AMD platform security processor

Presentation transcript:

AMD Platform Security Processor. Arvind Chandrasekar, Director – AMD

Security landscape – today in cyberspace
Unsecured objects: the weakest link.
India ranks high in the list of countries targeted. India is rated number 2 in attacks on mobile devices (Kaspersky report). The number of web sites being hacked is on the increase, driven by vested interests. Government-owned websites are specifically targeted.
Cross-border cyber attacks are on the rise. Military installations are now targeted directly due to the sensitive nature of the data available.
Increased usage of social media due to the young demographic workforce in the country.
Increasing usage of cloud for data storage by individuals and enterprises. Lower costs are driving storage on the interweb.
Weakness in the human element involved in the security loop. Lack of password control.

Today’s security challenges
Mobility (seamless client to cloud): more devices and data per person, centralized data repositories, subsidized platforms, controlled user experience, metering/licensing, consumer data protection.
Consumerization of IT (BYOD): personally owned devices employed in enterprise environments, protection of corporate information, address regulation and compliance requirements.
“A recent survey completed by Gartner indicates that CIOs fully expect to support up to three mobile operating systems by 2012 and that 20% of devices will be employee-owned by that year.” Source: http://softwarestrategiesblog.com/category/platform-as-a-service/

Today’s security challenges
Cloud computing (separation & transparency): multi-tenancy and lack of control, with Governance, Risk & Compliance driving separation technologies and the need for transparency and accountability in the cloud to support mission-critical workloads.
Advanced Persistent Threats (APTs): advanced and normally clandestine means to gain continual, persistent intelligence on an individual, or group of individuals such as a foreign nation state government.
Operation Aurora on Google; Stuxnet worm targeting Iranian nuclear sites; Night Dragon targeting energy companies; Flame targeting PCs in the Middle East.

Operation Aurora: On January 14, 2010 McAfee Labs identified a zero-day vulnerability in Microsoft Internet Explorer that was used as an entry point for Operation Aurora to exploit Google and at least 20 other companies. Microsoft has since issued a security bulletin and patch. Operation Aurora was a coordinated attack which included a piece of computer code that exploits the Microsoft Internet Explorer vulnerability to gain access to computer systems. This exploit is then extended to download and activate malware within the systems. The attack, which was initiated surreptitiously when targeted users accessed a malicious web page (likely because they believed it to be reputable), ultimately connected those computer systems to a remote server. That connection was used to steal company intellectual property and, according to Google, additionally gain access to user accounts.

Stuxnet: Stuxnet is a Windows computer worm discovered in July 2010 that targets industrial software and equipment. While it is not the first time that hackers have targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit. The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only Siemens Supervisory Control And Data Acquisition (SCADA) systems that are configured to control and monitor specific industrial processes. Stuxnet infects PLCs by subverting the Step-7 software application that is used to reprogram these devices. Different variants of Stuxnet targeted five Iranian organisations, with the probable target widely suspected to be uranium enrichment infrastructure in Iran; Symantec noted in August 2010 that 60% of the infected computers worldwide were in Iran. Siemens stated on November 29 that the worm has not caused any damage to its customers, but the Iran nuclear program, which uses embargoed Siemens equipment procured clandestinely, has been damaged by Stuxnet. Kaspersky Labs concluded that the sophisticated attack could only have been conducted "with nation-state support" and it has been speculated that Israel may have been involved.

Night Dragon: Starting in November 2009, coordinated covert and targeted cyberattacks have been conducted against global oil, energy, and petrochemical companies. These attacks have involved social engineering, spearphishing attacks, exploitation of Microsoft Windows operating systems vulnerabilities, Microsoft Active Directory compromises, and the use of remote administration tools (RATs) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations. We have identified the tools, techniques, and network activities used in these continuing attacks—which we have dubbed Night Dragon—as originating primarily in China.

Security starts in hardware
Security starts at the root of a system. Anything short of that allows an attacker to interpose the bootstrap process and enables BIOS/firmware viruses and other Advanced Persistent Threats (APTs). Security needs to be anchored within the hardware so that it cannot be circumvented.
Security needs to be an active and dynamic component of the system. Security functions change over time or per market segment (e.g. consumer, commercial or Cloud servers). You should be able to add security functions to your platform at manufacturing time, install time or even later.
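The root-of-trust argument on this slide, as an added example that is not part of the original presentation and is not AMD's implementation: a toy boot chain in which each stage checks the SHA-256 digest of the next stage before running it. The stage names, images and the `enforces` flag are constructed for illustration; the only thing that differs between the two implant scenarios is whether the first expected digest (the anchor) can be rewritten.

```python
import hashlib
from dataclasses import dataclass

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

@dataclass(frozen=True)
class Stage:
    name: str
    image: bytes
    next_digest: str = ""   # digest this stage expects of the stage it loads
    enforces: bool = True   # replaced code is free to skip the check

# Constructed sample images, listed in boot order.
IMAGES = [("firmware", b"firmware v1"),
          ("os-loader", b"os-loader v1"),
          ("kernel", b"kernel v1")]

def build_chain(images):
    """Link the stages so each one carries the digest of its successor."""
    stages, nxt = [], ""
    for name, image in reversed(images):
        stages.insert(0, Stage(name, image, nxt))
        nxt = digest(image)
    return stages

def boot(anchor, stages):
    """Walk the chain. `anchor` is the digest the root of trust expects
    for the first stage. Returns (booted, log)."""
    expected, verifier, check, log = anchor, "root-of-trust", True, []
    for stage in stages:
        if check and digest(stage.image) != expected:
            log.append(f"{verifier}: REJECT {stage.name}")
            return False, log
        state = "verified" if check else "UNVERIFIED"
        log.append(f"{verifier}: {state} {stage.name}")
        expected, verifier, check = stage.next_digest, stage.name, stage.enforces
    return True, log

def implant_firmware(stages):
    """Model a firmware implant: first stage replaced, checks disabled."""
    evil = Stage(stages[0].name, stages[0].image + b" + implant", enforces=False)
    return [evil] + stages[1:]

def scenarios():
    genuine = build_chain(IMAGES)
    rom_anchor = digest(genuine[0].image)      # fixed in hardware
    tampered = implant_firmware(genuine)
    rewritten = digest(tampered[0].image)      # anchor kept in writable storage
    return {
        "genuine chain": boot(rom_anchor, genuine),
        "implant, anchor in hardware": boot(rom_anchor, tampered),
        "implant, anchor rewritten": boot(rewritten, tampered),
    }

if __name__ == "__main__":
    for name, (ok, log) in scenarios().items():
        print(f"{name}: booted={ok}")
        for line in log:
            print("   ", line)
```

With a rewritable anchor the implanted first stage is reported as verified and every later check still passes, which is why the slide places the anchor in hardware.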

The security ecosystem today is fragmented
It is difficult for security ISVs to anchor their solutions in hardware. Partial solutions exist for different operating systems but depend on many complex layers. The hardware ecosystem is very fragmented, with many proprietary solutions. These proprietary solutions rarely allow ISV extensions. We need more flexible solutions …
In the transition, mention that such a solution exists in ARM’s TrustZone ecosystem but that it is constrained today to cell phone platforms and some tablets.

AMD adopting ARM TrustZone
Relationship between ARM & AMD: AMD is adding an ARM embedded microcontroller with ARM TrustZone technology to some of its SoCs as a security foundation. This is designed to provide a consistent security foundation that is beneficial for whole-system security and end-to-end protection across heterogeneous environments. Shared goal of promoting a hardware, software, and services ecosystem based on ARM TrustZone technology.
What does this mean for the industry? AMD and ARM together provide scale and breadth of products. Broad ecosystem based on adoption of TrustZone technology and open industry standards across all types of computing platforms.

The TrustZone ecosystem
The TrustZone ecosystem is based on open industry standards such as GlobalPlatform. Standard APIs to security services, certification programs, and protection profiles. Proven secure isolation kernels exist, such as those produced by Trusted Logic Mobility/Gemalto (now Trustonic). Enables ISVs to develop secure applications and be portable across a wide range of solutions. AMD’s security technology maintains portability, even at the application binary interface (ABI) level, for trusted applications.
Different security solutions for alternate segments. E.g., consumer: mobile payments, password vaults, anti-malware, content protection. E.g., commercial: asset protection, document control, bring-your-own-device protection.
Source: GlobalPlatform

AMD’s security feature roadmap
Labels on the slide: Core Security, Secure Platform Enablement, Deployment.
Today: Trusted Platform Module and Secure Kernel Initialization; virtualization extensions; 2nd gen. I/O virtualization; AES instructions.
2014: Platform Security Processor with fixed security functions introduction; cryptography acceleration for AES, RSA, ECC, SHA, TRNG; secure boot capabilities.
2015: Platform Security Processor enabled on all 2015 APUs; TrustZone ecosystem enablement; identity protection, anti-theft, etc. in hardware.
Each year, the APU will improve as these features come on line.

Platform Security Processor use cases
Platform security (foundational support): Trusted Execution Environment, secure boot, cryptographic acceleration, TPM functionality.
Client solutions enablement: 3rd party solutions, e.g., payments, anti-theft, identity management, data protection, anti-malware, content protection, bring-your-own-device.
End-to-end / client-to-cloud: 3rd party solutions, e.g., vertical solutions, policy enforcement, integrity monitoring, audit & asset management, virtual HSM.
[Diagram: Platform Security Processor HW; Boot ROM code (HW); security kernel; secure boot; TPM 2.0; crypto handlers; client-targeted solutions (e.g., mobile payments, data protection, identity mgmt., antimalware, content); end-to-end / client-to-cloud (e.g., policy enforcement, integrity monitoring, asset mgmt., virtual HSM). Layer labels: TEE Baseline, Platform Differentiation.]

Summary
Changes in the landscape are prompting changes on both sides, attackers and security layers. Mobility & consumerisation of IT have led to many open/unsecured interfaces to the network which can be leveraged maliciously. Clouds leading to interconnected storage allow for loopholes which may be exploited if not secured. The largest share of issues stems from the lack of secure operating environments. AMD is deploying TrustZone on some of its SoCs to build a stronger security foundation at a micro-processor level. It is always easier to stem attacks at the Physical layer than at the Application Layer (OSI). For the first time a hardware-based mass-market solution will be available for cybersecurity-based Trusted Execution Environments.

Disclaimer & Attribution The information presented in this document is for informational purposes only and may contain technical inaccuracies, omissions and typographical errors. The information contained herein is subject to change and may be rendered inaccurate for many reasons, including but not limited to product and roadmap changes, component and motherboard version changes, new model and/or product releases, product differences between differing manufacturers, software changes, BIOS flashes, firmware upgrades, or the like. AMD assumes no obligation to update or otherwise correct or revise this information. However, AMD reserves the right to revise this information and to make changes from time to time to the content hereof without obligation of AMD to notify any person of such revisions or changes. AMD MAKES NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE CONTENTS HEREOF AND ASSUMES NO RESPONSIBILITY FOR ANY INACCURACIES, ERRORS OR OMISSIONS THAT MAY APPEAR IN THIS INFORMATION. AMD SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE. IN NO EVENT WILL AMD BE LIABLE TO ANY PERSON FOR ANY DIRECT, INDIRECT, SPECIAL OR OTHER CONSEQUENTIAL DAMAGES ARISING FROM THE USE OF ANY INFORMATION CONTAINED HEREIN, EVEN IF AMD IS EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. ATTRIBUTION © 2014 Advanced Micro Devices, Inc. All rights reserved. AMD, the AMD Arrow logo and combinations thereof are trademarks of Advanced Micro Devices, Inc. in the United States and/or other jurisdictions. SPEC is a registered trademark of the Standard Performance Evaluation Corporation (SPEC). Other names are for informational purposes only and may be trademarks of their respective owners.

Thank you. Arvind Chandrasekar