Abstract
This paper describes the security implications of FPGAs to the Trusted Computing Base of Embedded Systems. It gives an overview of different FPGA architectures and discusses the security measures and shortcoming of modern FPGAs. Furthermore, it shows how an attacker can exploit these shortcomings and integrate rootkit-like code inside the FPGA. After a discussion on possible countermeasures, a description on the different ways a rootkit can be deployed into the FPGA is given.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Instat, FPGA shipments to reach $2.75 bln by 2010, 2006 http://www.instat.com/press.asp?Sku=IN0603187SI&ID=1674 (09.10.2008)
T. Wollinger and C. Paar, How secure Are FPGAs in cryptographic applications? (long version),FPL 2004: Proceedings Field Programmable Logic and Applications, 2004, pp. 707–711.
J.W. Lockwood et al., An Extensible, System-On-Programmable- Chip Content-Aware Internet Firewall, Field Programmable Logic and Applications (FPL), 2003.
R.J. Anderson, Security engineering (Wiley, Indianapolis, 2008).
Trusted Computing Group,https://www.trustedcomputinggroup.org/home (accessed 09.10.2008).
J. Heasman, "Implementing and Detecting an ACPI Rootkit,", www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Heasman.pdf (09.10.2008).
J. Heasman, Implementing and Detecting a PCI Rootkit, www.ngssoftware.com/research/papers/Implementing_And_Detecting_A_PCI_Rootkit.pdf (accessed 09.10.2008).
G. Hoglund and J. Butler, Rootkits (Addison-Wesley, Upper Saddle River, 2006).
rootkit.com, http://www.rootkit.com/ (accessed 09.10.2008).
T. Kean, Cryptographic rights management of FPGA intellectual property cores, FPGA ’02: Proceedings of the 2002 ACM/SIGDA tenth international symposium on Fieldprogrammable gate arrays, ACM Press, 2002, pp. 113–118.
K. Chapman, Low Cost Design Authentication for Spartan-3E FPGAs, Xilinx Inc.
C. Baetoniu and S. Sheth, “XAPP780: FPGA IFF copy protection using Dallas Semiconductor/Maxim DS2432 Secure EEPROM,” Xilinx Inc., 2005.
K. Chapman, Reading Spartan-3A Device DNA,Xilinx Inc.
Altera Corp, FPGA design security solution using MAX II devices, Altera Corp., 2004.
S.B. Ors, E. Oswald and B. Preneel, Power-analysis attacks on an FPGA – first experimental results, Cryptographic Hardware and Embedded Systems Workshop 2003.
S. Mangard, E. Oswald and T. Popp, Power Analysis Attacks (Springer Science+Business Media, LLC, 2007).
C.W. Tseng, Lock Your Designs with the Virtex-4 SecuritySolution, XCell Journal, vol. 52
Xilinx,Virtex-5 FPGA Configuration User Guide, Xilinx.
Altera Corp., Protecting Intellectual Property through FPGA Design Security,http://www.altera.com/literature/ads/fpgadesignsecurity.pdf(accessed 09.10.2008).
H.Wu,The Misuse of RC4 in Microsoft Word and Excel",http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.59.5446 (09.10.2008).
G. Hoglund and G. McGraw, Exploiting software (Addison-Wesley, Boston, 2004).
G. Hoglund, A $*$REAL$*$ NT Rootkit, patching the NT Kernel, www.phrack.com/issues.html?issue=55&id=5(accessed 09.10.2008).
S. Drimer, Authentication of FPGA Bitstreams: Why and How, Applied Reconfigurable Computing, Springer, 2007, pp. 73–84.
G. Crow, Advanced Security Schemes for Spartan-3A/3AN/3A DSP FPGAs, www.xilinx.com/support/documentation/white_papers/wp267.pdf (09.10.2008).
C. Kao, Benefits of Partial Reconfiguration; XCell Journal, vol. 55, 2005.
M. Hübner and J. Becker, “Tutorial on Macro Design for Dynamic and Partially Reconfigurable Systems”,RC-Education 2006, 2006.
Xilinx Inc.Spartan-3 Generation Configuration User Guide, 2006.
M. Schumacher, Security patterns (Wiley, Chichester,2006).
M. Kucera and M. Vetter, A Generic Framework to Enforce Access Control in FPGAs with Dynamic Reconfiguration, Software Engineering and Applications, ActaPress, 2007.
W.S.G. Gosset, “Atmel AT40k/94k Configuration Format Documentation,”2005, http://groups.google.com/group/comp.arch.fpga/msg/a90fca82aafe8e2b (accessed 09.10.2008).
A. Megacz, “A library and platform for FPGA bitstream Manipulation,” Field- Programmable Custom Computing Machines Symposium, 2007, pp. 45–54.
J. Note and E. Rannaud, From the bitstream to the netlist, Departement d‘informatique Ecole Normale Superieure, 2007.
K. Nohl, D. Evans and H. Plötz, Reverse-Engineering a Cryptographic RFID Tag, USENIX Security Symposium, 2008.
S. Mangard, E. Oswald and T. Popp, Power analysis attacks,(Springer, Boston,2007).
Xilinx Inc, Chipscope pro, http://www.xilinx.com/ise/optional_prod/cspro.htm (accessed 09.10.2008).
I. Hadizc, S. Udani and M.S. Smith, FPGA Viruses, Lecture Notes in Computer Science, vol. 1673, 1999, pp. 291–300.
R. Lemos, “World of Warcraft hackers using Sony BMG rootkit,” 2005, http://www.securityfocus.com/brief/34 (accessed 09.10.2008). K. Thompson, Reflections on Trusting Trust, Communications of the. ACM, vol. 27, no. 8, 1984, pp. 761–763.
K. Thompson, Reflections on Trusting Trust, Communications of the. ACM, vol. 27, no. 8, 1984, pp. 761–763
A. One, Smashing The Stack For Fun And Profit, Phrack, vol. 7, no. 49, 1996,http://insecure.org/stf/smashstack.html(accessed 09.10.2008)
J. Williams and N. Bergmann, Embedded Linux as a platform for dynamically selfreconfiguring systems-on-chip, (09.10.2008), URL:www.linuxdevices.com/articles/AT7708331794.html
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 Springer Science+Business Media B.V.
About this chapter
Cite this chapter
Kucera, M., Vetter, M. (2009). FPGA-Rootkits. In: Martínez Madrid, N., Seepold, R.E. (eds) Intelligent Technical Systems. Lecture Notes in Electrical Engineering, vol 38. Springer, Dordrecht. https://doi.org/10.1007/978-1-4020-9823-9_19
Download citation
DOI: https://doi.org/10.1007/978-1-4020-9823-9_19
Publisher Name: Springer, Dordrecht
Print ISBN: 978-1-4020-9822-2
Online ISBN: 978-1-4020-9823-9
eBook Packages: EngineeringEngineering (R0)