On Voting Machine Design for Verification and Testability


March 19, 2010


Sanjit A. Seshia


University of California, Berkeley


I will present an approach for the design and analysis of an electronic voting machine based on a novel combination of formal verification and systematic testing by humans. The system was designed specifically to enable verification and testing. In our architecture, the voting machine is a finite-state transducer that implements the bare essentials required for an election. We formally specify how each component of the machine is intended to work and formally verify that an implementation of our design meets this specification. However, it is more challenging to verify that the composition of these components will behave as a voter would expect, because formalizing human expectations is difficult. We show how systematic testing by humans can be used to address this issue, and in particular to verify that the machine will behave correctly on Election Day. I will conclude with some observations on what we learned from this project and some thoughts on how the ideas might generalize.


Sanjit A. Seshia

Sanjit A. Seshia is an assistant professor in the Department of Electrical Engineering and Computer Sciences at the University of California, Berkeley. He received an M.S. and a Ph.D. in Computer Science from Carnegie Mellon University, and a B.Tech. in Computer Science and Engineering from the Indian Institute of Technology, Bombay. His research interests are in dependable computing and computational logic, with a current focus on applying automated formal methods to problems in computer security, electronic design automation, and program analysis. He has received a Presidential Early Career Award for Scientists and Engineers (PECASE), an Alfred P. Sloan Research Fellowship, and the School of Computer Science Distinguished Dissertation Award at Carnegie Mellon University.