Here are five questions I’d like answers to following the COMELEC (Commission on Elections) source code review that’s supposed to have started on October 1, 2015.
1) How are the Smartmatic vote counting machines built? What are the capabilities of the embedded processor? Does it run an embedded operating system, or is it running “bare metal” code?
2) Did COMELEC arrange that results of the source code review – importantly, findings of code defects that affect the integrity of system operation – get forwarded to the manufacturer for field software update?
3) Is there a way to verify that the version of firmware (loaded into processor flash memory) corresponds to the release version of the software being reviewed?
Another way to ask this question is this: Do the code audit teams have access to the compilers and firmware update tools used by the manufacturer, to install firmware binaries into the device? Note that if the VCMs are not field-reprogrammable, then the usefulness of findings of a code audit are extremely limited. If there are any serious defects and there is no way to update the firmware, then manual procedures need to be put in place to work around those defects.
More seriously, if there is no way to verify that the source code corresponds to the installed firmware, then this source code review is being held for show only. It would then be, at best, a disingenuous attempt to demonstrate transparency without guaranteeing that what the auditors are shown correspond to the program that is actually running in the vote count machines. The same principle applies to the software that runs elsewhere in the vote tabulation system.
4) How is the system designed to mitigate the effect of attacks on data transmission? Is the code designed to deal with denial of service attacks on the “result transmission service provider?” For example, will the system be able to deal with cell phone signal jamming? Is there provision to securely transport ballot data on physical media (memory card, or printout) in the event that an attacker attempts to jam wireless data transfer?
5) How is data integrity secured at the transport and protocol layer? Does the software use known-good versions of encryption libraries, for example? Did they use appropriate encryption key sizes for symmetric encryption, and how do they secure those keys? Or did the manufacturer cook up their own data encryption algorithms?
The results of the code review audit should include answers to these basic questions. Otherwise – well, naglolokohan lang tayo na may saysay ang code review na ito.