Ka-Ping Yee

EECS Department, University of California, Berkeley

Technical Report No. UCB/EECS-2007-167

December 19, 2007

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2007/EECS-2007-167.pdf

I examine the question of how to design election-related software, with particular attention to the threat of insider attacks, and propose the goal of simplifying the software in electronic voting machines. I apply a technique called prerendering to reduce the security-critical, voting-specific software by a factor of 10 to 100 while supporting similar or better usability and accessibility, compared to today's voting machines. Smaller and simpler software generally contributes to easier verification and higher confidence.

I demonstrate and validate the prerendering approach by presenting Pvote, a vote-entry program that allows a high degree of freedom in the design of the user interface and supports synchronized audio and video, touchscreen input, and input devices for people with disabilities. Despite all its capabilities, Pvote is just 460 lines of Python code; thus, it directly addresses the conflict between flexibility and reliability that underlies much of the current controversy over electronic voting. A security review of Pvote found no bugs in the Pvote code and yielded lessons on the practice of adversarial code review. The analysis and design methods I used, including the prerendering technique, are also applicable to other high-assurance software.

Advisors: David Wagner and Marti Hearst


BibTeX citation:

@phdthesis{Yee:EECS-2007-167,
    Author= {Yee, Ka-Ping},
    Title= {Building Reliable Voting Machine Software},
    School= {EECS Department, University of California, Berkeley},
    Year= {2007},
    Month= {Dec},
    Url= {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2007/EECS-2007-167.html},
    Number= {UCB/EECS-2007-167},
    Note= {Pvote is available at <a href="http://pvote.org/">http://pvote.org/</a>.},
    Abstract= {I examine the question of how to design election-related software, with particular attention to the threat of insider attacks, and propose the goal of simplifying the software in electronic voting machines.  I apply a technique called <i>prerendering</i> to reduce the security-critical, voting-specific software by a factor of 10 to 100 while supporting similar or better usability and accessibility, compared to today's voting machines. Smaller and simpler software generally contributes to easier verification and higher confidence.
<p>
I demonstrate and validate the prerendering approach by presenting Pvote, a vote-entry program that allows a high degree of freedom in the design of the user interface and supports synchronized audio and video, touchscreen input, and input devices for people with disabilities. Despite all its capabilities, Pvote is just 460 lines of Python code; thus, it directly addresses the conflict between flexibility and reliability that underlies much of the current controversy over electronic voting. A security review of Pvote found no bugs in the Pvote code and yielded lessons on the practice of adversarial code review. The analysis and design methods I used, including the prerendering technique, are also applicable to other high-assurance software.},
}

EndNote citation:

%0 Thesis
%A Yee, Ka-Ping
%T Building Reliable Voting Machine Software
%I EECS Department, University of California, Berkeley
%D 2007
%8 December 19
%@ UCB/EECS-2007-167
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2007/EECS-2007-167.html
%F Yee:EECS-2007-167