Date Added: Jun 2009
A secure voting machine design must withstand new attacks devised throughout its multi-decade service lifetime. This paper gives a case study of the long-term security of a voting machine, the Sequoia AVC Advantage, whose design dates back to the early 80s. The AVC Advantage was designed with promising security features: its software is stored entirely in read-only memory and the hardware refuses to execute instructions fetched from RAM. Nevertheless, the paper demonstrates that an attacker can induce the AVC Advantage to misbehave in arbitrary ways, including changing the outcome of an election, by means of a memory cartridge containing a specially formatted payload.