Ralph Langner: Cracking Stuxnet, a 21st-century cyber weapon

310,465 views ・ 2011-03-29

TED


Translator: Felix Chen  Reviewer: Angelia King

00:15 The idea behind the Stuxnet computer worm is actually quite simple. We don't want Iran to get the bomb. Their major asset for developing nuclear weapons is the Natanz uranium enrichment facility. The gray boxes that you see, these are real-time control systems. Now if we manage to compromise these systems that control drive speeds and valves, we can actually cause a lot of problems with the centrifuge. The gray boxes don't run Windows software; they are a completely different technology. But if we manage to place a good Windows virus on a notebook that is used by a maintenance engineer to configure this gray box, then we are in business. And this is the plot behind Stuxnet. So we start with a Windows dropper. The payload goes onto the gray box, damages the centrifuge, and the Iranian nuclear program is delayed -- mission accomplished. That's easy, huh?

01:24 I want to tell you how we found that out. When we started our research on Stuxnet six months ago, it was completely unknown what the purpose of this thing was. The only thing that was known is it's very, very complex on the Windows part, the dropper part, used multiple zero-day vulnerabilities. And it seemed to want to do something with these gray boxes, these real-time control systems. So that got our attention, and we started a lab project where we infected our environment with Stuxnet and checked this thing out. And then some very funny things happened. Stuxnet behaved like a lab rat that didn't like our cheese -- sniffed, but didn't want to eat. Didn't make sense to me. And after we experimented with different flavors of cheese, I realized, well, this is a directed attack. It's completely directed. The dropper is prowling actively on the gray box if a specific configuration is found, and even if the actual program code that it's trying to infect is actually running on that target. And if not, Stuxnet does nothing.

02:34 So that really got my attention, and we started to work on this nearly around the clock, because I thought, "Well, we don't know what the target is. It could be, let's say for example, a U.S. power plant, or a chemical plant in Germany. So we better find out what the target is soon." So we extracted and decompiled the attack code, and we discovered that it's structured in two digital bombs -- a smaller one and a bigger one. And we also saw that they are very professionally engineered by people who obviously had all insider information. They knew all the bits and bytes that they had to attack. They probably even know the shoe size of the operator. So they know everything. And if you have heard that the dropper of Stuxnet is complex and high-tech, let me tell you this: the payload is rocket science. It's way above everything that we have ever seen before. Here you see a sample of this actual attack code. We are talking about -- around about 15,000 lines of code. Looks pretty much like old-style assembly language.

03:44 And I want to tell you how we were able to make sense out of this code. So what we were looking for is, first of all, system function calls, because we know what they do. And then we were looking for timers and data structures and trying to relate them to the real world -- to potential real world targets. So we do need target theories that we can prove or disprove. In order to get target theories, we remember that it's definitely hardcore sabotage, it must be a high-value target and it is most likely located in Iran, because that's where most of the infections had been reported. Now you don't find several thousand targets in that area. It basically boils down to the Bushehr nuclear power plant and to the Natanz fuel enrichment plant. So I told my assistant, "Get me a list of all centrifuge and power plant experts from our client base." And I phoned them up and picked their brain in an effort to match their expertise with what we found in code and data. And that worked pretty well.

04:45 So we were able to associate the small digital warhead with the rotor control. The rotor is that moving part within the centrifuge, that black object that you see. And if you manipulate the speed of this rotor, you are actually able to crack the rotor and eventually even have the centrifuge explode. What we also saw is that the goal of the attack was really to do it slowly and creepy -- obviously in an effort to drive maintenance engineers crazy, that they would not be able to figure this out quickly. The big digital warhead -- we had a shot at this by looking very closely at data and data structures. So for example, the number 164 really stands out in that code; you can't overlook it. I started to research scientific literature on how these centrifuges are actually built in Natanz and found they are structured in what is called a cascade, and each cascade holds 164 centrifuges. So that made sense, that was a match. And it even got better. These centrifuges in Iran are subdivided into 15, what is called, stages. And guess what we found in the attack code? An almost identical structure. So again, that was a real good match. And this gave us very high confidence for what we were looking at.

06:07 Now don't get me wrong here, it didn't go like this. These results have been obtained over several weeks of really hard labor. And we often went into just a dead end and had to recover. Anyway, so we figured out that both digital warheads were actually aiming at one and the same target, but from different angles. The small warhead is taking one cascade, and spinning up the rotors and slowing them down, and the big warhead is talking to six cascades and manipulating valves. So in all, we are very confident that we have actually determined what the target is. It is Natanz, and it is only Natanz. So we don't have to worry that other targets might be hit by Stuxnet.

06:54 Here's some very cool stuff that we saw -- really knocked my socks off. Down there is the gray box, and on the top you see the centrifuges. Now what this thing does is it intercepts the input values from sensors -- so for example, from pressure sensors and vibration sensors -- and it provides legitimate program code, which is still running during the attack, with fake input data. And as a matter of fact, this fake input data is actually prerecorded by Stuxnet. So it's just like from the Hollywood movies where during the heist, the observation camera is fed with prerecorded video. That's cool, huh?

07:35 The idea here is obviously not only to fool the operators in the control room. It actually is much more dangerous and aggressive. The idea is to circumvent a digital safety system. We need digital safety systems where a human operator could not act quick enough. So for example, in a power plant, when your big steam turbine gets into overspeed, you must open relief valves within a millisecond. Obviously, this cannot be done by a human operator. So this is where we need digital safety systems. And when they are compromised, then real bad things can happen. Your plant can blow up. And neither your operators nor your safety system will notice it. That's scary.

08:20 But it gets worse. And this is very important, what I'm going to say. Think about this: this attack is generic. It doesn't have anything to do, in specifics, with centrifuges, with uranium enrichment. So it would work as well, for example, in a power plant or in an automobile factory. It is generic. And you don't have -- as an attacker -- you don't have to deliver this payload by a USB stick, as we saw it in the case of Stuxnet. You could also use conventional worm technology for spreading. Just spread it as wide as possible. And if you do that, what you end up with is a cyber weapon of mass destruction. That's the consequence that we have to face. So unfortunately, the biggest number of targets for such attacks are not in the Middle East. They're in the United States and Europe and in Japan. So all of the green areas, these are your target-rich environments. We have to face the consequences, and we better start to prepare right now. Thanks.

09:43 (Applause)

09:49 Chris Anderson: I've got a question. Ralph, it's been quite widely reported that people assume that Mossad is the main entity behind this. Is that your opinion?

10:02 Ralph Langner: Okay, you really want to hear that? Yeah. Okay. My opinion is that the Mossad is involved, but that the leading force is not Israel. So the leading force behind that is the cyber superpower. There is only one, and that's the United States -- fortunately, fortunately. Because otherwise, our problems would even be bigger.

10:28 CA: Thank you for scaring the living daylights out of us. Thank you, Ralph.

10:32 (Applause)