Tampering with Special Purpose Trusted Computing Devices: A Case Study in Optical Scan E-Voting

Aggelos Kiayias
University of Connecticut, Department of Computer Science and Engineering
USA

Laurent Michel
University of Connecticut, Department of Computer Science and Engineering
USA

Alexander Russell
University of Connecticut, Department of Computer Science and Engineering
USA

Narasimha Shashidhar
University of Connecticut, Department of Computer Science and Engineering
USA

Andrew See
University of Connecticut, Department of Computer Science and Engineering
USA

Special purpose trusted computing devices are currently being deployed to offer many services for
which the general purpose computing paradigm is unsuitable. The nature of the services offered by many
of these devices demands high security and reliability, as well as low cost and low power consumption.
Electronic voting machines are a canonical example of this phenomenon. With electronic voting machines
currently being used in much of the United States and several other countries, there is a strong need for
thorough security evaluation of these devices and of the procedures in place for their use. In this work,
we first put forth a general framework for special purpose trusted computing devices. We then focus on
Optical Scan (OS) electronic voting technology as a specific instance of this framework. OS terminals are
a popular e-voting technology with the decided advantage of a user-verified paper trail: the ballot sheets
themselves. Still, election results are based on machine-generated totals as well as machine-generated
audit reports that validate the voting process.
In this paper we present a security assessment of the Diebold AccuVote Optical Scan voting terminal
(AV-OS, a popular OS terminal currently in wide deployment in anticipation of the 2008 Presidential
elections) that is based solely on reverse engineering; we demonstrate a number of security issues that relate
to its proprietary language used for results reporting, called AccuBasic. While this language is thought
to be benign, especially given that it is essentially sandboxed by the firmware to have only read access,
we demonstrate that it is powerful enough to (i) strengthen known attacks against the AV-OS so that
they become undetectable prior to elections (thus significantly increasing their magnitude) or (ii)
conditionally bias the election results to reach a desired outcome. Given the discovered vulnerabilities
and attacks, we proceed to discuss how random audits can be used to validate with high confidence
that a procedure carried out by a multitude of special purpose devices such as the AV-OS has not been
manipulated. We end with a set of recommendations for the design and safe use of OS voting systems.

Keywords: Electronic voting
