Upload
igor-korkin
View
300
Download
1
Tags:
Embed Size (px)
Citation preview
TWO CHALLENGES OF STEALTHY HYPERVISORS DETECTION:
TIME CHEATING & DATA FLUCTUATIONS
Igor Korkin
CDFSL 2015
Agenda
● Hypervisor (or HYP) as a security threat
● Ways of HYPs detection & their drawbacks
● Time-based detection methods
improvements & its challenges
Any PC can be compared with a big ship
*The Russian Nuclear Icebreaker "Yamal“ in the Arctic
Any PC can be compared with a big ship
User & kernel modes
Hypervisor
SMM
AMT
Firmware level
*The Russian Nuclear Icebreaker "Yamal“ in the Arctic
Plugged device
with infected chip
The existing places to plant the backdoor
User & kernel modes
(VMX non root mode)
Hypervisor
(VMX root mode)
System Management
Mode (SMM)
Active Management
Technology (AMT)
Firmware level
e.g. BADUSB, 2014
Own chip on the
motherboard
ADFSL 2014
ADFSL 2015
AMT keylogger by Stewin & Seifert,
2011
SMM keylogger by Wecherowski,
2009
GPU-based Keylogger by
Koromilas, 2013
What & where is a hypervisor?
Image source: http://pngimg.com/download/5932
What & where is a hypervisor?
AV
Image source: http://pngimg.com/download/5932
What & where is a hypervisor?
OPERATING SYSTEM
COMPUTER HARDWARE
AV
Image source: http://pngimg.com/download/5932
2005-now1990-2005
What & where is a hypervisor?
OPERATING SYSTEM
COMPUTER HARDWARE
OPERATING
SYSTEM
HYPERVISOR*
• VT-x• AMD-V
COMPUTER HARDWARE
AV
Image source: http://pngimg.com/download/5932
2005-now1990-2005
What & where is a hypervisor?
OPERATING SYSTEM
COMPUTER HARDWARE
OPERATING
SYSTEM
HYPERVISOR*
• VT-x• AMD-V
*Hypervisor (or HYP) is a code run by
CPU in a more privileged mode than OS
COMPUTER HARDWARE
AV
Image source: http://pngimg.com/download/5932
CPU without VT-xlow performance computers
CPU with VT-xhigh performance computers
Does your CPU support Hardware Virtualization?
Check on ark.intel.com or use CPU-Z
What computers support hardware virtualization?
Server
Workstation
LaptopNetbook &
Ultrabook
mini PC
tablet PC
VT-x
VT-x
VT-x
no
no
no
Five features of HYP & the area of its application
Features
1. HYP can control access to memory, HDD etc
2. Impossible to block or delete HYP by OS
3. There is no built-in tool for HYP detection4. HYP can prevent its detection = stealthy HYP
e.g. by using time cheating
5. HYP installs invisibly for both users & AVs
Areas
Five features of HYP & the area of its application
Features
1. HYP can control access to memory, HDD etc
2. Impossible to block or delete HYP by OS
3. There is no built-in tool for HYP detection4. HYP can prevent its detection = stealthy HYP
e.g. by using time cheating
5. HYP installs invisibly for both users & AVs
Areas
1 + 2 = for security
1 + 2 + 3 + 4 + 5 = for backdoor
Backdoor HYP can Ways to plant a HYP
Overview of a backdoor HYP facilities
● using OS
vulnerabilities to load
a driver-based HYP
● using BIOS-based
approach to infect a
motherboard
● record keystrokes
● steal all data
● block PC
Hardware
Hypervisor with secure system monitor functions
Backdoor hypervisor
Backdoor HYP & well-known examples
Loaded #2
Loaded #1
HYP example Author HYP is loaded by CPU
Blue Pill Invisible Things Lab Windows driver
Vitriol Matasano Security MAC OS driver
Russian Ghost M.Utin by DeepSec14 BIOS
Backdoor HYP & well-known examples
Loaded #2
Loaded #1
Hardware
Hypervisor with secure system monitor functions
Backdoor hypervisor
Analysis of hypervisor detection tools
Tool Detection method
Resi-lient?
Easy to distribute?
Hardware
Copilot 2004Signature based + ―
Deep Watch 2008
Software
Symantec EndPoint Protection 2012 Based on the
trusted HYP
― +McAfee Deep
Defender 2012
Actaeon 2013 Signature based
Proof of Concepts2008 - 2015
Behavior based & Time based
New proposal tool Time based + +
Tool Detection method
Resi-lient?
Easy to distribute?
Hardware
Copilot 2004Signature based + ―
Deep Watch 2008
Software
Symantec EndPoint Protection 2012 Based on the
trusted HYP
― +McAfee Deep
Defender 2012
Actaeon 2013 Signature based
Proof of Concepts2008 - 2015
Behavior based & Time based
New proposal tool Time based + +
Analysis of hypervisor detection tools
Tool Detection method
Resi-lient?
Easy to distribute?
Hardware
Copilot 2004Signature based + ―
Deep Watch 2008
Software
Symantec EndPoint Protection 2012 Based on the
trusted HYP
― +McAfee Deep
Defender 2012
Actaeon 2013 Signature based
Proof of Concepts2008 - 2015
Behavior based & Time based
New proposal tool Time based + +
Analysis of hypervisor detection tools
Tool Detection method
Resi-lient?
Easy to distribute?
Hardware
Copilot 2004Signature based + ―
Deep Watch 2008
Software
Symantec EndPoint Protection 2012 Based on the
trusted HYP
― +McAfee Deep
Defender 2012
Actaeon 2013 Signature based
Proof of Concepts2008 - 2015
Behavior based & Time based
New proposal tool Time based + +
Analysis of hypervisor detection tools
What are the principles of
these software detection
tools?
Hypervisor detection methods
Signature based
Behavior based
Based on the trusted HYP
Time based
Without HYP Non-stealthy HYP Stealthy HYP
Signature based detection
HYPcode
Physica lmemory
Physica lmemory
HYPcode
• HYP is loaded to memory
• We can detect a HYP using a
search in the mem dump
• HYP hides memory areas
• HYP prevents acquiring a real
memory dump from OS
Physica lmemory
Detection based on the trusted HYP
*McAfee Deep Defender Technical Evaluation and Best Practices Guide
The boot process with McAfee Deep Defender
Detection based on the trusted HYP
*McAfee Deep Defender Technical Evaluation and Best Practices Guide
The boot process with McAfee Deep DefenderWORM HYP
WORM HYP
Vulnerability:
• If worm HYP
is loaded first
it blocks Deep
Defender
• Exp. BIOS-
based HYP
Old CPU & HYP2007-2011
New CPU & HYPnowadays
Behavior based detection
Is OS Freezed?
VMSAVE 0x67
Yes
No
HYP is present
No HYP ? ? ?
? ? ?
Yes
No
VMSAVE 0x67 is a “bug” instruction presented by Barbosa in the 2007
There is no such “bug” instruction for new CPU
Time based detection
Operating System
event 1
event 2∆ 𝑡𝑡 2
timer
𝑡1
is small
Time based detection
Operating System Hypervisor
event 1
event 2
∆ 𝑡
VM Exit
VM Entry𝑡 2
timer
𝑡1
Dispatcher is significant
Time based detection
Operating System Hypervisor
event 1
event 2Dispatcher
Time cheating function
VM Entry
𝑡 2
timer
VM Exit
𝑡1
is small
∆ 𝑡
Drawbacks of HYP detection methods
Based on the trusted HYP
Behavior based
Signature based
Time based
Is good only for old CPU & HYPS
Vulnerable to hidden pages
Susceptible to MITM attack*
Vulnerable to time cheating
*MITM attack - man in the middle attack
Time based detection. Yesterday.
Time based
HYP detection
Using average
values (2007)
Time based detection. Today.
Timecheating(2008)
Time based
#1 How to detect a HYP
that applies time cheating?
Using average
values (2007)
Time based detection. Today & tomorrow
Timecheating(2008)
Using average
values (2007)
Usingstatistics
(CDFSL 2015)
HYP detection
Time based
#1 How to detect a HYP
that applies time cheating?
Operating System
Unconditionally
Intercepted
Instructions
event
Let's focus on the time-based detection by unconditionally intercepted
instructions
Our detection
program is execute
these instructions
Time based detection by Unconditionally Intercepted Instructions
Their execution is always trapped by HYP
e.g. CPUID instruction
How to detect
a HYP using
them?
Average
IET values
What are these?
