Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

>>: Good morning, everyone, and welcome. There are... about voting that have come about in recent years, we've...

advertisement 
>>: Good morning, everyone, and welcome. There are a lot of important issues
about voting that have come about in recent years, we've seen, although maybe
come about -- maybe it's not right to suggest they're new, but a lot of interesting
technology issues, certainly come to the forefront.
We have a lot of people in this area who have done some interesting work on
voting, and a few visitors also. It was actually Sidney Comora's [phonetic] idea,
the co-organizer of this workshop, who thought as long as we have all these
people around, it would be really nice to get people together to talk about ideas
and introduce some of the main points the people who may not have seen them
in the past.
So he and I spent some time and put things together. I think we've got an
exciting list of speakers in workshop this morning. We'll have morning set up as
more of a formal, sort of structured background set of talks to give people a little
bit of an introduction to the area and then the afternoon is going to be more
free-flowing, talking about some current work some ideas, the ideas that it's more
flexible and more of an exchange.
To start off and give us a little bit of is the background of what's happening, I'm
very pleased that we have Paul Miller, who is the voting systems manager for the
state of Washington, who is going to tell us -- give us some grounding, I guess,
about what it's really like out there in the world, and how things work. Some of
the issues facing the public sector and some of the problems.
Paul, in addition, has worked as a member of the technical guidelines
development committee of the election assistance commission. Have I got that
right?
>> Paul Miller: Um-hmm.
>>: Which is doing a lot of work now on trying to advance new requirements,
new ideas into the landscape of voting systems. And he's going to tell us a little
bit about some of what's going on. So welcome. Thank you, Paul.
>> Paul Miller: Sure. Well, I first of all, I was voting systems manager, probably
the last time Josh and I worked together. My title now is actually senior, which
means I'm old. Senior election technology analyst. And my -- and I, in addition
to working for the Secretary of State for the past ten years, before May, 2000, I
was working for King County elections as their elections director, assistant
director in charge of data processing.
So I've had a lot of experience, both at the local level in terms of putting voting
systems together and getting them fielded, and then at the state level, looking at
the systems and deciding which ones should be certified and which ones
shouldn't be.
And so to sort of give you a quick background, you know in terms of Washington
and voting systems, they -- we have four different voting systems that are in use
in the state of Washington. It was originally three different vendors and now it's
kind of all up in the air. We have with a used to be Global, then Diebold, then
Premiere, and now ES&S with the DOJ suit requiring them to divest themselves
of much of what they acquired from premiere, it's unclear the system King County
belongs to. They're the only system -- county in the state that has that particular
system.
And then we've got about 12 ES&S systems, which also are fill in the oval. We
have about Sequoia systems, which are the connect the arrow system. And we
have Hart, which is a digital scan, fill in a box, have it scan the entire image gets
scanned and stored and processed. And we have about 21 counties that are
Hart counties.
I originally understood Josh to be asking me to talk with you about why election
officials don't like end-to-end voting, which just to prove that you guys are a lot
smarter than I am, after thinking long and hard about that, I thought I don't really
want to do that and called Josh and he clarified that that's not what he was
asking me to do. He was asking me more to talk about what the real world
problems are as opposed to that we encounter as election officials and probably
in the process I'm giving you the perspective that we tend to approach these
issues from, which may well be a very different perspective than you're
approaching these issues from. And again from my, at least I can speak for
myself. From my perspective, having worked in this area for 20 years, the
challenges to ensuring the accuracy of election start primarily with human error.
Either human error on part of the voter or human error on part of election staff.
So one of the challenges is to build systems and create processes and an overall
system that reduces that amount of error while also preserving the values that we
have in our society about voting, which is to protect the privacy of the ballot and
to ensure that one person, one vote. And ensure a way that, you know -- and
one of the things that I think that we're adding in terms of being able to ensure
public trust in the system is ensuring that all systems can be auditable.
So that's number one. Number two, I think, is probably the human ballot
interface issues. That there are a lot of problems that occur in that area that
create inaccuracies. And then I would probably put machine failures way down
at the bottom and I make the comment that I think that a lot of things that get
reported in the press as being machine failures and computer failures are, in fact,
human errors and human and procedural processes that weren't followed
correctly.
Thought I'd talk quickly about a couple, a few national issues that I've -- my
perspective on them and then I'd get down to Washington state specific, because
that's what I know. And Washington state, we're a little bit unique in that we and
Oregon are the two states that virtually everyone votes by mail. We have almost
no polling places, which means we also have almost no DREs and some of those
kind of issues which other states are dealing with.
But at a national level, and as an infrastructure level issue, I think one of the big
issues that we're dealing with is sort of the market size that we're dealing with
and the funding sources that we're dealing with. As we were discussing last
night, the market is small. It's not a market that a lot of companies want to get
into, number one. And number two, it's not a market that's particularly a
profitable one. I believe it was Forbes magazine had an article that I really
thought nailed it on the head and it referred to voting system salesmen as that
type of salesman who works out of the trunk of their car. I think that's not
completely accurate picture, but it can -- it really conveyed the idea that up until
2000, at least, voting systems were on a 40-year cycle. They were the IBM
punch card machines, and they were the lever machines. And those things had
been around forever. And jurisdictions did not intend to replace them until they
wore out, broke down.
