Voting machine hack demonstrates "Return-oriented Programming"
In a recent paper, a six-person research team with members from Princeton, the University of Michigan and the University of California, San Diego, describe how they subverted a high-security Direct Recording Electronic (DRE) voting machine. The machine in question, the Sequoia AVC Advantage, uses a Harvard-style architecture with a strict separation of code and data: the only executable code is held in ROM, and any attempt to fetch an instruction from RAM triggers a non-maskable interrupt (NMI), so conventional code injection fails. Despite this, the research team managed to make the voting machine carry out a program of their choosing. According to the team, "An attacker with access to the machine the night before an election can use our techniques to affect the outcome of an election by replacing the election program with another [...] that adds, removes, or changes votes as the attacker wishes".
The trick is to avoid injecting code altogether. In the existing ROM code, the researchers searched for short instruction sequences that end in a RET instruction; RET pops an address from the stack and jumps to it. By placing a carefully crafted sequence of such addresses on the stack, each pointing at a suitable snippet (a "gadget"), they can chain the snippets into almost arbitrary programs: every RET hands control to the next gadget, and the operands the gadgets consume are interleaved with the addresses. The stack contents are planted with a conventional buffer overflow in the existing program, and the program's next RET starts the chain, which eventually carries out the manipulation of the election result according to the attacker's wishes. The technique, return-oriented programming, had been introduced for the x86 by co-author Hovav Shacham in 2007; this paper shows that it works just as well on the Z80-based AVC Advantage, and that hardware which forbids executing code from RAM is no protection against it, because no new code is ever executed.
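As an added illustration (this is not code from the paper, nor Sequoia's firmware), the following C program models the situation on a toy Harvard-style CPU: ROM is the only region instructions may be fetched from, a fetch from RAM raises an NMI, and a cartridge-copy routine with no length check (assumed here; the actual overflow the researchers used is not described in this summary) lets an attacker overwrite the saved return address. Classic code injection faults at once, while a chain of return addresses into RET-terminated snippets already present in ROM moves votes from one tally to another without executing a single injected byte. The instruction set, the ROM contents, the RAM layout and the two tallies are all constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Toy Harvard-style CPU, constructed for this example.  256-byte address space: the low half is
 * ROM, the only region code may be fetched from; the high half is RAM.  A fetch from RAM raises an NMI. */
enum { ROM_SIZE = 0x80, RAM_BASE = 0x80, MEM_SIZE = 0x100 };
enum { OP_LDB = 0x02, OP_LDAB = 0x03, OP_STAB = 0x04, OP_ADD = 0x05, OP_SUB = 0x06,
       OP_POPA = 0x07, OP_POPB = 0x08, OP_RET = 0x09, OP_HLT = 0x0A };
/* Assumed RAM layout: 16-byte ballot buffer, saved return address just above it, tallies at the top. */
enum { BALLOT_BUF = 0xA0, BALLOT_BUF_LEN = 16, SAVED_RET = 0xB0, TALLY0 = 0xF0, TALLY1 = 0xF1 };

typedef struct { uint8_t a, b, sp, pc; uint8_t ram[MEM_SIZE - RAM_BASE]; } cpu_t;

/* The "election firmware" (constructed): small routines whose RET-terminated tails serve as gadgets. */
static const uint8_t ROM[ROM_SIZE] = {
    /* 0x00 */ OP_LDB, TALLY0,   /* B = &tally0                     */
    /* 0x02 */ OP_LDAB, OP_RET,  /* A = mem[B]; return   (gadget)   */
    /* 0x04 */ OP_POPA, OP_RET,  /* A = pop(); return    (gadget)   */
    /* 0x06 */ OP_POPB, OP_RET,  /* B = pop(); return    (gadget)   */
    /* 0x08 */ OP_ADD,  OP_RET,  /* A += B; return       (gadget)   */
    /* 0x0A */ OP_SUB,  OP_RET,  /* A -= B; return       (gadget)   */
    /* 0x0C */ OP_STAB, OP_RET,  /* mem[B] = A; return   (gadget)   */
    /* 0x0E */ OP_HLT            /* normal end of the program       */
};

static uint8_t rd(const cpu_t *c, uint8_t a) { return a >= RAM_BASE ? c->ram[a - RAM_BASE] : ROM[a]; }
static void wr(cpu_t *c, uint8_t a, uint8_t v) { if (a >= RAM_BASE) c->ram[a - RAM_BASE] = v; } /* ROM is read-only */

/* Run until HLT (0), an NMI from fetching code in RAM (-1), a bad opcode (-2) or the step limit (-3). */
static int run(cpu_t *c, int max_steps) {
    while (max_steps-- > 0) {
        if (c->pc >= ROM_SIZE) return -1;            /* NMI: instruction fetch from RAM */
        switch (ROM[c->pc++]) {
        case OP_LDB:  c->b = ROM[c->pc++]; break;
        case OP_LDAB: c->a = rd(c, c->b); break;
        case OP_STAB: wr(c, c->b, c->a); break;
        case OP_ADD:  c->a += c->b; break;
        case OP_SUB:  c->a -= c->b; break;
        case OP_POPA: c->a = rd(c, c->sp++); break;
        case OP_POPB: c->b = rd(c, c->sp++); break;
        case OP_RET:  c->pc = rd(c, c->sp++); break; /* pops the next address: the chain's only "jump" */
        case OP_HLT:  return 0;
        default:      return -2;
        }
    }
    return -3;
}

/* Gadget search, the step the researchers ran over the real firmware: address of "op; RET" in ROM
 * when need_ret is set, otherwise the address of the first bare "op". */
static int find_seq(uint8_t op, int need_ret) {
    for (int i = 0; i + 1 < ROM_SIZE; i++)
        if (ROM[i] == op && (!need_ret || ROM[i + 1] == OP_RET)) return i;
    return -1;
}

/* The vulnerable routine as simulated here: unchecked copy of a cartridge record into the 16-byte
 * buffer, so a long record runs over the saved return address above it. */
static void copy_ballot(cpu_t *c, const uint8_t *rec, size_t len) {
    for (size_t i = 0; i < len; i++) wr(c, (uint8_t)(BALLOT_BUF + i), rec[i]);
}

/* The return-oriented "program": tally0 += k; tally1 -= k; then return into HLT.  Every byte is a
 * ROM address or an operand the POPB gadget consumes; none of it is ever executed as code. */
static int build_chain(uint8_t *out, uint8_t k) {
    int popb = find_seq(OP_POPB, 1), ldab = find_seq(OP_LDAB, 1), stab = find_seq(OP_STAB, 1);
    int arith[2] = { find_seq(OP_ADD, 1), find_seq(OP_SUB, 1) }, tally[2] = { TALLY0, TALLY1 };
    int n = 0;
    for (int t = 0; t < 2; t++) {
        out[n++] = popb; out[n++] = tally[t];   /* B = &tally          */
        out[n++] = ldab;                        /* A = tally           */
        out[n++] = popb; out[n++] = k;          /* B = k               */
        out[n++] = arith[t];                    /* A = A + k / A - k   */
        out[n++] = popb; out[n++] = tally[t];   /* B = &tally          */
        out[n++] = stab;                        /* tally = A           */
    }
    out[n++] = find_seq(OP_HLT, 0);
    return n;                                   /* 19 bytes */
}

/* Classic code injection, for contrast: shellcode lands in the RAM buffer and we jump to it; the
 * fetch check fires before a single injected byte executes. */
static int run_injected(void) {
    cpu_t c = {0};
    static const uint8_t shellcode[] = { OP_LDB, TALLY0, OP_HLT };
    copy_ballot(&c, shellcode, sizeof shellcode);
    c.pc = BALLOT_BUF;
    return run(&c, 100);
}

/* Overflow the buffer with filler plus the chain, let the routine's RET fire, and return the final
 * tallies packed as (tally0 << 8) | tally1, or the negative fault code. */
static int run_attack(uint8_t t0, uint8_t t1, uint8_t k) {
    cpu_t c = {0};
    uint8_t rec[BALLOT_BUF_LEN + 32];
    wr(&c, TALLY0, t0); wr(&c, TALLY1, t1);
    memset(rec, 'A', BALLOT_BUF_LEN);            /* filler up to the saved return address */
    int n = build_chain(rec + BALLOT_BUF_LEN, k);
    copy_ballot(&c, rec, BALLOT_BUF_LEN + n);    /* chain now occupies SAVED_RET onward */
    c.sp = SAVED_RET;
    c.pc = find_seq(OP_RET, 0);                  /* the overflowed routine executes its RET */
    int rc = run(&c, 200);
    return rc ? rc : (rd(&c, TALLY0) << 8) | rd(&c, TALLY1);
}
```

`run_injected()` comes back with the NMI code, while `run_attack(100, 100, 7)` leaves the tallies at 107 and 93. The point to take away is that the chain is pure data: the attacker writes addresses and operands, never instructions, so hardware that refuses to execute RAM does nothing against it. What would have stopped this particular attack is a length check in `copy_ballot`; in general, the saved return addresses themselves have to be protected (stack canaries, shadow stacks, control-flow integrity) because the code being "executed" is all legitimate.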
- Can DREs Provide Long-Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage, research paper by Checkoway, Feldman, Kantor, Halderman, Felten and Shacham (EVT/WOTE 2009).