APU/GPGPU-BASED SECURITY SOLUTIONS
Vikenty Frantsev
ALTELL
CEO
3 | APU/GPGPU-Based Security Solutions June 2011
ALTELL: KEY FACTS
Core business: IT security, software development, network appliances design & manufacturing
Founded: Year 2006
Vertical markets served: telecommunications; financial & banking institutions; insurance companies; medicine; federal & municipal authorities
Partnership with AMD started in 2008
Current engagements:
– Embedded: RTOS, routers based on G34 CPUs – offered in Europe
– IBV (Independent BIOS Vendor) – UEFI BIOS for Ontario & G34
– OpenCL library development for AMD
ALTELL: CORE IP
• ALTELL has extensive expertise in network & security
• ALTELL has a software stack for a complete secure computer system (Secure BIOS, Virtualization Suite, seOS RTOS, Network & Crypto Libraries, seOS OS)
– Secure BIOS with virtualization capabilities – ensures security and control at boot, prevents intrusions, allows isolation of secure and non-secure machines
– Virtualization environment – isolates secure and non-secure machines, prevents intrusions
– Microkernel-based operating system (RTOS for network appliances) – guarantees security of I/O, prevents intrusions
– Encryption and security tools – crypto libraries, DPI, DLP, antivirus, antispam, packet routing etc. – guarantee security of received/transmitted data
EVOLUTION OF COMPUTER/DATA SECURITY
PRESENT
• Only a small part of data is encrypted
• Large segments of corporate and personal data are transferred over open channels
• No encryption for the majority of video and voice data
CHALLENGES
• Network speed and capacity
• Computational overhead associated with encryption (especially on the client side)
• Cost – ASIC-based solutions
FUTURE
• All data is encrypted
• Video and voice data transferred over secure, encrypted channels
OPPORTUNITIES
• GPGPU and Fusion development
• Broadband - WiMax, LTE, etc.
• Development of OpenCL, CUDA
NEW MARKET - CLIENT SECURITY
Past
– Security needs: Limited personal/business data are stored on a mobile computer. Limited connectivity to public network. Security threats are not fully understood
– Hardware and technology enablers: Desktop/laptop equipped with a CPU. Encryption done by the CPU – VPN at 2 Mb/sec. Antivirus SW is run on the CPU
– Software: Antivirus SW, VPN
Now
– Security needs: Significant amount of personal/business data is stored on a mobile computer and remote servers. Pervasive connectivity to public networks. Growing need for secure communications and data protection on a client device
– Hardware and technology enablers: Desktop/laptop equipped with a CPU/GPU combination. GPUs are becoming more and more power efficient, enabling their use as security processors. 0.5 Gb/sec
– Software: Antivirus, antispam SW, growing acceptance of the unified threat management (UTM) concept – encryption, packet inspection, attack prevention – growing security SW market
Future
– Security needs: Majority of personal/business data is stored on remote servers. Pervasive connectivity to public networks. Secure communications and data protection are a must
– Hardware and technology enablers: Device equipped with a Fusion APU. The GPU cores of an APU are used as security/network processors. AMD Fusion (2011), Intel Sandy Bridge (2011), Apple A4 SGX543
– Software: UTM is a must. Pervasive use of security software – encryption, DPI, DLP etc.
We target these segments in the client space
DATA ENCRYPTION SOLUTIONS
CURRENT
– Data are partially encrypted
– Legal issues & prohibitions; export/import regulations
– Proprietary hardware-based crypto solutions; often incompatible with each other. Despite their high performance, HW-based solutions cannot be upgraded. Highly priced.
– Software-based solutions can be upgraded, but cannot compete with specialized ASICs.
FUTURE
– All data are encrypted
– Transition to digital document flow & digitally signed documents
– ALTELL’s solution utilizes the advantages of the Fusion architecture with the help of the OpenCL framework. Using task-based and data-based parallelism, ALTELL’s solution drastically speeds up all crypto operations, beating even hardware-based solutions and network processors.
– APU-based solution can be upgraded
EXISTING CRYPTO SOLUTIONS
The competitive landscape of crypto market:
– Hardware-based solutions
Pro: High performance; crypto operations are
isolated from OS
Cons: High cost of ownership; non-upgradable
– Software-based solutions
Pro: Upgradable; low cost of ownership; can be implemented anywhere
Cons: Slow; SW crypto modules can be compromised
NEEDS AND SOLUTIONS
Facts
– Use of x86 for certain tasks bears a prohibitive computational cost
– There is a customer-driven need for hardware flexibility (programmability) at low cost
Solutions
– Intel – instructions integrated on the die – AES encryption (up to 200 Mb/sec on Xeon CPUs), FPGA combined with an x86 processor on a board
– Apple, AMD, NVidia – GPGPU (OpenCL, CUDA, Apple A4 SGX543)
– AMD – Fusion architecture
VISION
The Fusion architecture offers customers a powerful, low-cost and energy-efficient programmable device
The GPU part of an APU can be used for a variety of tasks such as security, compression, networking, video etc.
The Fusion architecture creates many new possibilities in existing markets and will create new applications and markets
We believe that there will be an explosive demand for SW for heterogeneous architectures
WHY IS SECURITY THE APPLICATION OF CHOICE?
Market perception of the Fusion concept is that it is mostly limited to graphics and HPC
These markets are limited to gaming enthusiasts and HPC specialists
Using the Fusion concept for security provides ways to expand the Fusion appeal to the mainstream consumer, commercial enterprise and embedded markets
We believe that there are mutual benefits for AMD in the security space
Network & security IP gives us a significant advantage over competitors in time-to-market
OPPORTUNITIES
Fusion technology (or a CPU/GPU combination) enables development of cost-efficient programmable security/network systems using the GPU as a security/network co-processor
Fusion security systems can provide up to 250% speed improvement and more than 1000% performance/$ improvement over existing systems based on specialty silicon
Markets
Embedded/network security – GPGPU/Fusion-based security systems can become a pervasive alternative to existing specialized hardware solutions. Fusion systems implemented on standard silicon can offer significant cost and performance advantages. These systems offer unparalleled flexibility and could offer a competitive edge in several large regional markets (China, Russia, Brazil, ME). A GPU core in this case serves as an efficient and programmable network/security co-processor (100 M TAM, est)
Enterprise and consumer client market – Fusion architecture will create a new market for security solutions on the client side of the computer business. Existing HW and SW systems are not well suited for client applications due to performance and cost restrictions. Fusion systems developed on standard silicon provide a fast and cost-efficient solution for the space. (1 B TAM, est)
Server market – The GPGPU/Fusion security approach can be used with any CPU/GPU combination. This is a significant opportunity in the server (cloud server) market (200 M TAM, est)
OPENCL SOLUTION: USAGE SCENARIOS
GPGPU can be used in telecommunication devices and servers for a wide range of applications:
Fast packet processing that can be used for high-load firewall appliances. For example, a 10G link will lose 10% of bandwidth with 10 FW rules and about 50% of bandwidth with only 50 rules. The CPU has to deal with a large number of packets that must be processed. Packet processing requires quite simple checks with limited branches, and this task is very well suited to OpenCL and GPGPU.
Data compression/decompression. For high-load devices with many incoming and outgoing requests, data compression becomes a bottleneck. Data compression can be used in VPN tunnels, network services (www servers, etc.), content inspection software (IDS/IPS, antivirus, antispam).
Data encryption and decryption is widely used in network devices and appliances, as well as in network servers. As connection speeds keep growing, encryption speed becomes an issue. Turning the GPU into a cryptoprocessor can provide a solution suitable for the whole market (network, server and client).
Deep packet inspection that can be used in IPS/IDS (Intrusion Prevention/Detection Systems). Nowadays, IPS/IDS performance leaves much to be desired because of high-speed connections and the large volume of traffic generated by users, while packet inspection is a very resource-hungry task (typically, it requires pattern matching against a huge database of signatures). GPGPU and OpenCL can speed up packet inspection up to 3x at least.
Antivirus protection. Again, as in the deep packet inspection case, antivirus protection requires pattern matching against a database of signatures of viruses, trojan horses and other scumware.
Packet routing. Core/border routers have to deal with thousands or millions of gateway records, and a low-performance router reduces the speed of the network. OpenCL applications should improve the situation.
Data Loss Prevention. Content inspection & pattern matching used by modern DLP systems require substantial computational power. Typically, general-purpose CPUs are used for this purpose. DLP performance can be improved by offloading the CPU and processing the data with GPGPU.
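The firewall scenario above rests on per-packet checks being simple and nearly branch-free. As an added example (not code from this presentation or from ALTELL), the C code below evaluates a first-match rule table without data-dependent branches, the form that maps onto one OpenCL work-item per packet. The header and rule layouts, the rule set and the packets are constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Constructed header and rule layout for illustration (not from the deck). */
typedef struct { uint32_t src, dst; uint16_t dport; uint8_t proto; } pkt_t;
typedef struct {
    uint32_t src, src_mask, dst, dst_mask;
    uint16_t dport_lo, dport_hi; uint8_t proto, action;   /* proto 0 = any */
} rule_t;
enum { ACT_DROP = 0, ACT_ACCEPT = 1 };
#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
/* Each test yields 0 or 1 and is combined with bitwise &, so the source has
 * no data-dependent branch: every work-item follows the same path. */
static uint32_t rule_matches(const pkt_t *p, const rule_t *r) {
    uint32_t m = ((p->src ^ r->src) & r->src_mask) == 0;
    m &= ((p->dst ^ r->dst) & r->dst_mask) == 0;
    m &= (p->dport >= r->dport_lo) & (p->dport <= r->dport_hi);
    m &= (r->proto == 0) | (p->proto == r->proto);
    return m;
}

/* Per-packet work. Rules are scanned last to first so the earliest match is
 * applied last and wins; all rules are visited, so cost grows with rule count. */
static uint8_t classify_one(const pkt_t *p, const rule_t *rules, size_t n_rules) {
    uint8_t verdict = ACT_DROP;   /* default when no rule matches */
    for (size_t i = n_rules; i-- > 0; ) {
        uint8_t sel = (uint8_t)(0u - rule_matches(p, &rules[i]));   /* 0x00 or 0xFF */
        verdict = (uint8_t)((rules[i].action & sel) | (verdict & (uint8_t)~sel));
    }
    return verdict;
}

/* CPU stand-in for the kernel launch; in OpenCL, i would be get_global_id(0). */
void classify_batch(const pkt_t *pk, size_t n, const rule_t *r, size_t nr, uint8_t *out) {
    for (size_t i = 0; i < n; i++) out[i] = classify_one(&pk[i], r, nr);
}
/* Constructed sample rules and packets. */
const rule_t RULES[] = {
    { IP(10,0,0,0), 0xFF000000u, 0, 0, 443, 443, 6, ACT_ACCEPT },   /* TCP 443 from 10/8 */
    { 0, 0, IP(192,168,1,0), 0xFFFFFF00u, 0, 65535, 0, ACT_DROP },  /* any to 192.168.1/24 */
    { 0, 0, 0, 0, 53, 53, 17, ACT_ACCEPT },                         /* UDP 53 */
};
const pkt_t PKTS[] = {
    { IP(10,1,2,3),   IP(198,51,100,7), 443, 6 },   /* matches rule 0 */
    { IP(10,1,2,3),   IP(192,168,1,9),  53, 17 },   /* rules 1 and 2 match; 1 wins */
    { IP(172,16,0,5), IP(198,51,100,7), 53, 17 },   /* matches rule 2 */
    { IP(172,16,0,5), IP(198,51,100,7), 22, 6 },    /* no rule: default action */
};
int main(void) {
    uint8_t v[4];
    classify_batch(PKTS, 4, RULES, 3, v);
    for (int i = 0; i < 4; i++) printf("packet %d: %s\n", i, v[i] ? "ACCEPT" : "DROP");
    return 0;
}
```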
SOLUTION BASED ON OpenCL / GPGPU
[Diagram: GPGPU / Fusion, OpenCL, security libraries, data storage, data transfer]
A Fusion based system utilizes computational power of GPGPU or Fusion architecture, enabling ultra-fast
crypto & security operations. Effectively, it turns an APU/GPGPU into a programmable security
(co)processor. This approach overcomes problems of pure hardware (our solution is cost efficient and
programmable) or pure software solutions (our solution is fast and energy efficient)
PROPOSED SUITE OF DEVTOOLS & SW STACKS
HW Solutions: FUSION / GPGPU
Operating Systems: Linux, Windows, iOS, etc.
SDKs: Software Development Kit for OpenCL (OS, Tools, Libraries, Drivers, APIs)
Software Stacks and Libraries:
• Crypto
• Compression
• TCP
• IP
• SSL
• SSL VPN
• IPSec/IKE
• Secure BIOS
• Antivirus
• Antispam
• Wireless security
• IDS/IPS
DEVELOPMENT STAGES
Implementation of: AES / hash function / random number generator / OpenSSL
TLS / IPSec / other cryptographic algorithms
Regular expressions / Deep packet inspection / Compression/Decompression
AV / AS / IPS-IDS solutions
MULTICORE X86 CRYPTO SOLUTION
The solution utilizes the computational power of a multicore architecture, allowing ultra-fast crypto operations to be performed. During encryption/decryption operations, data is processed in several parallel streams, allowing high performance to be achieved without specialized ASICs. IPsec AES 128 ECB performance: 6 Gbit/s on Dual Opteron 12 Cores.
OpenCL CRYPTO SOLUTION
[Diagram: Kernel Space Driver, GPU]
PROOF OF CONCEPT
Prototype encryption system working on a GPU. The preliminary results are (all rates in Gbit/s):

Block size   AES enc.   AES enc.   SHA-256    SHA-256   3DES enc.   3DES enc.
(bytes)      CPU only   GPU        CPU only   GPU       CPU         GPU
512          0.52       0.06       0.13       0.59      0.16        1.64
1024         0.54       0.14       0.14       0.85      0.17        1.64
4096         0.54       0.73       0.14       1.51      0.17        1.83
16384        0.54       1.48       0.14       1.67      0.17        2.01
32768        0.54       2.7        0.14       1.81      0.17        2.54

In this test the measured quantity was the time required to encrypt one block with the AES 128 and 3DES algorithms in CBC mode, and to calculate the hash function. The start time was taken as the time EVP_CipherUpdate() was called; the end time was the time of return from this routine. The hardware was an AMD Phenom™ II 810 2.6 GHz/2Gb memory & HD5770 GPU combination. Optimization of the system and its implementation on true Fusion silicon is expected to bring the encryption rate to 2 Gbps (AMD Ontario). Larger improvements are expected for AMD Llano based systems.
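PRODUCTS & TARGET CUSTOMERS
Client
– Products: OpenCL Security Library (Regular expressions / Deep packet inspection / Compression / Encryption); BIOS GPGPU Encryption/VPN Module; Security Suite: AV / AS / IPS-IDS solutions
– End customers: OEMs, Enterprise, Consumers
Network
– Products: OpenCL Security Library (Regular expressions / Deep packet inspection / Compression / Encryption); OpenCL Network Library; Security Suite: AV / AS / IPS-IDS solutions
– End customers: OEMs, Enterprise
Server
– Products: OpenCL Security Library (Regular expressions / Deep packet inspection / Compression / Encryption); Security Suite: AV / AS / IPS-IDS solutions
– End customers: OEMs, Enterprise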
CLIENT PLAN
Customers - OEMs, Enterprise, Consumers
Products
– OpenCL Security Library: Regular expressions / Deep packet inspection / Compression / Encryption
– BIOS GPGPU Encryption/VPN Module
– Security Suite: AV / AS / IPS-IDS solutions
Revenue generation
– OEMs pay royalties for the BIOS security module
– Enterprise and consumer clients pay license fees for use of the GPGPU/Fusion security SW
Target hardware
– Full HD secure video/computing terminal
– Secure laptop with encryption and Antivirus scanning – Ontario
– Secure tablet
APU / GPGPU ANTIVIRUS SOLUTION
[Diagram: Kaspersky Lab, Trend Micro, Symantec, …; OpenCL-optimized engine, runs on APU/GPGPU with multiple antivirus/antispam databases; on-access scan, on-demand scan]
Process efficiencies offered by Fusion APU or GPGPU provide an opportunity to perform on-access/on-demand antivirus/antispam scanning on a client/network device.
The OpenCL framework opens a path to offer this solution to a broad range of hardware platforms and client devices.
Advantages over traditional antivirus solutions:
– Up to 10x faster
– Extremely effective: multiple virus signature databases ensure 99.999% reliability
– Option to choose virus signature databases from different vendors
NETWORK PLAN
Customers - OEMs, Enterprise
Products
– OpenCL Security Library: Regular expressions / Deep packet inspection / Compression / Encryption
– OpenCL Network Library
– Security Suite: AV / AS / IPS-IDS solutions
Revenue generation
– OEMs pay one-time fees and royalties for the OpenCL encryption and network libraries (IP Infusion model)
– Enterprise clients pay license fees for use of the GPGPU/Fusion security SW
Target hardware
– Fusion router with encryption – Ontario/Llano
– Secure WiFi router – Ontario/Llano
PERFORMANCE: CAVIUM OCTEON VS AMD LLANO (ESTIMATES)

                              CAVIUM OCTEON CN5860                       AMD Fusion Llano (projected)
CPU Frequency                 750 MHz                                    3000 MHz
Number of cores               16                                         4
ASP, USD                      850$                                       100$
SSL AES-128 64B encryption    8.46 Gbps                                  10 Gbps
IPv4 FWD Performance          20 Gbps (limited by IO)                    50 Gbps
IPS/IDS Performance           4.4 Gbps (limited by RLDRAM2 bandwidth)    8 Gbps
Antivirus Performance         4.4 Gbps (limited by RLDRAM2 bandwidth)    8 Gbps
Compression Performance       10 Gbps                                    16 Gbps

Fusion security systems are projected to provide up to 250% speed improvement and more than 1000% performance/$ improvement over existing specialty silicon solutions
SERVER PLAN
Customers - OEMs, Enterprise
Products
– OpenCL Security Library: Regular expressions / Deep packet inspection / Compression / Encryption
– Security Suite: AV / AS / IPS-IDS solutions
Revenue generation
– OEMs pay one-time fees and royalties for the OpenCL encryption library
– Enterprise clients pay license fees for use of the GPGPU/Fusion security SW
Target hardware
– GPGPU based secure server – Opteron/GPGPU
– Multiple APU Volume encryption server (similar to the SeaMicro approach) – Ontario/Llano
Disclaimer & Attribution
The information presented in this document is for informational purposes only and may contain technical inaccuracies, omissions and typographical errors.
The information contained herein is subject to change and may be rendered inaccurate for many reasons, including but not limited
to product and roadmap changes, component and motherboard version changes, new model and/or product releases, product
differences between differing manufacturers, software changes, BIOS flashes, firmware upgrades, or the like. There is no
obligation to update or otherwise correct or revise this information. However, we reserve the right to revise this information and to
make changes from time to time to the content hereof without obligation to notify any person of such revisions or changes.
NO REPRESENTATIONS OR WARRANTIES ARE MADE WITH RESPECT TO THE CONTENTS HEREOF AND NO
RESPONSIBILITY IS ASSUMED FOR ANY INACCURACIES, ERRORS OR OMISSIONS THAT MAY APPEAR IN THIS
INFORMATION.
ALL IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE ARE EXPRESSLY
DISCLAIMED. IN NO EVENT WILL ANY LIABILITY TO ANY PERSON BE INCURRED FOR ANY DIRECT, INDIRECT, SPECIAL
OR OTHER CONSEQUENTIAL DAMAGES ARISING FROM THE USE OF ANY INFORMATION CONTAINED HEREIN, EVEN IF
EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
AMD, the AMD arrow logo, and combinations thereof are trademarks of Advanced Micro Devices, Inc. All other names used in
this presentation are for informational purposes only and may be trademarks of their respective owners.
The contents of this presentation were provided by individual(s) and/or company listed on the title page. The information and
opinions presented in this presentation may not represent AMD’s positions, strategies or opinions. Unless explicitly stated, AMD is
not responsible for the content herein and no endorsements are implied.