Automating Voting Terminal Event Log Analysis

Similar documents
Automating Voting Terminal Event Log Analysis

Technological Audit of Memory Cards for the August 12, 2014 Connecticut Primary Elections

Elections, Technology, and the Pursuit of Integrity: the Connecticut Landscape

PROCEDURE FOR USE OF VOTE TABULATORS MUNICIPAL ELECTIONS 2018

The name or number of the polling location; The number of ballots provided to or printed on-demand at the polling location;

Act means the Municipal Elections Act, 1996, c. 32 as amended;

PROCEDURES FOR THE USE OF VOTE COUNT TABULATORS

SECURITY, ACCURACY, AND RELIABILITY OF TARRANT COUNTY S VOTING SYSTEM

Colorado Secretary of State Election Rules [8 CCR ]

CITY OF ST. CATHARINES PROCEDURE FOR USE OF VOTE TABULATORS

AFFIDAVIT OF POORVI L. VORA. 1. My name is Poorvi L. Vora. I am a Professor of Computer Science at The George

Electronic Voting Machine Information Sheet

(1) PURPOSE. To establish minimum security standards for voting systems pursuant to Section (4), F.S.

Global Conditions (applies to all components):

MUNICIPAL ELECTIONS 2014 Voting Day Procedures & Procedures for the Use of Vote Tabulators

IN-POLL TABULATOR PROCEDURES

Analysis and Report of Overvotes and Undervotes for the 2014 General Election. January 31, 2015

Analysis and Report of Overvotes and Undervotes for the 2012 General Election. January 31, 2013

Election Audit Report for Pinellas County, FL. March 7, 2006 Elections Using Sequoia Voting Systems, Inc. ACV Edge Voting System, Release Level 4.

PROCEDURE FOR VOTING WITH THE USE OF VOTE TABULATORS

Trusted Logic Voting Systems with OASIS EML 4.0 (Election Markup Language)

Voting System Examination Election Systems & Software (ES&S)

Direct Recording Electronic Voting Machines

Please see my attached comments. Thank you.

PROCEDURES FOR USE OF VOTE TABULATORS. Municipal Elections Township of Norwich

Logic & Accuracy Testing

GAO. Statement before the Task Force on Florida-13, Committee on House Administration, House of Representatives

Computers and Elections

ARKANSAS SECRETARY OF STATE

Volume I Appendix A. Table of Contents

1S Recount Procedures. (1) Definitions. As used in this rule, the term: (a) Ballot text image means an electronic text record of the content of

H 7249 S T A T E O F R H O D E I S L A N D

IC Chapter 15. Ballot Card and Electronic Voting Systems; Additional Standards and Procedures for Approving System Changes

City of Orillia Tabulator Instructions

Vote Tabulator. Election Day User Procedures

H 5372 S T A T E O F R H O D E I S L A N D

Municipal Election Voting Method Procedures December 13, 2017

This page intentionally left blank

Instructions for Closing the Polls and Reconciliation of Paper Ballots for Tabulation (Relevant Statutes Attached)

UPDATE ON RULES. Florida Department of State

Allegheny Chapter. VotePA-Allegheny Report on Irregularities in the May 16 th Primary Election. Revision 1.1 of June 5 th, 2006

H 8072 S T A T E O F R H O D E I S L A N D

Automated Election Auditing of DRE Audit Logs

STATE OF NEW JERSEY. SENATE, No th LEGISLATURE

Michigan Election Reform Alliance P.O. Box Ypsilanti, MI

NOTICE OF PRE-ELECTION LOGIC AND ACCURACY TESTING

Vote Count Tabulators

WHY, WHEN AND HOW SHOULD THE PAPER RECORD MANDATED BY THE HELP AMERICA VOTE ACT OF 2002 BE USED?

