APU/GPGPU-BASED SECURITY SOLUTIONS
Vikenty Frantsev, ALTELL CEO

ALTELL: KEY FACTS

- Core business: IT security, software development, network appliances design & manufacturing
- Founded: Year 2006
- Vertical markets served: telecommunications; financial & banking institutions; insurance companies; medicine; federal & municipal authorities
- Partnership with AMD started in 2008
- Current engagements:
  - Embedded: RTOS, routers based on G34 CPUs offered in Europe
  - IBV (Independent BIOS Vendor) UEFI BIOS for Ontario & G34
  - OpenCL library development for AMD

APU/GPGPU-Based Security Solutions June 2011

ALTELL: CORE IP

- Secure BIOS with Virtualization capabilities - ensures security and control at boot, prevents intrusions, allows isolation of secure and non-secure machines
- Virtualization environment - isolates secure and non-secure machines, prevents intrusions
- Microkernel based operating system (RTOS for network appliances) - guarantees security of I/O, prevents intrusions
- Encryption and security tools (crypto libraries, DPI, DLP, antivirus, antispam, packet routing, etc.) - guarantee security of received/transmitted data
- ALTELL has extensive expertise in network & security
- ALTELL has a software stack for a complete secure computer system (Secure BIOS, Virtualization Suite, seos RTOS, Network & Crypto Libraries, seos OS)

EVOLUTION OF COMPUTER/DATA SECURITY

PRESENT
- Only a small part of data is encrypted
- Large segments of corporate and personal data are transferred over open channels
- No encryption for the majority of video and voice data

FUTURE
- All data is encrypted
- Video and voice data transferred over secure, encrypted channels

CHALLENGES
- Network speed and capacity
- Computational overhead associated with encryption (especially on the client side)
- Cost: ASIC-based solutions

OPPORTUNITIES
- GPGPU and Fusion development
- Broadband - WiMax, LTE, etc.
- Development of OpenCL, CUDA

NEW MARKET - CLIENT SECURITY

Security needs
- Past: Limited personal/business data are stored on a mobile computer. Limited connectivity to public network. Security threats are not fully understood.
- Now: Significant amount of personal/business data is stored on a mobile computer and remote servers. Pervasive connectivity to public networks. Growing need for secure communications and data protection on a client device.
- Future: Majority of personal/business data is stored on remote servers. Pervasive connectivity to public networks. Secure communications and data protection are a must.

Hardware
- Past: Desktop/laptop equipped with a CPU. Encryption done by the CPU. VPN at 2 Mb/sec. Antivirus SW is run on the CPU.
- Now: Desktop/laptop equipped with a CPU/GPU combination. GPUs are becoming more and more power efficient, enabling their use as security processors. 0.5 Gb/sec.
- Future: Device equipped with a Fusion APU. The GPU cores of an APU are used as security/network processors.

Technology enablers
- AMD Fusion (2011), Intel Sandy Bridge (2011), Apple A4 SGX543

Software
- Past: Antivirus SW, VPN.
- Now: Antivirus, antispam SW; growing acceptance of the unified threat management (UTM) concept; encryption, packet inspection, attack prevention; growing security SW market.
- Future: UTM is a must. Pervasive use of security software; encryption, DPI, DLP, etc.

We target these segments in the client space.

DATA ENCRYPTION SOLUTIONS

CURRENT: Data are partially encrypted
FUTURE: All data are encrypted

- Legal issues & prohibitions; export/import regulations
- Proprietary hardware-based crypto solutions; often incompatible with each other. Despite their high performance, HW-based solutions cannot be upgraded. Highly priced.
- Transition to digital document flow & digitally signed documents
- ALTELL's solution utilizes the advantages of Fusion architecture with the help of the OpenCL framework. Using task-based and data-based parallelism, ALTELL's solution drastically speeds up all crypto operations, beating even hardware-based solutions and network processors.
- Software-based solutions can be upgraded, but cannot compete with specialized ASICs.
- APU-based solution can be upgraded

EXISTING CRYPTO SOLUTIONS

The competitive landscape of the crypto market:

Hardware-based solutions
- Pro: High performance; crypto operations are isolated from OS
- Cons: High cost of ownership; non-upgradable

Software-based solutions
- Pro: Upgradable; low cost of ownership; can be implemented anywhere
- Cons: Slow; SW crypto modules can be compromised

NEEDS AND SOLUTIONS

Facts
- Use of x86 for certain tasks bears prohibitive computational cost
- There is a customer-driven need for hardware flexibility (programmability) at low cost

Solutions
- Intel instructions integrated on the die: AES encryption (up to 200 Mb/sec on Xeon CPUs)
- FPGA combined with an x86 processor on a board
- Apple, AMD, NVidia - GPGPU (OpenCL, CUDA, Apple A4 SGX543)
- AMD Fusion architecture

VISION

- The Fusion architecture offers customers a powerful, low cost and energy efficient programmable device
- The GPU part of an APU can be used for a variety of tasks such as security, compression, networking, video, etc.
- Fusion architecture creates many new possibilities in existing markets and will create new applications and markets
- We believe that there will be an explosive demand for SW for heterogeneous architectures

WHY IS SECURITY THE APPLICATION OF CHOICE?

- Market perception of the Fusion concept is that it is mostly limited to graphics and HPC
- These markets are limited to gaming enthusiasts and HPC specialists
- Using the Fusion concept for security provides ways to expand the Fusion appeal to the mainstream consumer, commercial enterprise and embedded markets
- We believe that there are mutual benefits for AMD in the security space
- Network & security IP gives us a significant advantage over competitors in time-to-market

OPPORTUNITIES

- Fusion technology (or a CPU/GPU combination) enables development of cost efficient programmable security/network systems using the GPU as a security/network co-processor
- Fusion security systems can provide up to 250% speed improvement and more than 1000% performance/$ improvement over existing systems based on specialty silicon

Markets
- Embedded/network security: GPGPU/Fusion based security systems can become a pervasive alternative to existing specialized hardware solutions. Fusion systems implemented on standard silicon can offer significant cost and performance advantages. These systems offer unparalleled flexibility and could offer a competitive edge in several large regional markets (China, Russia, Brazil, ME). A GPU core in this case serves as an efficient and programmable network/security co-processor (100 M TAM, est)
- Enterprise and consumer client market: Fusion architecture will create a new market for security solutions on the client side of the computer business. Existing HW and SW systems are not well suited for client applications due to performance and cost restrictions. Fusion systems developed on standard silicon provide a fast and cost efficient solution for the space. (1 B TAM, est)
- Server market: the GPGPU/Fusion security approach can be used with any CPU/GPU combination. This is a significant opportunity in the server (cloud server) market (200 M TAM, est)

OPENCL SOLUTION: USAGE SCENARIOS

GPGPU can be used in telecommunication devices and servers for a wide range of applications:

- Fast packet processing that can be used for high load firewall appliances. For example, a 10G link will lose 10% of bandwidth with 10 FW rules and about 50% of bandwidth with only 50 rules. The CPU has to deal with a large number of packets that must be processed. Packet processing requires quite simple checks with limited branches, and this task is very well suited to OpenCL and GPGPU.
- Data compression/decompression. For high load devices, with many incoming and outgoing requests, data compression becomes a bottleneck. Data compression can be used in VPN tunnels, network services (www servers, etc.), content inspection software (IDS/IPS, antivirus, antispam).
- Data encryption and decryption is widely used in network devices and appliances, as well as in network servers. With accelerated connection speed growth, encryption speed becomes an issue. Turning the GPU into a cryptoprocessor can provide a solution suitable to the whole market (network, server and client).

OPENCL SOLUTION: USAGE SCENARIOS

- Deep packet inspection that can be used in IPS/IDS (Intrusion Prevention/Detection Systems). Nowadays, IPS/IDS performance leaves much to be desired, due to high-speed connections and a lot of traffic generated by users, while packet inspection is a very resource-hungry task (typically, it requires pattern matching against a huge database of signatures). GPGPU and OpenCL can speed up packet inspection up to 3x at least.
- Antivirus protection. Again, as in the deep packet inspection case, antivirus protection requires pattern matching against a database of virus signatures, viruses, trojan horses and other scumware.
- Packet routing. Core/border routers have to deal with thousands and millions of gateway records, reducing the speed of the network when router performance is low. OpenCL applications should improve the situation.
- Data Loss Prevention. Content inspection & pattern matching used by modern DLP systems require substantial computational power. Typically general-purpose CPUs are used for this purpose. DLP performance can be improved by offloading the CPU and processing the data with GPGPU.

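An added illustration of the fast packet processing scenario above (not code from ALTELL or the original slides): a firewall rule check written so that each packet is classified independently, using compares and bitwise operations only, which is the shape of work that maps to one OpenCL work-item per packet. It is plain C so it runs on a CPU; the rule and packet layouts, the sample rules and the sample packets are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical rule and packet layouts for this example (not from the slides). */
typedef struct {
    uint32_t src_mask, src_val;   /* match if (src & mask) == val */
    uint32_t dst_mask, dst_val;
    uint16_t dport_lo, dport_hi;  /* inclusive destination port range */
    uint8_t  proto, allow;        /* proto 0 = any; allow 1 = accept, 0 = drop */
} fw_rule;
typedef struct { uint32_t src, dst; uint16_t dport; uint8_t proto; } fw_pkt;

/* Constructed sample rule set; anything unmatched is dropped. */
static const fw_rule RULES[] = {
    { 0xFF000000u, 0x0A000000u, 0, 0, 0, 65535, 0, 0 },   /* drop all from 10.0.0.0/8 */
    { 0, 0, 0xFFFFFFFFu, 0xC0A8010Au, 443, 443, 6, 1 },   /* TCP 443 to 192.168.1.10 */
    { 0, 0, 0, 0, 53, 53, 17, 1 },                        /* UDP 53 to anywhere */
};
#define NRULES (sizeof RULES / sizeof RULES[0])

/* Work of one work-item: classify one packet, first matching rule wins.
 * The rule test has no data-dependent branches in the source: only
 * compares, bitwise ops and a mask-based select. */
static uint8_t fw_classify(const fw_pkt *p, const fw_rule *r, size_t n)
{
    uint32_t verdict = 0, decided = 0;            /* default: drop */
    for (size_t i = 0; i < n; i++) {
        uint32_t hit = ((p->src & r[i].src_mask) == r[i].src_val)
                     & ((p->dst & r[i].dst_mask) == r[i].dst_val)
                     & (p->dport >= r[i].dport_lo) & (p->dport <= r[i].dport_hi)
                     & ((r[i].proto == 0) | (r[i].proto == p->proto));
        uint32_t m = 0u - (hit & (decided ^ 1u)); /* all ones on first match only */
        verdict = (verdict & ~m) | (r[i].allow & m);
        decided |= hit;
    }
    return (uint8_t)verdict;
}

/* Constructed sample packets. */
static const fw_pkt BATCH[] = {
    { 0x0A010203u, 0xC0A8010Au, 443, 6 },   /* from 10.1.2.3: rule 1 drops it first */
    { 0xAC100005u, 0xC0A8010Au, 443, 6 },   /* from 172.16.0.5: accepted by rule 2 */
    { 0xAC100005u, 0x08080808u, 53, 17 },   /* DNS over UDP: accepted by rule 3 */
    { 0xAC100005u, 0x08080808u, 80, 6 },    /* no rule matches: default drop */
};

int main(void)
{
    /* Each iteration is independent of the others: on a GPU it is one work-item. */
    for (size_t i = 0; i < sizeof BATCH / sizeof BATCH[0]; i++)
        printf("packet %zu: %s\n", i, fw_classify(&BATCH[i], RULES, NRULES) ? "accept" : "drop");
    return 0;
}
```

The per-packet cost still grows linearly with the number of rules, which is the effect the 10-rule and 50-rule figures describe; what changes on a GPU is how many packets pay that cost at the same time.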
SOLUTION BASED ON OpenCL / GPGPU

[Diagram: GPGPU / FUSION; OpenCL; Security libraries; Data Storage; Data Transfer]

A Fusion based system utilizes computational power of GPGPU or Fusion architecture, enabling ultra-fast crypto & security operations. Effectively, it turns an APU/GPGPU into a programmable security (co)processor. This approach overcomes problems of pure hardware (our solution is cost efficient and programmable) or pure software solutions (our solution is fast and energy efficient).

PROPOSED SUITE OF DEVTOOLS & SW STACKS

- Software Stacks and Libraries: Crypto, Compression, TCP/IP, SSL, SSL VPN, IPSec/IKE, Secure BIOS, Antivirus, Antispam, Wireless security, IDS/IPS
- SDKs: Software Development Kit for OpenCL (OS, Tools, Libraries, Drivers, APIs)
- Operating Systems: Linux, Windows, iOS, etc.
- HW Solutions: FUSION / GPGPU

DEVELOPMENT STAGES

Implementation of:
- AES / hash function / random number generator / OpenSSL TLS / IPSec / other cryptographic algorithms
- Regular expressions / Deep packet inspection / Compression/Decompression
- AV / AS / IPS-IDS solutions

MULTICORE X86 CRYPTO SOLUTION

The solution utilizes the computational power of multicore architecture, allowing ultra-fast crypto operations to be performed. During encryption/decryption operations, data is processed in several parallel streams, allowing high performance to be achieved without specialized ASICs.

IPsec AES 128 ECB: 6 Gbit/s performance on Dual Opteron 12 Cores.

OpenCL CRYPTO SOLUTION

[Diagram: Kernel Space; Driver; GPU]

PROOF OF CONCEPT

Prototype encryption system working on a GPU. The preliminary results are:

| Block Size (Byte) | AES encryption, CPU only, Gbit/s | AES encryption, GPU, Gbit/s | SHA-256 rate, CPU only, Gbit/s | SHA-256 rate, GPU, Gbit/s | 3DES encryption, CPU, Gbit/s | 3DES encryption, GPU, Gbit/s |
|---|---|---|---|---|---|---|
| 512 | 0.52 | 0.06 | 0.13 | 0.59 | 0.16 | 1.64 |
| 1024 | 0.54 | 0.14 | 0.14 | 0.85 | 0.17 | 1.64 |
| 4096 | 0.54 | 0.73 | 0.14 | 1.51 | 0.17 | 1.83 |
| 16384 | 0.54 | 1.48 | 0.14 | 1.67 | 0.17 | 2.01 |
| 32768 | 0.54 | 2.7 | 0.14 | 1.81 | 0.17 | 2.54 |

In this test the measured quantity was the time required to encrypt one block with AES 128 and 3DES in CBC mode, and to calculate the hash function. The start time was taken as the time EVP_CipherUpdate() was called; the end time was the time of return from this routine. The hardware was an AMD Phenom II 810 2.6 GHz/2Gb memory & HD5770 GPU combination.

Optimization of the system and its implementation on true Fusion silicon is expected to bring the encryption rate to 2Gbps (AMD Ontario). Larger improvements are expected for AMD Llano based systems.

PRODUCTS & TARGET CUSTOMERS

Segments: Client, Network, Server

Products
- OpenCL Security Library: Regular expressions / Deep packet inspection / Compression / Encryption
- BIOS GPGPU Encryption/VPN Module (Client)
- OpenCL Network Library (Network)
- Security Suite: AV / AS / IPS-IDS solutions

End Customers
- Client: OEMs, Enterprise, Consumers
- Network: OEMs, Enterprise
- Server: OEMs, Enterprise

CLIENT PLAN

Products
- OpenCL Security Library: Regular expressions / Deep packet inspection / Compression / Encryption
- Security Suite: AV / AS / IPS-IDS solutions
- BIOS GPGPU Encryption/VPN Module

Customers
- OEMs, Enterprise, Consumers

Revenue generation
- OEMs pay royalties for the BIOS security module
- Enterprise and consumer clients pay license fees for use of the GPGPU/Fusion security SW

Target hardware
- Full HD secure video/computing terminal
- Secure laptop with encryption and Antivirus scanning
- Ontario
- Secure tablet

APU / GPGPU ANTIVIRUS SOLUTION

Process efficiencies offered by Fusion APU or GPGPU provide an opportunity to perform on-access/on-demand antivirus/antispam scanning on a client/network device. The OpenCL framework opens a path to offer this solution to a broad range of hardware platforms and client devices.

Advantages over traditional antivirus solutions:
- Up to 10x faster
- Extremely effective: multiple virus signature databases ensure 99.999% reliability
- Option to choose virus signature databases from different vendors

[Diagram: Kaspersky Lab, Symantec, Trend Micro; OpenCL-optimized engine, runs on APU/GPGPU with multiple antivirus/antispam databases; on-access scan; on-demand scan]

NETWORK PLAN

Products
- OpenCL Security Library: Regular expressions / Deep packet inspection / Compression / Encryption
- Security Suite: AV / AS / IPS-IDS solutions
- OpenCL Network Library

Customers
- OEMs, Enterprise

Revenue generation
- OEMs pay one time fees and royalties for the OpenCL encryption and network libraries (IP Infusion model)
- Enterprise clients pay license fees for use of the GPGPU/Fusion security SW

Target hardware
- Fusion router with encryption (Ontario/Llano)
- Secure WiFi router (Ontario/Llano)

PERFORMANCE: CAVIUM OCTEON VS AMD LLANO (ESTIMATES)

| | CAVIUM OCTEON CN5860 | AMD Fusion Llano (projected) |
|---|---|---|
| CPU Frequency | 750 MHz | 3000 MHz |
| Number of cores | 16 | 4 |
| ASP, USD | 850$ | 100$ |
| SSL AES-128 64B encryption | 8.46 Gbps | 10 Gbps |
| IPv4 FWD Performance | 20 Gbps (limited by IO) | 50 Gbps |
| IPS/IDS Performance | 4.4 Gbps (limited by RLDRAM2 bandwidth) | 8 Gbps |
| Antivirus Performance | 4.4 Gbps (limited by RLDRAM2 bandwidth) | 8 Gbps |
| Compression Performance | 10 Gbps | 16 Gbps |

Fusion security systems are projected to provide up to 250% speed improvement and more than 1000% performance/$ improvement over existing specialty silicon solutions.

SERVER PLAN

Products
- OpenCL Security Library: Regular expressions / Deep packet inspection / Compression / Encryption
- Security Suite: AV / AS / IPS-IDS solutions

Customers
- OEMs, Enterprise

Revenue generation
- OEMs pay one time fees and royalties for the OpenCL encryption library
- Enterprise clients pay license fees for use of the GPGPU/Fusion security SW

Target hardware
- GPGPU based secure server (Opteron/GPGPU)
- Multiple APU Volume encryption server, similar to the SeaMicro approach (Ontario/Llano)

Disclaimer & Attribution

The information presented in this document is for informational purposes only and may contain technical inaccuracies, omissions and typographical errors. The information contained herein is subject to change and may be rendered inaccurate for many reasons, including but not limited to product and roadmap changes, component and motherboard version changes, new model and/or product releases, product differences between differing manufacturers, software changes, BIOS flashes, firmware upgrades, or the like. There is no obligation to update or otherwise correct or revise this information. However, we reserve the right to revise this information and to make changes from time to time to the content hereof without obligation to notify any person of such revisions or changes.

NO REPRESENTATIONS OR WARRANTIES ARE MADE WITH RESPECT TO THE CONTENTS HEREOF AND NO RESPONSIBILITY IS ASSUMED FOR ANY INACCURACIES, ERRORS OR OMISSIONS THAT MAY APPEAR IN THIS INFORMATION. ALL IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE ARE EXPRESSLY DISCLAIMED. IN NO EVENT WILL ANY LIABILITY TO ANY PERSON BE INCURRED FOR ANY DIRECT, INDIRECT, SPECIAL OR OTHER CONSEQUENTIAL DAMAGES ARISING FROM THE USE OF ANY INFORMATION CONTAINED HEREIN, EVEN IF EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

AMD, the AMD arrow logo, and combinations thereof are trademarks of Advanced Micro Devices, Inc. All other names used in this presentation are for informational purposes only and may be trademarks of their respective owners. The contents of this presentation were provided by individual(s) and/or company listed on the title page. The information and opinions presented in this presentation may not represent AMD's positions, strategies or opinions. Unless explicitly stated, AMD is not responsible for the content herein and no endorsements are implied.