The IT Law Wiki


Firmware (also called ROM chip)

is applied to computer programs that are stored in a type of memory (a ROM) that can in general only be read, not erased or changed easily. Firmware are chips that contain information beyond the minimum necessary to turn on the computer. They contain attributes of both hardware and software. Like hardware, they are integral to the machine as a form of circuitry through which electric current passes directly. But, like software, they do serve as repositories for computer instructions in object code. Firmware is used both for protection and for higher speed.[1]
[the] combination of a hardware device and computer instructions and/or computer data that reside as read-only software on the hardware device.[2]
[s]oftware that is embedded in a hardware device that allows reading and executing the software, but does not allow modification, e.g., writing or deleting data by an end user.[3]

Operating system

Some firmware may be part of the operating system (OS) kernel (i.e., the core of a computer OS that provides basic services for all other parts of the OS) and may execute in privileged mode. In some cases, firmware provides an interface to the rest of the OS so that the system can operate the device. In other instances, firmware is executed during the computer’s boot process (i.e., when the OS is loaded into the computer’s main memory or random access memory) — for example, the Basic Input/Output System (BIOS), which executes before the OS is loaded. Other firmware resides on peripheral devices, allowing the OS to use the devices effectively.

Security issues

Malicious firmware that has unrestricted access to system components (e.g., if it is part of the OS kernel) has considerable potential to cause harm, introduce backdoor access (an undocumented way of gaining access to a computer, program, or service), install new software, or modify existing software. If the underlying hardware and firmware cannot be trusted, then the OS and application security mechanisms also cannot be trusted.

One notable example of an attack against firmware is the Chernobyl virus (also referred to as the CIH virus, after the author’s initials); first discovered in Taiwan in June 1998, it destroys a system’s flash BIOS, resulting in lost data.


  1. U.S. Copyright Office, Compendium of Copyright Office Practices II, §326 (1984). See also DSC Com. Corp. v. DGI Tech., Inc., 898 F. Supp. 1183, 1186, 37 U.S.P.Q.2d (BNA) 1496 (N.D. Tex. 1995); In re Bradley, 600 F.2d 807, 810 n.3, 202 U.S.P.Q. (BNA) 480 (C.C.P.A. 1979), aff’d sub nom. Diamond v. Bradley, 450 U.S. 381, 209 U.S.P.Q. (BNA) 97 (1981).
  2. SMC Standard SMC-S-012 (“Software Development Standard for Space Systems”) (June 13, 2008).
  3. The Smart Grid and Cybersecurity: Regulatory Policy and Issues, at 8 n.34.
