[galvanist]

For some hardware attacks, like transistor-level dopant mask swaps, there isn’t any reliable way to detect them, not even optical inspection (because the layout is unchanged) nor functional testing (because passing BIST and external benchmark results can be faked). See the paper from UMass: https://people.umass.edu/gbecker/BeckerChes13.pdf

Since the “detection” I’m referring to is already extremely difficult before the chip even leaves the legitimate chip manufacturer’s facility, what hope could someone have of opening a modern IXP-scale router and determining if any of the zillion chips inside has been trojaned by double-0-mailman?

[tptacek]

I think we're operating from the assumption that the fab is itself not compromised; if you think it might be, you're right, all is lost. But I think we're converging on the same point: all is lost anyways.

[droopyEyelids]

I know you're a noted security researcher but it seems like you're write about security as if it were a binary "secure or insecure".

How do your comments in this thread relate to the fact that nothing can ever be perfect, and different degrees of sophistication in security can only ever reduce the probability of an attacker's success, or the percentage of attackers that make it through everything?