Re: COTS

[Alex Brown <a.brown@ieee.org>]

Doug Fletcher wrote:

Susan,

 

I am forwarding the request and offer to help by you and Alex Brown to Rebecca Mercuri and Vincent Lipsio.  They have been leading efforts related to COTS along with many other aspects of voting equipment standards.  Please work with them so your offer to help can be integrated into other ongoing efforts. ...

Thank you for the opportunity to contribute at this late date.  Susan Eustis is president of WinterGreen Research (http://wintergreenresearch.com), an industry consultant and researcher for software, communication, Internet, healthcare, and energy studies, and an expert in voting machine technology.  She has put her long experience with electronic voting machines to work in her company's design of a new voting machine system.  She has asked me to help review the P1583 draft and represent WinterGreen Research in the committee.  We understand the committee's work is well along, and the draft is nearly ready for release, but we do have one concern about the current text we would like to discuss.

We are most concerned about revision locking of COTS software components of the voting machine.  P1583 draft rev 5.3.1 section 5.1 on security and confidentiality looks pretty good;  the statement of threats and required countermeasures in particular looks good.   However, the software security section (5.1.3.4) does not seem to have a specific requirement for locking the revision of any COTS software components (5.1.3.4.2).  There's a reference to firmware revision control in the software installation section above (5.1.3.4.1) that gives some language that should be specifically applied to COTS system software.  We suggest changing the first paragraph of section 5.1.3.4.2 as follows:

"5.1.3.4.2 COTS General Purpose Computer System Requirements"

"Further requirements must be applied to COTS operating systems to ensure completeness and integrity of audit data for election software.  These systems include both servers and workstations (or "PCs") including the many varieties of UNIX and Linux operating systems, and those offered by Microsoft, Apple, or other operating systems.   Other COTS supporting software components, e.g. database subsystems, software libraries, and software drivers for hardware components, may be similar in role in the election system.  Such COTS system components in any election system must be constant and unchanged throughout the life of the election system.  For each COTS system component:

• The vendor shall provide a means for verification of the COTS system component revision level, and state in the system documentation how the COTS system component version resident in the device may be verified.
• To allow the detection of altered executable code the system must be capable of verification of the integrity of its software components by means of digital signature or equivalent technology deemed acceptable by the National Institute fo Standards and Technology (NIST).
• The COTS system component may be resident permanently as firmware, provided that it has been shown to be inaccessible to activation or control by any means other than by the authorized initiation and execution of the vote-counting program, and its associated exception handlers.
• The COTS system component must be installed on a component distinct from components containing election-specific configuration data or program code, and must be unalterable from L&A testing until election certification.

"COTS operating systems are often capable of executing multiple application programs simultaneously.  Election software running on these COTS systems is vulnerable to unintended effects from other user sessions, applications, and utilities, executing on the same platform at the same time as the election software.  Programs operating at other times might also affect the election files or programs.  Simultaneous processes of concern include ..."

Please let us know how to proceed with this change request.  

-- 
Alex Brown <a.brown@ieee.org> +1 617 308 9456