We perform the first automated security analysis of the actual JavaScript implementation of the Helios voting client, a state-of-the-art, web-based, open-audit voting system that is continuously being deployed for real-life elections. While its concept has been exhaustively analyzed by the security community, we actively analyze its actual JavaScript implementation. Automatically ascertaining the security of a large-scale JavaScript implementation comes with major technical challenges. By creating a sequence of program transformations, we overcome these challenges, thereby making the Helios JavaScript client accessible to existing static analysis techniques. We then automatically analyze the transformed client using graph slicing, reducing an approximately 7 million node graph representing the information flow of the client’s implementation to a handful of potentially harmful flows, each individually consisting of less than 40 nodes. Our interpretation of this analysis results in the exposure of two thus far undiscovered vulnerabilities affecting the live version of Helios: a serious cross-site scripting attack leading to arbitrary script execution and a browser-dependent execution path that results in ballots being sent in plaintext. These attacks can be mitigated with minor adaptations to Helios. Moreover, our program transformations result in a version of Helios with fewer external dependencies and, accordingly, a reduced attack surface.
Proceedings of the 31st Annual ACM Symposium on Applied Computing - SAC 2016
2016-04-04
2019-07-18 12:10:26