[talks] A Feldman general exam
Melissa M Lawson
mml at CS.Princeton.EDU
Wed May 9 16:51:46 EDT 2007
Ari Feldman will present his research seminar/general exam on Tuesday May 15 at
2PM in Room 402. The members of his committee are Ed Felten (advisor),
Andrew Appel, and David Walker. Everyone is invited to attend his talk, and those
faculty wishing to remain for the oral exam following are welcome to do so. His
abstract and reading list follow below.

Security Analysis of the Diebold AccuVote-TS Voting Machine

The Diebold AccuVote-TS is the most widely deployed electronic voting platform in the
United States. It belongs to a class of voting systems known as Direct Recording
Electronic (DRE) voting machines, which are essentially general-purpose computers running
specialized software that displays the ballots, records each voter's choices, and
tabulates the votes.
DREs, the most important parts of the voting process depend entirely on software, the
possibility that malicious software could be installed on them poses a grave threat to the
accuracy and trustworthiness of elections.

Although computer scientists have long recognized the threat of malicious code to DREs,
election officials and policy-makers have, until recently, been slow to accept it.
Moreover, often attention in this area has focused on the threat posed by a malicious
developer employed by a voting machine manufacturer.

In this talk, I describe how malicious software running on a single AccuVote-TS can steal
votes with little if any risk of detection. The malicious software can modify all of the
records, audit logs, and counters kept by the voting machine, so that even careful
forensic examination of these records will find nothing amiss. I also show how anyone who
has physical access to a voting machine, or to a memory card that will later be inserted
into a machine, can install malicious code in as little as one minute.

Furthermore, I explain how the AccuVote-TS is susceptible to viruses that can spread a
vote-stealing payload automatically from machine to machine during normal pre- and

Finally, I discuss the following strategies for mitigating the threat of malicious
software on voting machines: hardware modifications, limiting access to voting machines
and memory cards, parallel testing, whole system certification, and software independent
design. I argue that, of these, only software independent design can provide an acceptable
level of security.

Niels Ferguson, Bruce Schneier. Practical Cryptography. Indianapolis:
Matt Bishop. Computer Security. Addison-Wesley, 2003. Chapters 1-3, 10, 12-14, 20, 22-24,
William A. Arbaugh, David J. Farber, Jonathan M. Smith. A Secure and Reliable Bootstrap
Architecture. Available at:
Arel Cordero, David Wagner, David Dill. The Role of Dice in Election Audits -- Extended
Abstract. Available at:
http://www.cs.berkeley.edu/~daw/papers/dice-wote06.pdf. June 2006.
Douglas W. Jones. Counting Mark-Sense Ballots. 2003. Available at:
Douglas W. Jones. Voting on Paper Ballots. Available at:
Chris Karlof, Naveen Sastry, David Wagner. Cryptographic Voting
Systems Perspective. Available at:
Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin, Dan S. Wallach.
an Electronic Voting System. February 2004. Available at:
C. Andrew Neff. Practical High Certainty Intent Verification for Encrypted Votes.
http://www.votehere.com/vhti/documentation/vsv-2.0.3638.pdf. October 2004.
C. Andrew Neff. Verifiable Mixing (Shuffling) of ElGamal Pairs.
http://www.votehere.com/vhti/documentation/egshuf-2.0.3638.pdf. April 2004.
Lawrence Norden et al. The Machinery of Democracy: Voting System Security Accessibility,
Usability, and Cost. Brennan Center for Justice. pp.
(Accessibility, Usability). Available at:
Stefan Popoveniuc, Ben Hosp. An Introduction to Punchscan. Available at:
Ronald L. Rivest. On Estimating The Size of a Statistical Audit.
Ronald L. Rivest, John P. Wack. On the notion of "software independence" in voting
systems. Available at: http://vote.nist.gov/SI-in-voting.pdf.
Naveen Sastry, Tadayoshi Kohno, David Wagner. Designing Voting Machines for Verification.