Ryan W. Gardner

Coercion Resistant End-to-end Voting

End-to-end voting schemes have shown considerable promise for allowing voters to verify that tallies are accurate. At the same time, the threat of coercion has generally been considered only when voting devices are honest, and in many schemes, voters can be forced or incentivized to cast votes of an adversarys choice. In this paper, we examine the issue of voter coercion and identify one example method for coercing voters in a scheme by Benaloh. To address such attacks, we present a formal definition of coercion resistance for end-to-end voting. We then present a new scheme, extended from Benalohs, that is provably coercion resistant. In addition to providing accuracy and coercion resistance, our scheme emphasizes ease-of-use for the voter.

Detecting Code Alteration by Creating a Temporary Memory Bottleneck

We develop a new technique whereby a poll worker can determine whether the software executing on electronic voting machines on election day has been altered from its factory version. Our generalized approach allows a human, using a known challenge-response pair, to detect attacks that involve modification or replacement of software on a computer based on the time it takes the computer to provide a correct response to a challenge. We exploit the large difference between main memory access times and cache memory access or CPU clock cycle times to significantly increase the time required to compute the right response when the software has been changed.

Securing medical records on smart phones

There is an inherent conflict between the desire to maintain privacy of ones medical records and the need to make those records available during an emergency. To satisfy both objectives, we introduce a flexible architecture for the secure storage of medical records on smart phones. In our system, a person can view her records at any time, and emergency medical personnel can view the records as long as the person is present (even if she is unconscious). Our solution allows for efficient revocation of access rights and is robust against adversaries who can access the phones storage offline.

Are Patched Machines Really Fixed

Updating and patching has become a ubiquitous part of software maintenance, with particular importance to security. Its especially crucial when the systems in question perform vital functions and security compromises might yield drastic consequences. Unfortunately, updates intended to remediate security problems are sometimes incomplete, are flawed, or introduce new vulnerability themselves. The authors present several examples of such instances in a widely used electronic voting system, a device for which security is critical. A central lesson of the study is that evaluating a systems security by examining changes between revisions is insufficient; you must evaluate and analyze the system as a whole.

Designing for audit: a voting machine with a tiny TCB

Thoroughly auditing voting machine software has proved to be difficult, and even efforts to reduce its complexity have relied on significant amounts of external code. We design and implement a device that allows a voter to confirm and cast her vote while trusting only 1,034 lines of ARM assembly. The system, which we develop from scratch, supports visually (and hearing) impaired voters and ensures the privacy of the voter as well as the integrity of the tally under some common assumptions. We employ several techniques to increase the readability of our code and make it easier to audit.

Protecting Patient Records from Unwarranted Access

Securing access to medical information is vital to protecting patient privacy. However, Electronic Patient Record (EPR) systems are vulnerable to a number of inside and outside threats. Adversaries can compromise EPR client machines to obtain a variety of highly sensitive information including valid EPR login credentials, without detection. Furthermore, medical staff can covertly view records of their choosing for personal interest or more malicious purposes. In particular, we observe that the lack of integrity measurement and auditability in these systems creates a potential threat to the privacy of patient information. We explore the use of virtualization and trusted computing hardware to address these problems. We identify open problems and encourage further research in the area.