[E-voting] Re: Submission latest - verifying an EPROM

John Bernard Lambe icte-jlambe at johnlambe.com
Thu Mar 18 18:08:55 GMT 2004


>If there's a hardware expert here, can they comment on whether a
>checksum can be obtained by an external diagnostic device that reads
>the ROM on the chip?
>If so, that's an independent check. Of course it means the unit cannot
>then be sealed. So do you trust the sealer or the accuracy and coverage
>of the tester?
I'm not a hardware expert, but it could be removed from the machine and
inserted into a device which enables a PC (or any type of computer) to
read it, then that computer could read its contents and compare it to
another copy or check a checksum.
A hardware device could be built for the specific purpose of checking a
checksum of an EPROM or comparing two EPROMs. I don't know whether such
a device already exists.

A custom circuit could be built to defeat this test.
It would outwardly appear to be a standard EPROM package but would in
fact be a more complicated circuit (and it would include a tiny amount
of static RAM to hold a state).
When 'read', it could give different values depending on whether it had
received a 'trigger'.
One set of values would be the same as the genuine software. The
other would be the tampered software.
The trigger would be a certain sequence of accesses to addresses:
When the software on this chip is being run, addresses would be
accessed (by the processor) in a certain pattern, for example not
accessing the last word of an unconditional branch instruction,
immediately followed by the word immediately after it (actually that
depends on the processor's pipeline but the principle still works).
When it is being verified or copied, the pattern would be different -
most likely accessing every word on the chip in sequence, including space
that is unused.

A more sophisticated analysis tool might distinguish such a device from
the genuine one by differences in latencies or other electrical
properties (different potential difference between certain pins?).
But these could probably also be countered by a better (and more
expensive) fake chip.


=====
John Lambe
---------------------------------------------------------------------
Phone (mobile): +353 86 2895286
Phone:          +353 1 4905842  
Address:        64 Brighton Road, Rathgar, Dublin 6, Ireland    
Email:          jlambe at johnlambe.com
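
The limitation described in the message above, as an added example that is not part of the original post: a Python model in which a sequential checksum read cannot tell a genuine EPROM from a stateful look-alike, while replaying an execution-like address order exposes the difference in this toy model. The class names, images, branch address and trace are constructed for illustration, and the trace replay is an assumption that goes beyond what the message proposes.

```python
import hashlib

class PlainRom:
    """Genuine EPROM model: a read returns the stored word, no state."""
    def __init__(self, image):
        self.image = bytes(image)

    def read(self, addr):
        return self.image[addr]

class StatefulRom:
    """Model of the look-alike part: one bit of state selects the image."""
    def __init__(self, genuine, other, branch_end):
        self.genuine, self.other = bytes(genuine), bytes(other)
        self.branch_end = branch_end  # last word of an unconditional branch
        self.prev = None
        self.triggered = False

    def read(self, addr):
        # A running processor follows the branch, so the word right after
        # branch_end is not the next access; a sequential reader does read it.
        if self.prev == self.branch_end and addr != self.branch_end + 1:
            self.triggered = True
        self.prev = addr
        return (self.other if self.triggered else self.genuine)[addr]

def sequential_digest(rom, size):
    """What a reader/programmer does: read every word in address order."""
    return hashlib.sha256(bytes(rom.read(a) for a in range(size))).hexdigest()

def trace_mismatches(rom, reference, trace):
    """Read in the given address order; list addresses that differ."""
    return [a for a in trace if rom.read(a) != reference[a]]

# Constructed sample data (not from any real device).
GENUINE = bytes(range(16))
OTHER = GENUINE[:8] + bytes([0xEE] * 8)
BRANCH_END = 3
TRACE = [0, 1, 2, 3, 8, 9, 10]  # execution-like order: branch from 3 to 8

if __name__ == "__main__":
    real, fake = PlainRom(GENUINE), StatefulRom(GENUINE, OTHER, BRANCH_END)
    print("sequential digests equal:",
          sequential_digest(real, 16) == sequential_digest(fake, 16))
    fresh = StatefulRom(GENUINE, OTHER, BRANCH_END)
    print("trace mismatches:", trace_mismatches(fresh, GENUINE, TRACE))
```

A matching sequential digest therefore says nothing about what the part returns under other access orders, and as the message notes, a better look-alike could counter further checks as well.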