1. T1 = get_time()
Instructions Execution
Time (IET) = T2 - T1
2. execute CPUIDs
3. T2 = get_time()
Time based detection by Unconditionally Intercepted Instructions
Their execution is always trapped by HYP
e.g. CPUID instruction
How to detect
a HYP using
them?
Average
IET values
What are these?
1. T1 = get_time()
Instructions Execution
Time (IET) = T2 - T1
2. execute CPUIDs
3. T2 = get_time()
Time based detection by Unconditionally Intercepted Instructions
Their execution is always trapped by HYP
e.g. CPUID instruction
How to detect
a HYP using
them?
Average
IET values
What are these?
* Lifebook E752 Core i5, Windows Live CD XP DDD
Non Stealthy
Without HYP ~2,000
With HYP ~20,000
1. T1 = get_time()
Instructions Execution
Time (IET) = T2 - T1
2. execute CPUIDs
3. T2 = get_time()
Time based detection by Unconditionally Intercepted Instructions
Non Stealthy Stealthy HYP
Without HYP ~2,000 ~2,000
With HYP ~20,000 ~2,000
Their execution is always trapped by HYP
e.g. CPUID instruction
!
How to detect
a HYP using
them?
What are these?
* Lifebook E752 Core i5, Windows Live CD XP DDD
Average
IET values
How do we want to detect a HYP?
What steps can be used
to detect a stealthy
hypervisor?
Preliminary stage
Detection
stage
What are the steps for time-based detection?
1. Load a clear PC without any HYP
2. Measure time for no HYP and for HYP present
3. Calculate *STAT* value (now it is average)
4. Achieve intervals for each of two cases:
5. Measure time & calculate *STAT* value
6. Check if *STAT* value is belongs to the intervals:
No HYP tiny HYP present *STAT*
*STAT* = ?
How to find the appropriate statistics?
What is happening to
the PC during time
measurements?
What is happening to the computer during time measurements?
Without HYP: OS SMM*
With HYP: OS HYP
SMM*
SMM ― System Management Mode, works lower than HYP & OS
SMM interrupts ― occur randomly & suspend PC for a short time
VMX transitions ― catch execution of every CPUID instruction
SMM interrupts
VMX transitions
SMM
OS HYP
SMM
Switching between CPU modes during time measurements of CPUID execution1. Without HYP:
2. With HYP:
OS SMM
Process of execution
CPUID instructions
● CPU works as a stochastic system
● SMM interrupts both OS & HYP
● IET indexes are increased after HYP is loaded:
Theoretic analysis of switches between modes
IET has a layered structure
Average
Number of layers
Variance & 4th order moment
IET is a random variable
● CPU works as a stochastic system
● SMM interrupts both OS & HYP
● IET indexes are increased after HYP is loaded:
Average Time-cheating by HYP
Number of layers Both are possible for
stealth HYP detectionVariance & 4th order moment
Theoretic analysis of switches between modes
IET has a layered structure
IET is a random variable
Let’s check these three ideas by
experiment
Scheme of the experiment1. Run a tiny HYP with time cheating
2. Measure IET by the own driver:
→ matrix 1000 x 10
Instruction Execution Time in CPU ticks*Number of outer loop interactions1 2 3 … 10
Number of
inner loop interactions
1 2004 2008 2048 … 2044
2 2000 2008 2048 … 2048
3 2012 2004 2048 … 2044
4 2008 2000 2048 … 2048
5 2008 2004 2044 … 2040
… … … … … …
1000 2008 2000 2040 … 2036
* without HYP, Lifebook E752 Core i5, Windows Live CD XP DDD
Analysis of the experimental results
1985
1995
2005
2015
2025
2035
1 20 39 58 77 961985
1995
2005
2015
2025
2035
1 20 39 58 77 96
Comparison of statistical indexes values
Are averages values the same?
No HYP Stealthy HYP Present
Analysis of the experimental results
1985
1995
2005
2015
2025
2035
1 20 39 58 77 961985
1995
2005
2015
2025
2035
1 20 39 58 77 96
Comparison of statistical indexes values
Yes, averages values are the same
Does IET have a layered nature?
No HYP Stealthy HYP Present
Analysis of the experimental results
1985
1995
2005
2015
2025
2035
1 20 39 58 77 961985
1995
2005
2015
2025
2035
1 20 39 58 77 96
Comparison of statistical indexes values
Yes, averages values are the same
Yes, IET has a layered nature
Is the number of layers increased?
Is the variance increased ?
No HYP Stealthy HYP Present
Analysis of the experimental results
1985
1995
2005
2015
2025
2035
1 20 39 58 77 961985
1995
2005
2015
2025
2035
1 20 39 58 77 96
Comparison of statistical indexes values
Yes, averages values are the same
Yes, IET has a layered nature
The number of layers is increased: 4 < 12
The variance is increased: 14 < 85
No HYP Stealthy HYP Present
Yeah! We’ve done it!
We’ve found the following “resilient” statistics:
● number of horizontal layers
● variance
● 4th order moment
𝑉=∑ (𝑥 𝑖−𝑋 )2
𝑛
𝑀 4=∑ (𝑥 𝑖− 𝑋 )4
𝑛
Let’s use statistical tests to complete samples
What statistical tests are
appropriate to compare
these samples?
But also IET has the following anomalies:
● IET samples include noise
● IET samples statistics fluctuate daily
● IET random variable is not normally distributed
Possible ways to compare the samples
Classical parametric tests Non-parametric tests● Student’s t-test● ANOVA & ANCOVA
Require normal distribution
● Wilcoxon test
Give bad approximation
Possible ways to compare the samples
Classical parametric tests Non-parametric tests● Student’s t-test● ANOVA & ANCOVA
Require normal distribution
● Wilcoxon test
Give bad approximation
Kornfeld (USSR’65) or Strellen (GER’01) method:
𝑐𝑜𝑛𝑓𝑖𝑑𝑒𝑛𝑐𝑒𝑖𝑛𝑡𝑒𝑟𝑣𝑎𝑙 : (𝑇𝑀𝐼𝑁 ,𝑇𝑀𝐴𝑋 )𝑐𝑜𝑛𝑓𝑖𝑑𝑒𝑛𝑐𝑒𝑙𝑒𝑣𝑒𝑙 :𝑃=1−0.5𝑛− 1
𝐿𝑒𝑡𝑇 1,𝑇 2 ,..𝑇𝑛 𝑖𝑠 𝑎 𝑠𝑎𝑚𝑝𝑙𝑒 , h𝑡 𝑒𝑟𝑒𝑓𝑜𝑟𝑒
1. Calculate variances for each matrixes of IET values:
V1 V2 .. V10
Calculate statistics & variation intervals
1 2 .. 10
1…
1000
1 2 .. 10
1…
1000
V1 V2 .. V10
2. The result:
No HYP HYP present
No HYP HYP present
1. Calculate variances for each matrixes of IET values:
V1 V2 .. V10
Calculate statistics & variation intervals
No HYP HYP present
Overlap too much
V
1 2 .. 10
1…
1000
1 2 .. 10
1…
1000
V1 V2 .. V10
2. The result: instability of statistics values
Data fluctuation: instability of statistics
What are the reasons for
the instability of statistics?
Reasons for the data instability or data fluctuations are outliers & jumps
2000
4000
6000
8000
10000
1 31 61 91 121 151
jump
outlier
2000
3000
4000
5000
6000
7000
8000
9000
10000
11000
1 11 21 31 41 51 61 71
outliers
2360
2370
2380
2390
2400
2410
2420
2430
1 11 21 31 41 51 61 71 81 91 101 111
low frequency values
𝑉=∑ ( 𝑋𝑖−𝑋 )2
𝑛
Variance is significantly
increased because of
outliers and jumps
Type of noise
Outlier, low frequency value Jump
TO DOLow frequency
filtration with 2-10%
How to overcome the negative influence of outliers & jumps
2000
3000
4000
5000
6000
7000
8000
9000
10000
1 10 19 28 37 46 55 64 73 82 91 100
VAR = 526,000
How to overcome the negative influence of outliers & jumps
2000
3000
4000
5000
6000
7000
8000
9000
10000
1 10 19 28 37 46 55 64 73 82 91 1002000
3000
4000
5000
6000
7000
8000
9000
1 10 19 28 37 46 55 64 73 82 91 100
VAR = 526,000 VAR = 93,000
without an outlier
Type of noise
Outlier, low frequency value Jump
TO DOLow frequency
filtration with 2-10%
How to overcome the negative influence of outliers & jumps
2000
3000
4000
5000
6000
7000
8000
9000
10000
1 10 19 28 37 46 55 64 73 82 91 1002000
3000
4000
5000
6000
7000
8000
9000
1 10 19 28 37 46 55 64 73 82 91 100
VAR = 526,000 VAR = 93,000
without an outlier
VAR = 123
without a jump
2000
2200
2400
2600
2800
3000
3200
3400
1 10 19 28 37 46 55 64 73 82 91 100
Type of noise
Outlier, low frequency value Jump
TO DOLow frequency
filtration with 2-10%
𝑉=𝑎
𝑎+𝑏∗𝑉 𝑎+
𝑏𝑎+𝑏
∗𝑉 𝑏
𝑎 𝑏
𝑉 𝑎 𝑉 𝑏
I decided to test these ideas &
try to detect a HYP every day
day #1
day #2
day #3
Obtain different statistical values on different days
No HYP HYP present
V
No HYP HYP presentV
No HYP HYP present
V
Obtain different statistical values on different days
day #1
day #2
day #3
No HYP HYP present
V
No HYP HYP presentV
No HYP HYP present
V
no appropriate threshold
Data fluctuation: lack of repeatability
How to overcome this
data fluctuation every day?
1. Two-step way to calculate statistics :
2. Repeat measurements within 10 days
1 2 .. 10
1…
1000
Overcoming the lack of repeatability
..
𝑉=𝑎𝑣𝑒𝑟𝑎𝑔𝑒 (𝑉 1 , .. ,𝑉 10 )
Step #1
Step #2 as new sample
Matrix of IET values:
No HYP tiny HYP presentAs a results: 𝑉
What can we do if variation intervals keep overlapping?
No HYP HYP present
V
- overlapping part𝐴 𝐵 𝛿
No HYP HYP present
V
→ repeat data acquisition & stats calculation
- overlapping part
Type errors Decision Reality Probability
I HYP is present no NYP
II no NYP HYP is present
𝐴 𝐵
What can we do if variation intervals keep overlapping?
𝛿
Threshold values calculation
1.
2. Calculate two-step way statistics after filtration
3. Choose threshold values so that the sum of
probability of type I and II errors comes to its min
Day #1
= 5+5
Day #2
= 5+5
Day #10
= 5+5
Matrices count
no HYP 50
tiny HYP 50
..
Example of threshold values
Statistics Filtration
level
Threshold values Type I error,
%
Type II error,
% No
HYP HYP is present
Number of layers 0 ≤ 7 ≥ 8 4 0
Variance 0 ≤ 14 ≥ 18 2 0
Moment 0.1 ≤ 679 ≥ 947 2 0
Intel Core 2 Duo E6300 + Windows 7 x32
How to detect stealthy hypervisors?
Step by step method:
Stages Stage description
Preliminary (calculate
thresholds)
1. Flash BIOS with a trusted image or firmware
2. Install OS
3. Get threshold values in case where no HYP is present
Operational (detect a
hypervisor)
4. Check in a loop if a hypervisor is present
5. Install Office etc
6. Monitor messages about a hypervisor presence
7. Go to step 3 to adapt the tool to new legitimate HYP
How to detect stealthy hypervisors?
Stages Stage description
Preliminary
1. Flash BIOS with a trusted image or firmware
2. Install OS
3. Get threshold values in case where no HYP is present
Operational (detection)
4. Check in a loop if a hypervisor is present
5. Install Office etc
6. Monitor messages about a hypervisor presence
7. Go to step 3 to adapt the tool to new legitimate HYP
How to detect stealthy hypervisors?
Image sources: wikipedia.org/wiki/BIOS batronix.com/versand/programmiergeraete/BX32P/index.html http://myonsitetech.ca/images/image/SoftwareUpgrade.png
Stages Stage description
Preliminary (calculate
thresholds)
1. Guarantee the absence of a HYP by checking
a scatter plot (coming soon)
2. Get threshold values in case where no HYP is present
Operational (detect a
hypervisor)
3. Check in a loop if a hypervisor is present
4. Install Office etc
5. Monitor messages about a hypervisor presence
6. Go to step 3 to adapt the tool to new legitimate HYP
How to detect stealthy hypervisors?
Detection: architecture & source code
Source code components Details
Windows x32 drivers & their config tools
Visual Studio & WDK, C++ asm
Matlab
http://github.com/IgorKorkin/HypervisorsDetection
Preliminary (calculate
thresholds)
Operational (detect a HYP)
Tiny HYP Measure IET
Calc stats & get
Calc stats & compare with thresholds
thresholds
Tiny HYP
Measure IET
Calc stats & get thresholds
Positive results on different PCs & HYPs
HYP title HYP authors & details CPU
Driver
Only 1 tiny HYP tested on 5 PCs
2 nested HYPs=
ADD* + tiny HYP
ADD is loaded first,
the tiny HYP is above it
BIOS
TRace EXplorer
(TREX)
A.Tichonov &
A.Avetisyan (ISP RAS)
Russian Ghost A.Lutsenko aka R_T_T
ADD ― Acronis Disk Director for Windows x86
Is run by
List of challenges
Challenges How to achieve
Stealthy HYP cheats time
Use variability indexes of IET
Data fluctuation: jumps & outliers
Lack of repeatability
Apply filtration & two-step way statistics
Repeat measurements
within 10 days
IET is not normally distributed & no HOV
Use Kornfeld method
And also:
Hardware
Hypervisor with secure system monitor functions
Rootkit hypervisor
“Statistical ruler” detects stealthy HYPs
- the detection tool is running in the background
Next steps
● Collaborate with security research
companies
● Publish 2 papers in the next 2 years
● Apply for an academic research position
ADDITIONAL SLIDES
Details of type I and II errors1. Definition of type I and II errors:
2. How to calculate them?
Reality situation
No HYP HYP present
Our decision
No HYP “true” type II
HYP present type I “true”
No HYP HYP present
- overlapping part
Type I error
Type II error
𝛿𝑛𝑜𝐻𝑌𝑃𝐻𝑌𝑃
Analysis of methods to compare samples
Student t-test(parametric stats)
Kornfeld method(non parametric stats)
1. Requirements to input samples
Normal distributionHomogeneity of variances
No requirements
2. Choosing the corresponding confidence level
95% or 99% see t-table
3. Calculating the confidence interval for random variable
, -sample variance
Min-max confidence interval method byStrelen’04 or Kornfeld’65
- are result of measuring random variable
The confidence interval for is
where
with the confidence level
In other words this is the probability of .
Analysis of sample comparison methods
*J.Ch. Strelen, Median confidence intervals. In E.J.H. Kerckhoffs and M. Snorek, editors, Modelling and Simulation 2001 - Proc. of the ESM2001, pages 771-775. The SCS Publishing House, Erlangen, 2001 http://web.informatik.uni-bonn.de/IV/strelen/Forschung/Publikationen/ESM2001.pdf
**Kornfeld, M. (1965, March). Accuracy and Reliability of a Simple Experiment. (in Russian) 85 (3), Number UFN 85 533–542, 533-542, Retrieved on October 12, 2014, from http://ufn.ru/ufn65/ufn65_3/Russian/r653e.pdf
1. Kornfeld method (USSR 1965)
2. Strelen method (Germany 2001)
1. Let’s arrange the set in order of increasing values
2. Therefore the probability
3. Therefore the probability of the complement event:
4. In other words the probability of the fact that
is
Details of Time-based detection
__asm{RDTSCMOV hst, EDXMOV lst, EAXCPUID // 1
RDTSCMOV hfin, EDXMOV lfin, EAX}save_time(...)
tRDTSC-1
tRDTSC-2
tCPUID-1
TSC
read_tsc(time)time = time – Delta
write_tsc(time)
OS Hypervisor
VM exit
time = tVMM
time = (tVMM – Delta ) ≈ tCPUID-1
VM Entry
System Management mode:what are the reasons of SMI?
Maintenance mode:– Used for efficient power management.– Run specific proprietary code.
SMI
SMI
SMI
SMI
RSM instruction
SMM
Back to calling context
Assert a “System Management Interrupt” (SMI) from any other mode:
Thermal Sensor
Century Rollover
RTC AlarmTCO, USB
● WinDbg and VMWare to debug only a HYP driver
● hardware emulators: Bochs, AMD SimNow etc
● debug output by DbgPrint & DbgView
● COM port:
● debug card
The possible ways to debug a HYP
Special thanks to
● Peter Prokoptsev, scientist
● Iwan Nesterov, programmer
● Andrey Chechulin, scientist
● Alexander Nikonov, portfolio manager
● Ben Stein, teacher of English
● Alexey Nesterenko, teacher of English
● Natalia Korkina, teacher of English
Igor Korkin, Ph.D.