I examine the question of how to design election-related software, with particular attention to the threat of insider attacks, and propose the goal of simplifying the software in electronic voting machines. I apply a technique called prerendering to reduce the security-critical, voting-specific software by a factor of 10 to 100 while supporting similar or better usability and accessibility, compared to today's voting machines. Smaller and simpler software generally contributes to easier verification and higher confidence.

It turned out bigger than i expected — 324 pages — but don't let that scare you. That includes 14 pages of front matter, 10 chapter cover pages, 11 pages of bibliography, 102 pages of appendices (31 of which are source code), and 5 pages of the GNU FDL. In short, 182 pages of content and 142 pages of fluff. The content is broken up into little sections in an attempt to make it easier to read.
I demonstrate and validate the prerendering approach by presenting Pvote, a vote-entry program that allows a high degree of freedom in the design of the user interface and supports synchronized audio and video, touchscreen input, and input devices for people with disabilities. Despite all its capabilities, Pvote is just 460 lines of Python code; thus, it directly addresses the conflict between flexibility and reliability that underlies much of the current controversy over electronic voting. A security review of Pvote found no bugs in the Pvote code and yielded lessons on the practice of adversarial code review. The analysis and design methods I used, including the prerendering technique, are also applicable to other high-assurance software.
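To make the prerendering idea concrete, here is an added illustration (my own sketch, not Pvote's code or its ballot definition format, and the `SAMPLE_BALLOT` structure, action names and `VoteEntry` class are hypothetical): every screen is an opaque prerendered image paired with touch-target rectangles, so the vote-entry core never renders text, loads fonts or computes layout, and the security-critical part shrinks to hit-testing plus a tiny state machine.

```python
# Hypothetical ballot definition: layouts of opaque prerendered images plus
# touch targets. All text, fonts and layout live here, produced and published
# before election day, so the vote-entry core below never renders anything.
SAMPLE_BALLOT = {
    "contests": {"mayor": 1},               # contest -> max selections allowed
    "layouts": [
        {"image": b"<prerendered contest screen>",   # constructed placeholder blob
         "targets": [((0, 0, 100, 50), ("select", "mayor", "A")),
                     ((0, 60, 100, 50), ("select", "mayor", "B")),
                     ((0, 200, 100, 50), ("goto", 1))]},
        {"image": b"<prerendered review screen>",    # constructed placeholder blob
         "targets": [((0, 0, 100, 50), ("goto", 0)),
                     ((0, 200, 100, 50), ("cast",))]},
    ],
}

class VoteEntry:
    """Minimal prerendering-style vote-entry core: touch -> target -> action."""
    def __init__(self, ballot):
        self.ballot = ballot
        self.layout = 0                                   # index of the screen shown
        self.selections = {c: [] for c in ballot["contests"]}
        self.cast = False

    def current_image(self):
        # The core hands this blob to the display; it never interprets it.
        return self.ballot["layouts"][self.layout]["image"]

    def touch(self, x, y):
        # Hit-test the touch against the current layout's target rectangles.
        for (rx, ry, rw, rh), action in self.ballot["layouts"][self.layout]["targets"]:
            if rx <= x < rx + rw and ry <= y < ry + rh:
                self._apply(action)
                return action
        return None                                       # outside any target: ignored

    def _apply(self, action):
        if action[0] == "select":
            _, contest, option = action
            chosen = self.selections[contest]
            if option in chosen:
                chosen.remove(option)                     # touching again deselects
            elif len(chosen) < self.ballot["contests"][contest]:
                chosen.append(option)                     # enforce the contest limit
        elif action[0] == "goto":
            self.layout = action[1]
        elif action[0] == "cast":
            self.cast = True
```

Everything a reviewer must trust is in these few dozen lines; the ballot definition that carries the presentation can be published and checked separately, which is the point of the approach.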
Many people contributed to the work. The more i learned about things that other graduate students have had to deal with, the more i realized how lucky i was to have Dave Wagner and Marti Hearst as advisors — they got back to me quickly, read drafts carefully, and had lots of well-thought-out and constructive comments to offer. Candy Lopez showed me around the election office in Contra Costa County and patiently explained to me how everything was done in real life. Noel Runyan and Scott Luebking taught me about accessibility, and i appreciate their advice very much even though the dissertation doesn't address accessibility as much as it could; the research didn't include user testing with disabled voters. Matt Bishop, Ian Goldberg, Yoshi Kohno, Mark Miller, Dan Sandler, and Dan Wallach volunteered a huge amount of time to review my source code. Joe Hall has been a great help on questions about election law and policy.
The type is Lucida; i chose it because it has a harmonized family of serif, sans-serif, and fixed-width typefaces. Alas, the original Lucida fonts are unkerned (and the word "Voting" shows up a lot, which makes the lack of kerning more obvious), so i added some kerning pairs by hand (available for regular and bold; please reuse). The page design is inspired by Scott Kim's thesis on Viewpoint — he also used Lucida and a wide left margin for small figures and illustrations. It looks like his left margin was chosen to match the first of three equal columns, which would occasionally be used for three equal-sized figures. I moved the left margin so that the vertical edge divides the page in the golden ratio. Just because.
If you're curious about the topic of electronic voting, please check it out. I hope you find it interesting.
Update: Pvote has a website where you can get the source code and documentation, as well as a sample ballot definition file. Also on that site is the assurance document, which is the specification that was used for the Pvote security review, and a report on the results of the security review.