A classic paper by Ken Thompson. Today I think the most important paragraph is this: "I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well-installed microcode bug will be almost impossible to detect."
Keep the above in mind when thinking about the proprietary microcode and ME hardware/firmware components that are built-in to nearly all modern processors. A typical "supply chain" attack.
It's more likely that such a request would not get a meaningful response because it would never be routed to anyone with knowledge of such activities. (SAP/SAR/UNACKNOWLEDGED/WAIVED)
Many third party researchers have already found backdoors in other parts of Intel's CPUs, such as the Management Engine.
I very much suspect a well funded and motivated actor like the NSA could find mistakes in the microcode without needing to ask for a backdoor directly.
We can also get the requisite link to "David A. Wheeler’s Page on Fully Countering Trusting Trust through Diverse Double-Compiling (DDC)" out of the way: https://dwheeler.com/trusting-trust/
> The modified version of Xcode, the researchers claimed, could enable spies to steal passwords and grab messages on infected devices. Researchers also claimed the modified Xcode could “force all iOS applications to send embedded data to a listening post.”
Required reading at the upper levels of a computer science undergrad curriculum maybe, but I don’t know any 12 or 14 year olds equipped to handle this paper. Your experience may vary.
Existence of this problem is often used as a defeatist argument to do nothing about software security.
1. I don't want to run any software I don't trust, and I don't want to trust anyone.
2. But it's impossible to verify anything, because even my CPU could be lying to me.
The result is that any improvement in security gets shot down, because nothing short of digging sand for silicon with your bare hands is safe from Ken Thompson.
more than half the people I knew in Computer Science that took the road of security, turned out as concerted weasels, on both sides of that "bright line" of the law. Meanwhile lots of worthy people doing worthy things are effectively in the same camp as dolts and illiterates, having nothing to do with security at all.
Keep the above in mind when thinking about the proprietary microcode and ME hardware/firmware components that are built-in to nearly all modern processors. A typical "supply chain" attack.