A Hijacker’s Guide to the LPC Bus

  • Johannes Winter
  • Kurt Dietrich
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7163)


In this paper, we analyze the communication mechanism of trusted platform modules via the low-pin-count bus. While the trusted platform module is considered to be tamper resistant, the communication channel between this module and the rest of the trusted platform turns out to be comparatively insecure. It has been shown that passive attacks can be mounted on the TPM and its bus communication with fairly inexpensive equipment, however, similar active attacks have not been reported, yet. We tackle this problem and show how the communication on the LPC bus can be actively manipulated with simple and inexpensive equipment. Moreover, we show how our manipulation can be used to circumvent the chain of trust provided by trusted platforms.


Clock Cycle Address Space Trusted Platform Module Direct Memory Access Frame Signal 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    AMD: Amd64 architecture programmer’s manual. System programming, vol. 2 (2007),, publication No. 24593; Revision 3.14
  2. 2.
    Chen, L., Ryan, M.: Attack, Solution and Verification for Shared Authorisation Data in TCG TPM. In: Degano, P., Guttman, J.D. (eds.) FAST 2009. LNCS, vol. 5983, pp. 201–216. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  3. 3.
    Cihula, J., Wei, J., Wang, S.: Trusted Boot (2007),
  4. 4.
    Corp., I.: Intel trusted execution technology. software development guide (2008),, document Number: 315168-005
  5. 5.
    Grawrock, D.: Dynamics of a Trusted Platform: A Building Block Approach. Intel Press (2009)Google Scholar
  6. 6.
    TCG Group, TPM Working Group: TPM Main Part 1 Design Principles (July 9, 2007), Specification available online at:, specification version 1.2 Level 2 Revision 103
  7. 7.
    Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W.: Lest we remember: cold-boot attacks on encryption keys. Commun. ACM 52(5), 91–98 (2009)CrossRefGoogle Scholar
  8. 8.
    Intel: Intel Low Pin Count (LPC) Interface Specification, revision 1.1 (August 2002),
  9. 9.
    Intel: Intel i/o controller hub 10 (ich10) family datasheet (October 2008)Google Scholar
  10. 10.
    Kauer, B.: OSLO: improving the security of trusted computing. In: Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, pp. 16:1–16:9. USENIX Association, Berkeley (2007), Google Scholar
  11. 11.
    Krautheim, F., Phatak, D., Sherman, A.: Introducing the Trusted Virtual Environment Module: A New Mechanism for Rooting Trust in Cloud Computing. In: Acquisti, A., Smith, S.W., Sadeghi, A.-R. (eds.) TRUST 2010. LNCS, vol. 6101, pp. 211–227. Springer, Heidelberg (2010),, doi:10.1007/978-3-642-13869-0_14CrossRefGoogle Scholar
  12. 12.
    Lawson, N.: TPM hardware attacks (part 2), Blog posting archived at:
  13. 13.
    Avnet electronics marketing: Spartan-3e evaluation kit from avnet, Product folder available online at:, product annoncement of ADS-XLX-SP3E-EVL100 board in Xilinx Xcell Journal Issue #53
  14. 14.
    McCune, J.M., Parno, B.J., Perrig, A., Reiter, M.K., Isozaki, H.: Flicker: an execution infrastructure for tcb minimization. In: Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems, Eurosys 2008, pp. 315–328. ACM, New York (2008), CrossRefGoogle Scholar
  15. 15.
    Pirker, M., Toegl, R., Gissing, M.: Dynamic Enforcement of Platform Integrity. In: Acquisti, A., Smith, S.W., Sadeghi, A.-R. (eds.) TRUST 2010. LNCS, vol. 6101, pp. 265–272. Springer, Heidelberg (2010),, doi:10.1007/978-3-642-13869-0_18CrossRefGoogle Scholar
  16. 16.
    Schellekens, D., Preneel, B., Kursawe, K.: Analyzing trusted platform communication,
  17. 17.
    Sparks, E.R.: A Security Assessment of Trusted Platform Modules. Tech. rep., Department of Computer Science, Dartmouth College, Hanover, NH 03755, USA (June 28, 2007)Google Scholar
  18. 18.
    Sparks, E.R., et al.: TPM Reset Attack,
  19. 19.
    Tarnovsky, C.: Hacking the Smartcard Chip, presentation archived at:
  20. 20.
    Trusted Compuring Group: TCG Specification Architecture Overview, revision 1.4 (August 2, 2007),
  21. 21.
    Trusted Computing Group: TCG PC Client Specific TPM Interface Specification (TIS), version 1.2 FINAL. For TPM Family 1.2; Level 2 (July 11, 2005),
  22. 22.
    Winter, J.: Eavesdropping Trusted Platform Module Communication (July 2009), presented at 4th European Trusted Infrastructure Summerschool (ETISS) (2009), Slides and report are available online at:

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Johannes Winter
    • 1
  • Kurt Dietrich
    • 1
  1. 1.Institute for Applied Information Processing and CommunicationsGraz University of TechnologyGrazAustria

Personalised recommendations