Gwern Branwen asks the deceptively simple question "How many computers are in your computer?"
Having defined "computer" as "a Turing-complete device which can be programmed in a usefully general fashion with little or no code running on the 'official' computer," Branwen enumerates the crazily large number of systems in your phone, laptop or server that qualify — which may seem like a mere exercise.
But that's where the other half of Branwen's definition comes in: a computer "is computationally powerful enough to run many programs from throughout computing history and which can be exploited by an adversary for surveillance, exfiltration, or attacks against the rest of the system."
In other words, every one of these computers is a potential weak point in your "computer"'s security.
For a lot of people, BadUSB was a wake-up call on this, and then Bloomberg's controversial story about tiny backdoor chips in server hardware came as an important reminder about all the ways that a computer can be compromised.
But Branwen's list goes so far beyond these components as to be dizzying and somewhat demoralizing. Attacks on any of these "Turing-complete device[s] which can be programmed in a usefully general fashion" represent a huge blind spot in contemporary computer security.
You might think you have just the one large CPU occupying pride of place on your motherboard, and perhaps the GPU too, but the computational power available goes far beyond just the CPU/GPU, for a variety of reasons: transistors and processor cores are so cheap now that it often makes sense to use a separate core for realtime or higher performance, for security guarantees, to avoid having to burden the main OS with a task, for compatibility with an older architecture or existing software package, because a DSP or core can be programmed faster than a more specialized ASIC can be created, or because it was the quickest possible solution to slap down a small CPU and they couldn’t be bothered to shave some pennies. Further, many of these components can be used as computational elements even if they were not intended to be or hide that functionality. (For example, I believe I’ve read that the Commodore 64’s floppy drive’s CPU was used as a source of spare compute power & defeating copy-protection schemes.)
How many computers are in your computer? [Gwern Branwen]
(via Four Short Links)