SAIT Software Review Team Participates in the Florida Thirteenth Congressional District Election Audit
SAIT Laboratory is pleased to announce the release of the report: “Software Review and Security Analysis of the ES&S iVotronic 126.96.36.199 Voting Machine Firmware” sponsored by the Florida Department of State. Commissioned to conduct the first-of-its-kind analysis in November 2006, SAIT Laboratory invited a blue-ribbon team of software and security experts to conduct this study of national interest.
The effort marks the first time that state officials have called on academic experts to conduct a static source code review as part of an audit of a contested result in a federal election. The effort leveraged extraordinary cooperation between state elections officials, academic information security experts, and elections systems software developers to accomplish the project’s goal.
The bulk of the team’s technical work took place in SAIT Laboratory and culminated in the sixty-seven-page public report that detailed the project goals, assumptions, process, findings, and conclusions. After hundreds of hours reviewing source code and exploring possible flaws suggested by a review of ballot operation for disabled and non-disabled voters, polling place records, terminal event logs, outside opinions and hypotheses, and possible inputs, the team formed the following opinion:
“The team’s unanimous opinion is that the iVotronic firmware, including faults that we identified, did not cause or contribute to the CD13 undervote.” [par 1.3]
The report provides a thorough, high-level description of the system hardware and software engineering architecture, description of important state machine transitions, elements of data representation and storage, input/output operations, interactions with removable memory devices and portable electronic ballots, user interface, and other details to enable outside experts to comment on and independently ascertain the methods and processes used by the review team. The report further describes the strategies the team employed to test and verify a number of specific hypotheses.
The team also identified non-contributory software flaws and security vulnerabilities during the analysis. Specific technical descriptions along with accompanying recommendations regarding these faults were reported to the State and the vendor. These constitute an independent contribution of the team to the broader goal of improving voting systems’ reliability and security.
Software Review Team Members
SAIT students and former students Leo Kermes, Jon Nilson, Louis Brooks, Tina Suen, and Kenny Zahn assisted the team’s analysis efforts.