In the first part of the series, we considered the Concept-of-Operations, identifying the system domain and its primary objectives. We also considered the objectives of a Bad Actor who desires to abuse the system. Finally, we brought requirements into the model. Now we will go ahead and start designing the system, following those requirements. We will design the hardware, we will design the software, and we will also design the system operation: how these components all work together, for example the logistics of moving information and material between system components. This work will be modeled in the SysML model and in various hardware and software design environments, as shown in Figure 1.
Figure 1 Total System Model Architecture
We begin with logistics as process and system behavior. In Figure 2, we have a SysML sequence diagram with a step-by-step breakdown of all of the transfers that must occur between the different actors and parts in the system in order to carry out an election. This happens to be the first part of the logistics model, the Election Setup process, which involves many of the parts of the system: the county officials, the county central server, the voter registration database, the precinct officials, the precinct central computer and the direct recording electronic (DRE) machine. Notice the voter hasn't shown up yet, because this is the pre-voting setup stage, but the model includes additional diagrams like this one to map out the actual voting and the vote aggregation and tabulation parts of the process.
Figure 2 Sequence Diagram in MagicDraw SysML – first phase of elections operations
In a sequence diagram, the horizontal arrows (messages) are read from the top down. The first message, the first transfer of information or materials, is the physical movement of the voting machines from the custody of the county officials to the precinct officials. The second is that a county official is going to create a ballot template, or a set of ballot templates specialized for each precinct, on the county central server. Then the ballot templates are transferred to the precinct officials. Later, the appropriate voter rolls are distributed, and so forth. Each step in the process is captured in a formalized manner in this sequence diagram, from setup to final vote totals.
Figure 3 Internal Block Diagram for Election Domain in MagicDraw SysML
To double-check this process, we have created a structural connectivity diagram, the SysML internal block diagram in Figure 3, that describes the distribution channels between the users and parts of the system. These might be physical media, such as paper tape or flash memory cards, or electronic information transfer. The nature of each channel is captured in an association block, which types each of the connectors in the figure. Each message from the sequence diagrams is allocated to the structural channel that carries it, which ensures that there are no gaps in the process and makes it easier to investigate possible vulnerabilities later.
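As an added illustration (not part of the series' MagicDraw model), here is a small Python check of the allocation step just described: every message from the sequence diagram must map to a channel in the internal block diagram that actually joins its sender and receiver. Block, channel and message names are constructed, and two deliberate defects (one unallocated message, one message allocated to a channel that does not connect its endpoints) are planted so the check has something to report.

```python
"""Consistency check between a sequence diagram's messages and the
internal block diagram's channels: no message may lack a channel, and
the channel it is allocated to must connect its sender and receiver."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Channel:
    name: str
    ends: frozenset      # the two blocks the connector joins
    medium: str          # association-block type: physical media or electronic link


@dataclass(frozen=True)
class Message:
    name: str
    sender: str
    receiver: str
    channel: Optional[str]   # allocated channel name, None if not yet allocated


# Constructed sample model (hypothetical names, not the published election model).
CHANNELS: Dict[str, Channel] = {c.name: c for c in [
    Channel("custody_transfer", frozenset({"CountyOfficials", "PrecinctOfficials"}), "physical"),
    Channel("county_to_precinct_media", frozenset({"CountyCentralServer", "PrecinctCentralComputer"}), "flash_card"),
    Channel("registration_link", frozenset({"VoterRegistrationDB", "CountyCentralServer"}), "network"),
    Channel("precinct_lan", frozenset({"PrecinctCentralComputer", "DRE"}), "network"),
]}

MESSAGES: List[Message] = [
    Message("move_voting_machines", "CountyOfficials", "PrecinctOfficials", "custody_transfer"),
    Message("create_ballot_template", "CountyOfficials", "CountyCentralServer", None),  # planted: unallocated
    Message("transfer_ballot_templates", "CountyCentralServer", "PrecinctCentralComputer", "county_to_precinct_media"),
    Message("distribute_voter_rolls", "VoterRegistrationDB", "PrecinctCentralComputer", "registration_link"),  # planted: wrong channel
    Message("load_ballot_on_dre", "PrecinctCentralComputer", "DRE", "precinct_lan"),
]


def check_allocation(messages: List[Message], channels: Dict[str, Channel]) -> List[Tuple[str, str]]:
    """Return (message name, problem) findings; an empty list means no gaps."""
    findings = []
    for m in messages:
        if m.channel is None:
            findings.append((m.name, "unallocated: no structural channel carries this message"))
            continue
        ch = channels.get(m.channel)
        if ch is None:
            findings.append((m.name, f"allocated to unknown channel '{m.channel}'"))
        elif ch.ends != frozenset({m.sender, m.receiver}):
            findings.append((m.name, f"channel '{ch.name}' does not connect {m.sender} and {m.receiver}"))
    return findings


def media_in_use(messages: List[Message], channels: Dict[str, Channel]) -> set:
    """Media types that actually carry traffic: the set a later vulnerability review must cover."""
    return {channels[m.channel].medium for m in messages if m.channel in channels}
```

Running `check_allocation(MESSAGES, CHANNELS)` on the sample reports the two planted defects, which is exactly the kind of gap the allocation step is meant to surface before the vulnerability analysis begins.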
In the models that will be published with the final installments of the series, the complete set of diagrams for the hypothetical election logistics will be included. Before that, we have further aspects of system design and analysis to explore, starting with DRE hardware and software design.
- MBSE for Electronic Voting System Security (MagicDraw) – Part 1
- MBSE for Electronic Voting System Security (MagicDraw) – Part 2
- MBSE for Electronic Voting System Security (MagicDraw) – Part 3 (this post)
- MBSE for Electronic Voting System Security (MagicDraw) – Part 4 (coming soon)
- MBSE for Electronic Voting System Security (MagicDraw) – Part 5 (coming soon)
- MBSE for Electronic Voting System Security (MagicDraw) – Part 6 (coming soon)