VOTERGA SAFE COMMISSION RECOMMENDATIONS

COMMISSION CHECKLIST FOR NOVEMBER GENERAL ELECTIONS (Effective May 18, 2004; Revised July 15, 2015)

Key Considerations for Oversight Actors

Anoka County Procedural Law Waiver Application Narrative Section A: Background Implementation of the Help America Vote Act of The Help America

Colorado Secretary of State Election Rules [8 CCR ]

ELECTION PLAN TOWN OF GODERICH MUNICIPAL ELECTIONS. January 2014

Statement on Security & Auditability

Options for New Jersey s Voter-Verified Paper Record Requirement

IC Chapter 3. Counting Ballot Card Votes

ARKANSAS SECRETARY OF STATE. Rules on Vote Centers

Braille Voting Instructions - Improving Voter Empowerment

Draft rules issued for comment on July 20, Ballot cast should be when voter relinquishes control of a marked, sealed ballot.

Logic and Accuracy Test Information Packet 2018 City of Longmont Special Election - Ward 1

GAO ELECTIONS. States, Territories, and the District Are Taking a Range of Important Steps to Manage Their Varied Voting System Environments

Municipality of Chatham-Kent. Municipal Election Voting Method Procedures

Colorado Secretary of State

Ballot Reconciliation Procedure Guide

AFFIDAVIT OF DOUGLAS W. JONES. 1. I am an Associate Professor of Computer Science at the University of

Key Considerations for Implementing Bodies and Oversight Actors

The Case Against. Diebold and Florida s Division of Elections

Auditing a DRE-Based Election in South Carolina

PROCESSING, COUNTING AND TABULATING EARLY VOTING AND GRACE PERIOD VOTING BALLOTS

The E-voting Controversy: What are the Risks?

E-Voting as a Teaching Tool

Electronic Voting Machine Information Sheet

IC Chapter 13. Voting by Ballot Card Voting System

RESPONDENT S MOTION IN SUPPORT OF THE ENTRY OF THE RECOUNT PROCEDURAL ORDER

REQUESTING A RECOUNT 2018

Voting System Certification Evaluation Report

If your answer to Question 1 is No, please skip to Question 6 below.

2. Scope: This policy applies to the Auditor and the staff identified within this policy.

Good morning. I am Don Norris, Professor of Public Policy and Director of the

Cuyahoga County Board of Elections

FSASE Canvassing Board Workshop. Conducting Recounts. Presented by: Susan Gill, SOE Citrus County

Introduction of Electronic Voting In Namibia

Any person who is disorderly or who, in the judgment of the Board, unreasonably disrupts the 5% test may be removed.

2. The GEMS operator deletes any subsequent deck of ballots because a problem is encountered.

AUDIT & RETABULATION OF BALLOTS IN PRECINCTS WHERE A DISCREPANCY EXISTS

BYLAW NUMBER 35M2018 BEING A BYLAW OF THE CITY OF CALGARY TO CONDUCT ELECTIONS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Risk-limiting Audits in Colorado

IT MUST BE MANDATORY FOR VOTERS TO CHECK OPTICAL SCAN BALLOTS BEFORE THEY ARE OFFICIALLY CAST Norman Robbins, MD, PhD 1,

L9. Electronic Voting

Secretary of State Chapter STATE OF ALABAMA OFFICE OF THE SECRETARY OF STATE ADMINISTRATIVE CODE

A paramount concern in elections is how to regularly ensure that the vote count is accurate.

The documents listed below were utilized in the development of this Test Report:

Case 1:08-cv Document 1 Filed 01/17/2008 Page 1 of 20

Acceptance Testing More Important Than Ever. Texas Association of Election Administrators January 10, 2018

DIRECTIVE May 21, All County Boards of Elections Directors, Deputy Directors, and Board Members. Election Administration Plans SUMMARY

Manual Audit Requirements

Procedures for the Use of Optical Scan Vote Tabulators

Michael Morisi Comp 116: Web Security

Many irregularities occurred as Travis County conducted the City of Austin s City Council Runoff election:

Transcription:

VoTeR Center University of Connecticut Automating Voting Terminal Event Log Analysis Tigran Antonyan, Seda Davtyan, Sotirios Kentros, Aggelos Kiayias, Laurent Michel, Nicolas Nicolaou, Alexander Russell, Alexander A. Shvartsman Voting Technology Research (VoTeR) Center University of Connecticut http://voter.engr.uconn.edu Presented by Nicolas Nicolaou Work funded by the Connecticut Secretary of the State Office

