On Mon, 4 Jan 1999 16:19:17 -0600 John Payson writes:

> >Address/data scrambling is sometimes a useful means of simplifying
> >a board layout. Unscrambling the bus is trivial using a continuity
> >tester, however. Even when a continuity tester is not available
> >and the address/data buses are fully encrypted, the system may be
> >compromised if all reads/writes are encrypted independently (as is
> >the case in non-caching CPUs).

|I'm sure if you wanted to buy enough of them and were willing to pay
|enough for them, you could get the manufacturer to scramble the
|data/address lines in the chip between the pins and the die.

What would be the point of that? Given a hex file that was scrambled by a permutation of address and data wires, I could probably unravel it in less than an hour if I had a little bit of background on what it was (e.g. what CPU, etc.). Without such background I could try different assumptions until I found one that worked.

If you were to have the manufacturer change the instruction decode logic somewhat, decoding would be correspondingly harder. If you added a few new instructions which had no equivalent on the original CPU, it could be made much more difficult for any would-be cracker who didn't have data on the new instructions. In both cases, however, if the hacker has access to the CPU itself (as opposed to just the ROM) things become much easier, since he can write code to test out what the different instructions do.

[note: In the case of address/data scrambling, someone with access to the CPU need only put a NOP (all zeroes) on the data bus and watch the order of the wiggling address pins. Unraveling the data bus is a tiny bit harder, but not much.]

Incidentally, I believe Ford's 68HCxx-based engine controllers use a slightly-altered instruction set. From what I heard, this was to keep cost down (eliminate any unnecessary instruction logic) but I suspect it was also to discourage reverse-engineering since a scanning electron microscope can easily read out masked ROM contents. It would sure take a lot more ingenuity to figure that one out than was demonstrated by the guys who were caught playing around in our dumpsters. :)

Many of the more serious security risks stem not from high-tech attacks (though Microsoft's lax attitude about their customers' security is deplorable) but from low-tech ones; a security audit firm hired by a major corporation tried an amazingly simple blunt approach: call up employees, claim to be the IT department, and ask for their passwords. An amazing percentage of employees willingly gave their passwords to a complete stranger!
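As an added illustration (this is not part of the mailing-list post and not anyone's real product), the following Python models the address/data wire scrambling discussed above as what it mathematically is: a pair of bit permutations. The ROM contents and the two wiring permutations are constructed sample values. The model makes two points a designer evaluating such a scheme would want to check: the scrambling is a bijection whose whole "key" is a permutation pair (for 8-bit buses that is 8! x 8!, about 30 bits, before any structural leakage is considered), and it preserves byte statistics such as the Hamming-weight histogram and, when only the address lines are swapped, the exact multiset of bytes. That is why it should be budgeted as layout convenience, not as encryption.

```python
"""Model of a ROM read through permuted address and data lines.

Added example, not code from the original post. FIRMWARE, ADDR_PERM and
DATA_PERM are constructed sample values, not any real product's wiring.
"""
import math
from collections import Counter

ADDR_BITS = 8   # toy 256-byte ROM so the address space is fully covered
DATA_BITS = 8

# Constructed wiring: CPU line i is routed to ROM pin PERM[i].
ADDR_PERM = [3, 0, 7, 1, 5, 2, 6, 4]
DATA_PERM = [6, 1, 4, 0, 7, 3, 2, 5]

# Constructed 256-byte image: a short repeated byte pattern plus NOP (0x00) padding.
FIRMWARE = bytes([0x86, 0x10, 0xB7, 0x20, 0x00] * 20 + [0x00] * 156)


def permute_bits(value: int, perm: list[int], width: int) -> int:
    """Move bit i of `value` to bit position perm[i]."""
    out = 0
    for i in range(width):
        if (value >> i) & 1:
            out |= 1 << perm[i]
    return out


def invert(perm: list[int]) -> list[int]:
    """Inverse of a permutation given as a position list."""
    inv = [0] * len(perm)
    for i, p in enumerate(perm):
        inv[p] = i
    return inv


def scramble_rom(firmware: bytes, addr_perm=ADDR_PERM, data_perm=DATA_PERM) -> bytes:
    """Physical image that must be burned so the CPU sees `firmware`:
    CPU address a lands on ROM address permute(a), and each data bit is rerouted."""
    assert len(firmware) == 1 << ADDR_BITS, "image must fill the address space"
    phys = bytearray(len(firmware))
    for a, byte in enumerate(firmware):
        phys[permute_bits(a, addr_perm, ADDR_BITS)] = permute_bits(byte, data_perm, DATA_BITS)
    return bytes(phys)


def unscramble_rom(phys: bytes, addr_perm=ADDR_PERM, data_perm=DATA_PERM) -> bytes:
    """Undo the wiring: apply the inverse permutations. Exists because the
    scheme is a bijection; nothing about it is lossy or keyed beyond the perms."""
    inv_a, inv_d = invert(addr_perm), invert(data_perm)
    fw = bytearray(len(phys))
    for p, byte in enumerate(phys):
        fw[permute_bits(p, inv_a, ADDR_BITS)] = permute_bits(byte, inv_d, DATA_BITS)
    return bytes(fw)


def popcount_histogram(image: bytes) -> Counter:
    """Histogram of per-byte Hamming weights; invariant under both permutations."""
    return Counter(bin(b).count("1") for b in image)


def keyspace_bits(addr_bits: int = ADDR_BITS, data_bits: int = DATA_BITS) -> float:
    """log2 of the number of distinct wiring permutations (the entire 'key space')."""
    return math.log2(math.factorial(addr_bits) * math.factorial(data_bits))


if __name__ == "__main__":
    phys = scramble_rom(FIRMWARE)
    print("image changed by scrambling:", phys != FIRMWARE)
    print("round trip recovers firmware:", unscramble_rom(phys) == FIRMWARE)
    print("hamming-weight histogram preserved:",
          popcount_histogram(phys) == popcount_histogram(FIRMWARE))
    addr_only = scramble_rom(FIRMWARE, data_perm=list(range(DATA_BITS)))
    print("byte multiset preserved under address-only scrambling:",
          Counter(addr_only) == Counter(FIRMWARE))
    print(f"wiring key space: {keyspace_bits():.1f} bits")
```

The histogram invariants are the same ones that make the NOP-on-the-bus observation in the post work: a permutation never changes how many bits are set in a byte, so all-zero padding stays all-zero and the structure of the image survives intact for anyone who obtains a dump.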