PGP source code

Ken Brown k.brown at ccs.bbk.ac.uk
Tue, 04 Sep 2001 10:58:06 +0100


It would, of course, be possible to insert traps into microcode. Not
even difficult, this is the sort of thing that microcode does. The hard
part is keeping it secret.

The reason I don't *really* believe this (well, I assign it a very low
truth value) is the same as the reason no-one ought to believe the
conspiracy theories about the moon landings. The number of people
involved in the conspiracy would be so huge they would be impossible to
control. I'm sure many thousands of designers and engineers and
programmers and technical authors and other people must have taken part
in planning, design, walkthroughs, testing, quality control, debugging &
so on, on the *86/Pentium family of CPUs & their microcode. And much of
the process has to be repeated with every revision, which is something
that goes on more or less continuously. After 30 years of the chip
family there must have been tens or possibly even hundreds of thousands
involved.  And there have never been zero Intel CPU competitors, and
sometimes 3 or 4, all of whom would have to be in on the act. The chance
of someone not in on the conspiracy saying "what is this thing for?" is
almost total.

Now IBM on the other hand... I could believe almost anything about
IBM...

Ken Brown


lists@notatla.demon.co.uk wrote:
> 
> From: "Owen Lewis" <oml@eloka.demon.co.uk>
> 
> > So the logic of this dictates that Uncle Sam (etc) lean on INTEL, AMD etc to
> > make certain amendments to the microcode that will cause serious weakening
> > of ciphertexts created using their processors? Said weakness only being
> > exploitable *if* you know what the effect of the microcode amendment is?
> >
> > Sounds like a plan to me. I wonder if he's thought of it? Probably. Which is
> > not the same thing as saying that he's done it. Anyone with knowledge of
> > microcode care to speculate on an approach to how this might be done or why
> > it can't be done?
> 
> My guess is that other features than crypto would be the target here.
> 
> I wrote on another list 2 years ago:
> 
> > Pure speculation, but what if copying a certain 256-bit string caused the
> > program counter to pick up execution after that string? Then practically
> > every program would have an exploitable buffer overflow detectable and
> > useable only by those with the secret key.
> >
> > Combine that with disabling protected memory in the processor and all
> > those overflows are remote root exploits, perhaps triggered by a single
> > ICMP packet.
> 
> Assuming that Intel can be coerced, and that a leak proving the backdoor can
> be avoided with high confidence, there's no reason I can see why it can't be
> done.