Why Auditing? [http://www.statehousereport.com] 8/11/2009 EVT/WOTE 09 2

Motivation Electronic Voting Technologies Direct Recording Electronic (DRE) Optical Scan (OS) tabulator VVPAT Voter Verifiable Paper Audit Trail Used in over 50% of counties in 2008 Terminal Usage in Election Procedures Safe Storage No Interaction (?) Polling Place Officials (Before Election) Voters + Officials (During Elections) Officials (After Elections) Officials Interaction Safe storage (No Interaction) Voters+ Officials Interaction Is the interaction with the terminal benign and does it follow the election procedures? Officials Interaction 8/11/2009 EVT/WOTE 09 3

Question How can someone check the Actions and their Validity, performed on an E-Voting Terminal during an Election Process? Can we devise an Automated Procedure to perform this check? 8/11/2009 EVT/WOTE 09 4

The Event Log What is an Event Log A list of Timestamped Entries Actions performed on the terminal, and Time/Date associated with any recorded action What actions are recorded? Where an Event Log is found In every E-voting Terminal with Logging Capabilities Usually Dedicated Memory Space Event Logs are useful for: Monitoring actions on e-voting terminals Before, During and After the elections Report environmental effects i.e. Power Failure 8/11/2009 EVT/WOTE 09 5

Why Auditing the Event Log? Detect Expected Event Histories Compliant with electoral procedures Detect Irregular Event Histories Deviation form electoral procedures Malfunction of machines Reveal any malicious intent To Improve Electoral Procedures Minimize procedural uncertainties Increase the chance of detecting malicious actions Event Log Audit is Essential for any Election Process Every E-Voting System should provide an Event Log 8/11/2009 EVT/WOTE 09 6

The Need for Independent Log Audit E-Voting Systems with Logging Capabilities Print Event Log Provide Software to read and analyze the Event Log Usually Developed by the Vendor Issues Printing Module Module Defects Wrong Sequence of events Manual Parse of the printout Time Consuming and Inaccurate Vendor Software Reliability What are the analysis criteria? Conflict of Interest? Is it trustworthy? 8/11/2009 EVT/WOTE 09 7

Our Approach Understand and Parse the Log Input: Event Log raw data and format Output: Exact Action sequence recorded in the Log Examine log sequences in light of predefined Action Rules Rules can be customized by Voting Terminal: Actions it can record Election Process: Sequence of Actions it contains Report whether Log Sequences satisfy the Rules 8/11/2009 EVT/WOTE 09 8

Case Study: AccuVote (AV-OS) Premier s Accu-Vote Optical Scan tabulator Provides inherent VVPB/VVPAT But is not perfect: Tampering with Memory cards [Hursti 05], [EVT 07] Firmware manipulations [SAC 09] Reports by others and CA, CT, FL, AL, Provides Logging Capabilities Printing the Event Log for Auditing Print Module is Defective Suffers from other Deficiencies 8/11/2009 EVT/WOTE 09 9

Case Study: AccuVote OS (AV-OS) Physical Characteristics Firmware Version 1.96.6 Input Devices Yes/No Buttons Optical Scanner Output Devices Printer LCD Memory Card Contains Election Data Divided in 5 sections Contents of the MC obtained by build-in extraction module Header Event Log Election Data Bytecode (AccuBasic) Counters 8/11/2009 EVT/WOTE 09 10

Applying Our Approach: AV-OS Logs Design and Implement a Procedure for AccuVote OS Event Log Audit Parse, analyze and evaluate event logs Automated Log Analyzer General for other E-Voting Systems Discover AV-OS event log Defects and Deficiencies Used in the Event Log Audit in the CT Presidential Elections of November 2008 8/11/2009 EVT/WOTE 09 11

Log Audit Procedure at a Glance 1. Understand the contents of the AV-OS Event Log 2. Model AV-OS as a finite state machine (FSM) AV-OS states State transitions (Actions) Logged Events 3. Specify the electoral process Augment FSM Actions with Time-Sensitive information based on the definition of the electoral process. 4. Develop Analysis Tool Parse AVOS Event Log Compare the Event Action Sequence over Time- Sensitive Action Sequence Rules 8/11/2009 EVT/WOTE 09 12

