Newly proposed Congressional legislation would require the US to conduct security reviews for connected vehicles built by automakers from China and “other countries of concern.” Rep. Elissa Slotkin (D-MI) introduced the bill on Wednesday.
Software is easy. It’s the hardware backdoors that are hard to find, and those have been being built for at least a decade. They were pretty simple to start; I can’t imagine what they’re capable of hiding in 5nm process chips.
The hardware backdoors are pretty difficult to find… but I object to your statement that software is easy. The obfuscated C contest is a wonderful demonstration.
You know the best way to analyze a submission to the OCCC? Compile it, then run the result through a disassembler. You get back far more readable code than the source.
But you’re right; reading code isn’t easy; I meant relatively. If you have government-level resources and can hire a bunch of experienced software developers to review source code, armed with a bunch if static analysis tools (<cough>NSA), you have a decent chance of finding malicious code in software. I know of no similar tools (and the automated software analysis tools are the important factor) for finding backdoors in hardware.
Software is easy. It’s the hardware backdoors that are hard to find, and those have been being built for at least a decade. They were pretty simple to start; I can’t imagine what they’re capable of hiding in 5nm process chips.
The hardware backdoors are pretty difficult to find… but I object to your statement that software is easy. The obfuscated C contest is a wonderful demonstration.
You know the best way to analyze a submission to the OCCC? Compile it, then run the result through a disassembler. You get back far more readable code than the source.
But you’re right; reading code isn’t easy; I meant relatively. If you have government-level resources and can hire a bunch of experienced software developers to review source code, armed with a bunch if static analysis tools (<cough>NSA), you have a decent chance of finding malicious code in software. I know of no similar tools (and the automated software analysis tools are the important factor) for finding backdoors in hardware.