Electronic voting machine security suffered another blow as researchers this week showed how they were able to hack a machine and steal votes.
A team of computer scientists from University of California-San Diego, the University of Michigan, and Princeton University used an attack based on "return-oriented programming" to turn a Sequoia AVC Advantage e-voting machine against itself and shift votes from one candidate to another.
Return-oriented programming basically takes snippets of code from the application and totally reassembles it into something with no resemblance to the program -- akin to selecting words or phrases from a story and putting them together into a different paragraph that means something completely different, says Hovav Shacham, a professor of computer science at UC San Diego's Jacobs School of Engineering and one of the lead researchers in the hack. UCSD had previously shown how the technique could work on desktop machines.
The attack (PDF) doesn't require any new code, either: "The attacker reuses short snippets of the existing system and recombines them in such a way that the computation they perform is exactly the computation he wants to carry out," he says.
The researchers exploited a buffer-overflow vulnerability in the Sequoia voting machine, which has built-in defenses against code injection into its RAM. "This is exactly the defense that our use of return-oriented programming defeats," Schacham says.
Brian Chess, CTO of Fortify Software, says return-oriented programming is an effective attack technique. "The lesson here is that there's no substitute for good code," Chess says.
Unlike previous e-voting hacks that have been demonstrated, the UCSD, Princeton, and Michigan researchers didn't have source code or documentation on the machine. "We were able to reverse-engineer the hardware and software of the AVC Advantage using only the physical artifacts -- a voting machine and a memory cartridge -- that an attacker could obtain by stealing a machine left unattended at a polling place the night before an election," UCSD's Shacham says.
It took the researchers about 16 months of work and $100,000 to pull off the hack, he says. "It might take an attacker longer to reverse-engineer the machine without source, but even so, the total time and money it took for us to develop our attack was not very large," he says.
The researchers pooled their resources, with Princeton computer scientists reverse-engineering the hardware of the Sequoia AVC Advantage purchased via a government auction, and a memory cartridge they obtained. They then wrote an exploit using the return-oriented method that simulated an election. "But after the polls are closed, it shifts votes from one candidate to another," Shacham says.