CODE VERIFICATION FOR ELECTRONIC VOTING MACHINES
Bryce Eakin and Bryan Smith
1 INTRODUCTION
Voting systems are one of the pillars of our nation. Without them, this nation would cease to be a democracy because the voice of the people would go unheard. Consequently, much is required of voting systems. They must correctly relay the intent of the voter. They must provide privacy and anonymity to the electorate. They must be auditable. They must be usable by the electorate, regardless of age, disability, or infirmity. These are only a few of the voting machine requirements.
The Florida 2000 presidential election showed to the world the weaknesses of the paper ballot. As a result, many have adopted the “direct recording electronic” (DRE) voting system. However, DREs raise many new security risks; one such risk is malicious software on the voting system. To mitigate this risk, correct software execution must be verified.
There are two types of code verification: hardware-based and software-based. As the names imply, hardware-based code verification requires hardware modifications, while software-based approaches require modifications to software. Software-based approaches can verify the software running on a platform at the present time. This run-time attestation provides a stronger assurance than load-time attestation, which is what most secure co-processors (e.g. TCG) provide. Therefore, we chose the software-based approach, specifically, a software code-execution verifier called Pioneer [1].
2 PIONEER
Pioneer consists of a challenge-response protocol between the dispatcher, an external trusted entity, and the untrusted platform. The protocol has two steps. First, the dispatcher is assured that there is a trusted computing base on the untrusted platform by having the untrusted platform compute a checksum of a random nonce using checksum code provided by the dispatcher. The dispatcher knows the hardware configuration of the untrusted platform, so it can check both the validity of the received checksum and the amount of time the untrusted platform took to compute it. Second, the dispatcher obtains a guarantee of verifiable code execution from the trusted computing base. This approach has been implemented on Intel Pentium IV Xeon processors based on the NetBurst microarchitecture running the Fedora Core 3 Linux distribution [1].
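The first step of the exchange above, as an added illustration that is not CMU's Pioneer code: the dispatcher sends a fresh nonce, the untrusted platform checksums the nonce together with its resident verification code, and the dispatcher accepts only if the value matches its own computation and arrives within the time bound. SHA-256, the code image and the time bound are assumed stand-ins for Pioneer's hand-tuned checksum function and hardware-derived timing.

```python
import hashlib
import os
import time
from typing import Tuple

# Constructed stand-in for the verification-function image the dispatcher
# expects to find on the untrusted platform. Pioneer's real checksum is
# hand-tuned assembly for a specific CPU; SHA-256 over nonce||code only
# stands in for its role in this illustration.
EXPECTED_CODE = b"verification-function-image-v1 (constructed)"
# Assumed timing budget; Pioneer derives the real bound from the known
# hardware configuration of the untrusted platform.
TIME_BOUND_S = 0.5


def checksum(nonce: bytes, code: bytes) -> bytes:
    """Checksum the untrusted platform must compute over the nonce and its code."""
    return hashlib.sha256(nonce + code).digest()


class UntrustedPlatform:
    """The platform being verified; holds whatever code is actually resident."""

    def __init__(self, resident_code: bytes, extra_delay_s: float = 0.0):
        self.resident_code = resident_code
        self.extra_delay_s = extra_delay_s  # simulated slow response, for the timing check

    def respond(self, nonce: bytes) -> bytes:
        time.sleep(self.extra_delay_s)
        return checksum(nonce, self.resident_code)


class Dispatcher:
    """External trusted entity: issues the nonce, checks value and elapsed time."""

    def __init__(self, expected_code: bytes, time_bound_s: float = TIME_BOUND_S):
        self.expected_code = expected_code
        self.time_bound_s = time_bound_s

    def verify(self, platform: UntrustedPlatform) -> Tuple[bool, str]:
        nonce = os.urandom(32)  # fresh per run, so no response can be precomputed
        start = time.perf_counter()
        response = platform.respond(nonce)
        elapsed = time.perf_counter() - start
        if response != checksum(nonce, self.expected_code):
            return False, "checksum mismatch"
        if elapsed > self.time_bound_s:
            return False, "checksum correct but too slow (%.3fs)" % elapsed
        return True, "verified in %.3fs" % elapsed
```

A platform whose resident code differs from the expected image fails the value check, and one that takes longer than the hardware-derived budget fails the timing check even when the value is correct.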
3 METHODS
The goal of this research is to provide verifiable code execution for voting systems, which include variants of Linux, Windows, and even Macs. In order to reach this goal, we will attempt to re-engineer the provided implementation of Pioneer to be platform independent. If we cannot find a way to do this in the timeframe allotted, we will re-engineer the provided implementation for Linux.
We began with "Pioneer: Verifying Code Integrity and Enforcing Untampered Code Execution on Legacy Systems". In the process of obtaining the paper, we also found CMU's implementation of Pioneer, complete with source code. We then communicated with Arvind Seshadri of Carnegie Mellon about the implementation requirements. From the conversation, we were informed that the hardware requirements for the demonstration were very stringent. We obtained a machine meeting the dispatcher requirements from Dr. Cox, but have not been able to obtain a machine meeting the untrusted platform requirements. Because of the time schedule, we have decided to use an available machine as our untrusted platform instead of continuing our search for a machine that meets the untrusted platform requirements. As a result, we will be unable to run their demonstration without making some modifications, but we will be moving closer to our goal of an OS-independent solution. We are currently in the process of configuring the two machines.
We have also downloaded Carnegie Mellon's demonstration source code. We have determined that their demonstration source code is a modification of the PCI Ethernet driver. We have found and analyzed the CMU modifications to the dispatcher's and untrusted platform's PCI Ethernet drivers.
Upon completion of machine configuration, we will get a modified version of the CMU Pioneer implementation working. Then, we will begin re-engineering the working implementation to provide OS-independence. Next, we will test it using the same method that the working implementation uses for verifying the Linux system's code execution. Finally, we will test it using VoteBox, voting software developed at Rice University.
4 MILESTONES
- November 17th: Working Modified Linux CMU Demo
- November 22nd: Working Re-engineered Demo
- November 27th: Working Re-engineered Demo verifying voting software
- November 29th: Project Presentation
- December 1st: Project Report Draft
- December 8th: Project Report
REFERENCES
[1] A. Seshadri, M. Luk, E. Shi, A. Perrig, L. van Doorn, and P. Khosla, “Pioneer: Verifying Code Integrity and Enforcing Untampered Code Execution on Legacy Systems”, 20th ACM Symposium on Operating Systems Principles, October 2005.