I developed a voting system (see http://www.SAVIOC.com) that uses ordinary old PCs, yet is more transparent and trustworthy than anything else in use today. All software, including the operating system (FreeDOS) boots from a floppy that can be verified by hash code. The PC never uses the hard drive, and doesn't even need one. Trustworthiness comes from people with different interests being able to prevent each other from doing anything fraudulent. I think the only significant potential vulnerability is that someone with physical access to the machines could install a malicious BIOS. Learning about the OpenBIOS project gave me hope of overcoming that vulnerability.
(1) Is my hope justified? Can a PC be booted from a floppy that completely replaces the native BIOS in RAM, and then loads FreeDOS? (Can the possibility of a malicious BIOS be made a non-issue?)
If all answers are YES, then the remaining very basic questions become important.
(2) Roughly how much space on the floppy would be required? (3) What downloads would I need? OpenBIOS AND OpenFirmware AND OpenBOOT? Anything else? (4) How are they downloaded? http://www.openfirmware.info/index.php/Downloads displays a page beginning, "This page has been deleted." All other links that imply the possibility of downloading reach a page headlined, "The page cannot be displayed".
Chuck Gaston
On 2013/07/19 at 06:01, SAVIOCvs@aol.com wrote:
> I developed a voting system (see http://www.SAVIOC.com) that uses ordinary old PCs, yet is more transparent and trustworthy than anything else in use today. All software, including the operating system (FreeDOS) boots from a floppy that can be verified by hash code. The PC never uses the hard drive, and doesn't even need one. Trustworthiness comes from people with different interests being able to prevent each other from doing anything fraudulent. I think the only significant potential vulnerability is that someone with physical access to the machines could install a malicious BIOS. Learning about the OpenBIOS project gave me hope of overcoming that vulnerability.
> (1) Is my hope justified? Can a PC be booted from a floppy that completely replaces the native BIOS in RAM, and then loads FreeDOS? (Can the possibility of a malicious BIOS be made a non-issue?)
> If all answers are YES, then the remaining very basic questions become important.
Perhaps this is a digression, but why a floppy? If you're using old hardware, that's fine, but at some point you probably want to use modern hardware, and I don't know of a modern hardware system that comes with a floppy drive, anymore. Furthermore, my many years of experience with floppy disks tells me that they are unreliable - very prone to failures of a variety of types (dirty heads, physical damage to the medium, etc.). Many of these types of failures mean mis-reads, which means bad checksums and failures in the security model you're trying to implement. If you're looking for something compatible with very old hardware - hardware that does not support booting from USB flash drives - I'd recommend finding some older IDE flash chips (disk on chip) that you can use, instead. These are probably pretty cheap, now, and should give you the capacity and reliability that you won't get with floppy disks.
> (2) Roughly how much space on the floppy would be required?
You can build the OpenBIOS tree and see how large the binary is. I don't remember off the top of my head, so I can't tell you. Many modern BIOS implementations are several MB - I believe 8MB is the average BIOS size (not OpenBIOS, just BIOS in general), with some as large as 12MB. This presents another problem when using floppies... you'd need multiple ones.
> (3) What downloads would I need? OpenBIOS AND OpenFirmware AND OpenBOOT? Anything else?
Probably just OpenBIOS.
> (4) How are they downloaded? http://www.openfirmware.info/index.php/Downloads displays a page beginning, "This page has been deleted." All other links that imply the possibility of downloading reach a page headlined, "The page cannot be displayed".
SVN check-out of the current source tree and build. Decently modern versions are also included with QEMU, IIRC.
-Nick
Nick Couchman wrote:
> On 2013/07/19 at 06:01, SAVIOCvs@aol.com wrote:
>> I developed a voting system (see http://www.SAVIOC.com) that uses ordinary old PCs, yet is more transparent and trustworthy than anything else in use today. All software, including the operating system (FreeDOS) boots from a floppy that can be verified by hash code. The PC never uses the hard drive, and doesn't even need one. Trustworthiness comes from people with different interests being able to prevent each other from doing anything fraudulent. I think the only significant potential vulnerability is that someone with physical access to the machines could install a malicious BIOS. Learning about the OpenBIOS project gave me hope of overcoming that vulnerability.
>> (1) Is my hope justified? Can a PC be booted from a floppy that completely replaces the native BIOS in RAM, and then loads FreeDOS? (Can the possibility of a malicious BIOS be made a non-issue?)
No, because you cannot prove that the native BIOS doesn't include some facility that "infects" the replacement loaded from floppy.
On Fri, Jul 19, 2013 at 08:01:22AM -0400, SAVIOCvs@aol.com wrote:
> I developed a voting system (see http://www.SAVIOC.com) that uses ordinary old PCs, yet is more transparent and trustworthy than anything else in use today. All software, including the operating system (FreeDOS) boots from a floppy that can be verified by hash code. The PC never uses the hard drive, and doesn't even need one. Trustworthiness comes from people with different interests being able to prevent each other from doing anything fraudulent. I think the only significant potential vulnerability is that someone with physical access to the machines could install a malicious BIOS. Learning about the OpenBIOS project gave me hope of overcoming that vulnerability.
> (1) Is my hope justified? Can a PC be booted from a floppy that completely replaces the native BIOS in RAM, and then loads FreeDOS? (Can the possibility of a malicious BIOS be made a non-issue?)
> If all answers are YES, then the remaining very basic questions become important.
> (2) Roughly how much space on the floppy would be required? (3) What downloads would I need? OpenBIOS AND OpenFirmware AND OpenBOOT? Anything else? (4) How are they downloaded? http://www.openfirmware.info/index.php/Downloads displays a page beginning, "This page has been deleted." All other links that imply the possibility of downloading reach a page headlined, "The page cannot be displayed".
I suspect that someone could write a BIOS that implemented a full hypervisor and then booted your code in a virtual machine. You probably won't have any way to detect that if it is done well. There are some methods used to detect being in a VM guest, but I believe most of them are there by design to help out the software when it needs to know.
Of course if you could make sure that isn't the case, you have the problem that you can't do address remapping (which you would need to replace the BIOS code) unless you are in 386 protected mode, so now you aren't just replacing the BIOS, you are actually running code with your FreeDOS running in virtual86 mode under whatever your replacement is. To some extent you are essentially implementing a hypervisor/virtual machine at that point, and of course virtual machines provide their own BIOS for the guest being booted. I don't know if you can fit a virtual machine on a floppy.