• Markus Kucera
  • Michael Vetter
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 38)


This paper describes the security implications of FPGAs to the Trusted Computing Base of Embedded Systems. It gives an overview of different FPGA architectures and discusses the security measures and shortcoming of modern FPGAs. Furthermore, it shows how an attacker can exploit these shortcomings and integrate rootkit-like code inside the FPGA. After a discussion on possible countermeasures, a description on the different ways a rootkit can be deployed into the FPGA is given.


Security FPGA Rootkits Trusted computing 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Instat, FPGA shipments to reach $2.75 bln by 2010, 2006 (09.10.2008)
  2. 2.
    T. Wollinger and C. Paar, How secure Are FPGAs in cryptographic applications? (long version),FPL 2004: Proceedings Field Programmable Logic and Applications, 2004, pp. 707–711.Google Scholar
  3. 3.
    J.W. Lockwood et al., An Extensible, System-On-Programmable- Chip Content-Aware Internet Firewall, Field Programmable Logic and Applications (FPL), 2003.Google Scholar
  4. 4.
    R.J. Anderson, Security engineering (Wiley, Indianapolis, 2008).Google Scholar
  5. 5.
    Trusted Computing Group, (accessed 09.10.2008).
  6. 6.
    J. Heasman, "Implementing and Detecting an ACPI Rootkit,", (09.10.2008).
  7. 7.
    J. Heasman, Implementing and Detecting a PCI Rootkit, (accessed 09.10.2008).
  8. 8.
    G. Hoglund and J. Butler, Rootkits (Addison-Wesley, Upper Saddle River, 2006).Google Scholar
  9. 9., (accessed 09.10.2008).
  10. 10.
    T. Kean, Cryptographic rights management of FPGA intellectual property cores, FPGA ’02: Proceedings of the 2002 ACM/SIGDA tenth international symposium on Fieldprogrammable gate arrays, ACM Press, 2002, pp. 113–118.Google Scholar
  11. 11.
    K. Chapman, Low Cost Design Authentication for Spartan-3E FPGAs, Xilinx Inc.Google Scholar
  12. 12.
    C. Baetoniu and S. Sheth, “XAPP780: FPGA IFF copy protection using Dallas Semiconductor/Maxim DS2432 Secure EEPROM,” Xilinx Inc., 2005.Google Scholar
  13. 13.
    K. Chapman, Reading Spartan-3A Device DNA,Xilinx Inc.Google Scholar
  14. Altera Corp, FPGA design security solution using MAX II devices, Altera Corp., 2004.Google Scholar
  15. 15.
    S.B. Ors, E. Oswald and B. Preneel, Power-analysis attacks on an FPGA – first experimental results, Cryptographic Hardware and Embedded Systems Workshop 2003.Google Scholar
  16. 16.
    S. Mangard, E. Oswald and T. Popp, Power Analysis Attacks (Springer Science+Business Media, LLC, 2007).Google Scholar
  17. 17.
    C.W. Tseng, Lock Your Designs with the Virtex-4 SecuritySolution, XCell Journal, vol. 52Google Scholar
  18. 18.
    Xilinx,Virtex-5 FPGA Configuration User Guide, Xilinx.Google Scholar
  19. 19.
    Altera Corp., Protecting Intellectual Property through FPGA Design Security, 09.10.2008).
  20. 20.
    H.Wu,The Misuse of RC4 in Microsoft Word and Excel", (09.10.2008).
  21. 21.
    G. Hoglund and G. McGraw, Exploiting software (Addison-Wesley, Boston, 2004).Google Scholar
  22. 22.
    G. Hoglund, A $*$REAL$*$ NT Rootkit, patching the NT Kernel, 09.10.2008).
  23. 23.
    S. Drimer, Authentication of FPGA Bitstreams: Why and How, Applied Reconfigurable Computing, Springer, 2007, pp. 73–84.Google Scholar
  24. 24.
    G. Crow, Advanced Security Schemes for Spartan-3A/3AN/3A DSP FPGAs, (09.10.2008).
  25. 25.
    C. Kao, Benefits of Partial Reconfiguration; XCell Journal, vol. 55, 2005.Google Scholar
  26. 26.
    M. Hübner and J. Becker, “Tutorial on Macro Design for Dynamic and Partially Reconfigurable Systems”,RC-Education 2006, 2006.Google Scholar
  27. 27.
    Xilinx Inc.Spartan-3 Generation Configuration User Guide, 2006.Google Scholar
  28. 28.
    M. Schumacher, Security patterns (Wiley, Chichester,2006).Google Scholar
  29. 29.
    M. Kucera and M. Vetter, A Generic Framework to Enforce Access Control in FPGAs with Dynamic Reconfiguration, Software Engineering and Applications, ActaPress, 2007.Google Scholar
  30. 30.
    W.S.G. Gosset, “Atmel AT40k/94k Configuration Format Documentation,”2005, (accessed 09.10.2008).
  31. 31.
    A. Megacz, “A library and platform for FPGA bitstream Manipulation,” Field- Programmable Custom Computing Machines Symposium, 2007, pp. 45–54.Google Scholar
  32. 33.
    J. Note and E. Rannaud, From the bitstream to the netlist, Departement d‘informatique Ecole Normale Superieure, 2007.Google Scholar
  33. 33.
    K. Nohl, D. Evans and H. Plötz, Reverse-Engineering a Cryptographic RFID Tag, USENIX Security Symposium, 2008.Google Scholar
  34. 34.
    S. Mangard, E. Oswald and T. Popp, Power analysis attacks,(Springer, Boston,2007).Google Scholar
  35. 35.
    Xilinx Inc, Chipscope pro, (accessed 09.10.2008).
  36. 36.
    I. Hadizc, S. Udani and M.S. Smith, FPGA Viruses, Lecture Notes in Computer Science, vol. 1673, 1999, pp. 291–300.Google Scholar
  37. 37.
    R. Lemos, “World of Warcraft hackers using Sony BMG rootkit,” 2005, (accessed 09.10.2008). K. Thompson, Reflections on Trusting Trust, Communications of the. ACM, vol. 27, no. 8, 1984, pp. 761–763.
  38. 38.
    K. Thompson, Reflections on Trusting Trust, Communications of the. ACM, vol. 27, no. 8, 1984, pp. 761–763Google Scholar
  39. 39.
    A. One, Smashing The Stack For Fun And Profit, Phrack, vol. 7, no. 49, 1996, 09.10.2008)
  40. 40.
    J. Williams and N. Bergmann, Embedded Linux as a platform for dynamically selfreconfiguring systems-on-chip, (09.10.2008),

Copyright information

© Springer Science+Business Media B.V. 2009

Authors and Affiliations

  • Markus Kucera
    • 1
  • Michael Vetter
    • 1
  1. 1.University of Applied Sciences RegensburgRegensburgGermany

Personalised recommendations