There are many steps than must be taken for a voting system to be certified by the EAC. One of the most important of these steps is the process of creating a trusted build. But what is the trusted build and why is it required?
Firstly, we should define what a build is. Software is typically written by programmers in a human-readable programming language. This is referred to as source code. This code needs to be transformed into a format that can be executed by a computer, known as machine code. This process of transforming, or compiling, source code into executable machine code is known as a software build.
A trusted build is a build that is performed with several security and verification measures to a such an extent that the executable machine code can confidently be shown to be a faithful and authentic representation of the source code.
Before the trusted build process is started, it is required that an EAC accredited voting system testing laboratory (VSTL) receive the source code from the voting system manufacturer, and perform a review of the code, verifying it’s compliant with all applicable VVSG requirements.
Following the source code review, the VSTL is required to obtain all necessary commercial off the shelf software, such as operating systems and anti-virus programs, from trusted third party sources. These executables get incorporated into the voting system trusted build. These items are confirmed to be unmodified from their third-party source by verifying their file signatures, also referred to as hash codes.
The trusted build process is then conducted by the VSTL. It consists of three distinct steps:
- A build environment is created. This environment is constructed and controlled by the VSTL, but the voting system manufacturer may observe the process. This environment is a computer that has been completely erased with a Department of Defense or NIST approved method.
- The VSTL reviewed manufacturer source code for the voting system as well as the pre-built dependencies are placed in the build environment. File signatures of the source code modules are checked to verify the code is unchanged from the code that was previously reviewed prior to the trusted build. File signatures are also produced for the created executable code and installation media.
- The VSTL then installs the executable code on the voting system hardware, producing file signatures on each voting system file. This is the voting system configuration that is tested by the VSTL against VVSG requirements.
The purpose of performing the trusted build is to show that the source code – as examined, tested, and approved – was used to create the executable code and demonstrate that no additional elements have been introduced into the software build for the system. The trusted build is the origin of the chain of custody for software components of the voting system.
This process creates a chain of evidence allowing election officials to verify that their voting system software matches the version tested by the VSTLs and certified by the EAC, and unauthorized code has not been introduced into the system.