APU/GPGPU-BASED SECURITY - AMDdeveloper.amd.com/wordpress/media/2013/06/2061_final.pdf · 9 |...

APU/GPGPU-BASED SECURITY

SOLUTIONS

Vikenty Frantsev

ALTELL

CEO

3 | APU/GPGPU-Based Security Solutions June 2011

ALTELL: KEY FACTS

Core business: IT security, software development, network appliances design & manufacturing

Founded: Year 2006

Vertical markets served: telecommunications; financial &

banking institutions; insurance companies; medicine; federal & municipal authorities

Partnership with AMD started in 2008

Current engagements:

– Embedded: RTOS, routers based on G34 CPUs – offered in Europe

– IBV (Independent BIOS Vendor) – UEFI BIOS for Ontario & G34

– OpenCL library development for AMD


ALTELL: CORE IP

• ALTELL has extensive expertise in network & security

• ALTELL has a software stack for a complete secure computer system (Secure BIOS,

Virtualization Suite, seOS RTOS, Network & Crypto Libraries, seOS OS)

Secure BIOS with Virtualization capabilities - ensures security and control at boot, prevents

intrusions, allows isolation of secure and non secure machines

Virtualization environment – isolates secure and non-secure machines, prevents intrusions

Microkernel based operating system (RTOS for network appliances) - guarantees security of I/O,

prevents intrusions

Encryption and security tools – crypto libraries, DPI, DLP, antivirus, antispam, packet routing etc –

guarantees security of received/transmitted data


PRESENT

• Only small part of data is encrypted

• Large segments of corporate and

personal data is transferred over

open channels

• No encryption for majority of video

and voice data

CHALLENGES

• Network speed and capacity

• Computational overhead associated

with encryption (especially on the client side)

• Cost – ASIC-based solutions

FUTURE

• All data is encrypted

• Video and voice data transferred over secure ,

encrypted channels

OPPORTUNITIES

• GPGPU and Fusion development

• Broadband - WiMax, LTE, etc.

• Development of OpenCL, CUDA

EVOLUTION OF COMPUTER/DATA SECURITY


NEW MARKET - CLIENT SECURITY

Past Now Future

Limited personal/business data are

stored on a mobile computer.

Limited connectivity to public

network. Security treats are not

fully understood

Significant amount of personal/business data

is stored on a mobile computer and remote

servers. Pervasive connectivity to public

networks. Growing need for secure

communications and data protection on a

client device

Majority of personal/business data is

stored on remote servers. Pervasive

connectivity to public networks. Secure

communications and data protection are

a must

Desktop/Laptop equipped with a

CPU/GPU combination

GPUs are becoming more and more

power efficient, enabling their use as

security processors

0.5 Gb/sec

Device equipped with a Fusion APU. The

GPU cores of an APU are used as

security/network processors

AMD Fusion (2011), Intel Sandy Bridge

(2011),Apple A4 SGX543

Desktop/laptop equipped with a

CPU

Encryption done by the CPU –

VPN at 2 Mb/sec. Antivirus SW is

run on the CPU

Antivirus SW, VPN Antivirus, antispam SW, growing acceptance

of the unified threat management (UTM)

concept – encryption, packet inspection,

attack prevention – growing security SW

market

UTM is a must. Pervasive use of security

software – encryption, DPI, DLP etc

Security

needs

Hard

ware

S

oft

ware

We target these segments in the client space

Technology enablers


DATA ENCRYPTION SOLUTIONS

Data are partially encrypted

Legal issues & prohibitions;

export/import regulations

Proprietary hardware-based crypto

solutions; often incompatible with each other.

Despite their high-performance, HW-based

solutions cannot be upgraded. Highly priced.

Software-based solutions can be upgraded,

but cannot compete with specialized ASICs.

All data are encrypted

Transition to digital document flow

& digitally signed documents

ALTELL’s solution utilizes the advantages of

Fusion architecture with the help of OpenCL

framework. Using task-based and data-based

parallelism, ALTELL’s solution drastically

speeds up all crypto operations, beating even

hardware-based solutions and network

processors.

