Want to know how to fix an election without resorting to bribery and corruption? Ever thought about throwing some Return Oriented Programming into the voting equation?
Ordinarily, the hacking into of an electronic voting machine might spark a little bit of interest if there were an election looming perhaps. That said, the potential insecurity of such machines can happily be filed under old news.
However, my attention was grabbed by the paper (Can DREs Provide Long-Lasting Security?) from a bunch of security researchers based at the Universities of California, Michigan and also Princeton. Not least because while it did, I admit, involve revealing how a Direct Recording Electronic voting machine had been hacked it also described something called Return Oriented Programming. Also, much of the research that has gone before when it comes to the security of voting machines tends to rely greatly upon having access to source code. The researchers say that they hope their results "go some way towards answering the objection, frequently raised by vendors, that voting security researchers enjoy unrealistic access to the systems they study."
The DRE voting machine in question, a Sequoia AVC Advantage, dates back to the 80's so maybe it is not that surprising that it can be hacked today. However, that does not make it an easy target: the thing employs numerous safeguards such as separating data and code, and throwing up a non-maskable interrupt error if someone were to try and execute injected code in RAM (the actual executable code for this machine is held in ROM). Nor does it make the research irrelevant, as the team states in its paper "because the development, certification, and procurement cycle for voting machines is unusually slow, the service lifetime can be twenty or thirty years."
Yet the research team are insistent, courtesy of Return Oriented Programming techniques, that if someone used the same techniques as they describe it would be possible, assuming they had access to the machine in the first place, to replace the installed election application with one of their own which could manipulate the voting in any way the attacker wished.
"The Z80 instruction set is very dense. Every byte is either a valid opcode or is a prefix byte. As there are no invalid or privileged instructions, instruction decoding of any sequence of data always succeeds" the researchers explain in their paper, adding "This density facilitates return-oriented programming since we can exploit unintended instruction sequences to build gadgets — a sequence of pointers to instruction sequences ending with a ret." By using a stack that is made up of code snippet addresses the researchers were able to show how they can recreate what are, for all intents and purposes, arbitrary programs. It's clever stuff, using a bog standard buffer overflow within the program code to create the stack and having a ret instruction triggering one ret after another in order to execute the vote rigging code itself.
The team have managed to demonstrate that an attacker could exploit vulnerabilities in one particular voting machine in order to install vote-stealing malware using a maliciously formatted memory cartridge. The important thing being that they have done this without replacing the system ROMs and starting out with "no source code, schematics, or nonpublic documentation." The whole attack-stealing code was produced in less than 16 man-months of labour and at a cost, if replicated in the private sector of around $100,000.
Kudos to Stephen Checkoway, J. Alex Halderman, Ariel J. Feldman, Edward W. Felten, Brian Kantor and Hovav Shacham for their innovative research.
