Ralph Langner: Cracking Stuxnet, a 21st-century cyber weapon

310,465 views ・ 2011-03-29

TED



Translator: K. C. Peng   Reviewer: Crystal Tu
00:15 The idea behind the Stuxnet computer worm is actually quite simple. We don't want Iran to get the bomb. Their major asset for developing nuclear weapons is the Natanz uranium enrichment facility. The gray boxes that you see, these are real-time control systems. Now if we manage to compromise these systems that control drive speeds and valves, we can actually cause a lot of problems with the centrifuge. The gray boxes don't run Windows software; they are a completely different technology. But if we manage to place a good Windows virus on a notebook that is used by a maintenance engineer to configure this gray box, then we are in business. And this is the plot behind Stuxnet.

01:08 So we start with a Windows dropper. The payload goes onto the gray box, damages the centrifuge, and the Iranian nuclear program is delayed -- mission accomplished. That's easy, huh?

01:24 I want to tell you how we found that out. When we started our research on Stuxnet six months ago, it was completely unknown what the purpose of this thing was. The only thing that was known is it's very, very complex on the Windows part, the dropper part, used multiple zero-day vulnerabilities. And it seemed to want to do something with these gray boxes, these real-time control systems. So that got our attention, and we started a lab project where we infected our environment with Stuxnet and checked this thing out.

01:56 And then some very funny things happened. Stuxnet behaved like a lab rat that didn't like our cheese -- sniffed, but didn't want to eat. Didn't make sense to me. And after we experimented with different flavors of cheese, I realized, well, this is a directed attack. It's completely directed. The dropper is prowling actively on the gray box if a specific configuration is found, and even if the actual program code that it's trying to infect is actually running on that target. And if not, Stuxnet does nothing.

02:34 So that really got my attention, and we started to work on this nearly around the clock, because I thought, "Well, we don't know what the target is. It could be, let's say for example, a U.S. power plant, or a chemical plant in Germany. So we better find out what the target is soon."

02:52 So we extracted and decompiled the attack code, and we discovered that it's structured in two digital bombs -- a smaller one and a bigger one. And we also saw that they are very professionally engineered by people who obviously had all insider information. They knew all the bits and bytes that they had to attack. They probably even know the shoe size of the operator. So they know everything.

03:19 And if you have heard that the dropper of Stuxnet is complex and high-tech, let me tell you this: the payload is rocket science. It's way above everything that we have ever seen before. Here you see a sample of this actual attack code. We are talking about -- around about 15,000 lines of code. Looks pretty much like old-style assembly language.

03:44 And I want to tell you how we were able to make sense out of this code. So what we were looking for is, first of all, system function calls, because we know what they do. And then we were looking for timers and data structures and trying to relate them to the real world -- to potential real-world targets. So we do need target theories that we can prove or disprove.

04:07 In order to get target theories, we remember that it's definitely hardcore sabotage, it must be a high-value target and it is most likely located in Iran, because that's where most of the infections had been reported. Now you don't find several thousand targets in that area. It basically boils down to the Bushehr nuclear power plant and to the Natanz fuel enrichment plant.

04:31 So I told my assistant, "Get me a list of all centrifuge and power plant experts from our client base." And I phoned them up and picked their brains in an effort to match their expertise with what we found in code and data. And that worked pretty well.

04:45 So we were able to associate the small digital warhead with the rotor control. The rotor is that moving part within the centrifuge, that black object that you see. And if you manipulate the speed of this rotor, you are actually able to crack the rotor and eventually even have the centrifuge explode. What we also saw is that the goal of the attack was really to do it slowly and creepy -- obviously in an effort to drive maintenance engineers crazy, that they would not be able to figure this out quickly.

05:20 The big digital warhead -- we had a shot at this by looking very closely at data and data structures. So for example, the number 164 really stands out in that code; you can't overlook it. I started to research scientific literature on how these centrifuges are actually built in Natanz and found they are structured in what is called a cascade, and each cascade holds 164 centrifuges. So that made sense, that was a match.

05:49 And it even got better. These centrifuges in Iran are subdivided into 15, what is called, stages. And guess what we found in the attack code? An almost identical structure. So again, that was a real good match. And this gave us very high confidence for what we were looking at.

06:07 Now don't get me wrong here, it didn't go like this. These results have been obtained over several weeks of really hard labor. And we often went into just a dead end and had to recover.

06:21 Anyway, so we figured out that both digital warheads were actually aiming at one and the same target, but from different angles. The small warhead is taking one cascade, and spinning up the rotors and slowing them down, and the big warhead is talking to six cascades and manipulating valves. So in all, we are very confident that we have actually determined what the target is. It is Natanz, and it is only Natanz. So we don't have to worry that other targets might be hit by Stuxnet.

06:54 Here's some very cool stuff that we saw -- really knocked my socks off. Down there is the gray box, and on the top you see the centrifuges. Now what this thing does is it intercepts the input values from sensors -- so for example, from pressure sensors and vibration sensors -- and it provides legitimate program code, which is still running during the attack, with fake input data. And as a matter of fact, this fake input data is actually prerecorded by Stuxnet. So it's just like from the Hollywood movies where during the heist, the observation camera is fed with prerecorded video. That's cool, huh?

07:35 The idea here is obviously not only to fool the operators in the control room. It actually is much more dangerous and aggressive. The idea is to circumvent a digital safety system. We need digital safety systems where a human operator could not act quick enough. So for example, in a power plant, when your big steam turbine gets too over speed, you must open relief valves within a millisecond. Obviously, this cannot be done by a human operator. So this is where we need digital safety systems. And when they are compromised, then real bad things can happen. Your plant can blow up. And neither your operators nor your safety system will notice it. That's scary.

08:20 But it gets worse. And this is very important, what I'm going to say. Think about this: this attack is generic. It doesn't have anything to do, in specifics, with centrifuges, with uranium enrichment. So it would work as well, for example, in a power plant or in an automobile factory. It is generic. And you don't have -- as an attacker -- you don't have to deliver this payload by a USB stick, as we saw it in the case of Stuxnet. You could also use conventional worm technology for spreading. Just spread it as wide as possible. And if you do that, what you end up with is a cyber weapon of mass destruction. That's the consequence that we have to face.

09:19 So unfortunately, the biggest number of targets for such attacks are not in the Middle East. They're in the United States and Europe and in Japan. So all of the green areas, these are your target-rich environments. We have to face the consequences, and we better start to prepare right now. Thanks.

09:43 (Applause)

09:49 Chris Anderson: I've got a question. Ralph, it's been quite widely reported that people assume that Mossad is the main entity behind this. Is that your opinion?

10:02 Ralph Langner: Okay, you really want to hear that? Yeah. Okay. My opinion is that the Mossad is involved, but that the leading force is not Israel. So the leading force behind that is the cyber superpower. There is only one, and that's the United States -- fortunately, fortunately. Because otherwise, our problems would even be bigger.

10:28 CA: Thank you for scaring the living daylights out of us. Thank you, Ralph.

10:32 (Applause)