Log entries: 512 Circular Buffer VoTeR Center University of Connecticut AV-OS Event Log Entries AV-OS Event Log has two types of entries: Action entries Date entries Action entries consist of Time of occurrence Action name Date entries only follow: INITIALIZED action SESSION START action 8/11/2009 EVT/WOTE 09 13

Action Name VoTeR Center University of Connecticut Event Types Recorded by AV-OS Action Description AUDIT REPORT Appears when an Audit Report is printed. BAL COUNT END After the ender card is inserted in an election, this action appears. BAL COUNT START Appears when the first ballot is cast in an election. BAL TEST START Records the beginning of a test election. CLEAR COUNTERS Appears when the counters are set to zero. COUNT RESTARTED Appears if the machine is reset during an election, after at least one ballot is cast. DOWNLOAD END Recorded during the download of data is ended. DOWNLOAD START Recorded during the download of data is started. DUPLICATE CARD Appears when a card is duplicated. Present in the master card and the copy. ENDER CARD Records when an ender card is inserted, signifying the end of an election. INITIALIZED The 1st action in the Log. Date action appears when one programs the card. MEM CARD RESET A memory card reset returns a card in not set status, if it was set for election. OVERRIDE Records an override by a poll worker. Used for the insertion of overvoted ballots. POWER FAIL If the machine is unplugged or a power failure occurs, this action is recorded. PREP FOR ELECT Recorded when the card is set for election. SESSION START Date action. Appears every time you reset the machine. TOTALS REPORT Appears when a Totals Report is printed. UNVOTED BAL TST Appears when an unvoted ballot test is performed. UPLOAD END When an upload is completed, this action is recorded. UPLOAD ERROR Appears when an upload error is detected. UPLOAD STARTED Marks the beginning of an upload. VOTED BAL TEST Appears when an voted ballot test is performed. ZERO TOT REPORT Appears when a Zero Totals Report is printed. 8/11/2009 EVT/WOTE 09 14

Modeling AV-OS as a FSM States: Preserved after a restart Blank State Loaded Election State Set for Election with Zero Counters Set for Election with Non-Zero Counters Print Totals Report Election Closed Not preserved after restart Voted Ballot Test Unvoted Ballot Test Test Election with Zero Counters Test Election with Non-Zero Counters Transitions denoted by a triple < U A L > U: User action A: Ensuing Sequence of Machine Actions L: Sequence of Logged Events 8/11/2009 EVT/WOTE 09 15

Example Set For Election State Restart Machine Print Zero Totals Report Session Start, Zero Totals Report Set For Election / Zero Counters Ender Card End Election, Print Totals Report Ender Card, Bal Count Start, Ballot Count End Cast Ballot Cast Vote Bal Count Start Override Cast Vote Override, Bal Count Start Print Totals Report Set For Election / Non-Zero Counters 8/11/2009 EVT/WOTE 09 16

Specify the Election Process 8/11/2009 EVT/WOTE 09 17

Time-Sensitivity of the Election Process Card Programming and Pre-Election testing by Provider 3-4 weeks before the elections Pre-Election Testing and Setting for Election in the Precincts 1-2 weeks before the elections Expected Sequence of timed events on Election Day: SESSION START-DATE, ZERO TOTALS REPORT Before the polls open BALLOT COUNT STARTS After the polls open Any number of OVERRIDE events While the polls are open ENDER CARD, BALLOT COUNT END, TOTALS REPORT When the polls close 8/11/2009 EVT/WOTE 09 18

Automating the Event Log Analysis Define a set of Time Sensitive Rules Derived from FSM and Election Process Rules defined in an XML file Easily customizable Analysis Tool Input: Set of Rules and AV-OS Event Log Output: Return Expected or Irregular 8/11/2009 EVT/WOTE 09 19

Examples of Flagged Events A. Expected Election Run B. Restart During the Election Process C. Power Failure and Restart During the Election Process 8/11/2009 EVT/WOTE 09 20

