Proceedings of the 26th Annual Computer Security Applications Conference 2010
DOI: 10.1145/1920261.1920291

T-DRE

Abstract: We present a hardware trusted computing base (TCB) aimed at Direct Recording Voting Machines (T-DRE), with novel design features concerning vote privacy, device verifiability, signed-code execution and device resilience. Our proposal is largely compliant with the VVSG (Voluntary Voting System Guidelines), while also strengthening some of its recommendations. To the best of our knowledge, T-DRE is the first architecture to employ multi-level, certification-based, hardware-enforced privileges to the running soft…

Cited by 6 publications
(2 citation statements)
References 17 publications
“…Verifications can be made throughout the device lifetime in order to ensure that the hardware has not been altered between successive utilizations. One of the verification schemes proposed in Gallo et al (2009) was the Time-Based One Time Verification Code (TOTV), and a variation of this verification scheme is used in the Brazilian electronic voting machines (Gallo et al, 2010). Even when the CID is not implemented, it is possible to detect hardware trojans through a number of countermeasures (Karri et al, 2010), for instance: to check the RTL code of the I/O unit for changes in the I/O protocol; to perform exhaustive memory testing; to analyze the side-channels; to check exhaustively for resource utilization changes; to communicate periodically with the device, even after its deployment; to skew clocks and observe the IC transient behavior; to scale dynamically the supply voltage while checking for transient characteristics; to do the concurrent detection for soft errors; to use path delay fingerprints (Jin & Makris, 2008).…”
Section: Unauthorized Data Modification
Citation type: mentioning
confidence: 99%
“…Several countermeasures are described in standards FIPS 140-2, level 4 (Federal Information Processing Standards, 2001) and FIPS 140-3, level 4 (Federal Information Processing Standards, 2009). Some of the possible countermeasures are (Gallo et al, 2010; Agrawal et al, 2003; Federal Information Processing Standards, 2001): the implementation of constant-duration cryptographic operations to mitigate timing analysis attacks; to filter and to stabilize the power supply and to decouple all external communication connectors to mitigate attacks based on power variation; to involve circuit boards in inviolable coatings (e.g., resins); the use of electromagnetic shielding to reduce the power of compromising electromagnetic emanations; the frequent redefinition of cryptographic keys; the deletion of cryptographic keys and other critical data if the SDR casing is opened or tampered with.…”
Section: Unauthorized Access To Data
Citation type: mentioning
confidence: 99%