How Do We Test and Audit an Online Voting System?

Ensuring security and integrity

Scytl, published in EDGE Elections, Mar 15, 2023 (4 min read)

Online voting systems, like any other software system, are susceptible to bugs and security weaknesses. Software engineering has procedures devoted to producing high-quality code with a minimum number of issues; applied to security, this is known as a Secure Software Development Lifecycle (S-SDLC). It is especially important for online voting systems, which can be considered critical systems, where availability, reliability and security must be guaranteed to the highest extent during the whole electoral process. An S-SDLC typically covers all the phases of the lifecycle of a software product (requirements gathering, design, development, testing, deployment and maintenance) and defines the security measures required to produce secure software from the beginning. In this post we focus on the testing of the software and on its audit.

Testing an Online Voting System

The testing of an online voting system consists of four types of testing:

Unit testing

Tests written by developers as the code is developed. Each test validates one specific piece of functionality in isolation. The percentage of lines of code exercised by these tests is the code coverage.

QA testing

Tests conducted by QA (Quality Assurance) engineers to validate the behavior of the application at both the functional and the non-functional level. They are not based on knowledge of the internal implementation of the application, but on knowledge of its Application Programming Interfaces (APIs).

Security testing

Tests conducted by security analysts to find security bugs or weaknesses, usually based on well-known guides such as the OWASP Testing Guide or its more recent successor, the OWASP Web Security Testing Guide. Several kinds of tests can be conducted:

  • Manual review of the security functionalities and security architecture.
  • Static application security testing (SAST), which commonly uses automated tools to find possible security weaknesses by inspecting the source code of the application. A security analyst usually has to evaluate the findings and discard the false positives.
  • Dynamic application security testing (DAST) tests the application while it is deployed and running. It can be based on manual testing, or on automated tools for the less complex cases.
  • Software composition analysis (SCA) identifies third-party dependencies with known security vulnerabilities.
  • Penetration testing simulates an attack that an adversary could carry out against the system once it is deployed and ready to use. A security analyst tries to exploit a security vulnerability or system misconfiguration to compromise the system. All successful attacks have to be reported and remediated or mitigated.

Protocol testing

Tests conducted by experts in online voting protocols (e.g. researchers, engineers and/or security analysts) to ensure the correctness of the cryptographic voting protocol as implemented. These can be based on:

  • Manual code review of the online voting protocol, related cryptographic operations, and security sensitive controls related to the protocol.
  • Dynamic application security testing (DAST) with tests adapted to the business logic of an online voting system, covering the different phases of the election process. An example of such a test is to simulate a voter trying to cast two votes in an election where every voter is restricted to a single vote.

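
The double-vote scenario above, worked through as an added example (this is not Scytl's code or protocol). It models an in-memory ballot box with two cast implementations, one that only rejects exact replays and one that remembers which voters have already cast, and drives both through their public cast() API the way a business-logic DAST test would. The electoral register, the HMAC-based credential tag and the placeholder "encryption" are assumptions made for illustration only.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed electoral register for the example: voter id -> voting
# credential. Real systems issue credentials out of band; here they are random.
REGISTER = {
    "voter-001": secrets.token_bytes(32),
    "voter-002": secrets.token_bytes(32),
}


@dataclass(frozen=True)
class Ballot:
    voter_id: str
    ciphertext: bytes  # opaque encrypted vote; the scheme is irrelevant here
    tag: bytes         # HMAC-SHA256(credential, voter_id || ciphertext)


def make_ballot(voter_id: str, credential: bytes, choice: str) -> Ballot:
    # Placeholder for vote encryption (assumption): a salted hash stands in
    # for the ciphertext so that two ballots for the same choice never collide.
    ciphertext = hashlib.sha256(secrets.token_bytes(16) + choice.encode()).digest()
    tag = hmac.new(credential, voter_id.encode() + ciphertext, "sha256").digest()
    return Ballot(voter_id, ciphertext, tag)


def authentic(b: Ballot) -> bool:
    """Voter must be in the register and the tag must verify under its credential."""
    credential = REGISTER.get(b.voter_id)
    if credential is None:
        return False
    expected = hmac.new(credential, b.voter_id.encode() + b.ciphertext, "sha256").digest()
    return hmac.compare_digest(expected, b.tag)


class BallotBoxDedupOnly:
    """Flawed cast logic: only an exact replay of a ballot is rejected, so a
    voter who builds a fresh second ballot gets it accepted."""

    def __init__(self) -> None:
        self.seen = set()

    def cast(self, b: Ballot) -> str:
        if not authentic(b):
            return "rejected: bad credential"
        digest = hashlib.sha256(b.voter_id.encode() + b.ciphertext + b.tag).digest()
        if digest in self.seen:
            return "rejected: replay"
        self.seen.add(digest)
        return "accepted"


class BallotBoxOnePerVoter:
    """Hardened cast logic: the box remembers which voters have cast, so any
    second ballot from the same voter is refused, replay or not."""

    def __init__(self) -> None:
        self.voted = set()

    def cast(self, b: Ballot) -> str:
        if not authentic(b):
            return "rejected: bad credential"
        if b.voter_id in self.voted:
            return "rejected: already voted"
        self.voted.add(b.voter_id)
        return "accepted"


def run_double_vote_test(box_cls) -> dict:
    """Drive the box through its public cast() API, as a business-logic DAST
    test would, and report the outcome of each scenario."""
    box = box_cls()
    first = make_ballot("voter-001", REGISTER["voter-001"], "yes")
    second = make_ballot("voter-001", REGISTER["voter-001"], "no")
    forged = make_ballot("voter-002", secrets.token_bytes(32), "yes")    # wrong credential
    stranger = make_ballot("voter-999", secrets.token_bytes(32), "yes")  # not registered
    return {
        "first_ballot": box.cast(first),
        "replay_of_first": box.cast(first),
        "fresh_second_ballot": box.cast(second),
        "forged_tag": box.cast(forged),
        "unregistered_voter": box.cast(stranger),
    }


def satisfies_one_vote_rule(box_cls) -> bool:
    """The finding a tester reports: does this box enforce one vote per voter?"""
    outcome = run_double_vote_test(box_cls)
    return outcome["first_ballot"] == "accepted" and all(
        v != "accepted" for k, v in outcome.items() if k != "first_ballot"
    )


if __name__ == "__main__":
    for cls in (BallotBoxDedupOnly, BallotBoxOnePerVoter):
        verdict = "OK" if satisfies_one_vote_rule(cls) else "FAIL"
        print(cls.__name__, run_double_vote_test(cls), verdict)
```

The point of the exercise is that a replay check alone passes a naive test (casting the same ballot twice) while still violating the one-vote rule: the tester has to build a second, distinct ballot under the same credential to expose it, which is exactly the kind of protocol-aware scenario that generic DAST tooling does not generate on its own.
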
Auditing an Online Voting System

In addition to the testing conducted by the owners of the software, it is highly recommended to have the system audited by external auditors unrelated to the system vendor or developers. Depending on the scope of the audit, the auditors are provided with some or all of the following elements:

Code

In this case the auditors can perform manual or even automated reviews of the code, depending on the type of access provided to it.

Documentation

This might include specification documents for the cryptographic protocol and for the Zero-Knowledge Proofs used, the mapping between the specification and the code, audit guides and even security proofs that formally demonstrate that the security requirements are satisfied.

Deployed testing system

This enables the auditors to conduct dynamic analysis and/or penetration testing against the system.

Support

Direct contact with the personnel who implemented or designed the system, in order to resolve the auditors' questions or doubts.

All of these mechanisms help ensure that a well-designed online voting system offers high levels of security and reliability. However, they have to be accompanied by a good design of the system and of the cryptographic voting protocol, as well as by the capacity of the system to be universally verifiable.

This article was written by Jordi Cucurull (PhD), Cryptography Researcher at Scytl.
