In this paper we propose that formal modelling techniques are necessary in establishing the trustworthiness of e-voting systems and the software within. We illustrate how a distributed e-voting system architecture can be analysed against quality of service requirements, through simulation of formal models. A concrete example of a novel e-voting system prototype (for use in French elections) is used to justify the utility of our approach. The quality of service that we consider is the total time it takes for a voter to record their vote (including waiting time). The innovative aspects of the e-voting system that required further research were new requirements for voting anywhere and re-voting, and the potential for undesirable interactions between them.

Background and Motivation

The E-voting Problem

Computer technology has the potential to modernise the voting process and to improve upon existing systems; but it introduces concerns with respect to secrecy, accuracy, trust and security [15]. Despite ever-increasing uncertainty over the trustworthiness of these systems, many countries have recently chosen to adopt e-voting, and this has led to their analysis from a number of different viewpoints: usability [17], trustworthiness [22], transparency [24] and risks [27]. Many of the problems in the domain of e-voting have arisen because of poorly specified requirements and standards documents, and the inability to carry out meaningful verification [23]. This is not a good reflection of best practice in the engineering of software. We propose that the use of formal methods [5], following a model-driven development process [29], is a good reflection of best practice in the development of critical software. In this paper we analyse the utility of such an approach in the critical step between requirements and design, where we analyse whether alternative architectures for an e-voting system are able to support a critical quality of service.
Formal Modelling

Formal methods are a tool for achieving correct software: that is, software that can be proven to fulfil its requirements. Building a formal model improves understanding. The modelling of nondeterminism, and its subsequent removal in formal steps, allows design and implementation decisions to be made when most suitable [8]. There are three important aspects to the use of formal methods for requirements and design modelling. Firstly, the method must be compositional so that incremental development is supported. A formal object-oriented approach illustrates the advantages of an incremental modelling process when using simulation for validation and verification [10]. Secondly, the method must offer a means of specifying operational requirements for animation during validation, where it is important to be able to control execution of a subset of system behaviour whilst a simulator controls the other parts in a manner which corresponds to how the system behaves, or should behave, in the real world [12]. Finally, the method must offer a means of specifying logical requirements: bot...
Abstract. Voting is a critical component of any democratic process; and electronic voting systems should be developed following best practices for critical system development. E-voting has illustrated the importance of formal software engineering in the development of complex systems: poorly engineered and poorly documented voting systems have had serious negative consequences for all system stakeholders. It is clear that the formal verification of e-voting system models would help to address problems associated with certification against standards, and would improve the trustworthiness of the final systems. However, it is not yet clear how best to carry out such formal modelling and verification in order to leverage the compositional nature of the problem, and manage the complexity of the task. The choice of modelling language, for expressing the high level design and architecture of an e-voting system, poses many problems due to the complex mix of requirements that such a system is required to meet. Different modelling languages are more-or-less suited to the verification of different critical requirements. Thus, we report on a mixed model approach: where we address 3 different types of critical requirements using 3 different modelling languages and development strategies. Firstly, we report on network quality-of-service issues that are analyzed through simulation models. Secondly, we report on functional correctness of a counting process that can be validated through algebraic techniques. Finally, we report on the use of formal refinement to reason about the correctness of design steps when adding detail to an architecture model. To conclude, we acknowledge the main problem that arises from such a mixed-model approach to architecture verification: how can we be sure that the different models are coherent when we integrate them in a final implementation?
There has been much recent interest in the development of electronic voting (e-voting) systems, but there remain many outstanding research challenges for software and system engineers. Software product line (SPL) techniques offer many advantages for the practical development of reliable and trustworthy e-voting systems, but the composition of system features poses significant problems that can be addressed satisfactorily only through the use of formal methods. When such systems are used in government elections then they are obliged to follow legal standards and/or recommendations written in natural language. For the formal development of e-voting systems it is necessary to build a domain model which is consistent with the legal requirements. We have already demonstrated that Event-B models can be used to verify critical requirements for e-voting system components. However, the refinement-based approach needs to be applied to the engineering of a complete e-voting system. We report on our approach, using Event-B contexts to model an e-voting ontology, and its integration with an e-voting features model tree which formally specifies the SPL. During this work, we identified the importance of making the implicit explicit in two different ways: domain experts need to explicitly model implicit knowledge, and Event-B modellers need to explicitly communicate the semantics of the formal model constructs to the domain experts. If either of these tasks is not adequately carried out then this compromises validation of the requirements model (instance of the SPL).