Course source: TED

Ralph Langner: Cracking Stuxnet, a 21st-century cyber weapon

Speaker: Ralph Langner

Filmed March 2011, posted on TED March 2011

Translation: 洪曉慧

Editor: 朱學恆

Simplified/Traditional conversion: 洪曉慧

Post-production: 洪曉慧

Subtitled video post-production: 謝旻均

Why you should listen

Ralph Langner is the head of Langner, an independent cyber-security firm specialising in control systems: the electronic devices that monitor and regulate other equipment, such as production machinery. These devices are closely tied to the infrastructure that runs our cities and countries, which makes them an increasingly attractive target for a new and highly sophisticated form of cyber warfare. Since 2010, when the Stuxnet computer worm first appeared, Langner has thrown himself into that battlefield.

As one of those working to decode this mysterious program, Langner and his team analysed Stuxnet's data structures and identified what he believes to be its ultimate target: the control-system software running the centrifuges in nuclear facilities, specifically Iran's. Langner went further, identifying the likely source behind Stuxnet, and revealed that secret in his TED2011 talk.

Ralph Langner's English-language online resources

Website: Langner

The English original, as extracted by the system, follows.

About this talk

When first discovered in 2010, the Stuxnet computer worm posed a baffling puzzle. Beyond its unusually high level of sophistication loomed a more troubling mystery: its purpose. Ralph Langner and team helped crack the code that revealed this digital warhead's final target -- and its covert origins. In a fascinating look inside cyber-forensics, he explains how.

About Ralph Langner

Ralph Langner is a German control system security consultant. He has received worldwide recognition for his analysis of the Stuxnet malware.

Transcript

The idea behind the Stuxnet computer worm is actually quite simple. We don't want Iran to get the Bomb. Their major asset for developing nuclear weapons is the Natanz uranium enrichment facility. The gray boxes that you see, these are real-time control systems. Now if we manage to compromise these systems that control drive speeds and valves, we can actually cause a lot of problems with the centrifuge. The gray boxes don't run Windows software; they are a completely different technology. But if we manage to place a good Windows virus on a notebook that is used by a machines engineer to configure this gray box, then we are in business. And this is the plot behind Stuxnet.

So we start with a Windows dropper. The payload goes onto the gray box, damages the centrifuge, and the Iranian nuclear program is delayed -- mission accomplished. That's easy, huh? I want to tell you how we found that out. When we started our research on Stuxnet six months ago, it was completely unknown what the purpose of this thing was. The only thing that was known is very, very complex on the Windows part, the dropper part, used multiple zero-day vulnerabilities. And it seemed to want to do something with these gray boxes, these real-time control systems. So that got our attention, and we started a lab project where we infected our environment with Stuxnet and checked this thing out. And then some very funny things happened. Stuxnet behaved like a lab rat that didn't like our cheese -- sniffed, but didn't want to eat. Didn't make sense to me. And after we experimented with different flavors of cheese, I realized, well, this is a directed attack. It's completely directed. The dropper is prowling actively on the gray box if a specific configuration is found, and even if the actual program that it's trying to infect is actually running on that target. And if not, Stuxnet does nothing.

So that really got my attention, and we started to work on this nearly around the clock, because I thought, well, we don't know what the target is. It could be, let's say for example, a U.S. power plant, or a chemical plant in Germany. So we better find out what the target is soon. So we extracted and decompiled the attack code, and we discovered that it's structured in two digital bombs -- a smaller one and a bigger one. And we also saw that they are very professionally engineered by people who obviously had all insider information. They knew all the bits and bytes that they had to attack. They probably even know the shoe size of the operator. So they know everything.

And if you have heard that the dropper of Stuxnet is complex and high-tech, let me tell you this: the payload is rocket science. It's way above everything that we have ever seen before. Here you see a sample of this actual attack code. We are talking about -- round about 15,000 lines of code. Looks pretty much like old-style assembly language. And I want to tell you how we were able to make sense out of this code. So what we were looking for is first of all is system function calls, because we know what they do.

And then we were looking for timers and data structures and trying to relate them to the real world -- to potential real world targets. So we do need target theories that we can prove or disprove. In order to get target theories, we remember that it's definitely hardcore sabotage, it must be a high-value target, and it is most likely located in Iran, because that's where most of the infections had been reported. Now you don't find several thousand targets in that area. It basically boils down to the Bushehr nuclear power plant and to the Natanz fuel enrichment plant.

So I told my assistant, "Get me a list of all centrifuge and power plant experts from our client base." And I phoned them up and picked their brain in an effort to match their expertise with what we found in code and data. And that worked pretty well. So we were able to associate the small digital warhead with the rotor control. The rotor is that moving part within the centrifuge, that black object that you see. And if you manipulate the speed of this rotor, you are actually able to crack the rotor and eventually even have the centrifuge explode. What we also saw is that the goal of the attack was really to do it slowly and creepy -- obviously in an effort to drive maintenance engineers crazy, that they would not be able to figure this out quickly.

The big digital warhead -- we had a shot at this by looking very closely at data and data structures. So for example, the number 164 really stands out in that code; you can't overlook it. I started to research scientific literature on how these centrifuges are actually built in Natanz and found they are structured in what is called a cascade, and each cascade holds 164 centrifuges. So that made sense, it was a match.

And it even got better. These centrifuges in Iran are subdivided into 15, what is called, stages. And guess what we found in the attack code? An almost identical structure. So again, that was a real good match. And this gave us very high confidence for what we were looking at. Now don't get me wrong here, it didn't go like this. These results have been obtained over several weeks of really hard labor. And we often went into just a dead-end and had to recover.

Anyway, so we figured out that both digital warheads were actually aiming at one and the same target, but from different angles. The small warhead is taking one cascade, and spinning up the rotors and slowing them down, and the big warhead is talking to six cascades and manipulating valves. So in all, we are very confident that we have actually determined what the target is. It is Natanz, and it is only Natanz. So we don't have to worry that other targets might be hit by Stuxnet.

Here's some very cool stuff that we saw -- really knocked my socks off. Down there is the gray box, and on the top you see the centrifuges. Now what this thing does is it intercepts the input values from sensors -- so for example, from pressure sensors and vibration sensors -- and it provides legitimate code, which is still running during the attack, with fake input data. And as a matter of fact, this fake input data is actually prerecorded by Stuxnet. So it's just like from the Hollywood movies where during the heist, the observation camera is fed with prerecorded video. That's cool, huh?

The idea here is obviously not only to fool the operators in the control room. It actually is much more dangerous and aggressive. The idea is to circumvent a digital safety system. We need digital safety systems where a human operator could not act quick enough. So for example, in a power plant, when your big steam turbine gets too over speed, you must open relief valves within a millisecond. Obviously, this cannot be done by a human operator. So this is where we need digital safety systems. And when they are compromised, then real bad things can happen. Your plant can blow up. And neither your operators nor your safety system will notice it. That's scary.

But it gets worse. And this is very important, what I'm going to say. Think about this. This attack is generic. It doesn't have anything to do, in specifics, with centrifuges, with uranium enrichment. So it would work as well, for example, in a power plant or in an automobile factory. It is generic. And you don't have -- as an attacker -- you don't have to deliver this payload by a USB stick, as we saw it in the case of Stuxnet. You could also use conventional worm technology for spreading. Just spread it as wide as possible. And if you do that, what you end up with is a cyber weapon of mass destruction. That's the consequence that we have to face. So unfortunately, the biggest number of targets for such attacks are not in the Middle East. They're in the United States and Europe and in Japan. So all of the green areas, these are your target-rich environments. We have to face the consequences, and we better start to prepare right now.

Thanks.

(Applause)

Chris Anderson: I've got a question. Ralph, it's been quite widely reported that people assume that Mossad is the main entity behind this. Is that your opinion?

Ralph Langner: Okay, you really want to hear that? Yeah. Okay. My opinion is that the Mossad is involved, but that the leading force is not Israel. So the leading force behind that is the cyber superpower. There is only one, and that's the United States -- fortunately, fortunately. Because otherwise, our problems would even be bigger.

CA: Thank you for scaring the living daylights out of us. Thank you Ralph.

(Applause)
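The sensor replay the talk describes (prerecorded readings fed to legitimate monitoring code so that operators and digital safety systems see a normal process) suggests two defensive checks, shown here as an added example that is not from the talk or from Langner's company: flag a run of readings that recurs bit-for-bit, and compare controller-reported values against an independently wired sensor. The telemetry, units, window length and tolerance are constructed for illustration.

```python
"""Two checks for the sensor-value replay described in the talk: Stuxnet fed
monitoring code prerecorded readings so operators and safety logic saw a normal
process.  Added illustration; all telemetry below is constructed."""
import random
from typing import Optional, Sequence


def find_replayed_window(samples: Sequence[float], window: int) -> Optional[tuple]:
    """Return (first_start, repeat_start) for the first exact, non-overlapping
    repeat of `window` consecutive readings, or None.  Real analog sensors carry
    measurement noise, so a long run recurring bit-for-bit strongly suggests
    prerecorded values being played back (a perfectly flat signal trips it too)."""
    first_seen = {}
    for i in range(len(samples) - window + 1):
        key = tuple(samples[i:i + window])
        if key in first_seen and first_seen[key] + window <= i:
            return first_seen[key], i
        first_seen.setdefault(key, i)
    return None


def divergence(reported: Sequence[float], independent: Sequence[float],
               tolerance: float) -> list:
    """Indices where the controller-reported value disagrees by more than
    `tolerance` with an out-of-band reading from a sensor wired to a separate
    monitor.  A replayed stream cannot track the real process once the attack
    starts changing it."""
    return [i for i, (r, o) in enumerate(zip(reported, independent))
            if abs(r - o) > tolerance]


def constructed_telemetry(n=200, replay_from=120, recorded_len=30, seed=7):
    """Constructed pressure telemetry (hypothetical units, nominal 100.0).
    The real process is steady until `replay_from`, then drifts upward as the
    sabotage takes hold; the reported stream instead loops the first
    `recorded_len` samples, as a prerecorded replay would."""
    rng = random.Random(seed)
    real = []
    for i in range(n):
        drift = 0.0 if i < replay_from else 2.0 * (i - replay_from + 1)
        real.append(round(100.0 + drift + rng.uniform(-0.5, 0.5), 3))
    recorded = real[:recorded_len]
    reported = real[:replay_from] + [recorded[k % recorded_len]
                                     for k in range(n - replay_from)]
    return real, reported


if __name__ == "__main__":
    real, reported = constructed_telemetry()
    print(find_replayed_window(reported, 20), divergence(reported, real, 0.5)[0])
```

The replay check works on the controller's own telemetry alone; the divergence check needs a second sensor that the controller cannot influence, which is the point of keeping it on a separate path.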
Discussion of this course

Course discussion
The word "directed" could perhaps be translated as "指向的" or "導向的".
jerry1129, 2011-05-02 10:23:15
Course discussion
Damn! Blowing it up... aren't Iranian lives lives too?
Anonymous, 2011-05-02 08:57:18