And they were remarkably sturdy and hardy technologies. So one of the sea
changes I think that's happened that hasn't really been fully worked out in our
country yet is that after HAVA, we have moved dramatically to increase the
amount of the personal computer type of technology that's being used, the life
cycle on that is usually intended to be three or four years. It's going to be in the
elections industry, I think, at least ten years, and that ten years is coming up
sometime in 2012, 2013 and I don't know what jurisdictions are going to do at
that point. Because the funding priorities tend to put election equipment down
below the sewers and pothole fixes.
And so some counties have already begun to start replacing their equipment and
get upgrades and that sort of stuff. That's been encouraging that there's been
money for that. But my experience has been that to get, really to get the funding
that an elections department needs, something has to go drastically wrong in an
election, and then we throw money at it, and then, and often without laying the
kind of groundwork that really needed to be laid to throw the money at it. And
then it's expected to last another 10 or 20 or 30 years.
And one of the -- the other aspect of this is is that election officials are actually
very resourceful in trying to make the technology that they have work, and it may
require them a lot more work, a lot more staff than it ought to. The operation may
be more expensive than it ought to be. But they make it work. And as long as it
works, people don't see a need to change it.
Recruitment of poll workers. In a state like Oregon and Washington, we don't
have a problem with recruitment of poll workers. We don't have any polling
places. But nationwide, that is a big problem, trying to find people who are willing
to work for 13 hours a day for minimum wage. What you get are people who are
not working, and your best people that you can get are people who consider it a
civic responsibility, are willing to work 13 hours and be yelled at all day, and they
tend to be retired and elderly.
Some of the human interface issues, you're all familiar with the butterfly ballot.
You may also be familiar with Sarasota county and the issues that came about in
that Congressional race, where there are so many under votes on DRE
machines than they were in any other methods of voting.
From my perspective, it was pretty obvious when I saw how the ballot was laid
out and portrayed on the screen as opposed to how it was laid out and portrayed
on paper. And on the screen, it was pretty obvious why the human eye would
skip over that contest to go to the next contest.
But when the culprit is considered to be -- so the interface is an issue, if we
understand it, we can solve it. If the machine is a problem, we can understand
that and solve that. But when the thing is that it's some diabolical computer
program that is doing this, we can't get to the problem and solve the problem.
And so part of getting public trust is making sure that, I believe, that our systems
all have some means of accountability, which is my, as a member of the TGDC, I
supported Ron rye vest's proposal for software independence. Not because I like
the term software independence, it was more a matter, I thought this brought in
an assures of a way of auditing our results and being able to say if there's a
question in a low -- about our outcomes that we can show whether or not the
outcomes we produced were accurate outcomes.
So take a minute to talk about Washington in particular. As I indicated earlier, we
are vote by mail, except for one county and that's Pierce County. We have 39
counties with approximately 300 -- 3.5 million registered voters. And we -- they
range from about, oh, 1,500 registered voters in a couple of our very small
eastern counties, to King County, which is about 1.2 million registered voters and
about the 13th largest voting jurisdiction in the country.
Combined with Pierce and Snohomish, which are both Puget Sound counties,
that counts for over half of our registered voters in the state of Washington.
Which means that 99% of the ballots that we count are paper ballots. And
there's two principal means of processing paper ballots. One is that, is what we
call optical scan and the other is what we call digital scan. In the optical scan
world, what the machine is looking for is for a mark that is adequately bold -- and
how do you define what is adequately bold is an issue. But a mark that is
adequately bold at a certain horizontal and vertical intersection.
And if it's there, if they see it, it's added to the vote. And if it's not, then it's not.
With the digital scan, the 21 Hart counties, what they're actually doing is taking
and actually using off the shelf type of copy machines, Fujitsus and Rijoh, and
that kind of equipment to scan the entire ballot and then the software is able to
process that, the ballot in terms of being able to determine who voted and for
what candidate, what contest.
Since we're a voter intense state, the challenge for us is that when we receive a
ballot, that that ballot be marked in a way that the machine can actually read it.
Now, I think it's probably pretty obvious, it would be pretty obvious to all of you,
because a smart bunch of people, that if somebody circles the name and doesn't
fill in the response area, the machine is not going to see that as a vote.
If they use -- what might not be quite so obvious is if they use the wrong kind of
ink or use pencil instead of ink, or vice versa, depending upon which technology
you're using, the scanner's not going to pick it up. And so we have preinspection
after sort of the identifying aspect of the packet has been separated from the
ballot packet, we unseal the ballot end and pull out the ballot and take a look at it
and the staffs that are there are trained to recognize what will read in the optical
scan reader and what won't. And what won't, they have to duplicate to another
ballot. So that's the process there.
What kind of impact does that have? Well, one, what I've illustrated is that within
a vote by mail environment, we have less control over the utensil that the voter is
using to mark their ballot.
What we also don't have in that environment are means of providing immediate
feedback to the voter. At the polling place, if you're using a DRE, the DRE
immediately gives you feedback as to what it thinks your touch meant. And if it
doesn't respond the way you think it should have, you try again or you try
something else, you try not to put your finger and drag your finger down the
screen or touch your screen with your palm of your hand or do some of the other
kinds of things. And sometimes there calibration issues. So if you actually mark
the candidate below or just a little bit below where you think you should be
touching or above, you'll find that it finally will accept your vote the way you
intended.
There are some real machine/human interface issues in DREs that need to be
dealt with, that need to be better than what they are. But it isn't, I don't believe at
all, any diabolical type of issues. Ironically, because a voter has that immediate
feedback and they immediately see that the feedback is wrong, interpret that as
diabolical. Whereas, interestingly enough, in a state like New York, which still
has lever machines, we've got people fighting against having DREs who want to
keep lever machines, where it is very well documented that the lever machines
have a lot of problems but you don't know it, because you don't get the feedback.
So the human interface on the DRE needs to be dealt with and improved and we
need a means of being able to audit that process so that we can establish that, in
fact, that that voter had the opportunity to see how the machine interpreted their
touches and that their touches were counted in the way that the machine
understood their touch.
We have -- so with -- and on top of that, in terms of the difference between
absentee balloting and poll balloting, is that we have a signature requirement that
we have to be able to match their signature against the signature on their original
registration form. Which means that a certain number of people whose
signatures get -- who change over a period of time wind up getting their
signatures rejected.
We have a process to try to contact them, get them in, get their signature
updated so that we can get their ballot counted, but we still probably have
somewhere in the range of one percent, maybe two, who get rejected on that
kind of basis.
>>: Thumb print fix that problem?
>> Paul Miller: A thumb print has the potential for fixing that problem, I think,
yeah. And we've been talking about that may be the technology of the future as
far as how we would do this authentication process.
As we discussed last night at our dinner, we also have a bit less control over the
voting environment, which opens up the potential for other issues like coercion,
which in the years that we have been using that in this state and in Oregon, we
haven't gotten any reports of that. But it may be a very difficult issue to get to.
Another issue that is difficult for us is the concept of -- is disability -- access for
people with disabilities. We're required to have one DRE at the county site for
people with disability issues. It presents problems for people with disabilities to
get to this one location in the county. We are working with ways of getting the
equipment to them so that they can vote.
We also looked at ways, including this past fall, where Franklin County, when
they sent out their absentee ballots, also made an online ballot available where, if
you typed in the ballot code, which is not anything unique identifying them.
Simply what style of ballot. Type it in, they were able to vote online and print that
out and send it back. Helps people who have difficulty -- it's easier for them to
hear something than it is for them to see it. It's going to help them.
>>: [inaudible] rather than downloading voting locally and printing so no
information leaks out?
>> Paul Miller: I believe that's the -- that's the way that worked. But even in that,
loading down the app, it was important to us that you couldn't -- that the system
couldn't identify who was doing the voting. That the only thing that they needed
to provide was -- and how am I doing on time, Josh?
>>: You're fine.
>> Paul Miller: That the only thing they needed to provide was what style ballot
they were going to vote, and so they went through, clicked their thing. They were
also able to click and get the voter pamphlet statement of the candidates and the
picture and all of that kind of stuff. And if they had the equipment on their
computer that would read them to it, jaws, it would read it to them and so forth.
Not a perfect solution, though. You still have to be able to see well enough to
make a signature on the oath. You still have to be able to fold that ballot up and
insert it into an envelope and then insert that envelope into another envelope and
send it back.
Audits and recounts. I think in terms of our work in that area, one of the things
I'm proud of is Washington state's rules on recounts, which is that if the apparent
winner and the apparent loser are less than 0.5% different, there's an automatic
state-funded -- or, you know, county funded, government-funded recount. And if
that difference is less than 0.25%, or a quarter of a percent, it is automatically
hand recounted. And those hand recounts are done in units, basic -- the precinct
units so that after the humans do their count, we can compare that with the
machine count, and very often we'll find that we pick up errors in that process like
a ballot from another precinct got into this batch of precinct ballots. Or they didn't
pick up that one of the ballots was an overvote so they counted it for one of the
candidates or they just flat out miscounted it.
So we can send it back, have another team count it, and try to make that process
as accurate as we can make it. It is -- human counting is not a very accurate
process, I can tell you, based on my experience with that.
The terms of the audits, we provide that a four percent audit on the DRE
equipment that's used. Means that four percent of the equipment that's used,
they have to pull the tape and count that against the results that they got.
Now, in our state again, the only use that it's used for is for disability access. In
many counties, nobody votes on it. Pierce County, because they have so many
polling places, still have so many polling places, probably has the highest
numbers of those currently.
And then we also provide what used to be parties could call for a count of three
percent -- I shouldn't say -- of three precincts at random that they picked. We
would hand recount and match that against the computer count. That's been
increased to six batches. And here's the reason why. The ballots come back -when we have polling places, the ballots come back grouped by precincts or
grouped by a polling place. It makes it easier to sort out the ballots.
But when they're coming in daily, they're coming in just as they come in the mail
and so you may have a batch, and that batch may contain 50 different precincts
from all over the county. So what we ->>: [inaudible].
>> Paul Miller: I'm sorry?
>>: With different ballot styles?
>> Paul Miller: With different ballot styles, yes.
>>: [inaudible] post office do the sorting so each precinct has a mailbox?
>> Paul Miller: Yeah. And there are -- some levels of sorting that are done. I
think right now, King County is sorting into ledge districts so that at least they're
grouped by ledge districts.
But actually, if I understand some of the theory behind audits, having a
distribution rather than having a concentrated precinct is a smaller groups of -that is more widely distributed is actually better auditing technique. And so the
auditing the batches -- and I can use some help here. You guys are a lot smarter
than me, but that's sort of my understanding of some of the theory behind
auditing.
So in conclusion, I would make this comment. That I would argue that what we
have found in our experience is that despite all of these issues that I've raised, is
that the process is remarkably accurate. And I would argue it based on our
experience with the hand, automatic hand recounts, where the difference is
0.25%.
That we have never seen an election outcome change. I'm not saying the results
don't change. The raw numbers don't change. But the election outcome change,
except when the original difference between the candidates was minisculely
small. And, of course, we had exactly the perfect illustration in this state in 2004
of that.
The original machine recount between Rossi and Gregoire was 50 votes, as I
recall, in favor of Rossi, and it wound up after the hand recount to be about 122
revotes in favor of Gregoire. Out of 2.9 million votes cast, that's something like a
46-ten thousandths of a point difference. So that in 99.9% of our contests, the
process is accurate enough to come up with the right candidate in the end.
But when you get into an election like that one, you have got -- you have entered
into where we have not been able to compress the margin of error small enough
yet. And that margin of error, as suggested in my opening, human error both on
the part of voters and election staff, design interfaces between the user and
either the paper ballot they're using or the DRE equipment that they're using, and
then finally, in some actually what my experience over 20 years is some pretty -is relatively rare machine failure type of issues. And usually, when the machine
error -- there's a machine error failure, it's identifiable and correctible before it's
certified.
So thank you very much for letting me have the time to talk with you.
[applause]
>>: We'll take a question or two, if -- I guess I'll start off by asking, is there
anything is that you think the research community can do that will make your life
easier or make it -- make the system work more trustworthy somehow?
>> Paul Miller: I'm not sure if this fits with the -- couple things I would respond to
you on that question. One is helping us understand better how we can get an
audit that is a good audit, but that it's also a doable audit.
And there's some push -- and you have to understand too that there is some
push-back from the elections community in part because we have these recounts
and they seem to suggest that our -- that the process is pretty accurate. And in
Washington, we have these recounts, we probably have two or three of these
mandatory hand counts every year, and half a dozen or more of the machine
recounts every year. So over the years, we've had a lot of testing, a lot of
opportunity to review.
The other, and I'm not sure that this fits into your area, but I've been pushing for
common data formats, and I actually have a paper that I can make available to
anybody who's interested that I presented to NIST last October. For the
elections community, what I think it means partially is this. What we have in the
marketplace right now is that if a county purchased vendor X's equipment in
order to do central count and they purchased that 15 years ago or 20 years ago,
that's their vendor. Now they've got to add DREs on to it, they've got to add poll
site counters on to it. Where are they going to go? Well, who can develop
market the equipment that's going to talk to their tabulation system that can get
the ballot layout from their ballot layout system and talk to their tabulation
system. It's going to be the vendor they purchased their equipment from 15
years ago.
So we're requiring these companies to get into areas that aren't their strengths
and we're tying companies down to products that the only reason that they
purchased it is because it was what they could afford based upon the vendor that
they've been using for the past 15, 20 years.
So if we can get in some kind of a common data format where the inputs into
devices is defined and the outputs from those devices is defined, think we can
create a better marketplace. And we have some specific issues coming up now
where we are trying to do more for our UIC HAVA voters where mail doesn't work
well. They don't -- when you are in Iraq or Afghanistan, it's hard to get the ballot
to you, and then it's hard to get the ballot back from you.
And so we're looking at ways of at least delivering the ballot electronically. But
we need some vendors to be able to work with the ballot layout systems so they
know what ballots to send so that the person can get the ballot printed out, mark
it up, send it back and we cut off at least one end of the transit time.
Common data format.
>>: Thanks. Thanks again, Paul.
[applause]
>>: In the interest of time, because I know Sanjit has to run, I'll skip the whole
explanation of why we're fortunate enough to have him here today. Long story.
Ask me later. But anyway, Sanjit is on the faculty of U.C. Berkeley and does
work in formal verification, models testing and has done some work on voting
machines and he's going to give us a brief summary of it now.
>> Sanjit Seshia: Thank you. Thank you for inviting me here. I'm scheduled to
give a talk next door at 11:00. So this is going to be a very truncated version of
that talk. 10 or 15 minutes. So I apologize in advance if it's too rushed or not
clear.
But this is basically on work that David Wagner and I and our students did, which
was published at CCS last year so the paper is on our website and I can send
the slide to anyone who is interested.
Okay. So as the title suggests, this is about formally verifying and testing a
voting machine. So I want to start with the disclaimer. This talk is mainly about
verification and not about, you know, not about all the issues dealing with
security. Verification is one issue, but it's not everything. For instance, we don't
talk about securing the voting machine against tampering, for instance. So
correctness, proving correctness of the voting machine design is necessary for
security, but I understand that it's not sufficient.
So also this work is I think a very small first step. What we wanted to do was
explore what we can do in the design stage to make verification and testing
easier. And so we designed a voting machine from scratch in hardware using
very [indiscernible] synthesizing into an FPG.
So what we tried to do was create a DRE. All of you are familiar with this so I'll
just go through it very quickly. So the setup for this talk is we want to verify the
correct operation of a single voter session. So a voter session is a sequence of
contests for president, Senator, et cetera. Each contest is a choice of picking L
out of K options.
And at the end, so you can navigate back and forth between these contests. But
at the end, you cast and that irrevocably casts your vote, your choices or all
contests.
So our contribution is that we show that you can combine formal verification with
manual testing by a panel of human voters to prove correctness of the voting
machine.
And in this context, we're interested in proving correctness not just of the code,
but also of the interface, of the human computer interface. And so we
implemented a simplified DRE in hardware and we used techniques, verification
techniques like model checking and satisfy ability, solving [indiscernible]
improving. And one of the things we do is we show you can use a small
polynomial number of tests by humans to augment the results of formal
verification.
So very briefly I'll talk about why we have this combinations of formal verification
and testing, I'll have a couple of toy examples, and then I'll just state the main
results and conclude.
So let's look at testing. If you want to prove a correctness of design by testing,
you need exhaustive testing but in many cases you can't even do exhaustive
testing because the test sequences have to be infinite. So as this quote by
Dikstra illustrates, testing is usually a way of finding bugs but not proving
correctness.
Formal verification, of course, can prove correctness, but it requires a formal
specification. You have to precisely define the requirements. So some
properties of the voting machine you can precisely design. Like if the reset signal
is set to one, then clears the selection state for all contests. But what about
voters' expectations? How do you formalize something like this, if the voter
presses what they think is the button next to the name Alice and then sees the
Alice highlighted, then the voter thinks that, okay, the machine has recorded my
vote for Alice, right? And so how do you actually -- you can't really formalize that.
And so that's the challenge. It's hard to use formal methods for something like
that.
So to summarize this very quickly, formal methods can prove the correctness of
the DRE, the code. But you can't formalize voters' expectations. On the other
hand, testing by humans, if you have a representative panel of human voters,
then you can argue that you've tested the interface, but then testing is not
sufficient to prove correctness. So that's why we try to use both.
So the approach is for precise properties that you can formally verify, we'll do just
that.
For voters' expectations, we'll use testing by a representative panel.
And this combination, as we show and prove in the paper, makes testing sound.
And from my viewpoint, as a person who does formal verification, the cool thing
was you can use formal verification to exponentially reduce the number of tests
you need. And I'll say a bit more about this at the end.
So what's the challenge for testing? I think the problem that, the reason why you
can't do exhaustive testing is that you require infinitely many input traces. Input
trace is a sequence of button presses that you would give to a human voter and
ask them to test out.
So here's an example, okay. So this is a sequence, each element of the
sequence is separated by commas. So the sequence means initially that you
have the empty set, which means that no candidate is selected. Then you have
Alice, which says that the voter selected Alice. Then again you have empty set,
which means the voter deselected Alice. Then the voter selects Bob, then goes
back to the empty set.
So what that means is that the voter's toggling between Alice and Bob. And the
voter can do this, in theory, infinitely many times, okay?
And so how do we know that there isn't some logic in the voting machine that,
after a thousand such toggles, will trigger some erroneous behavior, right? And
so that's why if you don't know anything else about the design of the voting
machine, you can't tell how long you have to test it.
So before I talk about how we use formal verification to address that problem, let
me tell you about what we mean by correctness. This is a notion that's come in
the formal verification community called trace equivalence. The idea is you have
at the bottom there, the implementation, that's the hardware FPGA based design
that we did. Then you have the model, the mental model that the human voter
has in mind.
And we want to show that the execution of the voting machine, the real
execution, which I'll show down here, will match of the execution in the voter's
mind. And so the approach is, let's say, initially the voting machine, the
implementation starts in contest number one, okay. So that's what that is,
contest number. And in contest number one, you have no candidate selected.
So then the voting machine display looks like this, where there are two options
and neither of them is highlighted, which shows that, you know, no candidates
are selected. And the human looks at that and says, okay, from this, I
understand -- from the screen, I understand that I'm in contest one and there are
no selections.
Then let's say the voter presses Alice, and then ideally the implementation must
record this, that in contest one Alice has been selected. The implementation
must output the display which highlights the button for Alice. And then the voter
look at that and gets feedback and says okay, now the machine is in contest one,
and my selection of Alice has been highlighted. Right.
And so here you have a trace of what's happening inside the machine, and up
there, you have a trace of what's happening in the voter's mind, and what we
want is those two should be equivalent. That's what trace equivalence is.
So to give you a toy example, let's see how an interaction like this might happen.
So let's say the voter look at the screen and sees that nothing is highlighted,
right. So inside the machine, you have the empty set, no selections made. And
that's what the voter understands. Then the voter presses button one, thinking
that they're voting for Alice. The machine should record in internally Alice, should
highlight that. And that's what the voter sees. And now the voter keeps track of
the fact that now according to the voter, the machine has record the vote for
Alice. And then you want to check that what the voter has in mind is, indeed,
what's inside the machine, right.
And so the approach we take to do that is for every unique screen, we have a
way -- we ensure that you can press cast from that screen. You get, let's say,
some record. Maybe on paper and then the voter compares what he or she has
in her mind to what's on paper and that's how they do this equality check down
there.
Okay. So now let me tell you how we use formal verification to make testing
easier. So the first thing that we proved formally on the code is that the machine,
voting machine transition function is a deterministic function of only those inputs
that it should be of.
For instance, the selection state is only a function of the current -- the selection
state at the previous Stein point, the button that was pressed, and the contest
number and nothing else. Right? And so that's what we mean by proving the
DRE's deterministic.
The second thing we prove is that the output should be unambiguous. That is,
each unique output screen represents a unique internal state. From just looking
at the output screen, the voter should be able to tell what the contest number is
and what the selection state is. And that corresponds to proving that the cord -the output function, that the cord that computes the output function is a one to
one function of the selection state and the contest number.
And finally, we need to verify that the cast vote record accurately records the
selection state at the very end. And so all of these things are properties that we
can prove on the code using a combination of model checking and satisfy ability
solving.
So now, given those properties that we prove, we have then come up with a set
of coverage metrics for tests. So we say that if you give a sequence of tests that
satisfy these coverage metrics, then we have a theorem that you then get trace
equivalence. So here are the three coverage metrics. The first is initial state
coverage, which means that the machine starts in valid state. The machine in
the initial contest, before any selections are made, if you press cast right there,
then you get back a record which shows that nothing was -- there were no
candidates selected in any contest.
The second has to do with transition coverage. So every contest is a state
machine. You know, you're in some state and then you press a button and you
go to the next state. And what we want to do is we want to cover all the
transitions for the state machine for every contest. Okay. So that's what these
two bullets are describing.
And then finally, we have something called output screen coverage, which
means that for every unique output screen, we check that the voter has an
opportunity to check that their view of the state of the voting machine for that
output screen is, indeed, what is recorded, right. So you see an output screen,
there's some internal selection [indiscernible] contest number. There is
something in the voter's mind and we want to match that up.
Okay. So now what I showed you first was just interaction of a voter with the
machine for one contest. But if you have even two contests, so say in contest
one, you're selecting between Alice and Bob, A and B. In contest two, you have
to select between eve and Mallory, E and M. Then you already have this
blow-up in the space of the number of options that there are, right.
So here, for instance, the voter selected Alice and then went to the next contest,
which is what that label means and in the select contest they selected eve and
went up there. So that's what that part means. But they could have select the
Bob and gone down here or they could have selected Mallory from that state. So
there's an exponential blow-up as the number of contests increases.
So if we were naive about testing, we would have to test every part through this
state machine.
So to solve that problem, what we do is again we use formal verification, but this
time, we prove that the logic for one contest cannot influence the outcome in
another contest. This is independence property.
And so if you can then prove independence of different contests, it's sufficient to
test each contest separately. So all you have to do is to test contest I, you just
navigate, press next, next, next, next, go to contest I, and then test the transitions
in contest I. And this is what I meant by talking about an exponential reduction
number of tests. Instead of having to test every part in the picture that you had in
the previous slide, now we only have to test the transitions within each contest.
Okay. So conceptually, this is what the DRE looks like. You have a state
machine for every contest. You have to cover the transitions within each box, but
not parts across the boxes.
So in the interest of time, I'll wind up. So there are six major properties that we
need to formally verify. And these are also in the paper. And given that, then we
have a theorem, which is also proven in the paper, which says that if the DRE
satisfies these six properties, then if we have a test suite that satisfies our
coverage criteria and if it passes, then it means the DRE is correct. And if the
DRE is correct, then the test will pass.
Okay. And so now, if you have an election with N contests and K choices in
each contest and you're picking one out of K in each contest, then our approach
requires K times N tests. Whereas otherwise you'd have to consider all possible
combinations, which would work out to be K to the N.
Okay. So there are lots of limitations and assumptions that we make. I think the
previous talk mentioned, you know, support for people with disabilities and this is
something, of course, that this does not handle at all. We assume that the
compile of use from vary log to silicon is trusted and so we make all these
assumptions. And so as I said before, it's a first step. But from the viewpoint of
verification, I think it's a very interesting exploration in the use of formal
verification and its combination with testing.
Okay. So I will stop here. Thank you very much.
>>: Questions?
>> Sanjit Seshia: Yes?
>>: Corresponds between what's displayed in candidate and the database?
>> Sanjit Seshia: Yes. So the correspondence that we check is that the display
is a one-to-one function of the contest number and the state of the selections that
have been made. And so --
>>: [inaudible].
>> Sanjit Seshia: So if you just, if you reorder them.
>>: [inaudible].
>> Sanjit Seshia: Yeah, so I should mention that this is -- so okay. So I think we
assume that, so there's some election definition file which specifies how the
candidate name should appear and the translation from that election definition
file to the screen is correct. Which I think is what you're alluding to. Right. And
so that ->>: [inaudible].
>> Sanjit Seshia: That is right. So I think we could attempt to apply formal
techniques to it, if that were an automatic translation. Yes?
>>: A standard question is, do all the work to formally verify the software. How
do I as a voter or election official know that that's the actual software that's
running on the DRE at the time the voting takes place?
>> Sanjit Seshia: That's one of the issues we don't handle in this work, like I
said, right. So you have to have some other mechanism of ensuring that what
you've verified has not been tampered with and it's running on election day. So,
you know, that's one of the things that we -- that should be done but we don't
address in our work. Thanks very much.
>>: Thank you. Thank you for your flexibility.
>> David Molnar: Pleasure to be here. So Josh asked me to talk about attacks
on voting systems, and so what I did is I went through the literature and I picked
out four attacks which I think are illustrative of different issues that come up with
today's voting systems. This is not an exhaustive list by any means, but I will
explain why I picked each of these in turn.
So the first attack I'm going to talk about dates all the way back to, Yoshi, your
original paper with Avi and Dan and everyone, and Adam. This is, of course, sort
of a critique of the software that was used in the original Diebold DRE. As we all
know, there are many, many problems with this software. The one I want to
mention today is the use of the encryption.
So this is a case where the developers knew they needed some kind of
checksum and some kind of confidentiality properties for vote records that were
on the DRE. Unfortunately, the cryptography they chose was poor. So they
started off using 56 bit DES which perhaps at the time they define the would be
defensible. But they defined an ASCii constant key that's constant for all
machines. For authentication, they said we know we need some kind of
authentication check so we'll use a 16 bit CRC. As the paper notes, Doug Jones
mentions some of these issues in the 1997 report, but they were still present in
2004.
Then for extra credit, there's a linear congruential generator with a comment in
the source code saying oh, yes, as per applied cryptography, 1996. So this was
a vulnerability where the designers had some notion of what they really needed
to do, and then they went to a textbook and completely misunderstood how to do
it.
The next thing I want to talk about is the Harry Hursti attack. This is different. It's
not a DRE. This is an optical scan system. As we heard about already today,
you have these scans, they go into a machine and out come some total. We'll
take a look at the total. If it looks right, we'll accept it. If it doesn't look like or it's
too close, maybe we'll hand count it.
The question in this attack is what is the initial state of the memory on the
machine. So if you have two yes votes and six no votes and you scan them all
and the machine starts off with initial state of yes zero and no zero, you should
get an outcome of yes of two and no of six.
What Hursti noticed in this attack, which was kind of interesting, is that you could
have negative votes on the original machine memory card. And then if you could
slip a memory card with this negative number into this stack of cards used to
initialize the machines, the initialization check that election officials did at that
time was simply to print out what's called a zero tape, which would then say
okay, let's sum up the yes and nos and make sure they sum to zero and print the
results.
If you add five votes to yes and subtract five votes to no, you get something that
sums to zero. And that, of course, completely changes the results.
The problem here, as you already talked about, was that even if you hand audit
this, unless you hand audit the original tape, you might say oh, well, it was just,
you know, the original memory contents, you might say, oh, well maybe it's just
human error or maybe it just got recounted wrong. You may or may not notice
that this is a problem in the machine.
Then the third attack is something that came up in the California top to bottom
review. So we're progressing through time here. The original attack I mentioned
is from 2004. The attack at Hursti discovered was in 2005. This is from 2007.
So this is a Sequoia [indiscernible] electronic with voter verified paper audit trail.
So you walk up to the machine and it turns out that this particular machine will
honor autorun.inf, which is a mechanism in windows for automatically installing
software. And it turns out a standard USB stick could be used to install arbitrary
software on the machine after the machine had been deployed.
So this gets to the question of how do I know the machine is running the software
that I verified in the lab?
Okay, but fine, it's got a verified voter paper audit trail. This shouldn't really hurt
us, except it turns out the procedures of this particular machine in the California
do hurt us in the following way.
The attack goes as follows. You're the voter. You walk up to the machine, you
cast your vote. The machine prints the receipt on the VV pad and you see it, you
say everything's fine and you leave. But then the machine prints voided as if you
had decided to void this vote and then go back and recast.
So there is fleeing voter procedure which gets triggered in this case, where it
looks like the voter went to the machine, entered his or her vote and then just left
the building. And the election official apparently, according to the report, is
allowed to come in and finalize the vote of the fleeing voter.
The malicious software can change this vote and because of the privacy concern
over the election official not being able to see the vote of the voter, there's no
way for the official to tell whether the VD pat that gets finally printed and
committed to the log is the thing the voter actually meant to put out.
So the problem here is even though we have an audit mechanism, the
mechanism interacts badly with a procedure that was put in place to protect voter
privacy and malicious software that can be introduced post hoc can take
advantage of this mismatch in order to create an audit trail that looks perfectly
reasonable but, in fact, is not what the voter intended.
And then the final attack, this is allegedly discovered by some election officials in
Kentucky, I say allegedly, because they're under indictment right now. And so
this description goes credit to Matt Blaze for photo and blog post describing this
attack.
This is a picture of an iVotronic machine. It has a big button at the top that says
vote. I would think, many people would think if you push that button, it casts your
ballot. So here you go, push the button. Actually, it goes to confirmation screen.
So you push the button and it doesn't actually cast. It says okay, are you sure
you want to cast? And you have to push another button on the terminal itself to
actually cast your vote.
>>: A yes button next to the vote button.
>> David Molnar: There apparently is a yes button next to the screen. Here is
the attack. Step zero, become an election judge. As we heard, people are dying
for election help. Step number one, tell people that when you push the big red
button, that's all you need to do, and you can leave. Pay no attention to the big
yes button that appears on the screen.
Many of them will believe you. Step two, sneak over to the voting machine after
they leave, see if they believed you. If they did believe you, you can just push
the back button and change the vote to the correct value. Step four is profit.
So these officials in Clay County, Kentucky, are alleged to have sold elections by
doing this. And what was interesting about the report so far is that they appeared
to have discovered this property as early as they got the first machines. And this
isn't a property that was missed by researchers who actually looked at this.
So if I had to boil these all down into sort of one sentence as to what went wrong
in each case. I would say in 2004, again, this is not the only problem with the
Diebold DRE by any means, but one of the problems was we had the textbook
crypto problem. You had people who knew they needed something, they went to
the textbook and they got it wrong.
In 2005, we had an insufficient initial state check that there's the procedures
people had at the time. They thought they were checking that the machine had a
clean initial state, that it didn't have any votes left over from previous contests in
its memory, but the check they used didn't take into account this devious ability to
put in negative numbers. And you could argue as well that the ability to have
negative votes is a bug, not a feature in a voting machine.
In 2007, the problem here is that the fleeing voter protocol interacts badly with
the ability to add software to the machine after it's tested and certified. And that
fleeing voter protocol ends up interacting badly with the audit trail.
Finally, in 2009, the fact that you have the bad user interface where the vote
button doesn't do what you think it does, combined with the fact that people
training voters are corrupt, leads to this attack.
So the thing that I found when looking at these attacks and other attacks like
them is what are the commonalities. Ideally, we'll see commonalities between
vulnerabilities that would allow us to target the kind of proposals that we all love
and say look, here's a class of attacks we can get rid of.
For instance, we want to have vulnerabilities that fall into the category of software
security because then we can say if we don't have to trust our software, we don't
have to worry about those. Well, these are not all software security problems.
We might say okay maybe the problem is direct recording electronic. If we went
to something where we had recounts or we had an audit trail, we would be able
to get rid of many of our problems. They're not all direct recording electronic
problems.
While human error is a big deal in all these cases, especially the last one, they
aren't all human error problems, because the first issue of cryptography is
something no human could ever determine just by looking at the machine.
Finally, they weren't all discovered by trained researchers. The iVotronic attack
was discovered by election officials who immediately decided to use it for
personal gain. And Matt blaze points out in his blog entry this is something that
had been looked at, a system that had been looked at by trained professional
security researchers and then totally missed this particular problem.
So the question I have, and I would like to sort of pose to everyone here, since
we're going to be talking about new ideas for voting systems, what do
vulnerabilities like this have in common? They don't have to have everything in
common. There's no silver bullet. But when we're proposing new systems, what
are some of the key things that we need to think about when evaluating or
designing new systems?
So with that in mind, I thought I might spend the last little bit of time sort of asking
people if they had thoughts on this, and then we could, you know, put that into
the slides for use later.
>>: [inaudible].
>> David Molnar: Sorry?
>>: Are you also like Sanjit giving another talk?
>> David Molnar: No, I'm not. This is like more of a record thing. So Ben, I'll
pick on you first. What do you think?
>>: Fair enough, fair enough. I think the first thing it means, that this is a
particularly hard problem.
>> David Molnar: Okay.
>>: Kind of an easy one, but human is one we forget. I think that verifying
elections, verifying -- auditing an election in the face of voter privacy
requirements is particularly hard.
>> David Molnar: Yes.
>>: I actually do have a comment. I mean, it's mostly made by your last one.
This is, for somebody like me, you know, who is a very technical person who
looks at these things, I look, my immediate reaction is to dismiss this as human
engineering, right, you know.
But, you know, let's see, I don't want to sound quite so cynical. I think it's
important and I think it needs to be solved. Here's what's missing is nobody yet,
to my knowledge, has ever put down a firm model of what constitutes a fully
operable human being, right? And until you do that we never are going to know
how to solve this problem. The thing is, that issue has been a matter of shifting
sand for as long as I know. And, you know, I mean, I think that intuitively, we all
agree that there is a human being who eventually devolves close enough to
incapable that we are going to have to accept that we cannot deal with those
people, right.
And I don't want to say that we should set that bar really high, but somewhere,
somehow, people are going to have to say those people cannot be expected in
all cases to interact what we would intuit to be correct and just accept it. And say
okay, but our system is good enough to meet 99.99% of the population's
capabilities. When you get there, then you can say maybe you've dealt with the
human engineering problem.
>>: I believe [indiscernible] regular cycle of testing on user, selectively naive
users, known as virgins. Don't know why you have to get new ones, for obvious
reasons.
>>: That's good, and that's important. But my point is that elections are so
political and you run into these problems of people all of a sudden pointing
fingers after the fact, you're never going to have a situation where you feel you've
solved the problem until you decide what is, what is the minimum bar for naivete,
right? I mean, you can't simply say, well, I've designed the system here. Then
go get a stupider voter, you know, who isn't able to interact with the system.
>> David Molnar: Adam has something he wants to say. Adam.
>>: I'd like to object a little bit to your assertion that the voters are stupid.
>>: I tried my best to make it a short cut. They're not stupid.
>>: These systems are complex, and I think part of the problem is the lack of
consistency between what we ask people to do.
>>: Look, I don't think you heard what I said. I agree, and I'm not saying that all
voters are stupid. I'm not trying to characterize people at all. That's not the
point. But the point is that there is some minimum level of capability that we are
going to agree that we're going to address, okay? Beyond that, you can't hope
to, right?
I mean, no, I'm not asking that these systems be designed for computer science
Ph.D.s. That's not the point, right. And they should be designed for as broad a
spectrum of society as we possibly can, okay. Absolutely. And if you can define
that and put boundaries around that broad spectrum of society and show that a
system doesn't meet the requirements of that broad spectrum of society, then I
will say that system has failed, that's fine, okay. But put some boundaries around
what that spectrum is. My dog is very smart. Does it have to meet his
requirements, right? That's my point.
>>: David Molnar: Any other comments or things people want to put up here for
later?
>>: I'm going to throw out something ambitious. I guess I have a sense of this
sort of ad hoc approach that we've taken in the past doesn't -- hasn't proved to
work particularly well, and maybe we need new paradigms. That sort of the
self-serving entry for verifiable paradigms as a completely different approach that
can solve a lot of these problems.
>> David Molnar: Any other comments. This is something I hope we'll be able to
use later on, which is why I put it up here. Yes, Ron?
>>: I don't think we find the search for commonalities. These are very
complicated, many different aspects and dimensions. [inaudible]. Part of human
protocol approaches [inaudible]. Try to take very different things, find
commonalities.
>> David Molnar: Okay. Great. Thank you. All right. Well thank you very
much, guys.
Related documents
Name Hour ____ Date ______ Ch. 19 Voting Section 1 (pp564
Name Hour ____ Date ______ Ch. 19 Voting Section 1 (pp564
S V TUDENT
S V TUDENT
HeltonChapter8
HeltonChapter8
Note guides - private.watertown.k12.sd.us
Note guides - private.watertown.k12.sd.us
Download
advertisement