FPGAs for Trusted Cloud Computing

Similar documents

Secure Cloud Storage and Computing Using Reconfigurable Hardware

FPGA Accelerator Virtualization in an OpenPOWER cloud. Fei Chen, Yonghua Lin IBM China Research Lab

Seeking Opportunities for Hardware Acceleration in Big Data Analytics

High-Density Network Flow Monitoring

FPGA Acceleration using OpenCL & PCIe Accelerators MEW 25

CFD Implementation with In-Socket FPGA Accelerators

Hardware Security Modules for Protecting Embedded Systems

Technical Challenges for Big Health Care Data. Donald Kossmann Systems Group Department of Computer Science ETH Zurich

Cryptography & Network Security. Introduction. Chester Rebeiro IIT Madras

Keywords Cloud Computing, CRC, RC4, RSA, Windows Microsoft Azure

Intel Identity Protection Technology Enabling improved user-friendly strong authentication in VASCO's latest generation solutions

Cloud: Where are we now? Gerald Gerry Seaman Cloud Marketing Manager Intel - Data Center Group Enterprise High Performance Group

Networking Virtualization Using FPGAs

Xeon+FPGA Platform for the Data Center

Data Center and Cloud Computing Market Landscape and Challenges

Cloud Terminal: Secure Access to Sensitive Applications from Untrusted Systems

IoT Security Concerns and Renesas Synergy Solutions

Confidentio. Integrated security processing unit. Including key management module, encryption engine and random number generator

Horst Görtz Institute for IT-Security

CRYPTOGRAPHY AS A SERVICE

TrustNet CryptoFlow. Group Encryption WHITE PAPER. Executive Summary. Table of Contents

Verfahren zur Absicherung von Apps. Dr. Ullrich Martini IHK,

Cloud Data Center Acceleration 2015

SECURE IMPLEMENTATIONS OF CONTENT PROTECTION (DRM) SCHEMES ON CONSUMER ELECTRONIC DEVICES

Cloud Computing through Virtualization and HPC technologies

Cut Network Security Cost in Half Using the Intel EP80579 Integrated Processor for entry-to mid-level VPN

CoProcessor Design for Crypto- Applications using Hyperelliptic Curve Cryptography

How to Drop your Anchor

Property Based TPM Virtualization

Copyright 2013, Oracle and/or its affiliates. All rights reserved.

SALSA Flash-Optimized Software-Defined Storage

Akuda Labs. Leverages Peak Hosting s Operations-as-a-Service Managed Hosting Solution to Process Big Data Analytics 500 Faster without Big Costs

PLATFORM ENCRYPTlON ARCHlTECTURE. How to protect sensitive data without locking up business functionality.

IMPROVED SECURITY MEASURES FOR DATA IN KEY EXCHANGES IN CLOUD ENVIRONMENT

Zadara Storage Cloud A

Alliance Key Manager Solution Brief

Dell Cloud Services. Services

Capstone Overview Architecture for Big Data & Machine Learning. Debbie Marr ICRI-CI 2015 Retreat, May 5, 2015

Accelerate Cloud Computing with the Xilinx Zynq SoC

Enabling Security in ProASIC 3 FPGAs with Hardware and Software Features

NEW HORIZON COLLEGE OF ENGINEERING, BANGALORE CLOUD COMPUTING ASSIGNMENT Explain any six benefits of Software as Service in Cloud computing?

Management by Network Search

Secure Network Communications FIPS Non Proprietary Security Policy

CSE543 Computer and Network Security Module: Cloud Computing

Efficient Framework for Deploying Information in Cloud Virtual Datacenters with Cryptography Algorithms

EDA385 Embedded Systems Design. Advanced Course

Lightweight Cryptography. Lappeenranta University of Technology

RAID. RAID 0 No redundancy ( AID?) Just stripe data over multiple disks But it does improve performance. Chapter 6 Storage and Other I/O Topics 29