APU-based solution can be upgraded

CURRENT FUTURE


EXISTING CRYPTO SOLUTIONS

The competitive landscape of crypto market:

– Hardware-based solutions

Pro: High performance; crypto operations are

isolated from OS

Cons: High cost of ownership; non-upgradable

– Software-based solutions

Pro: Upgradable; low cost of ownership; can be implemented anywhere

Cons: Slow; SW crypto modules can be compromised


NEEDS AND SOLUTIONS

Facts

Use of x86 for certain tasks bears prohibitive computational cost

There is a customer driven need in hardware flexibility (programmability) at low cost

Solutions

Intel – instructions integrated on the die – AES encryption (up to 200 Mb/sec on Xeon CPUs), FPGA

combined with an x86 processor on a board

Apple, AMD, NVidia - GPGPU (OpenCL, CUDA, Apple A4 SGX543 )

AMD – Fusion architecture


VISION

The Fusion architecture offers customers a powerful, low cost and energy efficient programmable

device

The GPU part of an APU can be used for variety of tasks such as security, compression, networking,

video etc

Fusion architecture creates many new possibilities in existing markets and will create new applications

and markets

We believe that there will be an explosive demand in SW for heterogeneous architectures


WHY IS SECURITY THE APPLICATION OF CHOICE?

Market perception of the Fusion concept is that it is mostly limited to graphics and HPC

These markets are limited to gaming enthusiasts and HPC specialists

Using Fusion concept for security provides ways to expand the Fusion appeal to the mainstream

consumer, commercial enterprise and embedded markets

We believe that there are mutual benefits for AMD in the security space

Network & security IP gives us a significant advantage over competitors in time-to-market


OPPORTUNITIES

Fusion technology (or CPU/GPU combination) enables development of cost efficient programmable security/network

systems using GPU as a security/network co-processor

Fusion security systems can provide up to 250% speed improvement and more than 1000% performance/$ improvement

over existing systems based on specialty silicon

Markets

Embedded/network security – GPGPU/Fusion based security systems can become a pervasive alternative to existing

specialized hardware solutions. Fusion systems implemented on standard silicon can offer significant cost and

performance advantages. These systems offer unparalleled flexibility and could offer a competitive edge in several large

regional markets (China, Russia, Brazil, ME). A GPU core in this case serves as an efficient and programmable

network/security co-processor (100 M TAM, est)

Enterprise and consumer client market –Fusion architecture will create a new market for security solutions on the

client side of the computer business. Existing HW and SW systems are not well suited for client applications due to

performance and cost restrictions. Fusion systems developed on standard silicon provide a fast and cost efficient solution

for the space. (1 B TAM, est)

Server market - GPGPU/Fusion security approach can be used with any CPU/GPU combination. This is a significant

opportunity in the server (cloud server) (200 M TAM, est)


OPENCL SOLUTION: USAGE SCENARIOS

GPGPU can be used in telecommunication devices and servers for wide range of applications:

Fast packet processing that can be used for high load firewall appliances. For example, 10G link will

lose 10% of bandwidth with 10 FW rules and about 50% of bandwidth with only 50 rules. CPU has to

deal with large amount of packets, that should be processed. Packet processing requires quite simple

checks with limited branches, and this task suits very well to OpenCL and GPGPU.

Data compression/decompression. For high load devices, with many incoming and outgoing requests,

data compression becomes a bottle neck. Data compression can be used in VPN tunnels, network

services (www servers, etc.), content inspection software (IDS/IPS, antivirus, antispam).

Data encryption and decryption is widely used in network devices and appliances, as well as in

network servers. With accelerated connection speed growth encryption speed becomes an issue.

Turning GPU into cryptoprocessor can provide a solution suitable to the whole market (network, server

and client)


Deep packet inspection that can be used in IPS/IDS (Intrusion Prevention/Detection Systems) . Nowadays, IPS/IDS performance leaves much to be desired, due to high-speed connections and a lot of traffic generated by users, while packet inspection is a very resource-hungry & consuming task (typically, it requires pattern matching against huge database of signatures). GPGPU and OpenCL can speed up packet inspection up to 3x at least.

Antivirus protection. Again, like in deep packet inspection case, antivirus protection requires pattern matching against database of virus signatures, viruses, trojan horses and other scumware.

Packet routing. Core/border routers have to deal with thousands and millions records of gateways, reducing the speed of network in case of routers’ low performance. OpenCL applications should improve the situation.

