Ralph Langner: Cracking Stuxnet, a 21st-century cyber weapon
===========
http://dotsub.com/view/919a6aa7-b5f0-4583-aba7-12e082a39b1c
--------------------------
The idea behind the Stuxnet computer worm is actually quite simple. We don't want Iran to get the Bomb. Their major asset for developing nuclear weapons is the Natanz uranium enrichment facility. The gray boxes that you see, these are real-time control systems. Now if we manage to compromise these systems that control drive speeds and valves, we can actually cause a lot of problems with the centrifuge. The gray boxes don't run Windows software; they are a completely different technology. But if we manage to place a good Windows virus on a notebook that is used by a machines engineer to configure this gray box, then we are in business. And this is the plot behind Stuxnet.

So we start with a Windows dropper. The payload goes onto the gray box, damages the centrifuge, and the Iranian nuclear program is delayed -- mission accomplished. That's easy, huh? I want to tell you how we found that out. When we started our research on Stuxnet six months ago, it was completely unknown what the purpose of this thing was. The only thing that was known is very, very complex on the Windows part, the dropper part, used multiple zero-day vulnerabilities. And it seemed to want to do something with these gray boxes, these real-time control systems. So that got our attention, and we started a lab project where we infected our environment with Stuxnet and checked this thing out. And then some very funny things happened. Stuxnet behaved like a lab rat that didn't like our cheese -- sniffed, but didn't want to eat. Didn't make sense to me. And after we experimented with different flavors of cheese, I realized, well, this is a directed attack. It's completely directed. The dropper is prowling actively on the gray box if a specific configuration is found, and even if the actual program that it's trying to infect is actually running on that target. And if not, Stuxnet does nothing.

So that really got my attention, and we started to work on this nearly around the clock, because I thought, well, we don't know what the target is. It could be, let's say for example, a U.S. power plant, or a chemical plant in Germany. So we better find out what the target is soon. So we extracted and decompiled the attack code, and we discovered that it's structured in two digital bombs -- a smaller one and a bigger one. And we also saw that they are very professionally engineered by people who obviously had all insider information. They knew all the bits and bytes that they had to attack. They probably even know the shoe size of the operator. So they know everything.

And if you have heard that the dropper of Stuxnet is complex and high-tech, let me tell you this: the payload is rocket science. It's way above everything that we have ever seen before. Here you see a sample of this actual attack code. We are talking about -- round about 15,000 lines of code. Looks pretty much like old-style assembly language. And I want to tell you how we were able to make sense out of this code. So what we were looking for is first of all is system function calls, because we know what they do.

And then we were looking for timers and data structures and trying to relate them to the real world -- to potential real world targets. So we do need target theories that we can prove or disprove. In order to get target theories, we remember that it's definitely hardcore sabotage, it must be a high-value target, and it is most likely located in Iran, because that's where most of the infections had been reported. Now you don't find several thousand targets in that area. It basically boils down to the Bushehr nuclear power plant and to the Natanz fuel enrichment plant.

So I told my assistant, "Get me a list of all centrifuge and power plant experts from our client base." And I phoned them up and picked their brain in an effort to match their expertise with what we found in code and data. And that worked pretty well. So we were able to associate the small digital warhead with the rotor control. The rotor is that moving part within the centrifuge, that black object that you see. And if you manipulate the speed of this rotor, you are actually able to crack the rotor and eventually even have the centrifuge explode. What we also saw is that the goal of the attack was really to do it slowly and creepy -- obviously in an effort to drive maintenance engineers crazy, that they would not be able to figure this out quickly.

The big digital warhead -- we had a shot at this by looking very closely at data and data structures. So for example, the number 164 really stands out in that code; you can't overlook it. I started to research scientific literature on how these centrifuges are actually built in Natanz and found they are structured in what is called a cascade, and each cascade holds 164 centrifuges. So that made sense, it was a match.

And it even got better. These centrifuges in Iran are subdivided into 15, what is called, stages. And guess what we found in the attack code? An almost identical structure. So again, that was a real good match. And this gave us very high confidence for what we were looking at. Now don't get me wrong here, it didn't go like this. These results have been obtained over several weeks of really hard labor. And we often went into just a dead-end and had to recover.

Anyway, so we figured out that both digital warheads were actually aiming at one and the same target, but from different angles. The small warhead is taking one cascade, and spinning up the rotors and slowing them down, and the big warhead is talking to six cascades and manipulating valves. So in all, we are very confident that we have actually determined what the target is. It is Natanz, and it is only Natanz. So we don't have to worry that other targets might be hit by Stuxnet.

Here's some very cool stuff that we saw -- really knocked my socks off. Down there is the gray box, and on the top you see the centrifuges. Now what this thing does is it intercepts the input values from sensors -- so for example, from pressure sensors and vibration sensors -- and it provides legitimate code, which is still running during the attack, with fake input data. And as a matter of fact, this fake input data is actually prerecorded by Stuxnet. So it's just like from the Hollywood movies where during the heist, the observation camera is fed with prerecorded video. That's cool, huh?

The idea here is obviously not only to fool the operators in the control room. It actually is much more dangerous and aggressive. The idea is to circumvent a digital safety system. We need digital safety systems where a human operator could not act quick enough. So for example, in a power plant, when your big steam turbine gets too over speed, you must open relief valves within a millisecond. Obviously, this cannot be done by a human operator. So this is where we need digital safety systems. And when they are compromised, then real bad things can happen. Your plant can blow up. And neither your operators nor your safety system will notice it. That's scary.

But it gets worse. And this is very important, what I'm going to say. Think about this. This attack is generic. It doesn't have anything to do, in specifics, with centrifuges, with uranium enrichment. So it would work as well, for example, in a power plant or in an automobile factory. It is generic. And you don't have -- as an attacker -- you don't have to deliver this payload by a USB stick, as we saw it in the case of Stuxnet. You could also use conventional worm technology for spreading. Just spread it as wide as possible. And if you do that, what you end up with is a cyber weapon of mass destruction. That's the consequence that we have to face. So unfortunately, the biggest number of targets for such attacks are not in the Middle East. They're in the United States and Europe and in Japan. So all of the green areas, these are your target-rich environments. We have to face the consequences, and we better start to prepare right now.

Thanks.

(Applause)

Chris Anderson: I've got a question. Ralph, it's been quite widely reported that people assume that Mossad is the main entity behind this. Is that your opinion?

Ralph Langner: Okay, you really want to hear that? Yeah. Okay. My opinion is that the Mossad is involved, but that the leading force is not Israel. So the leading force behind that is the cyber superpower. There is only one, and that's the United States -- fortunately, fortunately. Because otherwise, our problems would even be bigger.

CA: Thank you for scaring the living daylights out of us. Thank you Ralph.

(Applause)
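A defender-side check for the prerecorded sensor feed Langner describes, added here as an example that is not part of the talk: a monitor that flags a reported value stream which repeats a long window verbatim, or which no longer tracks the commanded rotor setpoint. The window size, the correlation threshold and the sample series are constructed assumptions.

```python
# Added example (not from the talk): two checks a monitoring system can run on
# the values a controller reports, to catch a looped recording of the kind
# Stuxnet fed to the legitimate control code. All sample data is constructed.

def find_repeated_window(samples, window):
    """Return (first, second) start indices if `window` consecutive samples
    recur verbatim later in the stream, else None. Real sensor noise makes an
    exact long repeat very unlikely, so a hit points to a looped recording."""
    seen = {}
    for i in range(len(samples) - window + 1):
        key = tuple(samples[i:i + window])
        if key in seen:
            return seen[key], i
        seen[key] = i
    return None

def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5

def tracks_setpoint(setpoints, reported, min_corr=0.9):
    """True if the reported speed follows the commanded setpoint. `min_corr` is
    an assumed threshold: near-zero correlation while the setpoint varies means
    the feedback is not coming from the physical process."""
    return pearson(setpoints, reported) >= min_corr

def assess(setpoints, reported, window=20):
    """Combine both checks into a verdict for one feedback channel."""
    repeat = find_repeated_window(reported, window)
    follows = tracks_setpoint(setpoints, reported)
    return {"repeated_window": repeat, "follows_setpoint": follows,
            "suspect": repeat is not None or not follows}

# Constructed data: a commanded rpm ramp, hand-made non-periodic noise, an
# honest feed that follows the ramp, and a 20-sample recording looped twice.
SETPOINTS = [1000 + 10 * i for i in range(40)]
NOISE = [0, 2, -1, 3, -2, 1, 0, -3, 2, 1, -1, 0, 3, -2, 1, 2, -1, 0, -2, 1]
HONEST = [s + NOISE[i % 20] for i, s in enumerate(SETPOINTS)]
REPLAYED = [1000 + n for n in NOISE] * 2
```

Calling `assess(SETPOINTS, HONEST)` yields no repeated window and a correlation near 1, while `assess(SETPOINTS, REPLAYED)` reports the window starting at 0 recurring at 20 and a correlation near 0, so the replayed feed is marked suspect.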