NCTA Cloud Architecture

Security Protocols/Standards

Windows Server 2008 R2 Boot Manager Security Policy For FIPS Validation

Best Practises for LabVIEW FPGA Design Flow. uk.ni.com ireland.ni.com

Key & Data Storage on Mobile Devices

Before we can talk about virtualization security, we need to delineate the differences between the

Secure Hardware PV018 Masaryk University Faculty of Informatics

Intel Ethernet Switch Load Balancing System Design Using Advanced Features in Intel Ethernet Switch Family

Application Security: Threats and Architecture

Flash Use Cases Traditional Infrastructure vs Hyperscale

SOFTWARE-DEFINED: MAKING CLOUDS MORE EFFICIENT. Julian Chesterfield, Director of Emerging Technologies

HANIC 100G: Hardware accelerator for 100 Gbps network traffic monitoring

Oracle Database Reliability, Performance and scalability on Intel Xeon platforms Mitch Shults, Intel Corporation October 2011

Secure Cloud Computing with FlexCloud

Cloud Security Case Study Amazon Web Services. Ugo Piazzalunga Technical Manager, IT Security

AppliedMicro Trusted Management Module

IBM Platform Computing Cloud Service Ready to use Platform LSF & Symphony clusters in the SoftLayer cloud

Security Design.

Public Cloud Security: Surviving in a Hostile Multitenant Environment

Embedded Virtualization & Cyber Security for Industrial Automation HyperSecured PC-based Control and Operation

Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud

Network Security. Chapter 9 Integrating Security Services into Communication Architectures

Secure Services and Quality Testing SST. Security Engineering Privacy by Design Trusted Solutions. Mario Hoffmann. for Service Ecosystems

Technical Brief Distributed Trusted Computing

How To Teach A Cyber Security Course

SimpliVity OmniStack with Vormetric Transparent Encryption

AN OFFLINE CAPTURE THE FLAG-STYLE VIRTUAL MACHINE FOR CYBER SECURITY EDUCATION

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

The Engine for Digital Transformation in the Data Center

Driving Datacenter Change

Intel Ethernet and Configuring Single Root I/O Virtualization (SR-IOV) on Microsoft* Windows* Server 2012 Hyper-V. Technical Brief v1.

Performance Oriented Management System for Reconfigurable Network Appliances

Computer Science. About PaaS Security. Donghoon Kim Henry E. Schaffer Mladen A. Vouk

Secure web transactions system

Architekturen und Einsatz von FPGAs mit integrierten Prozessor Kernen. Hans-Joachim Gelke Institute of Embedded Systems Professur für Mikroelektronik

Distributed and Cloud Computing

Certifying Program Execution with Secure Processors

Daniel Meier, May 2011

Proposal for Virtual Private Server Provisioning

Infrastructure Matters: POWER8 vs. Xeon x86

ESPRESSO: An Encryption as a Service for Cloud Storage Systems

Intel Identity Protection Technology (IPT)

Department of Computer Science Better than Native: Using Virtualization to Improve Compute Node Performance

IoT Security Platform

Entrust Smartcard & USB Authentication

Storage XenMotion: Live Storage Migration with Citrix XenServer

FIPS Security Policy. for Motorola, Inc. Motorola Wireless Fusion on Windows CE Cryptographic Module

USB Portable Storage Device: Security Problem Definition Summary

Harvesting Developer Credentials in Android Apps

Control your corner of the cloud.

Transcription:

FPGAs for Trusted Cloud Computing

Traditional Servers Datacenter Cloud Servers Datacenter Cloud Manager Client Client Control Client Client Control 2

Existing cloud systems cannot offer strong security guarantees Cloud administrator access liability Availability & co-tenancy malware & sidechannel attacks Cloud administrators have full access! 3

Existing cloud systems cannot offer strong security guarantees Cloud administrator access liability Availability & co-tenancy malware & sidechannel attacks Cloud is open to everyone! 4

Network bandwidth/ latency CPU time Storage allotment/ latency Minimum uptime Security 5

1% to 10% of information/transactions deal with sensitive data Isolate only sensitive computations on trusted compute nodes Client Application Unsecured Part Secured Part 6