Data Loss Prevention. Content inspection & pattern matching used by modern DLP systems require substantial computational power. Typically general-purpose CPUs are used for this purpose. DLP performance can be improved by offloading CPU and processing the data with GPGPU.

OPENCL SOLUTION: USAGE SCENARIOS


SOLUTION BASED ON OpenCL / GPGPU

GPGPU

FUSION

Data Storage

Data Transfer OpenCL

Security

libraries

A Fusion based system utilizes computational power of GPGPU or Fusion architecture, enabling ultra-fast

crypto & security operations. Effectively, it turns an APU/GPGPU into a programmable security

(co)processor. This approach overcomes problems of pure hardware (our solution is cost efficient and

programmable) or pure software solutions (our solution is fast and energy efficient)


PROPOSED SUITE OF DEVTOOLS & SW STACKS

FUSION / GPGPU

Linux, Windows, iOS, etc.

Software Development Kit for OpenCL

(OS, Tools, Libraries, Drivers, APIs)

Software Stacks

and Libraries

HW Solutions

Operating

Systems

SDKs

• Crypto

• Compression

• TCP

• IP

• SSL

• SSL VPN

• IPSec/IKE

•Secure BIOS

• Antivirus

• Antispam

• Wireless security

• IDS/IPS


DEVELOPMENT STAGES

Implementation of: AES/ hash function / random number generator / Open SSL

TLS / IPSec / other cryptographic algorithms

Regular expressions / Deep packet inspection / Compression/Decompression

AV / AS / IPS-IDS solutions


MULTICORE X86 CRYPTO SOLUTION

Solution utilizes the computation power of Multicore architecture, allowing ultra-fast crypto operations to be

performed. During encryption/decryption operations, data is processed in several parallel streams, allowing

high performance to be achieved without specialized ASICs. IPsec AES 128 ECB 6 Gbit/s performance on

Dual Opteron 12 Cores.


OpenCL CRYPTO SOLUTION

Kernel Space Driver

GPU


PROOF OF CONCEPT

Block Size (Byte)

AES encryption CPU only,

Gbit/s

AES encryptionGPU

, Gbit/s

SHA-256 rate , CPU only,

Gbit/s

SHA-256 rate, GPU,

Gbit/s

3DES encryption

CPU , Gbit/s

3DES encryption

GPU , Gbit/s

512 0.52 0.06 0.13 0.59 0.16 1.64 1024 0.54 0.14 0.14 0.85 0.17 1.64 4096 0.54 0.73 0.14 1.51 0.17 1.83

16384 0.54 1.48 0.14 1.67 0.17 2.01 32768 0.54 2.7 0.14 1.81 0.17 2.54

Prototype encryption system working on a GPU. The preliminary results are :

In this test the measured quantity was the time required to encrypt one block with the AES 128 and

3DES with CBC algorithms and hash-function calculation. The start time was taken as the time

EVP_CIpherUpdate() was called, the end time was the time of return from this routine. The hardware

was an AMD Phenom™ II 810 2.6 GHz/2Gb memory & HD5770 GPU combination. Optimization of the

system and its implementation on true Fusion silicon is expected to bring encryption rate to 2Gbps (AMD

Ontario). Larger improvements are expected for AMD Llano based systems.


Client Network Server

Products

End Customers

OEMs

Enterprise

Consumers

OEMs

Enterprise

OEMs

Enterprise

PRODUCTS & TARGET CUSTOMERS

OpenCL Security Library

Regular expressions / Deep packet inspection/ Compression/Encryption

BIOS GPGPU

Encryption/VPN

Module

OpenCL

Network

Library

Security Suite:



Customers - OEMs, Enterprise, Consumers

Revenue generation

OEMs pay royalties for the BIOS security module

Enterprise and consumer clients pay license fees for use of

the GPGPU/Fusion security SW

Products

Target hardware

Full HD secure video/computing terminal

Secure laptop with encryption and Antivirus scanning – Ontario

Secure tablet

CLIENT PLAN


Regular expressions / Deep

packet inspection/

Compression/Encryption

BIOS GPGPU

Encryption/VPN

Module

Security Suite:



APU / GPGPU ANTIVIRUS SOLUTION

Kaspersky Lab

Trend Micro

Symantec

…

OpenCL-optimized engine.

