August 13, 2009
A team of computer scientists from University of California-San Diego, the University of Michigan, and Princeton University used an attack based on "return-oriented programming" to turn a Sequoia AVC Advantage e-voting machine against itself and shift votes from one candidate to another.
The attack doesn't require any new code, either: "The attacker reuses short snippets of the existing system and recombines them in such a way that the computation they perform is exactly the computation he wants to carry out," he says.
The researchers exploited a buffer-overflow vulnerability in the Sequoia voting machine, which has built-in defenses against code injection into its RAM. "This is exactly the defense that our use of return-oriented programming defeats," Schacham says.
61 queries taking 0.0092 seconds, 133 records returned.
Powered by Minx 1.1.6c-pink.