Independent administration Management!= full access Cloud operator is not part of root of trust Physically secure High performance Generality Flexibility 7

Independent administration Physically secure Store keys Decrypt & authenticate binaries and data Execute application exactly as prescribed High performance Generality Flexibility 8

Independent administration Physically secure High performance Generality Flexibility 9

Requirements Independent administration Physically secure High performance Generality Flexibility X Platform Options Commodity servers Local/cloud hybrids High security commodity servers Secure co-processors Homomorphic crypto Dedicated hardware HSMs FPGAs 10

Requirements Independent administration Physically secure High performance Generality Flexibility X X X Platform Options Commodity servers Local/cloud hybrids High security commodity servers Secure co-processors Homomorphic crypto Dedicated hardware HSMs FPGAs 11

Requirements Independent administration Physically secure High performance Generality Flexibility X X Platform Options Commodity servers Local/cloud hybrids High security commodity servers Secure co-processors Homomorphic crypto Dedicated hardware HSMs FPGAs 12

Requirements Independent administration Physically secure High performance Generality Flexibility X X Platform Options Commodity servers Local/cloud hybrids High security commodity servers Secure co-processors Homomorphic crypto Dedicated hardware HSMs FPGAs 13

Requirements Independent administration Physically secure High performance Generality Flexibility Platform Options Commodity servers Local/cloud hybrids High security commodity servers Secure co-processors Homomorphic crypto Dedicated hardware HSMs FPGAs 14

FPGA Platform Board Dedicated FPGA Resources Key Mem. Boot. Logic Programmable Logic Region 15

Trusted Authority Bitstream Key FPGA Platform Board FPGA Key Mem. Boot. Logic 16

Untrusted Cloud Machine FPGA Platform Board FPGA Key Mem. 8x PCIe Boot. Logic 17

Trusted Authority Bitstream Key Untrusted Cloud Machine Platform Memory FPGA Platform Board FPGA Key Mem. Boot. Logic Customer Application Customer 18

Untrusted Cloud Machine FPGA Platform Board FPGA Key Mem. Encrypted & Signed Bitstream Boot. Logic 19

Untrusted Cloud Machine FPGA Platform Board FPGA Key Mem. Encrypted & Signed Bitstream Boot. Logic Client Application Client Application Request Loaded Application 20

Remove TA involvement? Trusted Authority Bitstream Key Customer Application Customer Remove per FPGA bitstream? Untrusted Cloud Machine Platform Memory FPGA Platform Board FPGA Key Mem. Boot. Logic 21

Sensitive vs. non-sensitive data Client App Data Stream Sensitive Data? Results Data Mining 22

Sensitive vs. non-sensitive data Separate, tokenize & encrypt sensitive fields Trusted Computing Node Client App Results Data Stream Bulk Cloud Servers Data Mining Non-Sensitive Plaintext Identify sensitive fields Tokenized Data Anonymization 23

PCI-Express Controller Prototype cloud server & FPGA architecture Untrusted Cloud Servers Session Key Exch. Infrastructure RSA & SHA FPGA privatek fb Client App Data Transfer Data Mining sessionk fb User Application Sensitive Plaintext AES & AES SHA Non-Sensitive Plaintext Encrypted & Tokenized Data 24

On an ML605 (V6 LX 240T) LUTs FF BRAM DSP Full system 18.1% 9% 6.9% 0.5% Infrastructure (RSA, SHA, PCIe, DDR3) Tokenization (AES, AES + SHA) 14.8% 8.6% 5.2% 0.5% 3.3% 0.3% 0.7% 0.0% 25

On an ML605 (V6 LX 240T) 200MHz clock Initiate 13+ RSA secure session key exchanges per second Decrypt AES at 572MB/s Tokenize with SHA-256 at 12MB/s Gb Ethernet is 125MB/s 1-10% of the incoming data was sensitive 26

Security is paramount to the cloud Existing server are insufficient FPGAs provide native support for secure boot and secure operation This represents a brand new market for FPGAs 27