The real WTF is Diebold voting machines



  • The California voting machine audits are out, and a Slashdotter pointed out a real WTF in amongst the items in the audit:

    Issue 5.2.24: AV-TSX startup code contains blatant errors.

    startup.cpp:287

    287 TCHAR name;
    288 _stprintf(&name, _T("\\Storage Card\\%s"), findData.cFileName);
    289 Install(&name, hInstance);


    Here, name is not a character array but a single character in memory. The stprintf function expects its first parameter to be a character array, so the programmer had to use the & operator to get the address of name, rather than its value. The result is an obvious buffer overflow. A string that includes the filename, which could be under an attacker’s control, gets copied over whatever data resides in the memory region following name.

    That this code works at all seems purely accidental. Memory corruption occurs even when legitimate .ins files are used. An attacker who included a file with a long name or a name containing particular characters might be able to crash the program or, possibly, execute malicious code.

    This bug sheds light on the vendor’s software engineering practices, because it is a very unusual error for an experienced C++ programmer to make. Characters and character arrays are very different constructs in C++. Students using the language for the first time might confuse the two, but experienced programmers who understand basic concepts like pointers would be unlikely to confuse them. The probability that an experienced C++ programmer would make such a mistake or overlook it during even a cursory review of the code is exceptionally low. This suggests to us that after this code was written it was not reviewed by any other engineers at Diebold.


    ------------

    This WTF was brought to you by Diebold Election Systems, who were well known to be dubious before. (Not dubious enough, though, to stop Alex from listing them as a "Non-WTF Job" on his job site...)
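The overrun the audit describes, reproduced and then fixed in portable C as an added example (this is not code from the report, from Diebold or from the poster): TCHAR is narrowed to char and _stprintf to sprintf so it compiles outside Windows CE, the single-TCHAR variable is modelled as the first byte of a larger scratch region so the write stays within defined behaviour, and the function names and the sample filenames are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Portable stand-ins for the Windows CE types in the audit excerpt. Assumption:
   the real AV-TSX build used the Win32 TCHAR/_stprintf/_T macros; here TCHAR is
   plain char and _stprintf is sprintf so the example runs anywhere. */
typedef char TCHAR;
#define _T(x) x
#define _stprintf sprintf
#define MAX_PATH 260

/* The pattern from startup.cpp:287-288. 'name' is ONE TCHAR; the caller passes
   its address and the formatted path spills into whatever follows it. To keep
   the demonstration within defined behaviour, callers hand in a pointer to the
   first byte of a larger scratch region (see bytes_clobbered) rather than the
   address of a real lone variable. Returns the number of characters formatted. */
static size_t build_path_vulnerable(TCHAR *name, const TCHAR *filename)
{
    return (size_t)_stprintf(name, _T("\\Storage Card\\%s"), filename);
}

/* How many bytes beyond the single TCHAR a given filename overwrites in the
   vulnerable version: every character after the first, plus the terminating
   NUL, lands in neighbouring memory, so the answer is the formatted length.
   Even an empty filename clobbers the 14 bytes of "\Storage Card\" + NUL. */
static size_t bytes_clobbered(const TCHAR *filename)
{
    TCHAR region[4096];
    if (strlen(filename) + 16 > sizeof region)
        return 0;                          /* refuse rather than overrun the scratch region */
    memset(region, 'X', sizeof region);
    TCHAR *name = &region[0];              /* plays the role of 'TCHAR name' */
    return build_path_vulnerable(name, filename);
}

/* Hardened form: a real MAX_PATH array, a length-bounded formatter and an
   explicit truncation check. Returns 0 on success and -1 (with out cleared)
   when the filename does not fit, so the caller can refuse to Install(). */
static int build_path_safe(TCHAR out[MAX_PATH], const TCHAR *filename)
{
    int n = snprintf(out, MAX_PATH, _T("\\Storage Card\\%s"), filename);
    if (n < 0 || n >= MAX_PATH) {
        out[0] = _T('\0');
        return -1;
    }
    return 0;
}

/* Helpers that return results instead of printing them. */
static int safe_path_equals(const TCHAR *filename, const TCHAR *expected)
{
    TCHAR out[MAX_PATH];
    return build_path_safe(out, filename) == 0 && strcmp(out, expected) == 0;
}

/* Builds a filename of 'len' capital As (an attacker-chosen long name) and
   reports whether the hardened version rejects it. */
static int long_name_rejected(size_t len)
{
    TCHAR out[MAX_PATH];
    TCHAR buf[1024];
    if (len >= sizeof buf)
        return 0;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return build_path_safe(out, buf) == -1 && out[0] == '\0';
}

int main(void)
{
    /* Constructed sample inputs: a plausible legitimate .ins name and a long one. */
    printf("setup.ins clobbers %zu bytes past 'name'\n", bytes_clobbered("setup.ins"));
    printf("300 x 'A' rejected by the safe version: %d\n", long_name_rejected(300));
    return 0;
}
```

The point the audit makes in the second paragraph shows up directly: a perfectly ordinary name like setup.ins already writes 23 bytes past the one-character variable, so the corruption is not an edge case reachable only with hostile input. The hardened version also shows the check the original is missing even if name had been an array: the formatter's return value must be compared against the buffer size, because a silently truncated path is still a wrong path.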



  • @makomk said:

    This bug sheds light on the vendor’s software engineering practices, because it is a very
    unusual error for an experienced C++ programmer to make. Characters and character arrays
    are very different constructs in C++. Students using the language for the first time might
    confuse the two, but experienced programmers who understand basic concepts like pointers
    would be unlikely to confuse them. The probability that an experienced C++ programmer
    would make such a mistake or overlook it during even a cursory review of the code is
    exceptionally low. This suggests to us that after this code was written it was not reviewed
    by any other engineers at Diebold.

    Diebold's entire election systems division is an independent company that they purchased. There is a pretty good chance that they have never reviewed any of it. We're probably looking at a classic case of a startup throwing together some junk, and then it gets sold through a series of companies, each one inflating their stories of how great it is. 



  • What really boggled my mind when I read the report was the size of the entire system.

    Component                          SLOC   Language(s)
    AV-OS Central Count 2.0.11.4        24K   asm, C, C++
    AV-OS Precinct Count 1.96.6         20K   asm, C
    AV-TSX Ballot Station 4.6.4         65K   C++
    AV-TSX bootloader and "Wildcat"     71K   asm, C, C++
    GEMS 1.18.24.0                     116K   C++
    Key Card Tool 4.6.1                  1K   C++
    Voter Card Encoder 1.3.2             1K   C
    VCProgrammer 4.6.1                   2K   C++
    (total)                            300K

     What on earth did they put into this system to make it grow to 300k lines of code? Yikes!



  • Well, it does fit in 640K...



  • @dhromed said:

    Well, it does fit in 640K...
    Only if each line is ~2 bytes long.



  • @ender said:

    @dhromed said:
    Well, it does fit in 640K...
    Only if each line is ~2 bytes long.

    Oeh, misread.



  • It gets better, from http://news.bbc.co.uk/2/hi/technology/6935144.stm:

    @Bill Thompson said:


    Security researcher Ed Felten notes in his commentary on the work that 'Diebold claimed in 2003 that its use of hard-coded passwords was "resolved in subsequent versions of the software".

    Yet the current version still uses at least two hard-coded passwords - one is "diebold" and another is the eight-byte sequence 1,2,3,4,5,6,7,8'




  • I just do not get this??? I would think this would be a pretty simple thing to make. And am I right in remembering that there is no paper trail to who voted what and when? I mean that is simple logging and such, I cannot believe there are this many screw ups on really a fairly simple product.

