None of which can tell you that the hardware isn’t doing something different, for sure. Code audits don’t mean much if the code you’re given isn’t what you’re running.
Still don’t tell you what is inside of a chip. This is a known big area of concern, and is one of the reasons why the US military requires chips be made domestically for sensitive equipment.
1) With node sizes getting down to 5-7nm, it’s out of reach for standard X-ray technology.
2) Lets say you use some cutting edge technology like x-Ray tomography [1]. Now how do you read this back out and know what each circuit is doing? You could compare to a ref design, but maybe that ref design already has the backdoor in it?
3) How you get from VDHL/Verilog/hardware spec to chip is a proprietary, difficult, and computationally intense process that is anything but open and even if it were, require extreme computing and specialized technical talent to understand the final chip layout vs the input
4) Even if you could do that, the shear complexity of the code could have things hidden “in plain sight” by exploiting non-obvious features, such as all the side-channel timing attacks common on Intel chips these days.
5) Even if you had that down, you’d have to have someone like AT&T opening up hundreds or thousands of these machines, removing all the chips, hoping that no damage occurs and your imaging technology can read through the chip packaging, and imagine them one by one and ultimately compare to some reference.
Needless to say, this is not a realistic endeavor. We’re talking state-level espionage with resources and motivation. You have to control the supply chain, and hope your own supply chain isn’t compromised itself.
While reasonable, this is a pretty pessimistic point of view. With X-ray images, the attacker has much less flexibility to change the hidden backdoors. You do not have to check every single machine, like no one ever checks every single line of code. It is enough if people randomly check the X-ray images and whenever someone finds anything suspicious, it will get into the news. This is how open source works.
Yes, having a state as enemy is a loosing game, but if we take every possibility to make their life harder, it will shift the game significantly. Giving up never help anyone.
If x ray doesnt work, try some other stuff, infrared, led, radioactive, ect. Could even try something as simple as attach multimeter leads to the pins.
