Can DREs Provide Long-Lasting Security? The Case of Return-Oriented
Programming and the AVC Advantage 

A secure voting machine design must withstand new attacks devised
throughout its multi-decade service lifetime.  In this paper, we give
a case study of the longterm security of a voting machine, the Sequoia
AVC Advantage, whose design dates back to the early 80s.  The AVC
Advantage was designed with promising security features: its software
is stored entirely in read-only memory and the hardware refuses to
execute instructions fetched from RAM. Nevertheless, we demonstrate
that an attacker can induce the AVC Advantage to misbehave in
arbitrary ways—including changing the outcome of an election—by means
of a memory cartridge containing a specially-formatted payload. Our
attack makes essential use of a recently-invented exploitation
technique called return-oriented programming, adapted here to the Z80
processor. In return-oriented programming, short snippets of benign
code already present in the system are combined to yield malicious
behavior. Our results demonstrate the relevance of recent ideas from
systems security to voting machine research, and vice versa. We had no
access either to source code or documentation beyond that available on
Sequoia's web site. We have created a complete vote-stealing
demonstration exploit and verified that it works correctly on the
actual hardware.