Software Review and Security Analysis of the ES&S iVotronic 8.0.1.2 Voting Machine Firmware


Citation

Paper

About This Report

From the Executive Summary:

On December 15th, 2007 the Florida Department of State (FLDoS) commissioned an independent expert review of the ES&S iVotronic 8.0.1.2 firmware, as documented in the Statement of Work. The team, led by Florida State University’s (FSU) Security and Assurance in Information Technology (SAIT) Laboratory, was commissioned to conduct a static software code review as part of the state’s audit of the 2007 Florida Congressional District 13 (CD13) election between candidates Vern Buchanan and Christine Jennings. This report is the culmination of that review.

Our investigation was limited to the scope specified in the Statement of Work:

The sole purpose of this project is to conduct a scientifically rigorous static software analysis on the iVotronics version 8.0.1.2 firmware source code to determine and identify flaws, vulnerabilities or anomalies, if any, that may have potentially caused, contributed or otherwise created the higher than expected under-vote rate in the District 13 Race.

The team’s unanimous opinion is that the iVotronic firmware, including faults that we identified, did not cause or contribute to the CD13 undervote. We base this opinion on hundreds of hours of manual code review complemented by automated static analysis and extensive study of the problem symptoms and the execution environment. We traced program execution from terminal Software Review and Security Analysis of the ES&S iVotronic 8.0.1.2 Voting Machine Firmware initialization, through voter selection, to ballot image creation, to ballot image collection. We also investigated the possibility of asynchronous system faults not associated with any particular phase of voting. Our investigation provided no evidence that an iVotronic software malfunction caused or contributed to the CD13 undervote.

We do not claim that these results extend beyond the scope of our investigation. We emphasize that these findings are neither an endorsement nor a repudiation of the iVotronic, the larger class of Direct Recording Equipment (DRE) systems, nor any other form of electronic voting system. We specifically do not contend that these systems are correct or secure beyond the specific opinions that we give herein. This report is concerned solely with the question posed to us regarding the cause of the CD13 undervote in Sarasota County in November, 2006, and we do not claim that these results extend to a broader context.

Background

Alec Yasinsac, a long-time friend, invited me to join the source code analysis effort. The report, which all the team members wrote, speaks for itself. It was issued by the Division of Elections of the Florida Department of State. Three appendices are redacted from the public version because they are confidential; see §2.1 on p. 4 of the report for an explanation.

This is a local copy. The definitive version is available at http://election.dos.state.fl.us/pdf/FinalAudRepSAIT.pdf