News

Computer Assisted Post Election Audits

Computer Assisted Post Election Audits Tigran Antonyan, Theodore Bromley, Laurent Michel, Alexander Russell, Alexander Shvartsman and Suzanne Stark State Certification Testing of Voting Systems National Conference June 20-21, 2013, Harrisburg, PA, USA Abstract The introduction of electronic voting technology in Connecticut necessitated the development of new policies and procedures by the Secretary of the State (SOTS) Office to safeguard the integrity and security of the new electoral process. Forming a partnership with the University of Connecticut, SOTS Office developed a comprehensive approach that extended the existing electoral procedures to incorporate the use of the new optical scan electronic voting equipment. The new procedures include pre- and post- election audits of the voting equipment programming, and hand-counted post-election audits in 10% of randomly selected districts. Observing that the hand-counted audits are expensive, time-consuming, labor-intensive, and error-pone, it was decided to explore a semi-automated approach to post-election ballot audits. A semi-automated approach was chosen over a completely automated one due to the risks and inadequacy of the latter. Supported by the U.S. EAC and the State of Connecticut, an Audit Station was developed for the purpose of conducting computer-assisted post-election audits. The Audit Station speeds up the audit process, increases audit accuracy, and most importantly, empowers the human auditors to have complete control over the audit down to the interpretation of each voted “bubble.” In essence, the Audit Station does not take the place of a hand count, but augments it by presenting scanned ballot images with useful data for the auditors to consider or to contrast with the official paper ballots. The system is also auditable; upon the completion of the audit it exports the recorded ballot interpretations and the overall results that allow direct comparison with physical ballots and independent validation. The system is implemented using inexpensive commercial off-the-self components, and is equipped with a projector that enables the auditors (and the public) to easily observe the audit process and to control and override it as necessary. The system was recently used in successful pilots in four Connecticut municipailites. Download full paper:: AS-2013.pdf


Read more ...

Malicious Takeover of Voting Systems: Arbitrary Code Execution on Optical Scan Voting Terminals

Malicious Takeover of Voting Systems: Arbitrary Code Execution on Optical Scan Voting Terminals Russell J. Jancewicz, Aggelos Kiayias, Laurent D. Michel, Alexander C. Russell and Alexander A. Shvartsman In Proceedings of the 28th Symposium On Applied Computing (SAC 2013) March 18-22, 2013, Coimbra, Portugal www.acm.org/conferences/sac/sac2013/ Abstract This work focuses on the AccuVote Optical Scan voting terminal (AV-OS) that is widely used in US elections. We present a new attack that can be delivered without opening the system enclosure, and without changing a single bit of the system’s firmware. The attack is launched by inserting a maliciously programmed AV-OS memory card into the terminal. The card contains binary code that exploits careless runtime memory management in the system’s firmware to transfer control to alternate routines stored in the memory card. Once the control is taken by the injected code, the voting system is forced to operate according to the wishes of the attacker. In particular, given that the attack results in the execution of the arbitrary code, an attacker can completely take over AV-OS operation and compromise the results of an election. It is also noteworthy that once a memory card is compromised it can be duplicated using the native function of the voting terminal. In some past elections it was observed that up to 6% of all memory cards were involved in card duplication. There exists a non-trivial possibility that the infection on one memory card can propagate virally to other cards in a given election. This development was performed without access to the source code of the AV-OS system and without access to any internal vendor documentation. We note that this work is performed solely with the purpose of security analysis of AV-OS. Download full paper:: abstract-acmsac2013.pdf


Read more ...

Pre-Election Audit of Memory Cards for the November 6, 2012 Connecticut Elections

The Center for Voting Technology Research (VoTeR Center) at the School of Engineering of the University of Connecticut performed pre-election audit of the memory cards for the Accu-Vote Optical Scan (AV-OS) tabulators that were used in the November 6, 2012 elections. The cards were programmed by LHS Associates of Salem, New Hampshire, and shipped to Connecticut districts. Cards were submitted for two reasons per instructions from the SOTS Office (a) one of the four cards per district was to be selected randomly and submitted directly for the purpose of the audit, and (b) any card was to be submitted if it appeared to be unusable. Given that cards in category (a) were to be randomly selected, while all cards in category (b) were supposed to be submitted, and that the cards were submitted without consistent categorization of the reason, this report considers all unusable cards to fall into category (b). The VoTeR Center received 150 memory cards from 141 districts. Among these 150 cards, 94 (62.6%) fall into category (a). All of these 94 cards were correct. There are 56 cards (37.4% of all cards) that were found to be unusable by the AV-OS, thus falling into category (b). In particular, 53 cards contained apparently random (or ‘junk’) data, one card was unusable by AV-OS, but did not contain random data (this requires further investigation), one card was formatted using AV-OS tabulator, however, it was not programmed , and one card contained only zeros. All these cards were unreadable by the tabulators and could not have been used in an election. Given that such cards were not selected randomly, we estimate that for pre-election audit the percentage of unusable cards is between 1.7% and 9.9% and this range is consistent with the results for prior audits. Cards that fell into category (a) contained valid ballot data and the executable code on these cards was the expected code, with no extraneous data or code on the cards. Overall the audit found no cases where the behavior of the tabulators could have affected the integrity of the elections. We note that the adherence to the election procedures by the districts has improved compared to prior years, however the analysis indicates that the prescribed procedures are not always followed; it would be helpful if reasons for these extra-procedural actions were documented and communicated to the SOTS Office in future elections. The audit was performed at the request of the Office of the Secretary of the State. Full report: VC-pre-audit-Nov-2012


Read more ...

Post-Election Audit of Memory Cards for the August 14, 2012 Connecticut Primary Elections

The Center for Voting Technology Research (VoTeR Center) at the School of Engineering of the University of Connecticut performed post-election audit of the memory cards for the Accu-Vote Optical Scan (AV-OS) tabulators that were used in the August 14, 2012 elections. The cards were programmed by LHS Associates of Salem, New Hampshire, and shipped to Connecticut districts. Cards were submitted for two reasons per instructions from the SOTS Office (a) the 10% of the districts that are the subject of post-election hand-counted audit are randomly selected by the SOTS Office and asked to send their cards for the post-election technological audit, and (b) any card was to be submitted if it appeared to be unusable. Given that cards in category (a) belong to randomly selected districts and were used in the election, while all cards in category (b) were supposed to be submitted, and that the cards were submitted without consistent categorization of the reason, this report considers all unusable cards to fall into category (b). The Center received 86 memory cards from 66 districts. Among these cards, 44 (51.2%) fall into category (a). All of these 44 cards were correct. Out of these cards, 16 cards show elections, with 15 cards that were actually used on Election Day (one card shows an election on a different date). There are 42 cards (48.8% of all cards) that were found to be unusable by the AV-OS, thus falling into category (b). All of these cards contained apparently random (or 'junk') data. These cards were unreadable by the tabulators and could not have been used in an election. Given that such cards were not selected randomly, we estimate that the percentage of unusable cards is between 1.4% and 15.9% in this audit, and this is consistent with prior audit results. All cards in category (a) contained valid ballot data and the executable code on these cards was the expected code, with no extraneous data or code on the cards. Overall the audit found no cases where the behavior of the tabulators could have affected the integrity of the elections. We note that the adherence to the election procedures by the districts had improved compared to prior years, however the analysis suggests that the established procedures are not always followed; it would be helpful if reasons for these extra-procedural actions were documented and communicated to the SOTS Office in future elections. The audit was performed at the request of the Office of the Secretary of the State. Full report: VC-post-2012-Aug


Read more ...

Older entries Newer entries