National Security and the PC

Every PC you use contains code you can neither audit nor trust - worse, in most cases you cannot find out from public sources where the code came from or who is ultimately responsible for it.

The best thing about being an intellectual right-winger is that I am, of course, always right -something that can't generally be said for everyone. In particular it can't be said for a guy named Lewis Page whose report: DARPA looking to verify imported military chips, on the Register starts off like this:

DARPA*, the mad-as-a-bottle-of-crisps Pentagon warboffinry operation, has struck again - this time awarding a $13m contract to the University of Southern California to develop technology which will ensure that imported integrated circuits (ICs) used by the US military are trustworthy.

As he notes, the material he's using to express his ignorance came from an earlier report blogged on the Aviation Week site by Catherine MacRae Hockmuth. That report gives more information and cites original sources, quoting, for example, this bit, apparently from a 2005 report:

These trends have raised concerns regarding U.S. weapons systems reliance on high-performance ICs and the potential vulnerabilities of these systems caused by malicious manipulation of hardware and software processes that could render them inoperable at some future time. This situation is true for some ICs currently in use, such as Application Specific Integrated Circuits (ASIC), and for commercial-off-the-shelf (COTS) configurable parts, such as Field Programmable Gate Arrays (FPGA). Furthermore, protecting intellectual property and military secrets is problematic because these are often embedded in the design of ICs, and the manufacturer in the fabrication process often needs the details of the designs.

I hadn't previously seen this report - but the relevance to PC security should be obvious. Commercially available Intel based personal computers are built with components whose contents you can neither audit nor trust. Do you know, for example, everything the software on your PC NIC card does? How about that cute little Chinese made router/modem your cable company just installed in your home? If your graphics card is supposed to have 128 "processors" in its array, can you prove that one of them doesn't have a few extra circuits? If you run any hypervisor or other virtualization toolset, can you prove that it isn't running as one instance of another?

I don't think you can - and I'm very glad to see some serious people worrying about this because the bottom line is simple: if any programmable component of any network connected device in your business is untrustworthy, then so is your whole network.