Security Analysis of the Diebold AccuBasic Interpreter
Citation
- D. Wagner, D. Jefferson, M. Bishop, C. Karlof, and N. Sastry, “Security Analysis of the Diebold AccuBasic Interpreter”, Technical Report, Voting Systems Technology Assessment Advisory Board, Office of the Secretary of State of California, Sacramento, CA 95814 (Feb. 2006).
Paper
About This Report
From the Summary: The questions we addressed [in this report] are these:
- What kinds of damage can a malicious person do to undermine an election if he can arbitrarily modify the contents of a memory card?
- How can the possibility of such attacks be neutralized or ameliorated?
The scope of our investigation was basically limited to the above questions. We did not do a comprehensive code review of the whole codebase, nor look at a very broad range of potential security issues. Instead, we concentrated attention to the AccuBasic scripting language, its compiler, its interpreter, and other code related to potential security vulnerabilities associated with the memory cards.
We found a number of security vulnerabilities, detailed below. Although the vulnerabilities are serious, they are all easily fixable. Moreover, until the bugs are fixed, the risks can be mitigated through appropriate use procedures. Therefore, we believe the problems as a whole are manageable.