A 21st Century Voting System

Part of DARPA’s SSITH program, this project aims to demonstrate high-assurance secure hardware developed in SSITH by building a supervised voting system. The system will be publicly red teamed at DEF CON 2019 and 2020 to provide evidence for the hardware security guarantees.

DARPA’s System Security Integration Through Hardware and Firmware (SSITH) program seeks to break the cycle of vulnerability exploitation by developing hardware security architectures and associated design tools to protect systems against classes of hardware vulnerabilities. The goal of the program is to develop ideas and design tools that will enable system-on-chip (SoC) designers to safeguard hardware against all known classes of hardware vulnerabilities that can be exploited through software.

This project seeks to demonstrate and assess artifacts developed as part of SSITH—primarily three secure RISC-V CPUs: a microcontroller, a desktop CPU, and a server CPU—in a complex heterogeneous system.

Voting systems were chosen because they represent a compelling example of critical infrastructure that could benefit from secure hardware. The systems we aim to build are not meant for use in actual elections; they are instead a demonstration of secure technology that aims to serve as a teaching and research vehicle.

Public availability and red teaming

To evaluate the systems’ security properties, we aim to demonstrate the voting systems publicly in 2019 and 2020 at the DEF CON Voting Village and invite white hat hackers to analyze and attempt to compromise the systems. Moreover, we aim to make the software and hardware source code publicly available so that red teaming can happen continuously between the DEF CONs and beyond.

Hackers are permitted to attack the voting systems in three ways, two of which are traditional and one of which is unconventional. Attackers can attack (1) over an Ethernet network or (2) via a serial device. More critically, (3) they are given a facilitated means to load untrusted binaries directly onto the voting systems, effectively presuming that the adversary is already inside the system itself. SSITH secure hardware is meant to detect and defeat even this level of intrusion.

Our aim is to enable cybersecurity professionals, industrial researchers, students, and professors to test and analyze the systems, and use the demonstrators for teaching and learning about hardware design and security, secure compilation, RISC-V technologies, formal methods, and elections technologies.

The open source hardware descriptions and bitstreams will be available to run on off-the-shelf field-programmable gate arrays (FPGAs). We also aim to develop low-cost, crowd-funded FPGA development boards that run a virtual secure CPU and enable running and testing the voting system at home for individuals who don’t have access to an expensive high-end FPGA development board. In addition, open hardware allows electrical engineers to easily order or build the required boards themselves.

The voting system demonstrators we aim to build include both (1) a ballot marking device that produces a paper ballot record, whose main focus is on permitting persons with disabilities to vote independently, and (2) an optical scan voting system, which serves voters who wish to vote using traditional paper ballots and a pen.

At DEF CON 2019, we aim to demonstrate a smart ballot box based on SSITH secure hardware, as part of a ballot marking device-based voting system built primarily on commercial off-the-shelf hardware. At DEF CON 2020, we aim to demonstrate all components of a voting system on SSITH hardware, including both ballot marking devices and optical scan systems.

This material is based upon work supported by the Defense Advanced Research Projects Agency (DARPA) under Contract No. HR0011-18-C-0013. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Defense Advanced Research Projects Agency (DARPA). Approved for Public Release, Distribution Unlimited.