Runs on APU/GPGPU

with multiple

antivirus/antispam databases.

On-access scan

On-demand scan

Process efficiencies offered by Fusion APU or GPGPU provide an opportunity to perform

on-access/on-demand antivirus/antispam scanning on a client/network device.

OpenCL framework opens a path to offer this solution to a broad range of hardware

platforms and client devices.

Advantages over traditional antivirus solutions:

Up to 10x faster

Extremely effective: multiple virus signatures databases ensure 99.999% reliability

Option to choose virus signature databases from different vendors


Fusion router with encryption – Ontario/Llano

Secure WiFi router – Ontario/Llano

NETWORK PLAN

Customers - OEMs, Enterprise

Products



packet inspection/


OpenCL

Network

Library

Security Suite:


Revenue generation

OEMs pay one time fees and royalties for the OpenCL encryption and network libraries (IP Infusion

model)

Enterprise clients pay license fees for use of the GPGPU/Fusion security SW

Target hardware


PERFORMANCE: CAVIUM OCTEON

VS AMD LLANO (ESTIMATES)

CAVIUM OCTEON CN5860 AMD Fusion Llano

(projected)

CPU Frequency 750 MHz 3000 MHz

Number of cores 16 4

ASP, USD 850$ 100$

SSL AES-128 64B encryption 8.46 Gbps 10 Gbps

IPv4 FWD Performance 20 Gbps (limited by IO) 50 Gbps

IPS/IDS Performance 4.4 Gbps (limited by RLDRAM2 bandwidth) 8 Gbps

Antivirus Performance 4.4 Gbps (limited by RLDRAM2 bandwidth) 8 Gbps

Compression Performance 10 Gbps 16 Gbps

Fusion security systems are projected to provide up to 250% speed improvement

and more than 1000% performance/$ improvement over existing specialty silicon

solutions


GPGPU based secure server – Opteron/GPGPU

Multiple APU Volume encryption server (similar to the SeaMicro approach)

– Ontario/Llano

SERVER PLAN

Customers - OEMs, Enterprise

Products



packet inspection/


Security Suite:


Revenue generation

OEMs pay one time fees and royalties for the OpenCL encryption library

Enterprise clients pay license fees for use of the GPGPU/Fusion security SW

Target hardware


Disclaimer & Attribution The information presented in this document is for informational purposes only and may contain technical inaccuracies, omissions

and typographical errors.

The information contained herein is subject to change and may be rendered inaccurate for many reasons, including but not limited

to product and roadmap changes, component and motherboard version changes, new model and/or product releases, product

differences between differing manufacturers, software changes, BIOS flashes, firmware upgrades, or the like. There is no

obligation to update or otherwise correct or revise this information. However, we reserve the right to revise this information and to

make changes from time to time to the content hereof without obligation to notify any person of such revisions or changes.

NO REPRESENTATIONS OR WARRANTIES ARE MADE WITH RESPECT TO THE CONTENTS HEREOF AND NO

RESPONSIBILITY IS ASSUMED FOR ANY INACCURACIES, ERRORS OR OMISSIONS THAT MAY APPEAR IN THIS

INFORMATION.

ALL IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE ARE EXPRESSLY

DISCLAIMED. IN NO EVENT WILL ANY LIABILITY TO ANY PERSON BE INCURRED FOR ANY DIRECT, INDIRECT, SPECIAL

OR OTHER CONSEQUENTIAL DAMAGES ARISING FROM THE USE OF ANY INFORMATION CONTAINED HEREIN, EVEN IF

EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

AMD, the AMD arrow logo, and combinations thereof are trademarks of Advanced Micro Devices, Inc. All other names used in

this presentation are for informational purposes only and may be trademarks of their respective owners.

The contents of this presentation were provided by individual(s) and/or company listed on the title page. The information and

opinions presented in this presentation may not represent AMD’s positions, strategies or opinions. Unless explicitly stated, AMD is

not responsible for the content herein and no endorsements are implied.

Date post:	19-Apr-2020
Category:	Documents
Upload:	others
View:	2 times
Download:	0 times

APU/GPGPU-BASED SECURITY - AMDdeveloper.amd.com/wordpress/media/2013/06/2061_final.pdf · 9 |...

Documents