AMD PLATFORM SECURITY PROCESSOR ARVIND CHANDRASEKAR DIRECTOR – AMD


Page 1

AMD PLATFORM SECURITY PROCESSOR

ARVIND CHANDRASEKAR, DIRECTOR – AMD

Page 2

2| BRIEFING TO INDIAN ARMY| CONFIDENTIAL

SECURITY LANDSCAPE – TODAY IN THE CYBERSPACE

India ranks high on the list of targeted countries: it is rated number 2 for attacks on mobile devices (Kaspersky report).

The number of websites hacked by vested interests is increasing. Government-owned websites are specifically targeted. Cross-border cyber attacks are on the rise.

Military installations are now targeted directly due to the sensitive nature of data available.

Increased usage of social media due to the young demographic of the country's workforce. Increasing usage of the cloud for data storage by individuals and enterprises, with lower costs driving storage on the internet.

Weakness in the human element involved in the security loop. Lack of password control.

UNSECURED OBJECTS - THE WEAKEST LINK

Page 3

TODAY’S SECURITY CHALLENGES

Mobility (seamless client to cloud)
‒ More devices and data per person, centralized data repositories, subsidized platforms, controlled user experience, metering/licensing, consumer data protection

Consumerization of IT (BYOD)
‒ Personally owned devices employed in enterprise environments, protection of corporate information, addressing regulation and compliance requirements

[Chart: Internet-Connected Devices Per Person, 2010 to 2020. Series: Internet Connected Devices (Billions) and World Population (Billions); from 0.7 devices per person to 2.9 devices per person. Source: IMS research report; World population estimates]

“A recent survey completed by Gartner indicates that CIOs fully expect to support up to three mobile operating systems by 2012 and that 20% of devices will be employee-owned by that year.” Source: http://softwarestrategiesblog.com/category/platform-as-a-service/

Page 4

TODAY’S SECURITY CHALLENGES

Cloud computing (separation & transparency)

‒ Multi-tenancy and lack of control, with Governance, Risk & Compliance driving separation technologies and the need for transparency and accountability in the cloud to support mission critical workloads

Advanced Persistent Threats (APTs)
‒ Advanced and normally clandestine means to gain continual, persistent intelligence on an individual, or group of individuals such as a foreign nation state government
• Operation Aurora on Google
• Stuxnet worm targeting Iranian nuclear sites
• Night Dragon targeting energy companies
• Flame targeting PCs in the Middle East

Page 5

SECURITY STARTS IN HARDWARE

Security starts at the root of a system
‒ Anything short of that allows an attacker to interpose the bootstrap process and enables BIOS/firmware viruses and other Advanced Persistent Threats (APTs)

Security needs to be anchored within the hardware so that it cannot be circumvented

Security needs to be an active and dynamic component of the system
‒ Security functions change over time or per market segment (e.g. consumer, commercial or Cloud servers)
‒ You should be able to add security functions to your platform at manufacturing time, install time or even later

Page 6

THE SECURITY ECOSYSTEM TODAY IS FRAGMENTED

Difficult for security ISVs to anchor their solutions in hardware

Partial solutions exist for different operating systems but depend on many complex layers

The hardware ecosystem is very fragmented with many proprietary solutions

These proprietary solutions rarely allow ISV extensions

We need more flexible solutions …

Page 7

AMD ADOPTING ARM TRUSTZONE

Relationship between ARM & AMD
‒ AMD is adding an ARM embedded microcontroller with ARM TrustZone technology to some of its SOCs as a security foundation
‒ This is designed to provide a consistent security foundation that is beneficial for whole-system security and end-to-end protection across heterogeneous environments
‒ Shared goal of promoting a hardware, software, and services ecosystem based on ARM TrustZone technology

What does this mean for the industry?
‒ AMD and ARM together provide scale and breadth of products
‒ Broad ecosystem based on adoption of TrustZone technology and open industry standards across all types of computing platforms

Page 8

THE TRUSTZONE ECOSYSTEM

The TrustZone ecosystem is based on open industry standards such as GlobalPlatform
‒ Standard APIs to security services, certification programs, and protection profiles
‒ Proven secure isolation kernels exist, such as those produced by Trusted Logic Mobility/Gemalto (now Trustonic)

Enables ISVs to develop secure applications that are portable across a wide range of solutions

AMD’s security technology maintains portability, even at the application binary interface (ABI) level, for trusted applications

Different security solutions for alternate segments
‒ E.g., Consumer: mobile payments, password vaults, anti-malware, content protection
‒ E.g., Commercial: asset protection, document control, bring-your-own-device protection

[Diagram (Source: GlobalPlatform): Hardware Platform with HW Secure Resources (HW Keys, Secure Storage, Trusted UI (Keypad, Screen), Crypto accelerators, NFC controller, Secure Element, etc.). Rich OS Application Environment: Rich OS, Client Applications, GlobalPlatform TEE Client API, GlobalPlatform TEE Functional API. Trusted Execution Environment: TEE Kernel, Trusted Core Environment, Trusted Functions, GlobalPlatform TEE Internal API, Trusted Applications (DRM, Payment, Corporate).]

Page 9

AMD’S SECURITY FEATURE ROADMAP

Today: Core Security
‒ Trusted Platform Module and Secure Kernel Initialization
‒ Virtualization extensions and 2nd gen. I/O Virtualization
‒ AES Instructions

2014: Secure Platform Enablement
‒ Platform Security Processor with fixed security functions introduction
‒ Cryptography acceleration for AES, RSA, ECC, SHA, TRNG
‒ Secure boot capabilities

2015: Secure Platform Deployment
‒ Platform Security Processor enabled on all 2015 APUs
‒ TrustZone ecosystem enablement
‒ Identity protection, anti-theft, etc. in hardware

Page 10

PLATFORM SECURITY PROCESSOR USE CASES

Platform Security Foundational support
‒ Trusted Execution Environment
‒ Secure boot
‒ Cryptographic acceleration
‒ TPM functionality

Client solutions enablement
‒ 3rd party solutions – e.g., payments, anti-theft, identity management, data protection, anti-malware, content protection, bring-your-own-device

End-to-end / client-to-cloud
‒ 3rd party solutions – e.g., vertical solutions, policy enforcement, integrity monitoring, audit & asset management, virtual HSM

[Diagram: layered stack. TEE Baseline: Platform Security Processor HW, Boot ROM code (HW), Security kernel, Crypto handlers, Secure boot, TPM 2.0. Platform Differentiation: Client-targeted solutions (e.g., mobile payments, data protection, identity mgmt., antimalware, content); End-to-end / client-to-cloud (e.g., policy enforcement, integrity monitoring, asset mgmt., virtual HSM)]
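Added example, not from the slides or from AMD's code: the "security starts at the root" argument of page 5 and the Boot ROM, security kernel, secure boot, TPM 2.0 and integrity-monitoring stack of page 10, modelled as a measured boot in Python. The only real rule used is the TPM 2.0 PCR extend (new PCR = SHA-256 of old PCR concatenated with the stage digest); stage names, stage images and the golden values are constructed.

```python
# Measured boot with a TPM 2.0 style PCR: each stage's digest is folded into the
# register before the stage runs, so a later stage cannot erase an earlier one.
import hashlib
PCR_LEN = 32  # SHA-256 PCR bank; all zeros at power-on

def sha256(data):
    return hashlib.sha256(data).digest()

def pcr_extend(pcr, measurement):
    """TPM extend rule: new PCR = SHA256(old PCR || measurement)."""
    return sha256(pcr + measurement)

def measured_boot(stages):
    """Walk the chain Boot ROM first; return the final PCR and the event log."""
    pcr, log = bytes(PCR_LEN), []
    for name, image in stages:
        digest = sha256(image)
        log.append((name, digest))
        pcr = pcr_extend(pcr, digest)
    return pcr, log

def replay_log(log):
    """Recompute the PCR that an honest event log would produce."""
    pcr = bytes(PCR_LEN)
    for _, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr

def attest(pcr, log, golden):
    """Integrity monitor: name stages whose digest is not the golden one, and flag
    a log that does not reproduce the hardware-held PCR (i.e. an edited log)."""
    findings = [] if replay_log(log) == pcr else ["event log does not reproduce PCR"]
    return findings + [name for name, digest in log if golden.get(name) != digest]

# Constructed stage images standing in for the PSP boot chain on page 10.
GOOD_CHAIN = [("boot_rom", b"PSP boot ROM (constructed)"),
              ("security_kernel", b"PSP security kernel (constructed)"),
              ("bios", b"platform BIOS (constructed)"),
              ("os_loader", b"OS loader (constructed)")]
GOLDEN = {name: sha256(image) for name, image in GOOD_CHAIN}

def demo():
    good_pcr, good_log = measured_boot(GOOD_CHAIN)
    modified = list(GOOD_CHAIN)
    modified[2] = ("bios", b"platform BIOS (constructed, modified)")
    bad_pcr, bad_log = measured_boot(modified)
    forged_log = [(name, GOLDEN[name]) for name, _ in bad_log]  # log "cleaned" after the fact
    return (attest(good_pcr, good_log, GOLDEN),
            attest(bad_pcr, bad_log, GOLDEN),
            attest(bad_pcr, forged_log, GOLDEN))
```

The third case is the point of anchoring in hardware: software can rewrite the event log, but it cannot rewind the register the Boot ROM started extending, so the two stop agreeing.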

Page 11

SUMMARY

Changes in the landscape are prompting changes on both sides, attackers and security layers.

Mobility & consumerisation of IT have led to many open/unsecured interfaces to the network which can be leveraged maliciously.

Clouds leading to interconnected storage allow for loopholes which may be exploited if not secured.

The largest share of issues stem from the lack of secure operating environments.

AMD is deploying TrustZone on some of its SoCs to build a stronger security foundation at the microprocessor level.

It is always easier to stem attacks at the Physical layer than at the Application Layer (OSI).

For the first time, a hardware-based mass-market solution will be available for Trusted Execution Environment based cybersecurity.

Page 12

DISCLAIMER & ATTRIBUTION

The information presented in this document is for informational purposes only and may contain technical inaccuracies, omissions and typographical errors.

The information contained herein is subject to change and may be rendered inaccurate for many reasons, including but not limited to product and roadmap changes, component and motherboard version changes, new model and/or product releases, product differences between differing manufacturers, software changes, BIOS flashes, firmware upgrades, or the like. AMD assumes no obligation to update or otherwise correct or revise this information. However, AMD reserves the right to revise this information and to make changes from time to time to the content hereof without obligation of AMD to notify any person of such revisions or changes.

AMD MAKES NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE CONTENTS HEREOF AND ASSUMES NO RESPONSIBILITY FOR ANY INACCURACIES, ERRORS OR OMISSIONS THAT MAY APPEAR IN THIS INFORMATION.

AMD SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE. IN NO EVENT WILL AMD BE LIABLE TO ANY PERSON FOR ANY DIRECT, INDIRECT, SPECIAL OR OTHER CONSEQUENTIAL DAMAGES ARISING FROM THE USE OF ANY INFORMATION CONTAINED HEREIN, EVEN IF AMD IS EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

ATTRIBUTION

© 2014 Advanced Micro Devices, Inc. All rights reserved. AMD, the AMD Arrow logo and combinations thereof are trademarks of Advanced Micro Devices, Inc. in the United States and/or other jurisdictions. SPEC is a registered trademark of the Standard Performance Evaluation Corporation (SPEC). Other names are for informational purposes only and may be trademarks of their respective owners.

Page 13

THANK YOU

Page 14

THANK YOU

ARVIND CHANDRASEKAR