Ari Feldman will present his research seminar/general exam on Tuesday May 15 at 2PM in Room 402. The members of his committee are Ed Felten (advisor), Andrew Appel, and David Walker. Everyone is invited to attend his talk, and those faculty wishing to remain for the oral exam following are welcome to do so. His abstract and reading list follow below.

-----------------------------------

Security Analysis of the Diebold AccuVote-TS Voting Machine

The Diebold AccuVote-TS is the most widely deployed electronic voting platform in the United States. It belongs to a class of voting systems known as Direct Recording Electronic (DRE) voting machines, which are essentially general-purpose computers running specialized software that displays the ballots, records each voter's choices, and tabulates the votes. Since, on DREs, the most important parts of the voting process depend entirely on software, the possibility that malicious software could be installed on them poses a grave threat to the accuracy and trustworthiness of elections.

Although computer scientists have long recognized the threat of malicious code to DREs, election officials and policy-makers have, until recently, been slow to accept it. Moreover, often attention in this area has focused on the threat posed by a malicious developer employed by a voting machine manufacturer.

In this talk, I describe how malicious software running on a single AccuVote-TS can steal votes with little if any risk of detection. The malicious software can modify all of the records, audit logs, and counters kept by the voting machine, so that even careful forensic examination of these records will find nothing amiss. I also show how anyone who has physical access to a voting machine, or to a memory card that will later be inserted into a machine, can install malicious code in as little as one minute. Furthermore, I explain how the AccuVote-TS is susceptible to viruses that can spread a vote-stealing payload automatically from machine to machine during normal pre- and post-election activity.

Finally, I discuss the following strategies for mitigating the threat of malicious software on voting machines: hardware modifications, limiting access to voting machines and memory cards, parallel testing, whole system certification, and software independent design. I argue that, of these, only software independent design can provide an acceptable level of security.

Reading List:

Books

Niels Ferguson, Bruce Schneier. Practical Cryptography. Indianapolis: Wiley, 2003.
Matt Bishop. Computer Security. Addison-Wesley, 2003. Chapters 1-3, 10, 12-14, 20, 22-24, 29.

Papers

William A. Arbaugh, David J. Farber, Jonathan M. Smith. A Secure and Reliable Bootstrap Architecture. Available at: http://www.cs.umd.edu/~waa/pubs/oakland97.pdf.
Arel Cordero, David Wagner, David Dill. The Role of Dice in Election Audits -- Extended Abstract. Available at: http://www.cs.berkeley.edu/~daw/papers/dice-wote06.pdf. June 2006.
Douglas W. Jones. Counting Mark-Sense Ballots. 2003. Available at: http://www.cs.uiowa.edu/~jones/voting/optical/.
Douglas W. Jones. Voting on Paper Ballots. Available at: http://www.cs.uiowa.edu/~jones/voting/paper.html.
Chris Karlof, Naveen Sastry, David Wagner. Cryptographic Voting Protocols: A Systems Perspective. Available at: http://www.cs.berkeley.edu/~daw/papers/neffchaum-usenix05.pdf.
Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin, Dan S. Wallach. Analysis of an Electronic Voting System. February 2004. Available at: http://avirubin.com/vote.pdf.
C. Andrew Neff. Practical High Certainty Intent Verification for Encrypted Votes. Available at: http://www.votehere.com/vhti/documentation/vsv-2.0.3638.pdf. October 2004.
C. Andrew Neff. Verifiable Mixing (Shuffling) of ElGamal Pairs. Available at: http://www.votehere.com/vhti/documentation/egshuf-2.0.3638.pdf. April 2004.
Lawrence Norden et al. The Machinery of Democracy: Voting System Security Accessibility, Usability, and Cost. Brennan Center for Justice. pp. 38-121 (Accessibility, Usability). Available at: http://www.brennancenter.org/dynamic/subpages/download_file_38150.pdf.
Stefan Popoveniuc, Ben Hosp. An Introduction to Punchscan. Available at: http://www.punchscan.org/papers/popoveniuc_hosp_punchscan_introduction.pdf. October 2006.
Ronald L. Rivest. On Estimating The Size of a Statistical Audit. Available at: http://theory.lcs.mit.edu/~rivest/Rivest-OnEstimatingTheSizeOfAStatisticalAudit.pdf. November 2006.
Ronald L. Rivest, John P. Wack. On the notion of "software independence" in voting systems. Available at: http://vote.nist.gov/SI-in-voting.pdf. July 2006.
Naveen Sastry, Tadayoshi Kohno, David Wagner. Designing Voting Machines for Verification. Available at: http://www.cs.berkeley.edu/~daw/papers/varch-use06.pdf.