Part III: Computer Security and the next VVSG - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Part III Computer Security and the next VVSG
  • October 15-17, 2007
  • Barbara Guttman
  • National Institute of Standards and Technology
  • barbara.guttman@nist.gov

3
Disclaimer
  • Certain commercial entities, equipment, or
    materials may be identified in this presentation
    in order to describe an experimental procedure or
    concept adequately. Such identification is not
    intended to imply recommendation or endorsement
    by the National Institute of Standards and
    Technology, nor is it intended to imply that the
    entities, materials, or equipment are necessarily
    the best available for the purpose.

4
Agenda
  • Security Requirements Overview
  • Review of Chapter 4 Security and Audit
    Architecture
  • Review of Chapter 5 General Security Requirements

5
Security Requirements Overview
  • The security requirements of the next VVSG work
    together to support equipment security
  • Difficult to understand security provided by a
    single requirement or set of requirements without
    understanding how requirements relate to each
    other

6
Security Requirements Overview
  • For example,
  • Cryptography section addresses how cryptography
    is implemented by voting equipment
  • Software installation and electronic records
    sections address how cryptography, specifically
    digital signatures, are used to support security
    of voting equipment

7
Security Requirements Overview
  • Documentation requirements related to security
  • Part 2 Documentation Requirements
  • System Security Specification
  • Section 3.5 of the Technical Data Package (TDP)
  • Section 4.3 of the user documentation

8
Security Requirements Overview
  • Section 3.5 System Security Specification (TDP)
  • Provided to test lab to assist in the testing
    campaign
  • General documentation about security including
  • Security Architecture
  • Security Threat Controls
  • Security Testing and vulnerability analysis
  • Detailed implementation specification for each
    security mechanism

9
Security Requirements Overview
  • Section 4.3 System Security Specification (User
    documentation)
  • Provided to user of the voting system including
    test labs
  • How security mechanisms are to be used
  • Information needed to support security features

10
Chapter 4 Security and Audit Architecture
  • Section 4.2 Requirements to support auditing
  • Section 4.3 Electronic Records
  • Section 4.4 Independent Voter Verifiable Records
    (IVVR)
  • VVPAT
  • PCOS

11
Software Independence
  • TGDC Resolution 06-06 requires software
    independence (SI)
  • Software Independence means that changes must be
    detectable
  • Detectable, in practice, means auditable
  • SI = Auditable

12
Why Does the TGDC Want SI?
  • With software, it is pretty easy to make a screen
    say one thing, but record another thing inside
    the computer.
  • The hard part is making plausible, directed
    changes.

13
Won't a Test Lab Catch This?
  • No, software, especially the software that runs
    the user interface, is really complicated.

14
Famous Software that wasn't doing what we thought it was doing
  • NC voting example
  • Therac 25
  • Phishing

15
NC Computer Loses 4,500 Votes
  • Associated Press, November 4, 2004
  • JACKSONVILLE, North Carolina -- More than 4,500
    votes have been lost in one North Carolina county
    because officials believed a computer that stored
    ballots electronically could hold more data than
    it did. Local officials said UniLect, the
    maker of the county's electronic voting system,
    told them that each storage unit could handle
    10,500 votes, but the limit was actually 3,005
    votes.

16
Therac 25
  • After this second Tyler accident, the ETCC
    physicist immediately took the machine out of
    service and called AECL to alert the company to
    this second apparent overexposure. The Tyler
    physicist then began his own careful
    investigation. He worked with the operator, who
    remembered exactly what she had done on this
    occasion. After a great deal of effort, they were
    eventually able to elicit the Malfunction 54
    message. They determined that data-entry speed
    during editing was the key factor in producing
    the error condition. If the prescription data was
    edited at a fast pace (as is natural for someone
    who has repeated the procedure a large number of
    times), the overdose occurred.
  • http://courses.cs.vt.edu/cs3604/lib/Therac_25/Therac_2.html

18
How Does the VVSG Address Auditability?
  • Requires equipment to have features that can be
    used for various types of audits
  • Requires documentation
  • NOTE: The VVSG itself does not require auditing.
    Auditing is procedural and outside the scope.

19
4.2 Requirements for Supporting Audits
  • Types of Audits
  • Pollbook Audit
  • Hand Audit of Independent Record
  • Ballot Count and Vote Total Audit
  • Observational Testing
  • Note: Parallel Testing is another type of audit,
    but it is not included because it does not levy
    requirements on the equipment

20
Auditing Records
  • Two types of records: Electronic, Independent
  • 4.3 addresses electronic records
  • 4.4 addresses independent records

21
4.3 Electronic Records
  • General Requirements
  • Open Format
  • Printable
  • Digitally signed for Integrity & Authenticity

22
4.3 Electronic Records
  • Information/data requirements
  • Contain all relevant data
  • List for Tabulator (4.3.2)
  • List for EMS (4.3.3)
  • Generally
  • Totals
  • Read ballots
  • Counted ballots
  • Rejected ballots
  • Overvotes/undervotes
  • Write-ins
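
As an added example (not code from the presentation or the VVSG), the following shows the "digitally signed for integrity and authenticity" requirement of slide 21 applied to a constructed tabulator record carrying the data items of slide 22 in an open JSON format. The Go code, the field names and the sample values are assumptions; any edit to the record after signing causes verification to fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// TabulatorRecord is a hypothetical open-format (JSON) electronic record holding
// the data items slide 22 lists for a tabulator; the field names are assumptions.
type TabulatorRecord struct {
	Tabulator       string         `json:"tabulator"`
	ReadBallots     int            `json:"read_ballots"`
	CountedBallots  int            `json:"counted_ballots"`
	RejectedBallots int            `json:"rejected_ballots"`
	Overvotes       int            `json:"overvotes"`
	Undervotes      int            `json:"undervotes"`
	WriteIns        int            `json:"write_ins"`
	Totals          map[string]int `json:"totals"` // contest/candidate -> votes
}

// Sign serialises the record as JSON (encoding/json sorts map keys, so the bytes
// are deterministic) and returns an Ed25519 signature over them.
func Sign(priv ed25519.PrivateKey, r TabulatorRecord) ([]byte, error) {
	msg, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// Verify re-derives the bytes and checks the signature: integrity (no field
// changed since signing) and authenticity (signed by the holder of the key).
func Verify(pub ed25519.PublicKey, r TabulatorRecord, sig []byte) bool {
	msg, err := json.Marshal(r)
	return err == nil && ed25519.Verify(pub, msg, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rec := TabulatorRecord{Tabulator: "tab-01", ReadBallots: 1200, CountedBallots: 1195,
		RejectedBallots: 5, Overvotes: 2, Undervotes: 40, WriteIns: 3,
		Totals: map[string]int{"Contest1/Alice": 700, "Contest1/Bob": 495}} // constructed
	sig, _ := Sign(priv, rec)
	fmt.Println("as signed:", Verify(pub, rec, sig))  // true
	rec.Totals["Contest1/Bob"] += 100                  // constructed tampering
	fmt.Println("after edit:", Verify(pub, rec, sig)) // false
}
```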

23
4.4 Independent Voter Verifiable Records (IVVR)
  • What is an independent voter verifiable record?
    (4.4.1)
  • Direct verification by voter
  • Support for hand auditing
  • Various security and operational properties (can
    be rejected/durable)
  • Doesn't this mean paper?

24
4.4 Independent Voter Verifiable Records (IVVR)
  • Direct review (by voter or election official)
  • Can support a hand audit
  • Can support a recount
  • Durable
  • Tamper evidence
  • Support for Privacy

25
4.4 Independent Voter Verifiable Records (IVVR)
  • Public Format
  • Sufficient Information (ballot configuration, not
    just selections)
  • No codebook required
  • Support for multiple physical media
  • Voter able to accept or reject (per media)
  • Non-human readable allowed (public format)

26
4.4 Independent Voter Verifiable Records (IVVR)
Q and A
  • Shelley Growden, Alaska
  • Donetta Davidson, EAC
  • Barbara Guttman, NIST

27
4.4 Independent Voter Verifiable Records (IVVR)
  • Two current types of IVVR
  • VVPAT
  • Optical Scan

28
4.4.2 VVPAT
  • VVPAT Accessibility addressed by HFP.
  • Note need for observational testing
  • Many operational requirements
  • Paper rolls allowed

29
4.4.2 VVPAT
  • Components and definitions
  • Printer/computer interactions
  • Protocol of operations
  • Human readable contents
  • Linking electronic and paper records
  • Paper roll privacy

30
4.4.3 PCOS
  • Few additional security requirements
  • Allow non-human readable marks (record
    identifiers, batch information, integrity checks)

31
Chapter 4 Q & A
  • Lynn Bailey, Richmond County, Georgia
  • Shelley Growden, Alaska
  • Larry Lomax, Nevada
  • Britt Williams, NASED, TGDC
  • John Wack, NIST
  • Wendy Noren, Boone County, Missouri

32
End of Presentation
  • Additional VVSG Training Modules at
  • http://vote.nist.gov
