with code of the attacker's choosing. At that point, the voting machine is no longer running the code from the vendor, but is instead running illegitimate code from the attacker. Once the attacker can replace the running code of the machine, the attacker has full control over all operation of the machine. Some of the consequences of this kind of compromise could include:
* The attack could manipulate the electronic tallies in any way desired. These manipulations could be performed at any point during the day. They could be performed selectively, based on knowledge about running tallies during the day. For instance, the attack code could wait until the end of the day, look at the electronic tallies accumulated so far, and choose to modify them only if they are not consistent with the attacker's desired outcome.
* The attack could print fraudulent zero reports and summary reports to prevent detection.
* The attack could modify the contents of the memory card in any way, including tampering with electronic vote counts and electronic ballot images stored on the card.
* The attack could erase all traces of the attack to prevent anyone from detecting the attack after the fact.
* It is even conceivable that there is a way to exploit these vulnerabilities so that changes could persist from one election to another.
* It is conceivable that the attack might be able to propagate from machine to machine, like a computer virus.
* The attack could affect the correct operation of the machine. For instance, on the AV-OS, it could turn off under- and over-vote notification. It could selectively disable over-vote notification for ballots that contain votes for a disfavored candidate, or selectively provide false over-vote notifications for ballots that contain votes for a favored candidate.

----------------------------

Security Analysis of the Diebold AccuBasic Interpreter
David Wagner David Jefferson Matt Bishop
Voting Systems Technology Assessment Advisory Board (VSTAAB)

with the assistance of:
Chris Karlof Naveen Sastry
University of California, Berkeley
February 14, 2006
http://www.votetrustusa.org/pdfs/California_Folder/DieboldReport.pdf
--------------------------
• Memory card attacks are a real threat: We determined that anyone who has access to a memory card of the AV-OS, and can tamper it (i.e. modify its contents), and can have the modified cards used in a voting machine during election, can indeed modify the election results from that machine in a number of ways. The fact that the results are incorrect cannot be detected except by a recount of the original paper ballots.
• Harri Hursti's attack does work: Mr. Hursti's attack on the AV-OS is definitely real. He was indeed able to change the election results by doing nothing more than modifying the contents of a memory card. He needed no passwords, no cryptographic keys, and no access to any other part of the voting system, including the GEMS election management server.
• Interpreter bugs lead to another, more dangerous family of vulnerabilities: However, there is another category of more serious vulnerabilities we discovered that go well beyond what Mr. Hursti demonstrated, and yet require no more access to the voting system than he had. These vulnerabilities are consequences of bugs, 16 in all, in the implementation of the AccuBasic interpreter for the AV-OS. These bugs would have no effect at all in the absence of deliberate tampering, and would not be discovered by any amount of functionality testing; but they could allow an attacker to completely control the behavior of the AV-OS. An attacker could change vote totals, modify reports, change the names of candidates, change the races being voted on, or insert his own code into the running firmware of the machine.
• Successful attacks can only be detected by examining the paper ballots: There would be no way to know that any of these attacks occurred; the canvass procedure would not detect any anomalies, and would just produce incorrect results. The only way to detect and correct the problem would be by recount of the original paper ballots, e.g. during the 1 percent manual recount.
• The bugs are classic, and can only be found by source code review: Finding these bugs was only possible through close study of the source code. All of them are classic security flaws, including buffer overruns, array bounds violations, double-free errors, format string vulnerabilities, and several others. There may, of course, be additional bugs, or kinds of bugs, that we did not find.

---------------------------------------------

Impact. The consequence of these vulnerabilities is that any person with unsupervised access to a memory card for sufficient time to modify it, or who is in a position to switch a malicious memory card for a good one, has the opportunity to completely compromise the integrity of the electronic tallies from the machine using that card.

Many of these vulnerabilities allow the attacker to seize control of the machine. In particular, they can be used to replace some of the software and the firmware on the machine with code of the attacker's choosing. At that point, the voting system is no longer running the code from the vendor, but is instead running illegitimate code from the attacker. Once the attacker can replace the running code of the machine, the attacker has full control over all operation of the machine. Some of the consequences of this kind of compromise could include:
• The attack could manipulate the electronic tallies in any way desired. These manipulations could be performed at any point during the day. They could be performed selectively, based on knowledge about running tallies during the day. For instance, the attack code could wait until the end of the day, look at the electronic tallies accumulated so far, and choose to modify them only if they are not consistent with the attacker's desired outcome.
• The attack could print fraudulent zero reports and summary reports to prevent detection.
• The attack could modify the contents of the memory card in any way, including tampering with the electronic vote counts and electronic ballot images stored on the card.
• The attack could erase all traces of the attack to prevent anyone from detecting the attack after the fact. For instance, once the attack code has gained control, it could overwrite the malicious AccuBasic object code (.abo file) stored on the memory card with legitimate AccuBasic object code, so that no amount of subsequent forensic investigation will uncover any evidence of the compromise.
• It is even conceivable that there is a way to exploit these vulnerabilities so that changes could persist from one election to another. For instance, if the firmware or software resident on the machine can be modified or updated by running code, then the attack might be able to modify the firmware or software in a permanent way, affecting future elections as well as the current election. In other words, these vulnerabilities mean that a procedural lapse in one election could potentially affect the integrity of a subsequent election. However, we would not be able to verify or refute this possibility without experimentation with real systems.
---------------------------------------------------------------------------
It is conceivable that the attack might be able to propagate from machine to machine, like a
computer virus.
For instance, if an uninfected memory card is inserted into an infected voting
machine, then the compromised voting machine could replace the AccuBasic object code on
that memory card with a malicious AccuBasic script. At that point, the memory card has
been infected, and if it is ever inserted into a second uninfected machine, the second machine
will become infected as soon as it runs the AccuBasic script.
------------------------------------------
In addition, most of the bugs we found could be used to crash the machine. This might disenfranchise voters or cause long lines. These bugs could be used to selectively trigger a crash only on some machines, in some geographic areas, or based on certain conditions, such as which candidate has received more votes.
For instance, it would be possible to write a malicious AccuBasic script so that, when the operator prints a summary report at the end of the day, the script examines the vote counters and either crashes or continues operating normally according to which candidate is in the lead.
Unfortunately, the ability of malicious AccuBasic scripts to crash the machine is currently embedded in the architecture of the interpreter. Any infinite loop in the AccuBasic script immediately translates into an infinite loop in the interpreter (which causes the machine to stop responding, and is indistinguishable from a crash), and any infinite recursion in the AccuBasic script translates into stack overflow in the interpreter (which could corrupt stack memory or crash the machine).


http://itpolicy.princeton.edu/voting/
Security Analysis of the Diebold AccuVote-TS Voting Machine
Executive Summary

Ariel J. Feldman, J. Alex Halderman, and Edward W. Felten
http://itpolicy.princeton.edu/voting/summary.html

Main Findings The main findings of our study are:

1. Malicious software running on a single voting machine can steal votes with little if any risk of detection. The malicious software can modify all of the records, audit logs, and counters kept by the voting machine, so that even careful forensic examination of these records will find nothing amiss. We have constructed demonstration software that carries out this vote-stealing attack.

2. Anyone who has physical access to a voting machine, or to a memory card that will later be inserted into a machine, can install said malicious software using a simple method that takes as little as one minute. In practice, poll workers and others often have unsupervised access to the machines.

3. AccuVote-TS machines are susceptible to voting-machine viruses — computer viruses that can spread malicious software automatically and invisibly from machine to machine during normal pre- and post-election activity. We have constructed a demonstration virus that spreads in this way, installing our demonstration vote-stealing program on every machine it infects.

4. While some of these problems can be eliminated by improving Diebold's software, others cannot be remedied without replacing the machines' hardware. Changes to election procedures would also be required to ensure security.


Security Assessment of the Diebold Optical Scan Voting Terminal

A. Kiayias L. Michel A. Russell A. A. Shvartsman
UConn VoTeR Center and
Department of Computer Science and Engineering,
University of Connecticut
with the assistance of
M. Korman, A. See, N. Shashidhar, D. Walluck
October 30, 2006
------------------------------------------
In particular we show that even if the memory card is sealed and pre-election testing is performed, one can carry out a devastating array of attacks against an election using only off-the-shelf equipment and without having ever to access the card physically or opening the AV-OS system box.
Our attacks include the following:
1. Neutralizing candidates. The votes cast for a candidate are not recorded.
2. Swapping candidates. The votes cast for two candidates are swapped.
3. Biased Reporting. The votes are counted correctly by the terminal, but they are reported incorrectly using conditionally-triggered biases.
Our attacks exploit the serial communication capability of the AV-OS and demonstrate how the attacker can easily take control of the machine and force it to compromise its sealed-in resident memory card. Moreover, we demonstrate how one can make the AV-OS appear to be uncompromised to an evaluator that performs a pre-election test by voting hand-counted ballots, or to an evaluator that examines the audit reports that are produced by the terminal. A corrupted terminal will in fact appear to be faithfully reporting any election procedure that is conducted prior to the day of the election, only to misreport its results on the day of the election.
We also present a low-tech “digital ballot stuffing” attack that is made possible due to the mechanical characteristics of the optical scan reader. This simple attack enables any voter to vote an arbitrary number of times using two Post-it-notes. This attack makes it imperative to have the terminal under constant supervision during elections.
The vulnerability assessment provided in this paper is based only on experimentation with the system. At no point in time had we used, or had access to, internal documentation from the manufacturer or the vendor, including internal machine specifications, source code of the machine’s operating system, layout of the data on the memory card, or the source of the GEMS ballot design and tabulation software. We developed attacks and software that compromises the elections from first principles, by observing system’s behavior and interaction with its environment. Based on this fact, we conclude that attackers with access to the components of the AVOS system can reverse-engineer it in ways that critically compromise its security, discover the vulnerabilities presented herein and develop the attacks that exploit them.
----------------------------------------------
4.1.3 Compromised Election Results
An election is deemed corrupted when the miscounted results get tabulated into the overall election totals. If this is performed manually using the printed receipts that are produced by a corrupted terminal, the corruption of an election would be immediate. The results can also be tabulated electronically, by consolidating memory cards using a terminal and communicating such results to the central tabulation system implemented in GEMS.
The compromised cards that contained the improperly aligned counters are accepted by the central tabulation system without any warning or any other indication that they may be corrupted.
4.2 Multiple Voting Using Two Post-It® Notes
In this section we present a simple low-tech attack that is based on the following facts regarding the ballot feeding mechanism of the AV-OS terminal:
• The ballot-feed sensor is located on the right side of the slot. Feeding paper into the left side does not trigger the feed mechanism.
• Once a ballot is fed into the AV-OS, the rollers cease. It is thus possible to retract a ballot from the other side of the rollers. This is easily done even when the AV-OS has been properly locked into position atop the ballot box. Moreover, this can be done very quickly, so that the amount of extra votes is only limited to the amount of time the voter is able to spend alone with the ballot box on election day.
• The machine is unable to recognize ballots that have already been cast. Although the AV-OS verifies an election identifier which is global to every ballot in a precinct, it allows the same ballot to be cast as many times as desired.
We demonstrate how this vulnerability can be very easily exploited by any voter during the actual election if she is allowed to operate the machine without being observed by a poll-worker. See Figure 9 for an example of an AV-OS ballot with the two Post-it notes affixed to its side. The attacker in this case is allowed to use the machine while unattended and he can pull out and re-insert the shown ballot so that the same vote is cast multiple times.
http://voter.engr.uconn.edu/voter/Report-OS_files/uconn_report-os.pdf


Optical Scan Ballot Design
Douglas W. Jones
Sept 15, 2005

------------------------------
Resource requirements: The perpetrator must be in a position to control the design and printing of the ballots. For attacks targeted at the precinct level, this means that the perpetrator must either work for the ballot printer or the county. The printer can introduce alignment errors, while the county controls all of the textual content. For attacks that exploit different ballot designs from county to county, the perpetrator must either control many county election offices or must work in a supervisory role at the state level. The state officer who approves ballot content can do quite a bit if he simply gives a free rein to incompetent county election administrators in counties controlled by the opposition while extending help primarily to election administrators in counties favoring the ruling party.
Potential gain:
Rates of voter error have exceeded 10% in some jurisdictions during some elections. If this error can be controlled so that these high rates occur primarily in communities where opposition voters are likely to vote, the net benefit, in terms of the final election total, could easily be on the order of 1% or more.
Likelihood of detection:
Anything involving ballot design is public record, and the ballots themselves remain to be examined for 22 months after the election. Should a candidate suspect that there has been deliberate misprinting of index marks or voting targets, this can easily be detected if the ballots are available for examination. There is a common catch-22 here: In many jurisdictions, attempts to examine the actual ballots have been blocked because the person wanting to make the examination had no proof that there was anything wrong. The proof, of course, rested in the ballots themselves. Bad human factors in ballot design is so widespread that any deliberate manipulation of the design can be easily hidden or blamed on incompetent underlings or local officials.
http://vote.nist.gov/threats/papers/optical_scan_ballot_design.pdf

Ballot Definition Files
No Review Is Provided for a Key Component of Voting System Software

While the cause of many election miscounts is not clear, many other miscounts suggest that the ballot definitions were programmed incorrectly. Here are several examples of elections in which errors in the ballot definition file definitely caused the problems:

September 2002. Union County, Florida. A programming error caused ES&S Model 100 machines to read 2,642 Democratic and Republican votes as entirely Republican in the September 2002 election.

November 2002, Wayne County, North Carolina. A programming error caused the Optech Eagle optical scan machines to skip several thousand party-line votes, both Republican and Democrat. Correcting the error turned up 5,500 more votes and reversed the outcome for the House District 11 state representative race. [20]

April 2003, Lake County, Illinois. An ES&S ballot programming error failed to account for "no candidate" listings in some races on the ballot, and results were placed next to the names of the wrong candidates in four races. Correcting the problem changed the outcomes in some races. [21]

May 2004, Craighead County, Arkansas. The chip programmed by ES&S for the county's optical scanner gave one candidate all the votes for constable. A manual recount revealed the error. [22]

November 2004, Medford, Wisconsin. ES&S programmers failed to set up the optical scanners to read straight-party votes. About 600 of the 2,256 ballots cast were not counted. [23]

June 2006, Pottawattamie County, Iowa. ES&S set up the ballot data and created the test deck, but failed to account for candidate rotation, so votes were tallied wrong in the rotated races. [24]

The following miscount strongly suggests that the candidates were simply switched in the ballot data of the computer in "one ward."

August 2002. Clay County, Kansas. The tabulation machine showed that one candidate for commissioner had won, but a hand recount showed that his opponent had won by a landslide. In one ward, the computer had mistakenly reversed the totals. [25]

Though the cause of the following problem wasn't fully analyzed, the symptoms suggest that the ballot definition file in the central tabulation computer didn't match those on the data packs.

November 2002. Baldwin County, Alabama. The ES&S Optech 3P Eagle optical scanners printed out results of the gubernatorial election when the polls closed. Then the data packs were taken to the central computer to be tabulated, and the tabulation machine, which gave different results, showed the election was won by the wrong candidate. Three other counties had the same problem, but they corrected the problem by typing in the vote totals rather than reading the data packs. [26]

The ballot program in the memory packs read the ballots incorrectly. The vendor, ES&S, accepted responsibility for the programming error and paid for a hand recount. [15]

September 2002. Robeson County, North Carolina. Ballot tabulating machines failed to work properly in 31 of 41 precincts. Local election officials said the problem was the result of a software glitch, and ballots had to be recounted. There had been a problem in the programming of the memory cards. [16]

November 2002. Scurry County, Texas. A landslide victory for two commissioner candidates caused poll workers to question the results. The chip in the ES&S 650 contained an incorrect ballot program. ES&S sent a new chip, and the county officials also counted the votes by hand. The opposing candidates actually won by large margins. [18]
http://www.votersunite.org/info/BallotProgramming.pdf
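
The AccuBasic report excerpt quoted in the post above says that an infinite loop or infinite recursion in a script becomes a hang or stack overflow in the interpreter itself, and lists buffer overruns and array bounds violations among the bugs found. The following is an added illustration, not part of the thread, of either report, or of any vendor's code: a hypothetical toy bytecode interpreter in C (its opcodes, limits and sample programs are all invented here) that bounds-checks every fetch and enforces a step budget and a call-depth ceiling, so untrusted bytecode produces an error code instead of hanging or corrupting the host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical toy bytecode (NOT AccuBasic): 1-byte opcodes, 1-byte operands. */
enum { OP_HALT, OP_PUSH, OP_ADD, OP_JMP, OP_CALL, OP_RET };

typedef enum { VM_OK, VM_ERR_BOUNDS, VM_ERR_STACK, VM_ERR_DEPTH,
               VM_ERR_STEPS, VM_ERR_OPCODE } vm_status;

#define STACK_MAX 16     /* operand stack slots */
#define CALL_MAX  8      /* call-depth ceiling, independent of the host stack */
#define STEP_MAX  10000  /* instruction budget for one run */

/* Constructed sample programs. */
static const uint8_t PROG_SUM[]   = { OP_PUSH, 2, OP_PUSH, 3, OP_ADD, OP_HALT };
static const uint8_t PROG_LOOP[]  = { OP_JMP, 0 };    /* infinite loop */
static const uint8_t PROG_RECUR[] = { OP_CALL, 0 };   /* infinite recursion */
static const uint8_t PROG_TRUNC[] = { OP_PUSH };      /* operand missing */
static const uint8_t PROG_WILD[]  = { OP_JMP, 200 };  /* jump outside the code */
static int32_t g_out;                                 /* result slot for the demo */

/* Runs untrusted code[0..len). On VM_OK, *result is the top of stack (0 if empty). */
vm_status vm_run(const uint8_t *code, size_t len, int32_t *result)
{
    int32_t stack[STACK_MAX];
    size_t ret[CALL_MAX];
    size_t sp = 0, depth = 0, pc = 0;

    for (unsigned long steps = 0; ; steps++) {
        if (steps >= STEP_MAX) return VM_ERR_STEPS;  /* a script loop cannot hang the host */
        if (pc >= len) return VM_ERR_BOUNDS;         /* never fetch past the buffer */
        uint8_t op = code[pc++];
        uint8_t arg = 0;
        if (op == OP_PUSH || op == OP_JMP || op == OP_CALL) {
            if (pc >= len) return VM_ERR_BOUNDS;     /* operand byte must exist */
            arg = code[pc++];
        }
        switch (op) {
        case OP_HALT:
            *result = sp ? stack[sp - 1] : 0;
            return VM_OK;
        case OP_PUSH:
            if (sp >= STACK_MAX) return VM_ERR_STACK;
            stack[sp++] = arg;
            break;
        case OP_ADD:
            if (sp < 2) return VM_ERR_STACK;
            stack[sp - 2] += stack[sp - 1];  /* <= 255 * STEP_MAX, cannot overflow */
            sp--;
            break;
        case OP_JMP:
            if (arg >= len) return VM_ERR_BOUNDS;
            pc = arg;
            break;
        case OP_CALL:
            if (arg >= len) return VM_ERR_BOUNDS;
            if (depth >= CALL_MAX) return VM_ERR_DEPTH;  /* recursion is an error, not a crash */
            ret[depth++] = pc;
            pc = arg;
            break;
        case OP_RET:
            if (depth == 0) return VM_ERR_STACK;
            pc = ret[--depth];
            break;
        default:
            return VM_ERR_OPCODE;
        }
    }
}

int main(void)
{
    printf("sum:   status %d\n", vm_run(PROG_SUM, sizeof PROG_SUM, &g_out));
    printf("loop:  status %d\n", vm_run(PROG_LOOP, sizeof PROG_LOOP, &g_out));
    printf("recur: status %d\n", vm_run(PROG_RECUR, sizeof PROG_RECUR, &g_out));
    printf("trunc: status %d\n", vm_run(PROG_TRUNC, sizeof PROG_TRUNC, &g_out));
    printf("wild:  status %d\n", vm_run(PROG_WILD, sizeof PROG_WILD, &g_out));
    return 0;
}
```
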

Elspeth Donating Member (1000+ posts) Sun Jan-20-08 02:18 PM
Response to Original message
1. Oh, good lord. K&R
:kick:

stillcool Donating Member (1000+ posts) Sun Jan-20-08 02:30 PM
Response to Reply #1
2. They must all be a bunch of conspiracy...
theorists. Just in case they are not one might want to think on this:

http://salsa.democracyinaction.org/o/199/campaign.jsp?campaign_KEY=22334

Tell Congress: Pass Emergency Bill for Secure Elections in 2008

Now is your best chance to help make the 2008 Presidential election verifiable. Please ask your members of Congress to co-sponsor the "Emergency Assistance for Secure Elections Act of 2008", Representative Rush Holt's bill to provide emergency funding for paper ballots voting systems and random hand counted audits of the November elections.

Elspeth Donating Member (1000+ posts) Sun Jan-20-08 02:48 PM
Response to Reply #2
4. Well, if we're looking at a conspiracy...
then we should be conspiracy theorists

stillcool Donating Member (1000+ posts) Sun Jan-20-08 02:39 PM
Response to Original message
3. I felt so fortunate...
when I looked at this site: http://www.verifiedvoting.org/verifier/
I found out my state uses all paper ballots. Too bad we don't count them!:rofl: I wonder what happens when multiple people change the results on multiple machines? I guess we'll never find out!:rofl: