votebox a verifiable tamper evident electronic voting
play

VoteBox: a verifiable, tamper-evident electronic voting system - PowerPoint PPT Presentation

Jul 02, 2023 •500 likes •1.38k views

VoteBox: a verifiable, tamper-evident electronic voting system Daniel R. Sandler Rice University

  1. VoteBox: a verifiable, tamper-evident electronic voting system � � � ฀ � � � � � � � � Daniel R. Sandler � � ฀ � � � � � � ฀ Rice University � ฀ � � � � � � � ฀ � � � � � � February 17, 2009 | The Johns Hopkins University

  2. T alk outline Background Trustworthiness of electronic voting machines Why it’s worth improving them The design of VoteBox Durability and audit Ballot casting assurance Beyond

  3. 1. Background

  4. DRE voting machines (Direct Recording Electronic)

  5. flash memory graphical display touch screen buttons dials

  6. + US Presidential election (2000) HAVA (2002)

  7. DREs discredited High-profile failures in real elections A few examples: 2006: Sarasota, FL undervoting ~18,000 ballots blank in the congressional race (~15%) margin of victory: 369 votes 2008: video documentation of “vote flipping” touch-screen calibration? buggy input filters? Ongoing: long lines due to complex set- up, equipment problems, etc.

  8. DREs discredited Software bugs & design flaws identified by e-voting researchers 2003 Analysis of Diebold AccuVote TS Leaked source code analyzed [Kohno et al. 2004] Poor software engineering, incorrect cryptography, vulnerable to malicious upgrades, multiple voting 2006 “Voting-machine virus” developed Self-propagating malicious upgrades that spread from machine to machine, altering votes and leaving no trace [Feldman et al. 2006]

  9. DREs discredited Software bugs & design flaws identified by e-voting researchers 2007 Involvement by computer scientists in statewide voting systems audits groundbreaking access to source code of commercial voting systems Top-To-Bottom Review (California) ‣ All machines certified for use in CA found to have serious bugs & be vulnerable to attack ‣ Viral-style attacks found in all systems EVEREST study (Ohio) ‣ All machines certified in OH found vulnerable (validating CA-TTBR) ‣ Showed that hundreds of votes were lost in 2004

  10. malfunctions could result in changed or lost votes design flaws could let attackers alter the election outcome without leaving evidence

  11. Result: undermined trust in elections

  12. ?

  13. voters prefer electronic voting S. P . Everett, K. K. Greene, M. D. Byrne, D. S. Wallach, K. Derr, D. R. Sandler , and T. Torous. Electronic voting machines versus traditional methods: Improved preference, similar performance. In CHI 2008.

  14. legitimate benefits accessibility feedback flexibility satisfaction

  15. can we design a better DRE? “better” = ?

  16. goals 1. resistance to failure & tampering essential vote data should survive hardware failure, poll worker mistakes, attempts to attack the system

  17. goals 2. tamper-evidence if we are unable to prevent data loss, we must always be able to detect the failure

  18. goals 3. verifiability two useful properties: cast-as-intended “Was my vote recorded faithfully?” very, very hard for DREs to satisfy counted-as-cast “Has my vote been tallied correctly?” can be somewhat addressed with recounts

  19. goals resistance to failure & tampering prevent or minimize data loss tamper-evidence if resistance is futile verifiability cast-as-intended; counted-as-cast (DRE user experience)

  20. a computer science problem resistance to failure & tampering replication; gossip tamper-evidence secure logs Auditorium verifiability cryptography Ballot challenge

  21. 2. VoteBox

  22. A field study.

  23. Webb County, TX

  24. Laredo March 7, 2006: Democratic primary election (County’s first use of DREs)

  25. An unusual situation Voters given a choice: OR DRE Paper (ES&S iVotronic) (central ES&S op-scan)

  26. Flores v. Lopez ~50,000 votes cast Margin of victory: ~100 votes The loser suspected the DREs …because he looked better on paper Lawsuit Bring in the experts.

  27. initial investigation: gathering data (April 2006)

  28. Webb Co. data Raw binary data from Compact Flash cards Opaque, undocumented format Text output from tabulation process IMAGELOG.TXT (cast ballots) EVENTLOG.TXT (more on that later)

  29. What we found A smoking gun? Evil voting machines? HACKS?? inherently difficult to find evidence with DREs!

  30. What we (really) found Anomalies in the event logs Per-machine records Captured during machine run time Transferred to tabulator ( IMAGELOG.TXT ) A timeline of important election events e.g. “terminal open,” “ballot cast,” …

  31. Example event log Votronic PEB# Type Date Time Event 5140052 161061 SUP 03/07/2006 15:29:03 01 Terminal clear and test 03/07/2006 15:29:03 160980 SUP 03/07/2006 15:31:15 09 Terminal open 03/07/2006 15:34:47 13 Print zero tape 03/07/2006 15:36:36 13 Print zero tape 160999 SUP 03/07/2006 15:56:50 20 Normal ballot cast 03/07/2006 16:47:12 20 Normal ballot cast 03/07/2006 18:07:29 20 Normal ballot cast 03/07/2006 18:17:03 20 Normal ballot cast 03/07/2006 18:37:24 22 Super ballot cancel 03/07/2006 18:41:18 20 Normal ballot cast 03/07/2006 18:46:23 20 Normal ballot cast 160980 SUP 03/07/2006 19:07:14 10 Terminal close

  32. Problem #1 Logs starting mid-day 03/07/2006 15:29:03 Terminal clear and test 03/07/2006 15:31:15 Terminal open Polls opened around 7 AM across Webb Co. What happened between 7 and 3:30? Lost votes?

  33. Problem #2 Election events on wrong day A normal voting pattern: Votronic PEB# Type Date Time Event 5142523 161061 SUP 02/26/2006 19:07:05 01 Terminal clear and test 161115 SUP 03/06/2006 06:57:23 09 Terminal open 03/06/2006 07:01:47 13 Print zero tape 03/06/2006 07:03:41 13 Print zero tape 161109 SUP 03/06/2006 10:08:26 20 Normal ballot cast [... 9 more ballots cast ...] 161115 SUP 03/06/2006 19:29:00 27 Override 03/06/2006 19:29:00 10 Terminal close The election was held on 03/07! Ballot box stuffing the day before?

  34. A different pattern: Votronic PEB# Type Date Time Event 5145172 161061 SUP 03/06/2006 15:04:09 01 Terminal clear and test 161126 SUP 03/06/2006 15:19:34 09 Terminal open 160973 SUP 03/06/2006 15:26:59 20 Normal ballot cast 03/06/2006 15:30:39 20 Normal ballot cast 161126 SUP 03/06/2006 15:38:37 27 Override 03/06/2006 15:38:37 10 Terminal close 26 machines with exactly two ballots cast the day before (always for the same guy) We learned that these might be “logic and accuracy test” votes, erroneously included in the tally

  35. initial investigation follow-up trip: direct inspection

  36. photo of voting machines

  38. source: wunderground.com

  39. Findings Machines containing only two votes Hardware clock appeared normal Most likely L&A test votes Others Hardware clock set incorrectly …just enough to account for anomaly This is not proof of correct behavior!

  40. Problem #3 Insufficient audit data We couldn’t collect data from every machine Many were cleared after the election (Poll workers not supposed to do this!) Paper records missing Zero tapes Cancelled ballot logs Procedural errors by administrators, pollworkers (but the machines didn’t help)

  41. “Mistakes were made.”

  42. Mistakes were made Violations of election procedures Counting test votes in final results Loss of zero tapes and other paper logs Erasure of some machines Local (mis)configuration Hardware clocks set wrong These things cast doubt on the results

  43. Honest mistakes or illegitimate votes?

  44. No way to be sure. Believable audits impossible.

  45. Research goals Make it easier to audit results after the election Make it harder to make mistakes on election day In particular: Prove every vote tallied is valid every valid vote is present Tolerate accidental loss/deletion of records election-day machine failure

  46. How?

  47. Connect the machines together.

  48. “The Auditorium” “The Auditorium”

  49. Auditorium’s approach Store everything everywhere Massive redundancy Stop trusting DREs to keep their own audit data Link all votes, events together Create a secure timeline of election events Tamper-evident proof of each vote’s legitimacy D. Sandler and D. S. Wallach. Casting Votes in the Auditorium. In Proceedings of the 2nd USENIX/ACCURATE Electronic Voting Technology Workshop (EVT’07).

  50. Ingredient: hash chains “Machine turned on” (HASH = 0x1234) “Cast a vote after event 0x1234” (HASH = 0xABCD) “Cast a vote after event 0xABCD” (HASH = 0xBEEF) “Turned off after event 0xBEEF” (HASH = 0x4242) A hash-chained secure log Every event includes the cryptographic hash (e.g. SHA1) of a previous event [Schneier & Kelsey ’99] Result: provable order If Y includes H( X ), then Y must have happened after X Any individual change to the log invalidates all later hashes (breaks the chain) To alter, insert, or delete a single record you must alter every subsequent event as well

  51. Ingredient: timeline entanglement Entanglement = “chain with hashes from others” Result: event ordering between participants [Maniatis & Baker ’02] Malicious machines can’t retroactively alter their own logs it would violate commitments they have already exchanged with others

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Arajo,

Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Arajo,

Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Arajo, Amira Barki, Solenn Brunet and Jacques Traor 1st Workshop on Advances in Secure Electronic Voting Schemes VOTING16 February 26th, 2016

532 views • 23 slides
AEGIS: Architecture for Tamper-Evident and Tamper-Resistant Processing G. Edward Suh, Dwaine

AEGIS: Architecture for Tamper-Evident and Tamper-Resistant Processing G. Edward Suh, Dwaine

AEGIS: Architecture for Tamper-Evident and Tamper-Resistant Processing G. Edward Suh, Dwaine Clarke, Blaise Gassend, Marten van Dijk, Srinivas Devadas Massachusetts Institute of Technology L C S Cases for Physical Security Applications

519 views • 23 slides
Efficient Data Structures for Tamper-Evident Logging Scott A. Crosby Dan S. Wallach Rice

Efficient Data Structures for Tamper-Evident Logging Scott A. Crosby Dan S. Wallach Rice

Efficient Data Structures for Tamper-Evident Logging Scott A. Crosby Dan S. Wallach Rice University Everyone has logs Tamper evident solutions Current commercial solutions Write only hardware appliances Security depends on

1.32k views • 82 slides
Usable Verifiable Remote Electronic Voting case study HELIOS 18.07.2012 SecVote Dagstuhl

Usable Verifiable Remote Electronic Voting case study HELIOS 18.07.2012 SecVote Dagstuhl

Usable Verifiable Remote Electronic Voting case study HELIOS 18.07.2012 SecVote Dagstuhl Comments Based on research results from the project Usable Verifiability in Remote Electronic Voting Project funded by Research conducted

769 views • 59 slides
TAMPER EVIDENT BYPASSES BY MOS AND BOO THE PACKAGING COUNCIL OF AUSTRALIA Packaging which

TAMPER EVIDENT BYPASSES BY MOS AND BOO THE PACKAGING COUNCIL OF AUSTRALIA Packaging which

TAMPER EVIDENT BYPASSES BY MOS AND BOO THE PACKAGING COUNCIL OF AUSTRALIA Packaging which possesses a barrier to entry which, if breached or missing, will provide visible evidence to consumers that tampering had occurred MESOPOTAMIAN

516 views • 30 slides
Electronic Voting Electronic voting at a precinct Analysis of an Internet Voting Focus

Electronic Voting Electronic voting at a precinct Analysis of an Internet Voting Focus

Electronic Voting Electronic voting at a precinct Analysis of an Internet Voting Focus is on preventing fraud on the part of Protocol people building and running system. Electronic voting over the internet Dale Neal Must

508 views • 5 slides
Ersin kszo lu Dan S. Wallach VoteBox Full featured DRE voting machine Paper in

Ersin kszo lu Dan S. Wallach VoteBox Full featured DRE voting machine Paper in

EVT/WOTE 09 AUGUST ST 10, 2009 Ersin kszo lu Dan S. Wallach VoteBox Full featured DRE voting machine Paper in USENIX Security Symposium 2008 2 Pre-rendered Network ballot user interface replication increases the

325 views • 28 slides
New Insights to Key Derivation for Tamper-Evident Physical Unclonable Functions (PUFs) Vincent

New Insights to Key Derivation for Tamper-Evident Physical Unclonable Functions (PUFs) Vincent

New Insights to Key Derivation for Tamper-Evident Physical Unclonable Functions (PUFs) Vincent Immler, Karthik Uppund Conference on Cryptographic Hardware and Embedded Systems, Atlanta, Aug 26, 2019 PUF in a Nutshell: Biometrics of Objects PUF

403 views • 21 slides
MA Final Talk: Tamper-Evident Publication of Internet Measurements Max Helm Advisors: Oliver

MA Final Talk: Tamper-Evident Publication of Internet Measurements Max Helm Advisors: Oliver

Chair of Network Architectures and Services Department of Informatics Technical University of Munich MA Final Talk: Tamper-Evident Publication of Internet Measurements Max Helm Advisors: Oliver Gasser, Benjamin Hof, Quirin Scheitle July 16,

423 views • 26 slides
5/24/10 Modern Hardware is Complex Modern systems built on layers of hardware Tamper Evident

5/24/10 Modern Hardware is Complex Modern systems built on layers of hardware Tamper Evident

5/24/10 Modern Hardware is Complex Modern systems built on layers of hardware Tamper Evident Microprocessors Applications OS Hypervisor Motherboard/ Slave Chips Adam Waksman CPU Simha Sethumadhavan Complexity increases risk of

340 views • 4 slides
Publius: A robust, tamper-evident, censorship-resistant web publishing system M Waldman, A Rubin

Publius: A robust, tamper-evident, censorship-resistant web publishing system M Waldman, A Rubin

Publius: A robust, tamper-evident, censorship-resistant web publishing system M Waldman, A Rubin and L Cranor Ranjit Randhawa Department of Computer Science Virginia Tech Outline Overview of Publius Anonymity tools Publius in

414 views • 13 slides
Custos: Practical Tamper-Evident Auditing of Operating Systems Using Trusted Execution Riccardo

Custos: Practical Tamper-Evident Auditing of Operating Systems Using Trusted Execution Riccardo

Custos: Practical Tamper-Evident Auditing of Operating Systems Using Trusted Execution Riccardo Paccagnella, Pubali Datta, Wajih Ul Hassan, Adam Bates, Christopher W. Fletcher, Andrew Miller, Dave Tian Logs Are Useful 2 Custos: Practical

730 views • 58 slides
Source Paper An Anonymous Electronic Voting Protocol An Electronic Voting Protocol for

Source Paper An Anonymous Electronic Voting Protocol An Electronic Voting Protocol for

Source Paper An Anonymous Electronic Voting Protocol An Electronic Voting Protocol for Voting Over the Internet, Indrajit Ray, (revisited) Indrakshi Ray, Natarajan Narasimhamurthi Paul Valiant extending work by Dale Neal &

441 views • 5 slides
Enhanced Tally Scheme for the DEMOS End-2- End Verifiable E-voting Thomas Souliotis 1

Enhanced Tally Scheme for the DEMOS End-2- End Verifiable E-voting Thomas Souliotis 1

Enhanced Tally Scheme for the DEMOS End-2- End Verifiable E-voting Thomas Souliotis 1 Table of Contents Background Public Key Cryptography Zero Knowledge Proofs Homomorphic Encryption DEMOS Introduction

492 views • 34 slides
Verifying Electronic Voting Protocols in the Applied Pi Calculus Mark Ryan University of

Verifying Electronic Voting Protocols in the Applied Pi Calculus Mark Ryan University of

Verifying Electronic Voting Protocols in the Applied Pi Calculus Mark Ryan University of Birmingham joint work with St ephanie Delaune and Steve Kremer LSV Cachan, France SoCS Seminar November 2007 Outline Electronic voting Electronic

763 views • 33 slides
Electronic Voting Ronald L. Rivest MIT CSAIL NSA June 3, 2004 Outline Introduction /

Electronic Voting Ronald L. Rivest MIT CSAIL NSA June 3, 2004 Outline Introduction /

Electronic Voting Ronald L. Rivest MIT CSAIL NSA June 3, 2004 Outline Introduction / Voting Voting using mix-nets Randomized Partial Checking (Jakobsson/Juels/Rivest USENIX 02) Pedagogic variant of Chaums proposal Voting

758 views • 36 slides
Friedrich NIETZSCHE If it is in purple then it is a quote GOD IS DEAD. God remains

Friedrich NIETZSCHE If it is in purple then it is a quote GOD IS DEAD. God remains

Friedrich NIETZSCHE If it is in purple then it is a quote GOD IS DEAD. God remains dead. And we have killed him. How shall we comfort ourselves, the murderers of all murderers? What festivals, what sacred games of atonement shall we

815 views • 27 slides
Brooklin French Immersion Study Committee Meeting 1 February 13, 2020 Agenda 1. Welcome 2.

Brooklin French Immersion Study Committee Meeting 1 February 13, 2020 Agenda 1. Welcome 2.

Brooklin French Immersion Study Committee Meeting 1 February 13, 2020 Agenda 1. Welcome 2. Land Acknowledgement | Opening Prayer 3. Introduction of Committee Members 4. Mandate of the Committee 5. Meeting Dates and Locations | Meeting

500 views • 37 slides
Open Domain Question Answering Bogdan Sacaleanu (based on slides from Bernardo Magnini, RANLP

Open Domain Question Answering Bogdan Sacaleanu (based on slides from Bernardo Magnini, RANLP

21.12.2011 Open Domain Question Answering Bogdan Sacaleanu (based on slides from Bernardo Magnini, RANLP 2005) 1 Outline of the Tutorial Introduction to QA I. QA at TREC II. System Architecture III. - Question Processing - Answer

890 views • 42 slides
Measuring Topic Quality in Latent Dirichlet Allocation Sergey Nikolenko Sergei Koltsov Olessia

Measuring Topic Quality in Latent Dirichlet Allocation Sergey Nikolenko Sergei Koltsov Olessia

Topic modeling Measuring topic quality Measuring Topic Quality in Latent Dirichlet Allocation Sergey Nikolenko Sergei Koltsov Olessia Koltsova Steklov Institute of Mathematics at St. Petersburg Laboratory for Internet Studies, National

597 views • 26 slides
Canyon Bible Church Ma Mark 1 k 12:30-31 31 BL BLESSED BE BE YOU YOUR NAME Bl Blesse

Canyon Bible Church Ma Mark 1 k 12:30-31 31 BL BLESSED BE BE YOU YOUR NAME Bl Blesse

Canyon Bible Church Ma Mark 1 k 12:30-31 31 BL BLESSED BE BE YOU YOUR NAME Bl Blesse ssed be Your r name ame In In the e lan and that at is s plen entifu ful Wh Where ere the e st stream reams s of f ab abundan ance

1.26k views • 92 slides
Computer Supported Modeling and Reasoning David Basin, Achim D. Brucker, Jan-Georg Smaus, and

Computer Supported Modeling and Reasoning David Basin, Achim D. Brucker, Jan-Georg Smaus, and

Computer Supported Modeling and Reasoning David Basin, Achim D. Brucker, Jan-Georg Smaus, and Burkhart Wolff April 2005 http://www.infsec.ethz.ch/education/permanent/csmr/ Na ve Set Theory David Basin, Burkhart Wolff, and Jan-Georg

897 views • 54 slides
A Formal Interpretation of Frame Composition Wiebke Petersen & Tanja Osswald

A Formal Interpretation of Frame Composition Wiebke Petersen & Tanja Osswald

Frames Classification of concepts Frame Composition Composition and Language A Formal Interpretation of Frame Composition Wiebke Petersen & Tanja Osswald Heinrich-Heine-Universit at D usseldorf Research group on Functional

1.11k views • 86 slides
Stanford CS193p Developing Applications for iOS Winter 2017 CS193p Winter 2017 Today More

Stanford CS193p Developing Applications for iOS Winter 2017 CS193p Winter 2017 Today More

Stanford CS193p Developing Applications for iOS Winter 2017 CS193p Winter 2017 Today More Segues Modal Unwind Popover Embed CS193p Winter 2017 Modal View Controllers A way of segueing that takes over the screen Should be used with care.

744 views • 35 slides

More recommend