AV-OS Event Log Defects/Deficiencies Printing an Overflowed Event Log Totals Report Recording Deficiency Date recording Deficiency 8/11/2009 EVT/WOTE 09 21

Printing Defect Demonstration Printing Enumerates Events Expected Behavior Erroneous Behavior Event Log Actions Let an action event be denoted as <s,n,t> n: action name Seq Seq Buffer 513 503 <n513,t513> Beginning of buffer t: time it occurred Let assume #entries=522 Date Entries = 11 Action Entries = 511 522 512 <n522,t522> 11 1 & 513 <n11,t11> 12 2 & 514 <n12,t12> First Not- Overwritten Entry 10 first entries overwritten Print starts from 11 th entry <n11,t11> 512 502 <n512,t512> Expected Printout: <11,n11,t11>,<12,n12,t12>,,<512,n512,t512>,,<522,n522,t522> Erroneous Printout <1,n11,t11>,,<502,n512,t512>,,<512,n522,t522>,<513,n11,t11>,,<522,n22,t22> Duplicates 8/11/2009 EVT/WOTE 09 22

Totals Report Recording Deficiency Closing Election Ender Card Totals Report Another Copy? Totals Report Event Not logged unless NO is pressed Single appearance in the log event Effects Event is not logged Controversy on the validity of printed totals report Single appearance of the event affects Auditing Process Electoral Process 8/11/2009 EVT/WOTE 09 23

Date recording Deficiency Deficiency Entries followed by date INITIALIZE SESSION START If >24 hours elapse from the date recording without any actions occurring Cannot determine whether the next event occurred on the same date. Effects Modification of the results I.e., leave the terminal ON for a day, cast more votes and close it the next day at the expected time Did these events happen on Nov 04, 2008? 8/11/2009 EVT/WOTE 09

Our Log Audit Procedure in Practice Connecticut Nov 2008 Presidential Elections We collected Event Logs from 421 AV-OS memory cards 279 used in the elections Corresponding to random selection of 30% of all precincts 142 from back-up cards not used in the elections 8/11/2009 EVT/WOTE 09 25

Findings 314 out of 421 contain the expected sequences 15 (3.6%) had >10 SESSION START events 41 (9.7%) contained card duplication events 29 (6.9%) had a ZERO TOTALS REPORT printed before the date of the election. 24 (5.7%) were initialized between 10/27/2008 and 10/30/2008. Our pre-election audit included only cards programmed until 10/26/2008 2 event logs had an additional ZERO TOTALS REPORT event during the election day. 8/11/2009 EVT/WOTE 09 26

Findings (Cont ) 1 event log had ELECTION CLOSE event at 22:08. 6 event logs had PREP ELECTION event the day of the election. 4 event logs had a MEMORY CARD RESET event. 1 event log had an UPLOAD STARTED event. 2 event logs had test elections on 10/31/08 and 1 event log showed a test election on 11/03/08. 1 event log had a test election on 11/26/08 and an election executed on 12/04/08. Findings Suggest No serious security problem or malicious intent Prescribed procedures are not followed uniformly 8/11/2009 EVT/WOTE 09 27

Summary Proposed and Developed an Automated Procedure for Event Log Analysis Modeling AV-OS in terms of FSM Time-Sensitive Action Rules A tool to compare the actions in the logs over the defined rules Our tool may be adjusted and used with other systems Discovered some defects and deficiencies in AV-OS logging procedures Printing an Overflowed Event Log Totals Report Recording Deficiency Date recording Deficiency Used the automated tool in log analysis for CT Nov 2008 elections Findings suggest no malicious intent but reveal non-uniformity in the electoral procedures 8/11/2009 EVT/WOTE 09 28

Conclusions Our Results Suggest Full scale event log analysis is feasible It provides information about Usage of the machines Deviation from procedures. Should included in any procedural audit Part of Post-Election Audit Event Logs should be a part of any E- Voting Terminal 8/11/2009 EVT/WOTE 09 29

VoTeR Center University of Connecticut Thank You. Questions?

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback