Definition and Analysis of Election Processes
Slides: laser.cs.umass.edu/techreports/06-19slides.pdf (ElectionAnalysis_May18_2006.ppt)

UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science

M. S. Raunak, B. Chen, A. Elssamadisy, L. A. Clarke and L. J. Osterweil
University of Massachusetts, Amherst
Importance of Election Processes
- Election is the basis of democracy
- Some recent elections have been quite controversial
  - Thai election, Apr 2006
  - Azerbaijan election, 2005
  - Ukraine presidential election, 2004
  - US presidential elections: Ohio in 2004, Florida in 2000
Related work and our focus
Relevance to Software Processes
- Election is an important process with many agents and complex details
- Process analysis techniques can be used to identify vulnerabilities like:
  - Process errors
  - Security violations due to mistakes, fraud, collusion etc.
- Demonstrates an important application of software process improvement to another domain
Our Approach and Tools

[Diagram: a Process (defined in LittleJIL), Agents (LittleJIL) and a Property (Propel) feed a Static Analysis step (FLAVERS), which yields either a Verification or a Counter Example; the feedback arrow reads "Add property and/or change process".]
Our Approach (cont.)

[Diagram: the same Process / Agent / Property (LittleJIL, Propel) to Static Analysis (FLAVERS) to Verification or Counter Example loop, with the feedback arrow now labelled "Change Process and/or Property".]
The Election Process We Studied
- A simplified election process
  - One DRE machine in every precinct
  - One position up for election
  - Two candidates (A and B)
- Creation of 'Statement of Results' (SoR)
  - Two copies of the SoR, prepared by two poll workers
- State-level aggregation
  - Validation of precinct-level reporting
  - Creation of statewide summary
The Election Process in LittleJIL
Conduct of Election Process
Canvass of Election Process: Artifacts and Resources

- Artifact flows
- Orthogonal agent behavior
Property Specification: An Example
If two SoRs mismatch, the incorrect SoR gets detected and corrected before getting added to the Statewide Summary.

Transition labels in the property FSA correspond to events in the process.
Process steps and property labels

[Figure: process steps bound to property events. The property FSA has states 0, 1, 2 and 3; its transitions are labelled "Match SoR1 with SoR2 Succeeds", "Match SoR1 with SoR2 Fails", "Correct Incorrect SoR" and "Add to Statewide Summary".]
Analysis of Frauds
- Model two different poll workers that perform the 'Prepare SoR' step
  - One honest and one dishonest
- The FLAVERS analyzer evaluates all possible traces through the process definition
  - Verifies whether the property holds in all traces
  - If not, produces a counterexample
- Need for automated analysis
Step through an analysis example

[Figure: the same four-state property FSA (states 0 to 3, transitions "Match SoR1 with SoR2 Succeeds", "Match SoR1 with SoR2 Fails", "Correct Incorrect SoR", "Add to Statewide Summary"), stepped through against a process trace.]
Observations
- The described property verifies resistance to some fraudulent behaviors
  - Catches the case of one honest and one dishonest poll worker
- This property will not detect two colluding poll workers for this process
- Need additional properties and/or a modified process
  - The process should now verify the existing and the additional property
  - Incremental process improvement
Example of an Additional Property
- An SoR will never get added to the 'Statewide Summary' if it is different from the Machine_Total
- Catches frauds with two colluding poll workers
  - May require changes in the process
- The new process is verified against both properties
  - Increased resistance to frauds
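The two properties and the honest, dishonest and colluding poll-worker cases above, as an added worked example that is not part of the slides and is not Little-JIL, PROPEL or FLAVERS code: the canvass process is a small Python function, each property is a hand-written finite-state automaton over process events, and "all possible traces" is a brute-force walk over the honest/dishonest assignments of the two 'Prepare SoR' agents. The event labels reuse the transition labels of the slides' FSA; the four-state reading of that FSA, the dishonest behaviour (shifting votes between candidates), how a correction is performed, the extra 'Correct SoR against Machine_Total' step of the modified process and the vote counts are all assumptions made for this example.

```python
"""Trace check of the two Statement-of-Results (SoR) properties from the slides.
Added example, not code from the UMass study or from Little-JIL/PROPEL/FLAVERS:
the canvass process is a Python function, each property a hand-written FSA, and
"all traces" a brute-force walk over honest/dishonest poll-worker assignments.
Dishonest behaviour, the correction step, the Machine_Total validation step and
the vote counts are assumptions made for this example."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, List, Optional, Tuple

# Transition labels of the property FSA on the slides, plus one assumed event.
MATCH_OK = "Match SoR1 with SoR2 Succeeds"
MATCH_FAIL = "Match SoR1 with SoR2 Fails"
CORRECT = "Correct Incorrect SoR"
ADD = "Add to Statewide Summary"
VALIDATE_FIX = "Correct SoR against Machine_Total"  # assumed: step of the modified process

VIOLATION = -1                      # trap state shared by both property automata
Total = Tuple[int, int]             # (votes for A, votes for B)
MACHINE_TOTAL: Total = (412, 388)   # constructed DRE count for one precinct
Workers = Tuple[str, str]           # each "honest" or "dishonest"

@dataclass(frozen=True)
class Event:
    label: str
    equals_total: Optional[bool] = None  # on ADD: does the added SoR equal Machine_Total?

Trace = List[Event]

@dataclass(frozen=True)
class PropertyFSA:
    """FSA over events; a trace is accepted iff it never reaches VIOLATION."""
    name: str
    delta: Callable[[int, Event], int]

    def accepts(self, trace: Trace) -> bool:
        state = 0
        for ev in trace:
            state = self.delta(state, ev)
            if state == VIOLATION:
                return False
        return True

def mismatch_corrected_delta(state: int, ev: Event) -> int:
    """Property 1 (slides 10-11). Our reading of the four states: 0 start, 1 SoRs
    matched, 2 mismatch pending correction, 3 corrected. Unlisted events keep the state."""
    table = {(0, MATCH_OK): 1, (0, MATCH_FAIL): 2, (2, CORRECT): 3, (2, ADD): VIOLATION}
    return table.get((state, ev.label), state)

def equals_machine_delta(state: int, ev: Event) -> int:
    """Property 2 (slide 16): an SoR differing from Machine_Total is never added.
    One state; the bad ADD is the only violation."""
    return VIOLATION if ev.label == ADD and ev.equals_total is False else state

PROP_MISMATCH_CORRECTED = PropertyFSA("mismatch corrected before add", mismatch_corrected_delta)
PROP_EQUALS_MACHINE = PropertyFSA("added SoR equals Machine_Total", equals_machine_delta)

def prepare_sor(worker: str, machine_total: Total) -> Total:
    """'Prepare SoR' step. An honest worker copies the DRE total; the dishonest
    behaviour (moving 20 votes from A to B) is an assumption for this example."""
    a, b = machine_total
    return machine_total if worker == "honest" else (a - 20, b + 20)

def agree_on_sor(workers: Workers, machine_total: Total, trace: Trace) -> Total:
    """Match the two SoRs; on mismatch, correct (assumed: by re-reading the DRE)."""
    sor1, sor2 = (prepare_sor(w, machine_total) for w in workers)
    if sor1 == sor2:
        trace.append(Event(MATCH_OK))
        return sor1
    trace.extend([Event(MATCH_FAIL), Event(CORRECT)])
    return machine_total

def canvass_original(workers: Workers, machine_total: Total) -> Trace:
    """The process as studied: prepare two SoRs, match, correct on mismatch, add."""
    trace: Trace = []
    final = agree_on_sor(workers, machine_total, trace)
    trace.append(Event(ADD, equals_total=(final == machine_total)))
    return trace

def canvass_modified(workers: Workers, machine_total: Total) -> Trace:
    """Modified process: the agreed SoR is additionally validated against Machine_Total."""
    trace: Trace = []
    if agree_on_sor(workers, machine_total, trace) != machine_total:
        trace.append(Event(VALIDATE_FIX))        # catches the colluding pair
    trace.append(Event(ADD, equals_total=True))  # only the validated SoR is ever added
    return trace

def analyze(process, prop: PropertyFSA) -> Optional[Tuple[Workers, Trace]]:
    """Check the property on every trace the process can produce (here: every
    honest/dishonest assignment of the two 'Prepare SoR' agents). None means the
    property is verified; otherwise the first counterexample is returned."""
    for workers in product(("honest", "dishonest"), repeat=2):
        trace = process(workers, MACHINE_TOTAL)
        if not prop.accepts(trace):
            return workers, trace
    return None

if __name__ == "__main__":
    for process in (canvass_original, canvass_modified):
        for prop in (PROP_MISMATCH_CORRECTED, PROP_EQUALS_MACHINE):
            result = analyze(process, prop)
            verdict = ("verified" if result is None else
                       f"counterexample {result[0]}: {[e.label for e in result[1]]}")
            print(f"{process.__name__:17} | {prop.name:31} | {verdict}")
```

Running it reproduces the slides' argument: the original process satisfies the first property for every agent assignment, because a lone dishonest worker produces a mismatch that the process corrects, yet the second property yields the counterexample of two dishonest workers whose SoRs agree with each other and so never trigger "Match SoR1 with SoR2 Fails". The second property keys on the artifact value relative to Machine_Total, which the original process never compares; that is why adding it "may require changes in the process", and the modified process verifies both.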
Conclusion
- There is more to an election than just the voting machine
- No process will defend against all possible kinds of fraud
  - Needs to be guided by cost effectiveness
- Need a systematic study of process improvement
  - Our approach shows a promising direction
  - Demonstrates an important application of software process improvement to another domain
Future Work
- Model real-world election processes
  - Likely to be large and complicated
  - Expected to have a lot of parallelism and exceptional flows
- Develop an ontology of election processes and fraudulent behaviors
  - Identify the most commonly occurring security vulnerabilities (fraud patterns)
  - Properties representing prevalent fraudulent behaviors
  - Patterns of resistant processes
Thank you!
Extra Slide 0: Our Approach and Tools

Develop a rigorous discipline of election process improvement:
- Define an election process with an appropriate level of detail using Little-JIL
  - Add different (possibly malicious) agents
- Define security policies using PROPEL
  - Properties that we want to be satisfied by an election process
- Identify vulnerabilities using FLAVERS
  - Verify the properties or identify where in the process the properties fail
- Improve the process or strengthen the property
- Iterate
Extra Slide 0.1: Modeling Artifacts and Agents

- Artifact and resource information is attached to the step interfaces
- Artifact flow is bound to the edges
- Separation of coordination and computation
- Agent behavior is orthogonal
  - For this study, agents have been modeled using Little-JIL
Extra Slide 1: A Dishonest Agent (Cont.)
Extra Slide 2: Agent Behavior (in Little-JIL)
Extra Slide 3: Tools and Techniques Used

- Use the Little-JIL process language for modeling elections
  - Enrich the model with resource declarations and artifact definition and flow
  - Define agent behavior
- Model security properties using PROPEL
  - Properties as finite state automata
- Verify the properties using the FLAVERS analysis tool
- Iteratively change the process and/or properties to improve the election process
Extra Slide 4: Little-JIL Overview

- Visual coordination language
- Rigorous semantics
- Hierarchical decomposition of tasks (steps)
- Rich exception handling with scoping
- Separation of coordination and computation
- Capability of defining agent behavior
- Declaration and flow definition of artifacts
- Orthogonal treatment of resource definitions: agents and other resources
Extra Slide 5: Little-JIL Step Structure

[Figure: an annotated Little-JIL step. Labelled elements: Step Name, Interface Badge, Prerequisite Badge, Postrequisite Badge, Control Flow Badge, Sub Step, Parameter, Exception Handler Badge, Handler Step, Continuation Badge, Reaction Badge.]