[OpenBIOS] Secure BIOS for voting?

SAVIOCvs at aol.com SAVIOCvs at aol.com
Tue Jul 23 13:35:14 CEST 2013

The three responses I've seen so far were all negative, but also puzzling  
to me.  I'll try to address the key points in the response that  is copied 
below, as well as those in the other two responses.
(1) Why floppies? -- (a) Because they are limited in storage, and  
non-electronic.  The smaller the memory, the harder it is to hide something  
malicious in it, and the easier to check it.  (b) Because they are  inexpensive.  
Any entity wishing to verify voting results needs one memory  device for 
every voting machine.
(2) Aren't floppies unreliable? -- No.  Since I started keeping track  of 
my public voting demos in 2002, I have used 992 diskettes without a single  
failure between starting voting and archiving results.  (That's not 992  
different new diskettes; each is used over and over again unless a check done at 
 startup reveals possible unreliability.)
(3) Aren't floppy drives obsolete? -- No.  USB-connected floppy drives  are 
readily available for about $15, and computers can boot from them.
(4) BIOS averages 8 MB? -- WOW!  I still don't know how big OpenBIOS  is, 
but I was hoping for something a bit closer to the 8  KB of the original IBM 
PC.  The capabilities of a  386 computer are sufficient for my voting 
system.  Is OpenBIOS really so  huge?  Does a BIOS have to be?
(5) Hypervisor?  Virtual machine?  Address remapping?   Infectious native 
BIOS? -- If a modern computer has no hard drive connected,  what happens when 
it boots from a floppy?  There is a boot sector on the  diskette (which is 
verified by hash code); doesn't that control what happens  next?  Why can't 
the floppy contents take control of the computer?  
Obviously, I'm no BIOS expert.  I'd appreciate recommendations of good  
texts or tutorials to bring me up to speed.
Chuck Gaston
In a message dated 7/19/2013 9:04:29 A.M. Eastern Daylight Time,  
Nick.Couchman at seakr.com writes:

>>> On 2013/07/19 at 06:01, <SAVIOCvs at aol.com> wrote:  
> I developed a voting system (see _www.SAVIOC.com_  
(http://www.SAVIOC.com) ) 
> that uses ordinary old PCs,  yet is  more transparent and trustworthy 
> anything else in use   today.  All software, including the operating 
> (FreeDOS)  boots from a  floppy that can be verified by hash code.  The 
> never uses the hard  drive, and doesn't even need one.   Trustworthiness 
> comes 
> from people  with different  interests being able to prevent each other 
> doing anything   fraudulent.  I think the only significant potential 
>  vulnerability is that  someone with physical access to the machines 
> install a 
> malicious  BIOS.  Learning about the  OpenBIOS project gave me hope of 
> overcoming that   vulnerability.
> (1)  Is my hope justified?   Can a PC be booted from a floppy that  
> completely replaces the  native BIOS in RAM, and then loads FreeDOS?  
> the  
> possibility of a malicious BIOS be made a non-issue?)
> If all answers are YES, then the remaining very basic questions  become  
> important.

Perhaps this is a digression, but why  a floppy?  If you're using old 
hardware, that's fine, but at some point  you probably want to use modern 
hardware, and I don't know of a modern  hardware system that comes with a floppy 
drive, anymore.  Furthermore, my  many years of experience with floppy disks 
tells me that they are unreliable -  very prone to failures of a variety of 
types (dirty heads, physical damage to  the medium, etc.).  Many of these 
types of failures mean mis-reads, which  means bad checksums and failures in 
the security model you're trying to  implement.  If you're looking for 
something compatible with very old  hardware - hardware that does not support 
booting from USB flash drives - I'd  recommend finding some older IDE flash chips 
(disk on chip) that you can use,  instead.  These are probably pretty 
cheap, now, and should give you the  capacity and reliability that you won't get 
with floppy  disks.

> (2)  Roughly how much space on the  floppy would be required?

You can build the OpenBIOS tree and see how  large the binary is.  I don't 
remember off the top of my head, so I can't  tell you.  Many modern BIOS 
implementations are several MB - I believe  8MB is the average BIOS size (not 
openBIOS, just BIOS in general), with some  as large as 12MB.  This presents 
another problem when using  floppies...you'd need multiple ones.

> (3)  What downloads  would I need?  OpenBIOS AND OpenFirmware AND  
>  Anything else?

Probably just OpenBIOS.

>  (4)  How are they downloaded?  
>  http://www.openfirmware.info/index.php/Downloads displays  a page  
> beginning, "This page has been deleted."  All other links that  imply  
> possibility 
> of downloading reach a page  headlined, "The  page cannot be displayed".

SVN  check-out of the current source tree and build.  Decently modern 
versions  are also included with Qemu,  IIRC.


This e-mail may contain  confidential and privileged material for the sole 
use of the intended  recipient.  If this email is not intended for you, or 
you are not  responsible for the delivery of this message to the intended 
recipient, please  note that this message may contain SEAKR Engineering (SEAKR) 
 Privileged/Proprietary Information.  In such a case, you are strictly  
prohibited from downloading, photocopying, distributing or otherwise using  
this message, its contents or attachments in any way.  If you have  received 
this message in error, please notify us immediately by replying to  this 
e-mail and delete the message from your mailbox.  Information  contained in this 
message that does not relate to the business of SEAKR is  neither endorsed 
by nor attributable to SEAKR.

OpenBIOS    http://openbios.org/
Mailinglist:   http://lists.openbios.org/mailman/listinfo
Free your System - May the Forth  be with you

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.openfirmware.info/pipermail/openbios/attachments/20130723/93e8ca89/attachment.html>

More information about the OpenBIOS mailing list