Can DREs Provide Long-Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage

By Stephen Checkoway, Ariel J. Feldman, Brian Kantor, J. Alex Halderman, Edward W. Felten, and Hovav Shacham.

Introductory Video

Abstract

A secure voting machine design must withstand new attacks devised throughout its multi-decade service lifetime. In this paper, we give a case study of the long-term security of a voting machine, the Sequoia AVC Advantage, whose design dates back to the early 80s.

The AVC Advantage was designed with promising security features: its software is stored entirely in read-only memory and the hardware refuses to execute instructions fetched from RAM. Nevertheless, we demonstrate that an attacker can induce the AVC Advantage to misbehave in arbitrary ways—including changing the outcome of an election—by means of a memory cartridge containing a specially-formatted payload. Our attack makes essential use of a recently-invented exploitation technique called return-oriented programming, adapted here to the Z80 processor. In return-oriented programming, short snippets of benign code already present in the system are combined to yield malicious behavior. Our results demonstrate the relevance of recent ideas from systems security to voting machine research, and vice versa. We had no access either to source code or documentation beyond that available on Sequoia's web site. We have created a complete vote-stealing demonstration exploit and verified that it works correctly on the actual hardware.

Full Research Paper [PDF]

Appeared in Proceedings of EVT/WOTE 2009. USENIX/ACCURATE/IAVoSS, Aug. 2009.

News Release

Interview Video with Hovav Shacham

Press Coverage

Press for our paper: NPR’s Talk of the Nation—Science Friday; KPBS; The Register; Dark Reading; PC World; InformationWeek; Canwest; The Hindustan Times; Slashdot; Digg; Ars Technica; Engadget.