I. An emitted-code model of configuration control and practical audit of e-voting software.
The evoting application uses a PKI
approach to protect collected votes so that supporting systems do not require code
auditing.The reported design has formed the basis of a binding public election and
several private elections. Our ongoing work involves reducing the code size of the
ballot application and deploying a parallel testing framework.
4. Does live voting application obtain any election parameters from external files or external
sources? If so, can we be sure those parameters or outside sources will not affect the voting
process?
5. Can the evoting application software be modified in transit or in situ so that a cleanly compiled
binary can be compromised after an in situ audit?
6. How can the software be practically maintained and improved and yet retain a software
certification?
The above are the confounding questions which make the certification of voting systems (both hardware and software) a very difficult task. Additionally, for closed-source systems, exposing proprietary sources is a competitive risk for suppliers. Due to these significant hurdles, and considering that the United States Voting Systems Standards 2002[2] required updating, the current US standards are voluntary[3] and the Electoral Assistance Commission has now requested voting systems providers to surrender software for source control by NIST[4]. While this is certainly a step in the right direction, it perhaps only addresses point 1 of our questions above, and only if both sources and production applications are submitted to NIST and sources can be compiled to the production applications.
The subject of this report is a more incremental approach to providing an evoting application which has been designed to address at least some of the above questions and so attempt to increase voter confidence in the correct handling of their votes. It is important to assert here that while there has also been progress in cryptographic protocols for voting, the above problems are simple and profound : source control, independent audit, practical audit, configuration control and open inspection are the foundation of a transparent system. In addition, incremental approaches to dealing with security are becoming more common as the complexity of software increase and prevalence of zero-day threats grows.
The system and software auditing process in this report formed the basis of a binding UK election [5,6] and has served a number of private elections. The software has also been tested as part of a distributed (P2P) voting system [7].
Everyone Counts Inc - July 19, 2006
Abstract:
we report on the ongoing use of a evoting architecture which employs a Java translator
to produce a free-standing balloting application for single use. The system accepts a
formal description of election parameters (candidates, formality rules, instructions, etc)
and creates Java source codes and comments of about 4000 lines. The codes can be
exported and made public, but are intended to be code-audited with the auditor
compiling and signing the applet on a clean system.
1. Is the live voting application built from the published software sources?
2. Were the compiler or development tools used to build from the sources free from errors or
malicious software - 'malware' ?
3. Can we in fact audit the software to the degree of detail necessary to be sure that it is
significantly free of errors or malware?
Introduction:
evoting machines deployed in Ireland and the United States have received damning criticism primarily because they automate the voting process in a manner that makes traditional observation
impossible. That is, traditional election transparency is not possible. Indeed, all forms of
automation rendering a physical process in to an electronic one suffer this kind of compromise and
the rise of legal action over the non-deniability of software flaws can be seen in other public
systems law suits such as those concerning motorway speed camera software [1].
Open Source software has been proposed as a new basis from which to provide more transparent
voting systems. However, while this does by virtue of the GPL and similar licenses also provide
software sources for all to see, there are numerous other problems which reduce our confidence that
publicly observable software sources are the basis of the voting application we want to trust.
They
include:
