Friday, March 09, 2007

The FSU report on the ES&S iVotronic used in Sarasota County

On February 23, a team of computer scientists, based out of Florida State University put out an exceptional report analyzing the ES&S iVotronic 8.0.1.2 voting machine firmware. The reason that this particular machine was of interest is that it was used in the 13th Congressional race in Sarasota County last November. As many of you know, this is the machine that was responsible for approximately 18,000 undervotes in that race. The research team was chartered with the task of attempting to determine if anything related to that code could have caused the missing votes due to some bug in the software on the voting machine. Of course, they could only analyze the source code of software that was supposed to be on the machine. They did not have an opportunity to examine whether or not the binaries actually running on those machines corresponded to that source code, nor is such a determination possible today.

When I first heard about this study (and I was even approached about joining it), my first thought was that it is a silly idea to try to figure out what went wrong in Sarasota County by analyzing the source code. So many factors that have nothing to do with the source code could have contributed to the problem, and source code analysis cannot be used to find all problems that may have arisen in the software. There are all kinds of run time conditions such as, for example, race conditions and runtime bounds errors that could cause problems without the ability to be detected by source code analysis.

However, the team, which contains quite a few all stars, proved that even though a source code analysis is not likely to shed any light on what happened in this particular election, it is nonetheless an extremely valuable exercise. I wish more real voting systems were subjected to such careful scrutiny followed by a public report. I have not seen the confidential appendices in this report, but just from the table of contents, it is clear that some serious problems were found in this machine, and once again it boggles the mind that it was ever certified and used in elections. On page 37, section 7.1 begins as follows:

    "We identified several buffer overflow vulnerabilities that in a worst case scenario may allow an attacker to take control of a voting machine by corrupting data on a PEB. These create the possibility of a virus that propagates by exploiting the buffer overflow vulenrability."

This is reminiscent of the vulnerability that the Princeton team exploited in the Diebold DRE. I would not suggest reading this report before bed, because it is quite scary. To me, the Princeton work, coupled with this FSU report should serve as wake-up calls to the elections community that these sorts of studies need to take place before voting systems are deployed, not after an election has proven problematic. Studies such as the FSU one should be done as part of the certification process. This report clearly uncovered problems that would have been show stoppers, and yet, relatively little attention has been paid to this.