| Name : | Ron Crane | Organization : | N/A | Post Date : | 9/30/2005 |
| Section : | .20.1.3.1.4 | Page no. : | | Line no.: | | Comment : | 8b. b. While Vol. II, §1.3.1.4 says that "the test lab also witnesses the build of the executable system to ensure that the qualified executable release is built from the tested components", an unscrupulous vendor could manipulate this process to inject malware into the build, particularly because the Guidelines do not require anyone else to build the system and to compare what was built against what the vendor sent to the "software repository". Further, an unscrupulous vendor could modify its compiler, linker, etc., to inject malware into the voting application.[13] Since the Guidelines do not require the vendor to submit the compiler, linker, etc., for escrow by the "software repository", they do nothing to prevent this. |
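Added example, not part of Mr. Crane's comment or of the Guidelines: a Python sketch of the two checks the comment says are missing, an independent rebuild compared artifact by artifact against what the vendor deposited, and a check that every toolchain component named in the vendor's build manifest matches a copy held in escrow. All file names, contents and digests are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample data: what the vendor deposited in the software
# repository versus what an independent party rebuilt from escrowed source.
VENDOR_BUILD = {"bin/ballot": b"ballot v1", "bin/tally": b"tally v1"}
INDEPENDENT_REBUILD = {"bin/ballot": b"ballot v1", "bin/tally": b"tally v1 + unexplained bytes"}
# Constructed: digests the vendor's manifest claims for its toolchain,
# and digests of the toolchain copies actually held in escrow.
VENDOR_TOOLCHAIN_MANIFEST = {"cc": "sha256:aaaa", "ld": "sha256:bbbb"}
ESCROWED_TOOLCHAIN = {"cc": "sha256:aaaa"}  # linker was never escrowed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class BuildComparison:
    matched: list = field(default_factory=list)
    mismatched: list = field(default_factory=list)
    missing_from_rebuild: list = field(default_factory=list)
    extra_in_rebuild: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not (self.mismatched or self.missing_from_rebuild or self.extra_in_rebuild)


def compare_builds(vendor: dict, rebuilt: dict) -> BuildComparison:
    """Compare the vendor-submitted executables with an independent rebuild
    by SHA-256 digest; any difference is a finding to explain, not to accept."""
    result = BuildComparison()
    for path in sorted(set(vendor) | set(rebuilt)):
        if path not in rebuilt:
            result.missing_from_rebuild.append(path)
        elif path not in vendor:
            result.extra_in_rebuild.append(path)
        elif sha256_hex(vendor[path]) == sha256_hex(rebuilt[path]):
            result.matched.append(path)
        else:
            result.mismatched.append(path)
    return result


def unescrowed_toolchain(manifest: dict, escrow: dict) -> list:
    """Return toolchain components (compiler, linker, ...) whose manifest digest
    is absent from escrow or differs from the escrowed copy."""
    return [tool for tool, digest in manifest.items() if escrow.get(tool) != digest]


if __name__ == "__main__":
    report = compare_builds(VENDOR_BUILD, INDEPENDENT_REBUILD)
    print("rebuild matches vendor deposit:", report.ok, report.mismatched)
    print("toolchain not verifiable from escrow:", unescrowed_toolchain(VENDOR_TOOLCHAIN_MANIFEST, ESCROWED_TOOLCHAIN))
```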