Graduate School and Research Center In communication systems

An experience in testing the security of real-world electronic voting systems

Balzarotti, Davide; Banks, G. ; Cova, M. ; Felmetsger, V. ; Kemmerer, R. ; Robertson, W. ; Valeur, F. ; Vigna, G

IEEE Transactions on Software Engineering, July-August 2010, Vol 36, N°4

Voting is the process through which a democratic society determines its government. Therefore, voting systems are as important as other well-known critical systems, such as air traffic control systems or nuclear plant monitors. Unfortunately, voting systems have a history of failures that seems to indicate that their quality is not up to the task. Because of the alarming frequency and impact of the malfunctions of voting systems, in recent years a number of vulnerability analysis exercises have been carried out against voting systems to determine if they can be compromised in order to control the results of an election. We have participated in two such large-scale projects, sponsored by the Secretaries of State of California and Ohio, whose goals were to perform the security testing of the electronic voting systems used in their respective states. As the result of the testing process, we identified major vulnerabilities in all of the systems analyzed. We then took advantage of a combination of these vulnerabilities to generate a series of attacks that would spread across the voting systems and would “steal” votes by combining voting record tampering with social engineering approaches. As a response to the two large-scale security evaluations, the Secretaries of State of California and Ohio recommended changes to improve the security of the voting process. In this paper, we describe the methodology that we used in testing the two real-world electronic voting systems we evaluated, the findings of our analysis, our attacks, and the lessons we learned.

Document Doi Bibtex

Keywords:Voting systems , security testing , vulnerability analysis
Type:Journal
Language:English
City:
Date:
Department:Networking and Security
Eurecom ref:3196
Copyright: © 2010 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.
Bibtex: @article{EURECOM+3196, doi = {http://dx.doi.org/10.1109/TSE.2009.53 }, year = {2010}, month = {08}, title = {{A}n experience in testing the security of real-world electronic voting systems}, author = {{B}alzarotti, {D}avide and {B}anks, {G}. and {C}ova, {M}. and {F}elmetsger, {V}. and {K}emmerer, {R}. and {R}obertson, {W}. and {V}aleur, {F}. and {V}igna, {G}}, journal = {{IEEE} {T}ransactions on {S}oftware {E}ngineering, {J}uly-{A}ugust 2010, {V}ol 36, {N}°4 }, url = {http://www.eurecom.fr/publication/3196} }
See also: