This topic is archived. |
stillcool (1000+ posts) | Sun Jan-20-08 02:14 PM | Original message
These studies crack me up!!
Brennan Center For Justice AT NYU School of Law
http://brennan.3cdn.net/a56eba8edf74e9e12e_r2m6b86s2.pdf

Security Analysis of the Diebold AccuBasic Interpreter

Pg. 12

Types of vulnerabilities. The vulnerabilities include several instances of the classic buffer over-run vulnerability, as well as vulnerabilities with a similar effect. This kind of vulnerability would allow someone who could edit the AccuBasic object code on the memory card to completely control the behavior of the voting machine. The instant that the AccuBasic interpreter on the AV-OS or AV-TSx attempts to execute the malicious AccuBasic object code, the machine will be compromised.

Pg 13.

Impact. The consequence of these vulnerabilities is that any person with unsupervised access to a memory card for sufficient time to modify it, or who is in a position to switch a malicious memory card for a good one, had the opportunity to completely compromise the integrity of the electronic tallies from the machine using that card.

Many of these vulnerabilities allow the attacker to seize control of the machine. In particular, they can be used to replace some of the software and the firmware with code of the attacker's choosing. At that point, the voting machine is no longer running the code from the vendor, but is instead running illegitimate code from the attacker. Once the attacker can replace the running code of the machine, the attacker has full control over all operation of the machine. Some of the consequences of this kind of compromise could include:

* The attack could manipulate the electronic tallies in any way desired. These manipulations could be performed at any point during the day. They could be performed selectively, based on knowledge about running tallies during the day. For instance, the attack code could wait until the end of the day, look at the electronic tallies accumulated so far, and choose to modify them only if they are not consistent with the attacker's desired outcome.
* The attack could print fraudulent zero reports and summary reports to prevent detection.
* The attack could modify the contents of the memory card in any way, including tampering with electronic vote counts and electronic ballot images stored on the card.
* The attack could erase all traces of the attack to prevent anyone from detecting the attack after the fact.
* It is even conceivable that there is a way to exploit these vulnerabilities so that changes could persist from one election to another.
* It is conceivable that the attack might be able to propagate from machine to machine, like a computer virus.
* The attack could affect the correct operation of the machine. For instance, on the AV-OS, it could turn off under- and over-vote notification. It could selectively disable over-vote notification for ballots that contain votes for a disfavored candidate, or selectively provide false over-vote notifications for ballots that contain votes for a favored candidate.

----------------------------

Security Analysis of the Diebold AccuBasic Interpreter
David Wagner, David Jefferson, Matt Bishop
Voting Systems Technology Assessment Advisory Board (VSTAAB)
with the assistance of: Chris Karlof, Naveen Sastry
University of California, Berkeley
February 14, 2006
http://www.votetrustusa.org/pdfs/California_Folder/DieboldReport.pdf

--------------------------

Memory card attacks are a real threat: We determined that anyone who has access to a memory card of the AV-OS, and can tamper it (i.e. modify its contents), and can have the modified cards used in a voting machine during election, can indeed modify the election results from that machine in a number of ways. The fact that the results are incorrect cannot be detected except by a recount of the original paper ballots.

Harri Hursti's attack does work: Mr. Hursti's attack on the AV-OS is definitely real. He was indeed able to change the election results by doing nothing more than modifying the contents of a memory card.
He needed no passwords, no cryptographic keys, and no access to any other part of the voting system, including the GEMS election management server.

Interpreter bugs lead to another, more dangerous family of vulnerabilities: However, there is another category of more serious vulnerabilities we discovered that go well beyond what Mr. Hursti demonstrated, and yet require no more access to the voting system than he had. These vulnerabilities are consequences of bugs (16 in all) in the implementation of the AccuBasic interpreter for the AV-OS. These bugs would have no effect at all in the absence of deliberate tampering, and would not be discovered by any amount of functionality testing; but they could allow an attacker to completely control the behavior of the AV-OS. An attacker could change vote totals, modify reports, change the names of candidates, change the races being voted on, or insert his own code into the running firmware of the machine.

Successful attacks can only be detected by examining the paper ballots: There would be no way to know that any of these attacks occurred; the canvass procedure would not detect any anomalies, and would just produce incorrect results. The only way to detect and correct the problem would be by recount of the original paper ballots, e.g. during the 1 percent manual recount.

The bugs are classic, and can only be found by source code review: Finding these bugs was only possible through close study of the source code. All of them are classic security flaws, including buffer overruns, array bounds violations, double-free errors, format string vulnerabilities, and several others. There may, of course, be additional bugs, or kinds of bugs, that we did not find.

---------------------------------------------

Impact.
The consequence of these vulnerabilities is that any person with unsupervised access to a memory card for sufficient time to modify it, or who is in a position to switch a malicious memory card for a good one, has the opportunity to completely compromise the integrity of the electronic tallies from the machine using that card.

Many of these vulnerabilities allow the attacker to seize control of the machine. In particular, they can be used to replace some of the software and the firmware on the machine with code of the attacker's choosing. At that point, the voting system is no longer running the code from the vendor, but is instead running illegitimate code from the attacker. Once the attacker can replace the running code of the machine, the attacker has full control over all operation of the machine. Some of the consequences of this kind of compromise could include:

The attack could manipulate the electronic tallies in any way desired. These manipulations could be performed at any point during the day. They could be performed selectively, based on knowledge about running tallies during the day. For instance, the attack code could wait until the end of the day, look at the electronic tallies accumulated so far, and choose to modify them only if they are not consistent with the attacker's desired outcome.

The attack could print fraudulent zero reports and summary reports to prevent detection.

The attack could modify the contents of the memory card in any way, including tampering with the electronic vote counts and electronic ballot images stored on the card.

The attack could erase all traces of the attack to prevent anyone from detecting the attack after the fact. For instance, once the attack code has gained control, it could overwrite the malicious AccuBasic object code (.abo file) stored on the memory card with legitimate AccuBasic object code, so that no amount of subsequent forensic investigation will uncover any evidence of the compromise.
It is even conceivable that there is a way to exploit these vulnerabilities so that changes could persist from one election to another. For instance, if the firmware or software resident on the machine can be modified or updated by running code, then the attack might be able to modify the firmware or software in a permanent way, affecting future elections as well as the current election. In other words, these vulnerabilities mean that a procedural lapse in one election could potentially affect the integrity of a subsequent election. However, we would not be able to verify or refute this possibility without experimentation with real systems.

---------------------------------------------------------------------------

It is conceivable that the attack might be able to propagate from machine to machine, like a computer virus. For instance, if an uninfected memory card is inserted into an infected voting machine, then the compromised voting machine could replace the AccuBasic object code on that memory card with a malicious AccuBasic script. At that point, the memory card has been infected, and if it is ever inserted into a second uninfected machine, the second machine will become infected as soon as it runs the AccuBasic script.

------------------------------------------

In addition, most of the bugs we found could be used to crash the machine. This might disenfranchise voters or cause long lines. These bugs could be used to selectively trigger a crash only on some machines, in some geographic areas, or based on certain conditions, such as which candidate has received more votes. For instance, it would be possible to write a malicious AccuBasic script so that, when the operator prints a summary report at the end of the day, the script examines the vote counters and either crashes or continues operating normally according to which candidate is in the lead.
Unfortunately, the ability of malicious AccuBasic scripts to crash the machine is currently embedded in the architecture of the interpreter. Any infinite loop in the AccuBasic script immediately translates into an infinite loop in the interpreter (which causes the machine to stop responding, and is indistinguishable from a crash), and any infinite recursion in the AccuBasic script translates into stack overflow in the interpreter (which could corrupt stack memory or crash the machine).

http://itpolicy.princeton.edu/voting/

Security Analysis of the Diebold AccuVote-TS Voting Machine
Executive Summary
Ariel J. Feldman, J. Alex Halderman, and Edward W. Felten
http://itpolicy.princeton.edu/voting/summary.html

Main Findings

The main findings of our study are:

1. Malicious software running on a single voting machine can steal votes with little if any risk of detection. The malicious software can modify all of the records, audit logs, and counters kept by the voting machine, so that even careful forensic examination of these records will find nothing amiss. We have constructed demonstration software that carries out this vote-stealing attack.

2. Anyone who has physical access to a voting machine, or to a memory card that will later be inserted into a machine, can install said malicious software using a simple method that takes as little as one minute. In practice, poll workers and others often have unsupervised access to the machines.

3. AccuVote-TS machines are susceptible to voting-machine viruses — computer viruses that can spread malicious software automatically and invisibly from machine to machine during normal pre- and post-election activity. We have constructed a demonstration virus that spreads in this way, installing our demonstration vote-stealing program on every machine it infects.

4. While some of these problems can be eliminated by improving Diebold's software, others cannot be remedied without replacing the machines' hardware.
Changes to election procedures would also be required to ensure security.

Security Assessment of the Diebold Optical Scan Voting Terminal
A. Kiayias, L. Michel, A. Russell, A. A. Shvartsman
UConn VoTeR Center and Department of Computer Science and Engineering, University of Connecticut
with the assistance of M. Korman, A. See, N. Shashidhar, D. Walluck
October 30, 2006

------------------------------------------

In particular we show that even if the memory card is sealed and pre-election testing is performed, one can carry out a devastating array of attacks against an election using only off-the-shelf equipment and without having ever to access the card physically or opening the AV-OS system box. Our attacks include the following:

1. Neutralizing candidates. The votes cast for a candidate are not recorded.

2. Swapping candidates. The votes cast for two candidates are swapped.

3. Biased Reporting. The votes are counted correctly by the terminal, but they are reported incorrectly using conditionally-triggered biases.

Our attacks exploit the serial communication capability of the AV-OS and demonstrate how the attacker can easily take control of the machine and force it to compromise its sealed-in resident memory card. Moreover, we demonstrate how one can make the AV-OS appear to be uncompromised to an evaluator that performs a pre-election test by voting hand-counted ballots, or to an evaluator that examines the audit reports that are produced by the terminal. A corrupted terminal will in fact appear to be faithfully reporting any election procedure that is conducted prior to the day of the election, only to misreport its results on the day of the election.

We also present a low-tech “digital ballot stuffing” attack that is made possible due to the mechanical characteristics of the optical scan reader. This simple attack enables any voter to vote an arbitrary number of times using two Post-it-notes.
This attack makes it imperative to have the terminal under constant supervision during elections.

The vulnerability assessment provided in this paper is based only on experimentation with the system. At no point in time had we used, or had access to, internal documentation from the manufacturer or the vendor, including internal machine specifications, source code of the machine’s operating system, layout of the data on the memory card, or the source of the GEMS ballot design and tabulation software. We developed attacks and software that compromises the elections from first principles, by observing system’s behavior and interaction with its environment. Based on this fact, we conclude that attackers with access to the components of the AVOS system can reverse-engineer it in ways that critically compromise its security, discover the vulnerabilities presented herein and develop the attacks that exploit them.

----------------------------------------------

4.1.3 Compromised Election Results

An election is deemed corrupted when the miscounted results get tabulated into the overall election totals. If this is performed manually using the printed receipts that are produced by a corrupted terminal, the corruption of an election would be immediate. The results can also be tabulated electronically, by consolidating memory cards using a terminal and communicating such results to the central tabulation system implemented in GEMS. The compromised cards that contained the improperly aligned counters are accepted by the central tabulation system without any warning or any other indication that they may be corrupted.

4.2 Multiple Voting Using Two Post-It® Notes

In this section we present a simple low-tech attack that is based on the following facts regarding the ballot feeding mechanism of the AV-OS terminal:

• The ballot-feed sensor is located on the right side of the slot. Feeding paper into the left side does not trigger the feed mechanism.
• Once a ballot is fed into the AV-OS, the rollers cease. It is thus possible to retract a ballot from the other side of the rollers. This is easily done even when the AV-OS has been properly locked into position atop the ballot box. Moreover, this can be done very quickly, so that the amount of extra votes is only limited to the amount of time the voter is able to spend alone with the ballot box on election day.

• The machine is unable to recognize ballots that have already been cast. Although the AV-OS verifies an election identifier which is global to every ballot in a precinct, it allows the same ballot to be cast as many times as desired.

We demonstrate how this vulnerability can be very easily exploited by any voter during the actual election if she is allowed to operate the machine without being observed by a poll-worker. See Figure 9 for an example of an AV-OS ballot with the two Post-it notes affixed to its side. The attacker in this case is allowed to use the machine while unattended and he can pull out and re-insert the shown ballot so that the same vote is cast multiple times.

http://voter.engr.uconn.edu/voter/Report-OS_files/uconn_report-os.pdf

Optical Scan Ballot Design
Douglas W. Jones
Sept 15, 2005

------------------------------

Resource requirements: The perpetrator must be in a position to control the design and printing of the ballots. For attacks targeted at the precinct level, this means that the perpetrator must either work for the ballot printer or the county. The printer can introduce alignment errors, while the county controls all of the textual content. For attacks that exploit different ballot designs from county to county, the perpetrator must either control many county election offices or must work in a supervisory role at the state level.
The state officer who approves ballot content can do quite a bit if he simply gives a free rein to incompetent county election administrators in counties controlled by the opposition while extending help primarily to election administrators in counties favoring the ruling party.

Potential gain: Rates of voter error have exceeded 10% in some jurisdictions during some elections. If this error can be controlled so that these high rates occur primarily in communities where opposition voters are likely to vote, the net benefit, in terms of the final election total, could easily be on the order of 1% or more.

Likelihood of detection: Anything involving ballot design is public record, and the ballots themselves remain to be examined for 22 months after the election. Should a candidate suspect that there has been deliberate misprinting of index marks or voting targets, this can easily be detected if the ballots are available for examination. There is a common catch-22 here: In many jurisdictions, attempts to examine the actual ballots have been blocked because the person wanting to make the examination had no proof that there was anything wrong. The proof, of course, rested in the ballots themselves. Bad human factors in ballot design is so widespread that any deliberate manipulation of the design can be easily hidden or blamed on incompetent underlings or local officials.

http://vote.nist.gov/threats/papers/optical_scan_ballot_design.pdf

Ballot Definition Files
No Review Is Provided for a Key Component of Voting System Software

While the cause of many election miscounts is not clear, many other miscounts suggest that the ballot definitions were programmed incorrectly. Here are several examples of elections in which errors in the ballot definition file definitely caused the problems:

September 2002. Union County, Florida. A programming error caused ES&S Model 100 machines to read 2,642 Democratic and Republican votes as entirely Republican in the September 2002 election.
November 2002, Wayne County, North Carolina. A programming error caused the Optech Eagle optical scan machines to skip several thousand party-line votes, both Republican and Democrat. Correcting the error turned up 5,500 more votes and reversed the outcome for the House District 11 state representative race. [20]

April 2003, Lake County, Illinois. An ES&S ballot programming error failed to account for "no candidate" listings in some races on the ballot, and results were placed next to the names of the wrong candidates in four races. Correcting the problem changed the outcomes in some races. [21]

May 2004, Craighead County, Arkansas. The chip programmed by ES&S for the county's optical scanner gave one candidate all the votes for constable. A manual recount revealed the error. [22]

November 2004, Medford, Wisconsin. ES&S programmers failed to set up the optical scanners to read straight-party votes. About 600 of the 2,256 ballots cast were not counted. [23]

June 2006, Pottawattamie County, Iowa. ES&S set up the ballot data and created the test deck, but failed to account for candidate rotation, so votes were tallied wrong in the rotated races. [24]

The following miscount strongly suggests that the candidates were simply switched in the ballot data of the computer in "one ward."

August 2002. Clay County, Kansas. The tabulation machine showed that one candidate for commissioner had won, but a hand recount showed that his opponent had won by a landslide. In one ward, the computer had mistakenly reversed the totals. [25]

Though the cause of the following problem wasn't fully analyzed, the symptoms suggest that the ballot definition file in the central tabulation computer didn't match those on the data packs.

November 2002. Baldwin County, Alabama. The ES&S Optech 3P Eagle optical scanners printed out results of the gubernatorial election when the polls closed.
Then the data packs were taken to the central computer to be tabulated, and the tabulation machine, which gave different results, showed the election was won by the wrong candidate. Three other counties had the same problem, but they corrected the problem by typing in the vote totals rather than reading the data packs. [26]

The ballot program in the memory packs read the ballots incorrectly. The vendor, ES&S, accepted responsibility for the programming error and paid for a hand recount. [15]

September 2002. Robeson County, North Carolina. Ballot tabulating machines failed to work properly in 31 of 41 precincts. Local election officials said the problem was the result of a software glitch, and ballots had to be recounted. There had been a problem in the programming of the memory cards. [16]

November 2002. Scurry County, Texas. A landslide victory for two commissioner candidates caused poll workers to question the results. The chip in the ES&S 650 contained an incorrect ballot program. ES&S sent a new chip, and the county officials also counted the votes by hand. The opposing candidates actually won by large margins. [18]

http://www.votersunite.org/info/BallotProgramming.pdf
Printer Friendly | Permalink | | Top |
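The interpreter failure modes quoted in the post above (buffer overruns, array bounds violations, and a script's infinite loop or infinite recursion hanging or overflowing the interpreter) are what explicit bounds and budgets in a bytecode interpreter guard against. The C example below is added here and is not code from the quoted reports or from the vendor; the opcodes, limits and names are hypothetical, and each run is capped by a step budget so a looping script returns an error code.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical toy opcodes, constructed for this example (not AccuBasic). */
enum { OP_HALT, OP_PUSH, OP_ADD, OP_JMP, OP_CALL, OP_RET };
typedef enum { VM_OK, VM_ERR_TRUNCATED, VM_ERR_BAD_OPCODE, VM_ERR_BAD_TARGET,
               VM_ERR_STACK, VM_ERR_CALL_DEPTH, VM_ERR_STEP_BUDGET } vm_status;

#define STACK_MAX   16      /* operand stack slots */
#define CALL_MAX    8       /* nested calls allowed */
#define STEP_BUDGET 10000UL /* instructions per run */

typedef struct {
    const uint8_t *code; size_t len, pc;   /* untrusted program bytes */
    int32_t stack[STACK_MAX]; size_t sp;
    size_t calls[CALL_MAX];   size_t depth;
} vm;

/* Read one program byte; never reads past the end of the buffer. */
static int fetch(vm *m, uint8_t *out) {
    if (m->pc >= m->len) return 0;
    *out = m->code[m->pc++];
    return 1;
}

vm_status vm_run(const uint8_t *code, size_t len, int32_t *result) {
    vm m = { .code = code, .len = len };
    for (unsigned long steps = 0; steps < STEP_BUDGET; steps++) {
        uint8_t op, arg;
        if (!fetch(&m, &op)) return VM_ERR_TRUNCATED;
        switch (op) {
        case OP_HALT:
            if (m.sp == 0) return VM_ERR_STACK;
            *result = m.stack[m.sp - 1];
            return VM_OK;
        case OP_PUSH:
            if (!fetch(&m, &arg)) return VM_ERR_TRUNCATED;
            if (m.sp >= STACK_MAX) return VM_ERR_STACK;   /* no overrun */
            m.stack[m.sp++] = arg;
            break;
        case OP_ADD:
            if (m.sp < 2) return VM_ERR_STACK;            /* no underrun */
            m.stack[m.sp - 2] += m.stack[m.sp - 1];
            m.sp--;
            break;
        case OP_JMP: case OP_CALL:
            if (!fetch(&m, &arg)) return VM_ERR_TRUNCATED;
            if (arg >= m.len) return VM_ERR_BAD_TARGET;
            /* Return addresses sit in a fixed array, not on the C stack. */
            if (op == OP_CALL) {
                if (m.depth >= CALL_MAX) return VM_ERR_CALL_DEPTH;
                m.calls[m.depth++] = m.pc;
            }
            m.pc = arg;
            break;
        case OP_RET:
            if (m.depth == 0) return VM_ERR_CALL_DEPTH;
            m.pc = m.calls[--m.depth];
            break;
        default: return VM_ERR_BAD_OPCODE;
        }
    }
    return VM_ERR_STEP_BUDGET;
}

/* Constructed sample programs. */
const uint8_t PROG_OK[]      = { OP_PUSH, 2, OP_PUSH, 3, OP_ADD, OP_HALT };
const uint8_t PROG_LOOP[]    = { OP_JMP, 0 };   /* jumps to itself */
const uint8_t PROG_RECURSE[] = { OP_CALL, 0 };  /* calls itself */

int main(void) {
    int32_t r = 0;
    return vm_run(PROG_OK, sizeof PROG_OK, &r) == VM_OK && r == 5 ? 0 : 1;
}
```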
Elspeth (1000+ posts) | Sun Jan-20-08 02:18 PM | Response to Original message
1. Oh, good lord. K&R
:kick:
stillcool (1000+ posts) | Sun Jan-20-08 02:30 PM | Response to Reply #1
2. They must all be a bunch of conspiracy...
theorists. Just in case they are not one might want to think on this:
http://salsa.democracyinaction.org/o/199/campaign.jsp?campaign_KEY=22334

Tell Congress: Pass Emergency Bill for Secure Elections in 2008

Now is your best chance to help make the 2008 Presidential election verifiable. Please ask your members of Congress to co-sponsor the "Emergency Assistance for Secure Elections Act of 2008", Representative Rush Holt's bill to provide emergency funding for paper ballots voting systems and random hand counted audits of the November elections.
Elspeth (1000+ posts) | Sun Jan-20-08 02:48 PM | Response to Reply #2
4. Well, if we're looking at a conspiracy...
then we should be conspiracy theorists
stillcool (1000+ posts) | Sun Jan-20-08 02:39 PM | Response to Original message
3. I felt so fortunate...
when I looked at this site: http://www.verifiedvoting.org/verifier/
I found out my state uses all paper ballots. Too bad we don't count them! :rofl: I wonder what happens when multiple people change the results on multiple machines? I guess we'll never find out! :rofl: