1
00:00:00,000 --> 00:00:09,534
preroll music
2
00:00:09,534 --> 00:00:15,929
Herald: North Korea; not only famous for chocolate
but for being a surveillance state
3
00:00:15,929 --> 00:00:22,289
And as a good surveillance state,
it has to have its own operation system.
4
00:00:22,289 --> 00:00:27,710
Because how will you do proper surveillance
without your own operation system?
5
00:00:27,710 --> 00:00:35,550
Today, we get a brief introduction
how Red Star OS is working.
6
00:00:35,550 --> 00:00:38,910
The introduction will have a specific
focus on the custom code
7
00:00:38,910 --> 00:00:45,350
which was inserted for surveillance,
and especially how to get around it.
8
00:00:45,350 --> 00:00:52,420
So please welcome Florian and Niklaus
with a big round of applause.
9
00:00:52,420 --> 00:01:00,600
Applause
10
00:01:00,600 --> 00:01:03,230
Florian Grunow: Hey everybody,
thanks for having us.
11
00:01:03,230 --> 00:01:08,070
We are going to give you a deep
dive into Red Star OS.
12
00:01:08,070 --> 00:01:12,070
Actually, we were kind of surprised that
there is not so much information
13
00:01:12,070 --> 00:01:17,850
on the net about really the core of Red
Star and what is it doing.
14
00:01:17,850 --> 00:01:22,310
So we thought we would change this,
and give you an insight in how
15
00:01:22,310 --> 00:01:26,500
this Operating System works,
and by looking into the technical aspects
16
00:01:26,500 --> 00:01:33,700
of Red Star you can also draw conclusions
about how development in North Korea
17
00:01:33,700 --> 00:01:38,200
is evolving and is, maybe, catching up.
18
00:01:38,200 --> 00:01:42,390
So what we're going to talk about is:
First of all, a short introduction
19
00:01:42,390 --> 00:01:45,630
into the motivation; why are we doing
this? We are going through
20
00:01:45,630 --> 00:01:49,720
the architecture of Red Star; we are going
to show you the components in the core
21
00:01:49,720 --> 00:01:53,640
in the operating system itself; and then
we will take a deep dive into
22
00:01:53,640 --> 00:01:57,440
the additional components, all of the
programs that are coming from North Korea
23
00:01:57,440 --> 00:02:01,470
and are supplied with the ISO
of Red Star OS.
24
00:02:01,470 --> 00:02:06,500
After that, we are going to give you a
deep dive into the most interesting features
25
00:02:06,500 --> 00:02:13,290
of Red Star OS; and then we will be able
to draw our own conclusions;
26
00:02:13,290 --> 00:02:16,069
and afterwards we will have time
for questions, we hope.
27
00:02:16,069 --> 00:02:21,459
By the way, this picture on the left you
can see here is actually one of the--
28
00:02:21,459 --> 00:02:28,579
I think it's the screensaver right from
Red Star OS. Laughter So, um, yeah.
29
00:02:28,579 --> 00:02:32,849
So before we begin, we need to
do this disclaimer:
30
00:02:32,849 --> 00:02:37,959
For your information we have never visited
DPRK, we have never been to North Korea.
31
00:02:37,959 --> 00:02:41,549
All we know about North Korea is from
public sources, from the internet,
32
00:02:41,549 --> 00:02:47,450
from media, whatever. So what we are
going to say about North Korea
33
00:02:47,450 --> 00:02:52,590
has to be speculation because we don't
know exactly what happens in North Korea.
34
00:02:52,590 --> 00:02:58,370
Also, the ISOs that we have been analysing
are found publicly available on
35
00:02:58,370 --> 00:03:02,499
the internet, [and] may be fake. We don't
think that they are fake because
36
00:03:02,499 --> 00:03:09,340
Will Scott has shown last year on the 31C3
how Red Star looks, and everything that
37
00:03:09,340 --> 00:03:15,719
he has been showing is basically in the
ISO, so we think it is legit.
38
00:03:15,719 --> 00:03:20,840
Remember that we are not going to make fun
of anybody in this talk. We are not going
39
00:03:20,840 --> 00:03:24,319
to make fun of the developers, and we are
certainly not going to make fun of
40
00:03:24,319 --> 00:03:30,040
the people in the DPRK, because we think
that our presentation might have some
41
00:03:30,040 --> 00:03:36,120
funny aspects or something that makes
you laugh - which is perfectly fine - but
42
00:03:36,120 --> 00:03:41,889
looking at Red Star in detail is kind of a
surveillance mess, I would say, and
43
00:03:41,889 --> 00:03:48,449
it's a security or privacy nightmare.
So keep these aspects in mind.
44
00:03:48,449 --> 00:03:51,849
Also, this talk is not going to focus
about security. We're not going to talk
45
00:03:51,849 --> 00:03:56,010
about security. Many of the publications
available on the internet are
46
00:03:56,010 --> 00:04:00,290
about security, and we're not going to
focus on this in this presentation.
47
00:04:00,290 --> 00:04:06,849
So, why are we doing this? Red Star ISOs
have been leaked some time ago; there is
48
00:04:06,849 --> 00:04:12,290
a version 2 hanging around the internet
and there is obviously a version 3.0
49
00:04:12,290 --> 00:04:17,099
which has been leaked at the end of 2014,
and we were quite surprised at the middle
50
00:04:17,099 --> 00:04:20,459
of the year that there is no in-depth
analysis of this operating system.
51
00:04:20,459 --> 00:04:25,080
So most of the blogs and news articles are
quite superficial that you can find out there,
52
00:04:25,080 --> 00:04:31,370
and this is kind of surprising because
if there is some kind of state that
53
00:04:31,370 --> 00:04:35,680
doesn't put focus on transparency and free
speech, and they are putting out an
54
00:04:35,680 --> 00:04:41,419
operating system, you kind of want to know
how do they build their operating system.
55
00:04:41,419 --> 00:04:46,349
So that was one of the major aspects for
us to look into it. The other aspect was
56
00:04:46,349 --> 00:04:50,580
to find out how is the state of
software development in DPRK;
57
00:04:50,580 --> 00:04:58,519
how are they developing software? Do they
have a well-thought architecture;
58
00:04:58,519 --> 00:05:04,229
are they thinking about what they are
doing? How is the skill level of software
59
00:05:04,229 --> 00:05:08,669
development in North Korea?
So these were the two aspects that
60
00:05:08,669 --> 00:05:10,370
we wanted to find out.
61
00:05:10,370 --> 00:05:15,189
So if you look at previous work, as I said
there is mostly superficial stuff.
62
00:05:15,189 --> 00:05:22,659
There is some information that Red Star OS
actually looks like Mac OSX, and we will
63
00:05:22,659 --> 00:05:27,129
go into this a little bit further.
Then we have this talk from Will Scott
64
00:05:27,129 --> 00:05:31,439
last year at 31C3, who was talking about
Computer Science in DPRK which was
65
00:05:31,439 --> 00:05:37,159
very very interesting, and gave a pretty good
insight into what's happening in DPRK.
66
00:05:37,159 --> 00:05:44,349
And then we have a bunch of guys who
looked into the browser of Red Star,
67
00:05:44,349 --> 00:05:46,319
which is also quite interesting.
68
00:05:46,319 --> 00:05:53,310
So what we are going to do now is--
I'm going to show you the custom basic
69
00:05:53,310 --> 00:05:58,180
components; I'm going to talk a little bit
about integrity on the system; then I will
70
00:05:58,180 --> 00:06:04,610
hand over to Niklaus who will be looking
into the core and surveillance features;
71
00:06:04,610 --> 00:06:08,319
and then as I said, we will have time
for questions afterwards.
72
00:06:08,319 --> 00:06:13,340
So there are different leaked versions out
there, as I said. We have a desktop and
73
00:06:13,340 --> 00:06:19,319
a server version of Red Star, so you can
also use Red Star as a server, and it
74
00:06:19,319 --> 00:06:23,430
turns out that server version 3 is
actually used on the internet right now.
75
00:06:23,430 --> 00:06:28,520
As you can see, there is a server
header returned: "Red Star 3.0"
76
00:06:28,520 --> 00:06:32,750
This is an IP address of the server, and
it is pointing into North Korea.
77
00:06:32,750 --> 00:06:37,379
So this is one of the few web sites that
is publicly facing the internet from
78
00:06:37,379 --> 00:06:44,259
North Korea, and they are obviously using
the server version 3.0. So 3.0 might
79
00:06:44,259 --> 00:06:48,500
actually be the latest version.
There is another version, it's 2.0,
80
00:06:48,500 --> 00:06:53,550
which has also been leaked to the internet,
and then there is supposedly something
81
00:06:53,550 --> 00:07:02,139
that looks like 2.5; we have found some
South Korean documents that seem to be
82
00:07:02,139 --> 00:07:08,909
analysing the system quite superficially,
and it looks like 2.5 actually resembles
83
00:07:08,909 --> 00:07:14,139
the look and feel of Windows XP. So you
kind of see this evolution right now from
84
00:07:14,139 --> 00:07:19,319
2.5 XP going to 3.0 mimicking Mac OSX.
85
00:07:19,319 --> 00:07:24,499
Our talk will focus on the
desktop version which is desktop 3.0
86
00:07:24,499 --> 00:07:28,770
If you look at the timeline, which is
a guess - there's no documentation available
87
00:07:28,770 --> 00:07:35,400
on how they did it, obviously - if you
look at the 3.0 version you see that it is
88
00:07:35,400 --> 00:07:41,780
based on Fedora 11 which came out in 2009.
So our guess is they started developing 3.0
89
00:07:41,780 --> 00:07:48,029
in 2009 with this Fedora 11 release.
The kernel that they are using is 2.6.38
90
00:07:48,029 --> 00:07:55,840
which came out with Fedora 15 in 2011.
So it could be that the OS itself is
91
00:07:55,840 --> 00:08:00,759
a little bit older, the kernel is a little
bit newer, and the latest package build
92
00:08:00,759 --> 00:08:05,150
dates that you can see in
Red Star OS date to June 2013.
93
00:08:05,150 --> 00:08:11,789
So our educated guess is that Red Star
came out in June 2013 or a little bit later,
94
00:08:11,789 --> 00:08:13,939
a few weeks later or months later.
95
00:08:13,939 --> 00:08:18,219
In December 2014 we had the public leak,
so the ISOs have been leaked to the internet
96
00:08:18,219 --> 00:08:21,479
and are publicly available right now.
97
00:08:21,479 --> 00:08:26,449
If you look into the operating system,
it's basically a fully-featured desktop system
98
00:08:26,449 --> 00:08:31,150
you might imagine. It's based on KDE
and Fedora as I already said, and it tries
99
00:08:31,150 --> 00:08:36,230
to mimic the look and feel of Mac OSX.
You have an e-mail client, a calendar,
100
00:08:36,230 --> 00:08:41,260
a word processor, you've got Quicktime and
all of that stuff. You even have a disk
101
00:08:41,260 --> 00:08:45,850
encryption utility that Will Scott
has shown last year.
102
00:08:45,850 --> 00:08:51,630
They implemented additional kernel modules
and they touched a lot of kernel modules.
103
00:08:51,630 --> 00:08:55,180
They have this kernel module "rtscan"
which Niklaus is going to say a little bit
104
00:08:55,180 --> 00:09:00,120
more about, they have this kernel module
called "pilsung" - I was told this
105
00:09:00,120 --> 00:09:05,210
means "victory" in Korean - and that
kind of is a kernel module that supplies
106
00:09:05,210 --> 00:09:12,280
AES encryption. So they implemented an own
kernel module to supply something like AES.
107
00:09:12,280 --> 00:09:16,290
Then there is a kernel module called "kdm"
which is the Korean Display Module,
108
00:09:16,290 --> 00:09:20,960
and "kimm"-- muffled laughter
--which is not what it's like--
109
00:09:20,960 --> 00:09:24,800
it's not looking-- laughter
Well, I'll just go on.
110
00:09:24,800 --> 00:09:31,130
It basically just does something with
Korean letters and displaying Korean
111
00:09:31,130 --> 00:09:35,250
letters on the screen.
112
00:09:35,250 --> 00:09:39,710
Red Star has been developed by the KCC,
the Korean Computer Centre.
113
00:09:39,710 --> 00:09:46,720
It's quite interesting that since a few
years ago they had an office in Berlin.
114
00:09:46,720 --> 00:09:50,750
I don't know what they did there, but
they obviously had an office in Berlin
115
00:09:50,750 --> 00:09:55,320
maybe for knowledge sharing, whatever.
If you look at the system hardening,
116
00:09:55,320 --> 00:09:58,480
it's quite interesting that they
took care of system hardening.
117
00:09:58,480 --> 00:10:02,780
So they implemented SELinux rules with
custom modules, they have IP tables
118
00:10:02,780 --> 00:10:06,860
rolled out immediately so you don't have
to activate it or put your rules into it;
119
00:10:06,860 --> 00:10:11,640
the firewall is working. They even have
Snort installed on the system.
120
00:10:11,640 --> 00:10:16,290
It's not running by default but they are
kind of delivering it by default, and they
121
00:10:16,290 --> 00:10:21,590
have a lot of custom services that we are
going to look into right now.
122
00:10:21,590 --> 00:10:25,880
Quite interesting is-- so why should
North Korea mimic Mac OSX?
123
00:10:25,880 --> 00:10:30,150
That might be one reason right there:
because this young fella sitting on the left
124
00:10:30,150 --> 00:10:35,900
is actually using an iMac right here.
So this is one reason.
125
00:10:35,900 --> 00:10:40,700
So why should they implement their own
operating system? There actually are
126
00:10:40,700 --> 00:10:48,210
so-called anthologies put out by the leader,
and one anthology by Kim Jong-il says that
127
00:10:48,210 --> 00:10:54,220
- if you translate it correctly, and we
try to - "in the process of programming,
128
00:10:54,220 --> 00:10:59,290
it is important to develop one in our own
style," and with "one" he means programs
129
00:10:59,290 --> 00:11:05,990
and operating systems. So there is this
clear guidance that North Korea should not
130
00:11:05,990 --> 00:11:11,620
rely on third-party Western operating
system and programs, they should
131
00:11:11,620 --> 00:11:15,290
develop this stuff on their own.
And by looking at the code and everything
132
00:11:15,290 --> 00:11:19,470
that we have by Red Star OS, this is
exactly what they did. They touched
133
00:11:19,470 --> 00:11:24,260
nearly everything on the operating system,
changed it a little bit, added custom code
134
00:11:24,260 --> 00:11:28,710
and so this is actually what they
are doing right there.
135
00:11:28,710 --> 00:11:34,060
The custom applications that you have is
a browser, which translates to "my country."
136
00:11:34,060 --> 00:11:40,470
You also have a crypto tool that Will Scott
has shown last year which is called Bokem
137
00:11:40,470 --> 00:11:44,230
which if you translate it kind of
translates to "sword."
138
00:11:44,230 --> 00:11:49,780
You have Sogwang Office which is an
OpenOffice customised for North Korean use.
139
00:11:49,780 --> 00:11:53,920
A software manager; you have MusicScore
which is an application you can compose
140
00:11:53,920 --> 00:11:59,270
music with. Then you have a program which
is called "rootsetting" and it basically
141
00:11:59,270 --> 00:12:03,520
gives you root. So if you look into the
documentation, it says you are not
142
00:12:03,520 --> 00:12:07,520
supposed to have root on the system for
integrity reasons, but if you want to get
143
00:12:07,520 --> 00:12:12,940
root you can use this tool, so they're not
hiding anything. So there are rumours
144
00:12:12,940 --> 00:12:16,110
on the net that say that you're not
supposed to get root on the system
145
00:12:16,110 --> 00:12:21,370
because it's so locked down. This is not
true obviously because there is software
146
00:12:21,370 --> 00:12:24,140
intended to give you administrative privileges.
147
00:12:24,140 --> 00:12:30,240
They even touched KDM, so the code base
that they touched is really, really big.
148
00:12:30,240 --> 00:12:32,760
Nearly the whole operating system.
149
00:12:32,760 --> 00:12:38,250
We are now going to give you a demo.
The first demo that we are doing, we are
150
00:12:38,250 --> 00:12:42,390
doing it right now, because we are
actually doing this presentation
151
00:12:42,390 --> 00:12:55,080
in Red Star OS.
Laughter and applause
152
00:12:55,080 --> 00:12:58,990
So what you see right here is basically
Red Star OS. We're going to show
153
00:12:58,990 --> 00:13:03,480
some of the aspects to you. There are many many
screenshots on the internet, some of you might already
154
00:13:03,480 --> 00:13:06,980
know how Red Star works, you might have
experience yourself.
155
00:13:06,980 --> 00:13:09,600
We're just going over a few interesting issues.
156
00:13:09,600 --> 00:13:16,110
So as you have seen, there is a full-blown
set of word processing, Powerpoint
157
00:13:16,110 --> 00:13:22,150
presentation stuff. I'm going to open up
the browser-- pfft, whatever. Laughter
158
00:13:22,150 --> 00:13:31,240
--and going into the preferences just to
give you a quick-- no. Muted laughter
159
00:13:31,240 --> 00:13:38,580
Oh. Laughter Yeah, to give you an insight
on the Certificate Authorities that are
160
00:13:38,580 --> 00:13:43,720
implemented in this Firefox version - it's
Firefox 3 - so you see there is not so many
161
00:13:43,720 --> 00:13:50,740
Certificate Authorities right here, and
they all are I guess from North Korea.
162
00:13:50,740 --> 00:13:55,780
So the browser is totally created to not
be used outside of North Korea,
163
00:13:55,780 --> 00:14:04,170
which you can see in the URL bar.
There is an internal IP address
164
00:14:04,170 --> 00:14:08,630
which points into the network of
North Korea, and all of the settings,
165
00:14:08,630 --> 00:14:11,940
proxy settings, hard-coded IP addresses,
or whatever, all point into this
166
00:14:11,940 --> 00:14:16,070
internal infrastructure of North Korea.
So this browser and the e-mail program
167
00:14:16,070 --> 00:14:19,380
was never intended to be used
outside of North Korea.
168
00:14:19,380 --> 00:14:22,900
Pfft Okay. Laughter
What else do we have?
169
00:14:22,900 --> 00:14:29,000
Okay, we have a Quicktime player.
So speaking of Mac OSX,
170
00:14:29,000 --> 00:14:41,000
you all have seen this. Woo! Swoosh. Right?
Okay, so that perfectly mimics Mac OSX.
171
00:14:41,000 --> 00:14:45,670
So let me try to find--
I'll try with aplay right here.
172
00:14:45,670 --> 00:14:51,800
So this is the shell. Quite interesting is
that when we were looking through
173
00:14:51,800 --> 00:14:57,310
all of this stuff, there is a bunch of
files that have a certain protection,
174
00:14:57,310 --> 00:15:00,420
and they seem to be pretty important
for the system, and there is a
175
00:15:00,420 --> 00:15:06,630
wave file - an audio wave file - that
actually is protected.
176
00:15:06,630 --> 00:15:15,170
It's usr/lib/Warnning.wav;
I don't know if we can hear this.
177
00:15:15,170 --> 00:15:19,000
I hope that your ears are not going to
explode right now. I'll just try it.
178
00:15:19,000 --> 00:15:22,430
Pig squealing
I'll try it again.
179
00:15:22,430 --> 00:15:25,870
Pig squealing
You hear that? Laughter
180
00:15:25,870 --> 00:15:28,740
Pig squealing
Does anybody know what this is?
181
00:15:28,740 --> 00:15:33,670
Shouts of "pig" from audience
Pardon me? Pig, exactly.
182
00:15:33,670 --> 00:15:36,430
And where is it coming from?
Does anybody know?
183
00:15:36,430 --> 00:15:39,970
That's stolen from Kaspersky antivirus,
because in the older version of
184
00:15:39,970 --> 00:15:45,340
Kaspersky antivirus if you find a virus
it actually will play this sound, and it's
185
00:15:45,340 --> 00:15:49,970
exactly the wav file from Kaspersky;
we verified this by doing checksums, okay.
186
00:15:49,970 --> 00:16:03,310
Laughter So we have a copyright violation
right here. Laughter and applause
187
00:16:03,310 --> 00:16:07,770
So what else do we have? I've been talking
about this, you can create your own music.
188
00:16:07,770 --> 00:16:12,630
I'm not going to do this now because
I'm not good at making music.
189
00:16:12,630 --> 00:16:16,300
What else do we have? We have the browser.
Did we want to show-- ah yeah.
190
00:16:16,300 --> 00:16:20,570
I'm going to show you one more thing.
I'm not going to show you the encryption
191
00:16:20,570 --> 00:16:28,980
tool because Will Scott has done this
last year, but to give you an insight into
192
00:16:28,980 --> 00:16:33,970
the crypto tool, it's pretty interesting.
If you look at the description of the bokem3,
193
00:16:33,970 --> 00:16:38,260
bokem is the tool that is used for disk
encryption so it provides the user a tool
194
00:16:38,260 --> 00:16:42,470
to encrypt files or even the complete
hard drive, and if you look into
195
00:16:42,470 --> 00:16:49,730
the description it says "this allows the user
to store his/her privacy data with encrypted,"
196
00:16:49,730 --> 00:16:56,420
which is quite nice. I mean, we didn't
expect to have something like this
197
00:16:56,420 --> 00:17:04,000
in Red Star. So the user can at least
try to encrypt files.
198
00:17:04,000 --> 00:17:08,750
Bokem is using out-of-the-box crypto
that comes with the kernel.
199
00:17:08,750 --> 00:17:14,240
It also uses pilsung, which we don't know
if there are any backdoors in it or not,
200
00:17:14,240 --> 00:17:19,849
so we have no idea if this is possible to
decrypt with a master key or something.
201
00:17:19,849 --> 00:17:24,140
If you want to look into this, we would be
happy if someone with big crypto
202
00:17:24,140 --> 00:17:32,750
experience would look into it.
So let me get back to the presentation.
203
00:17:32,750 --> 00:17:39,440
Ah! One thing I need to show you is this
red flag on the right corner, right here.
204
00:17:39,440 --> 00:17:46,410
If you look into this, and you translate -
I didn't click the right one - if you are
205
00:17:46,410 --> 00:17:52,110
going to translate all of this, you will
find that all of the strings and all of
206
00:17:52,110 --> 00:17:59,160
the text that you see right here, they
seem to be an antivirus scanner.
207
00:17:59,160 --> 00:18:03,510
So they even implemented from scratch
an antivirus scanner in Red Star OS.
208
00:18:03,510 --> 00:18:08,230
You can now select the folder or a file
and say run a check on the file,
209
00:18:08,230 --> 00:18:13,050
and if the file is actually a malicious
file - we will come to that part later,
210
00:18:13,050 --> 00:18:17,870
what "malicious" is - it will instantly
be deleted from the hard drive.
211
00:18:17,870 --> 00:18:25,260
So this is an interesting feature, having
a virus scanner in a Linux OS.
212
00:18:25,260 --> 00:18:28,570
Okay so let's look at the custom
components. We have been
213
00:18:28,570 --> 00:18:32,290
looking into the user space a little bit,
and all of the programs that come with it.
214
00:18:32,290 --> 00:18:37,400
There is far more stuff. Download the ISO,
play around with it a little bit.
215
00:18:37,400 --> 00:18:41,610
First, change the language to English.
You will obviously not get far
216
00:18:41,610 --> 00:18:46,260
if your Korean is bad.
So change the language and
217
00:18:46,260 --> 00:18:48,030
play around with it a little bit.
218
00:18:48,030 --> 00:18:53,020
So Red Star Comes with
interesting packages.
219
00:18:53,020 --> 00:18:56,620
They touched KDE as I said.
They are getting out an integrity
220
00:18:56,620 --> 00:19:00,210
checker and a security daemon.
There are signature packages right here
221
00:19:00,210 --> 00:19:05,840
which Niklaus is going to talk about
a little bit, there are policies for selinux,
222
00:19:05,840 --> 00:19:11,280
and I'm going to talk about two of the
integrity checking mechanisms that
223
00:19:11,280 --> 00:19:12,300
Red Star has.
224
00:19:12,300 --> 00:19:17,730
So by looking at Red Star, we saw that
one thing was pretty important to them:
225
00:19:17,730 --> 00:19:22,710
They wanted to preserve the integrity
of the system, and one way to do this
226
00:19:22,710 --> 00:19:27,140
is using this process right here,
it's called "intcheck."
227
00:19:27,140 --> 00:19:32,280
It comes with an SQLite database with
hashes of files on the system,
228
00:19:32,280 --> 00:19:36,920
like signatures for the system, and
you can configure it from user space so
229
00:19:36,920 --> 00:19:40,770
it's not pretty hidden, it's pretty
transparent to the user.
230
00:19:40,770 --> 00:19:44,660
I think there even comes a UI with it
where you can configure everything,
231
00:19:44,660 --> 00:19:48,540
and it's run at boot. It checks the files
and if it sees that the files have been
232
00:19:48,540 --> 00:19:52,350
manipulated or tampered with - if the
checksum changes - then it will issue
233
00:19:52,350 --> 00:19:55,600
a warning to the user.
So you get a small popup that says,
234
00:19:55,600 --> 00:20:00,380
"this file has been tampered with," the
security or the integrity of the system
235
00:20:00,380 --> 00:20:05,950
is not where it should be. So that's
pretty much what this thing does.
236
00:20:05,950 --> 00:20:11,270
securityd is kind of interesting, because
securityd is also a process that is known
237
00:20:11,270 --> 00:20:18,090
to run under Mac OSX. I'm not a Mac user,
and I think that Mac OSX with securityd
238
00:20:18,090 --> 00:20:21,440
is keeping track of certificates
and stuff like that.
239
00:20:21,440 --> 00:20:26,910
So what they did is they reimplemented
securityd for Linux, and they included
240
00:20:26,910 --> 00:20:32,900
various plugins. One interesting issue
with securityd is it comes with a library
241
00:20:32,900 --> 00:20:37,260
that provides a function called
validate_os(), and what this function does
242
00:20:37,260 --> 00:20:43,280
is it has a hard-coded list of files.
You can see like our wav file right here,
243
00:20:43,280 --> 00:20:48,930
you can see configuration files, and
autostart files for scnprc which is
244
00:20:48,930 --> 00:20:54,190
the antivirus scanner. So it checks if
these files are untouched, and if
245
00:20:54,190 --> 00:20:59,020
these files have been tampered with it
initiates a reboot instantly.
246
00:20:59,020 --> 00:21:03,500
So if you touch one of these files,
your machine will reboot instantly.
247
00:21:03,500 --> 00:21:11,080
The same library is also used from KDM,
so during the startup process when KDM is
248
00:21:11,080 --> 00:21:15,820
starting it is also doing an integrity check,
and if it finds that one of these files has
249
00:21:15,820 --> 00:21:20,460
been tampered with it actually immediately
issues a reboot, and the problem is
250
00:21:20,460 --> 00:21:24,000
that if you start tampering with the system
you will end up in reboot loops
251
00:21:24,000 --> 00:21:29,809
all of the time if you're doing research,
because once KDM is saying reboot
252
00:21:29,809 --> 00:21:33,450
the system, it's going to check it again
if it's rebooted and sees that it's
253
00:21:33,450 --> 00:21:36,660
still tampered with and it reboots again,
and again, and again, and then your
254
00:21:36,660 --> 00:21:40,000
system is basically dead.
So what they tried to do with intcheck
255
00:21:40,000 --> 00:21:45,860
and securityd is try and protect certain files,
conserve the integrity of these files,
256
00:21:45,860 --> 00:21:50,600
and if these files get tampered with they
assume that it is better to have an
257
00:21:50,600 --> 00:21:55,280
operating system that you cannot work with
any more than to still let it run or
258
00:21:55,280 --> 00:22:00,220
issue any warning.
So integrity is one of the main aspects
259
00:22:00,220 --> 00:22:03,030
they were looking for in
implementing Red Star.
260
00:22:03,030 --> 00:22:08,000
Okay, I will hand over to Niklaus and
he will go into the guts and the
261
00:22:08,000 --> 00:22:12,500
surveillance features a little bit more.
262
00:22:12,500 --> 00:22:14,940
Niklaus Schiess: The most interesting
feature-- package we found was this
263
00:22:14,940 --> 00:22:21,280
esig-cb package, which actually says
in the description that it's an
264
00:22:21,280 --> 00:22:26,790
"electronic signature system," but we
found that it is doing a lot of weird stuff.
265
00:22:26,790 --> 00:22:30,570
This is actually one of the pictures
which is included in the package,
266
00:22:30,570 --> 00:22:34,420
which is also protected. We don't know
really why, but it says something like
267
00:22:34,420 --> 00:22:38,300
"this is our copyright;"
and "don't break it;"
268
00:22:38,300 --> 00:22:41,020
and "don't copy it;" and stuff like that.
269
00:22:41,020 --> 00:22:45,559
But it's actually doing
something really different.
270
00:22:45,559 --> 00:22:49,500
It includes several pretty interesting files.
We have some configuration files,
271
00:22:49,500 --> 00:22:54,059
we have a kernel module, and we also
have this redflag.bmp which is the
272
00:22:54,059 --> 00:22:57,820
picture you just saw, and we have the
warning file, and we have some
273
00:22:57,820 --> 00:23:03,500
shared libraries, and we'll go now
into details what these are actually doing.
274
00:23:03,500 --> 00:23:07,640
So the first thing we looked at was
because there is a kernel module
275
00:23:07,640 --> 00:23:11,890
loaded by default, and we thought
if you want to put some backdoors in it
276
00:23:11,890 --> 00:23:16,010
where would you want to put it?
Right in the kernel module, probably.
277
00:23:16,010 --> 00:23:20,290
And what it does, it's actually just
hooking several system calls which
278
00:23:20,290 --> 00:23:26,630
provides a device which is actually
interfaced to the kernel so you have
279
00:23:26,630 --> 00:23:30,500
different services running on a system
who are actually talking to this
280
00:23:30,500 --> 00:23:33,730
kernel module via this device,
and it has some functionality like
281
00:23:33,730 --> 00:23:39,080
it can protect PIDs. So when you're
protecting a specific process then
282
00:23:39,080 --> 00:23:42,429
even root cannot kill this process,
which will be quite interesting
283
00:23:42,429 --> 00:23:47,990
in the next slides. It also provides
functionality to on one side protect
284
00:23:47,990 --> 00:23:52,670
files, and on the other side to hide files.
So protect means you cannot edit
285
00:23:52,670 --> 00:23:56,040
the file, and hide means you
cannot even read the file.
286
00:23:56,040 --> 00:23:59,710
So even if you had root user,
you can't even read those files.
287
00:23:59,710 --> 00:24:04,679
And on the right side is actually how
the services are interacting with this
288
00:24:04,679 --> 00:24:10,840
kernel module, and this is one function which
mostly protects and hides the files
289
00:24:10,840 --> 00:24:15,520
which we just saw, which are included
in this esignature package.
290
00:24:15,520 --> 00:24:19,559
Then like Florian said, we have this
virus scanner which at first glance
291
00:24:19,559 --> 00:24:25,200
at least looks like a virus scanner,
and this is this "scnprc" process.
292
00:24:25,200 --> 00:24:29,030
It provides a GUI to the user so it's
quite transparent so the user can see
293
00:24:29,030 --> 00:24:32,410
"okay, I have something that looks
like a virus scanner, and I can also
294
00:24:32,410 --> 00:24:35,320
trigger some scans of
different directories,"
295
00:24:35,320 --> 00:24:40,760
and it's started by kdeinit. So there's
this scnprc desktop file which is
296
00:24:40,760 --> 00:24:45,550
quite interesting because what you
want to do is disable it, but you
297
00:24:45,550 --> 00:24:48,220
cannot actually edit these file.
So as soon as you edit this file
298
00:24:48,220 --> 00:24:51,340
and save it, then the system
will immediately reboot.
299
00:24:51,340 --> 00:24:54,479
So disabling it is not so easy.
300
00:24:54,479 --> 00:24:58,570
Like I already said, you have different
ways of scanning. You can just click
301
00:24:58,570 --> 00:25:02,150
on a folder and say "scan this," but
also if you for example plug in
302
00:25:02,150 --> 00:25:06,860
a USB stick into the system then it will
automatically scan the files on the USB stick.
303
00:25:06,860 --> 00:25:11,610
And this scnprc service is actually
loading the kernel module, and
304
00:25:11,610 --> 00:25:15,520
it starts another service which is
called "opprc" which we are going to
305
00:25:15,520 --> 00:25:22,790
look in detail in a minute, and this is
also quite interesting this next service.
306
00:25:22,790 --> 00:25:28,960
But the pattern matching, we looked into
this a little bit and there's another
307
00:25:28,960 --> 00:25:34,730
package. So we have this esig-cb package
and you have esic-cb-db package which
308
00:25:34,730 --> 00:25:40,100
actually just provides this one single
"AnGae" file. As far as we know,
309
00:25:40,100 --> 00:25:44,520
it means "fog" in Korean. And this is
basically a signature file, or how the
310
00:25:44,520 --> 00:25:49,809
code references it a pattern file.
It's a file with a well-defined file format
311
00:25:49,809 --> 00:25:53,429
and it includes patterns which are
loaded into memory, and as soon as
312
00:25:53,429 --> 00:25:57,380
you are scanning a file it just checks if
these patterns are matching and as soon
313
00:25:57,380 --> 00:26:02,309
as the patterns are matched then it
immediately deletes the file and it
314
00:26:02,309 --> 00:26:08,630
plays the warning, and this is one of
the hidden files so even if you get root
315
00:26:08,630 --> 00:26:12,040
privilege on the system you are not
able to actually read this file.
316
00:26:12,040 --> 00:26:15,540
So a user of the operating system won't
be able to check "okay, what does it
317
00:26:15,540 --> 00:26:20,030
check and can I produce documents
which won't be detected by this"
318
00:26:20,030 --> 00:26:23,010
because you cannot actually read this file.
319
00:26:23,010 --> 00:26:31,370
We took a look into this. Most likely our
best guess is that these contain--
320
00:26:31,370 --> 00:26:35,110
A lot of the files are little-endian so
you always have to switch the bytes
321
00:26:35,110 --> 00:26:40,720
and we saw that it looks at least like
they are UTF-16 strings with Korean,
322
00:26:40,720 --> 00:26:45,000
Chinese, and some other weird characters,
and if we put these in Google Translate
323
00:26:45,000 --> 00:26:49,720
then there are actually some pretty weird
and disturbing terms in those files.
324
00:26:49,720 --> 00:26:53,620
But we actually cannot confirm this.
It looks like they are actually not
325
00:26:53,620 --> 00:26:57,910
scanning for malware in the system, so
most likely they are checking documents
326
00:26:57,910 --> 00:27:02,020
and if those documents match those
patterns then they are most likely--
327
00:27:02,020 --> 00:27:05,460
for example, governments don't want these
files to be distributed within the intranet
328
00:27:05,460 --> 00:27:07,850
of North Korea then it just
deletes those files.
329
00:27:07,850 --> 00:27:12,200
But actually we cannot confirm this
because we are not quite sure if you
330
00:27:12,200 --> 00:27:17,570
put those strings in Google Translate that
they are actually real translations.
331
00:27:17,570 --> 00:27:22,809
But you can always update these pattern
files, so on the one side is scnprc has a
332
00:27:22,809 --> 00:27:26,610
built-in update process where it just
updates the file itself, or you can just
333
00:27:26,610 --> 00:27:30,340
when you are doing operating system
update via your package manager
334
00:27:30,340 --> 00:27:35,809
and you update this esig-cb-db package
and you also get a brand new file.
335
00:27:35,809 --> 00:27:40,830
The interesting part of this is that the
developers decide what is malicious.
336
00:27:40,830 --> 00:27:46,110
So it's not necessarily that "malicious"
means that it's malware, that it's
337
00:27:46,110 --> 00:27:52,179
bad for you, but somewhere the developers
and officials will actually say,
338
00:27:52,179 --> 00:27:55,559
"okay, we don't want those files
distributed, just delete them
339
00:27:55,559 --> 00:27:57,980
"because we think they are malicious."
340
00:27:57,980 --> 00:28:02,799
There is this other service which I was
also talking about, this "opprc."
341
00:28:02,799 --> 00:28:06,260
This is more interesting than the
virus scanning itself.
342
00:28:06,260 --> 00:28:10,179
It's running in the background, so
actually a user will not see that there
343
00:28:10,179 --> 00:28:13,549
is actually another service running, you
don't have any GUI or something like that,
344
00:28:13,549 --> 00:28:17,809
you cannot trick or something with this,
and this is one of the protected PIDs.
345
00:28:17,809 --> 00:28:23,750
So scnprc for example you can just kill
with root privileges, but this is a process
346
00:28:23,750 --> 00:28:27,710
no one can kill on the system, and
this is quite interesting because
347
00:28:27,710 --> 00:28:32,240
you cannot unload the kernel module
unless this service is killed, so they
348
00:28:32,240 --> 00:28:37,360
are actually protecting each other so that
no one can stop the services at all.
349
00:28:37,360 --> 00:28:40,660
And this service shares a lot of
code with the scnprc.
350
00:28:40,660 --> 00:28:45,559
We just did some entropy checking
and saw okay-- I will talk in a minute
351
00:28:45,559 --> 00:28:51,610
when we are comparing more of these
files why we think that this looks
352
00:28:51,610 --> 00:28:55,020
pretty much the same, why they are
sharing so much code, because
353
00:28:55,020 --> 00:28:58,710
we found something interesting with
older versions of those services.
354
00:28:58,710 --> 00:29:03,600
But the most interesting thing this
service is doing is it watermarks files.
355
00:29:03,600 --> 00:29:07,630
And now we are going to look deeper
into what this watermarking means.
356
00:29:07,630 --> 00:29:11,850
So actually as soon as this system is
started, it reads your hard disk serial
357
00:29:11,850 --> 00:29:15,660
and then scrambles it a little bit,
and as soon as you are for example
358
00:29:15,660 --> 00:29:20,740
plugging a USB stick into your system
then it will trigger a watermarking
359
00:29:20,740 --> 00:29:25,080
process where it takes the serial,
takes a hard-coded DES key from
360
00:29:25,080 --> 00:29:28,850
the binary itself, and then encrypts
it and then puts it into your file.
361
00:29:28,850 --> 00:29:35,049
And when you are converting this hex key
into a decimal representation then you
362
00:29:35,049 --> 00:29:39,410
see that it is actually two dates.
We actually cannot confirm what
363
00:29:39,410 --> 00:29:45,120
those two dates mean, but one of those
matches Madonna's birth date, and
364
00:29:45,120 --> 00:29:51,010
there are rumours that some people in
North Korea might really like Madonna.
365
00:29:51,010 --> 00:29:57,530
This is just speculation, but if you have a
better conspiracy theory then just let us know.
366
00:29:57,530 --> 00:30:01,890
Because we found some pretty interesting
stuff, but we cannot confirm this.
367
00:30:01,890 --> 00:30:07,420
So technically the watermarks have an
ASCII EOF appended, which is most likely
368
00:30:07,420 --> 00:30:11,200
used by the code itself to parse
the files and see if there's already
369
00:30:11,200 --> 00:30:15,690
a watermark in there, and for JPEG
and AVI files, for example, it just
370
00:30:15,690 --> 00:30:20,330
appends this watermark to the end of the
file, and when you have a DOCX for example
371
00:30:20,330 --> 00:30:24,000
it just appends it near the header where
there are a bunch of null bytes, and then
372
00:30:24,000 --> 00:30:27,610
it just puts it in there.
373
00:30:27,610 --> 00:30:32,320
So the watermarking itself is as soon as
you open a document file with Office then
374
00:30:32,320 --> 00:30:38,309
it will be watermarked, and actually they
have code which watermarks files even if
375
00:30:38,309 --> 00:30:43,770
you don't open those files, but as soon
as we saw this-- it's pretty buggy.
376
00:30:43,770 --> 00:30:48,350
It doesn't work every time, but they have
code for this implemented, and mostly
377
00:30:48,350 --> 00:30:54,360
it works but sometimes it just fails.
The supported types that we can confirm
378
00:30:54,360 --> 00:31:01,760
are DOCX files, image files like JPEG and
PNG and AVI video files. But the code
379
00:31:01,760 --> 00:31:06,720
indicates there are several more file
types available for watermarking, but
380
00:31:06,720 --> 00:31:11,380
we most likely didn't look into this.
But the most interesting thing here
381
00:31:11,380 --> 00:31:16,860
is that only media files are affected.
So they don't watermark any binaries
382
00:31:16,860 --> 00:31:22,950
or something like that, they are reducing
their surface to files which could be used
383
00:31:22,950 --> 00:31:31,299
to carry information, which could be used
to put out information for free speech
384
00:31:31,299 --> 00:31:36,250
purposes, and actually what we think is
that this is not a security feature.
385
00:31:36,250 --> 00:31:40,580
So they are actually trying to watermark
free speech in general, so that every time
386
00:31:40,580 --> 00:31:46,559
you have a document file, an image, or
a video file, then they want to know who
387
00:31:46,559 --> 00:31:52,489
had this file and they watermark it so
they can track the origin of the file.
388
00:31:52,489 --> 00:32:00,090
We have a short demo where you can see
for example I have a USB stick.
389
00:32:00,090 --> 00:32:09,610
Let me put it in my system.
390
00:32:09,610 --> 00:32:15,130
There is a file on the USB stick which
is a love letter from Kim, and it has
391
00:32:15,130 --> 00:32:21,380
a checksum which starts with "529", and
as soon as I plug this into the system--
392
00:32:21,380 --> 00:32:34,740
I hope that it will notice this.
393
00:32:34,740 --> 00:32:38,740
You can see okay, it recognised something
like a USB stick on the system, but I won't
394
00:32:38,740 --> 00:32:55,220
open it, and I won't open any file on the
USB stick. I just will eject it.
395
00:32:55,220 --> 00:33:03,360
I hope that it works.
Will it actually open?
396
00:33:03,360 --> 00:33:07,410
This is what I meant, that it's kind of
buggy, so it doesn't always work with
397
00:33:07,410 --> 00:33:12,720
the watermarking, but most likely if you
open the file itself then it will work.
398
00:33:12,720 --> 00:33:17,520
I guess we didn't have the case that it
doesn't work when you open it. [sic]
399
00:33:17,520 --> 00:33:28,690
--which then opens Office, and I close
it again and-- just close this.
400
00:33:28,690 --> 00:33:33,860
Go back, and then hopefully if we mount
this again then you can see it has
401
00:33:33,860 --> 00:33:39,250
been changed. So we didn't change anything
in the file, it was just the operating system
402
00:33:39,250 --> 00:33:44,350
who's changing files, and this was
initially the part where we started to
403
00:33:44,350 --> 00:33:47,570
look into this more deeply because we
thought an operating system who is
404
00:33:47,570 --> 00:33:57,219
just changing files when you are plugging
into the system is kind of annoying.
405
00:33:57,219 --> 00:34:00,690
Just to make this easier for you--
So what it actually does in the file,
406
00:34:00,690 --> 00:34:04,570
we have here the header of the file
which is a document, a DOCX file,
407
00:34:04,570 --> 00:34:09,089
and it just added this string which is
marked right here. This is actually
408
00:34:09,089 --> 00:34:13,649
the watermark it's putting in there.
Opposite there you can see the plaintext
409
00:34:13,649 --> 00:34:17,679
which is actually encrypted and then
put into the file, and the serial starts
410
00:34:17,679 --> 00:34:23,440
with "B48" so every time it puts the
serial into the file, it prefixes it with
411
00:34:23,440 --> 00:34:24,978
"WM"
412
00:34:24,978 --> 00:34:29,998
we think stands for "watermark" probably,
and you can see the EOF at the end of
413
00:34:29,998 --> 00:34:35,399
the file. This allows basically everyone
who can access this file, who can
414
00:34:35,399 --> 00:34:40,679
decrypt this watermark which is actually
encoded with the hard-coded key,
415
00:34:40,679 --> 00:34:45,989
so pretty much everyone who has access
to this ISO can get this key and can
416
00:34:45,989 --> 00:34:51,319
decrypt this. And this allows you to
really track back the origin of the file,
417
00:34:51,319 --> 00:34:54,190
where it came from.
418
00:34:54,190 --> 00:35:00,589
But there is a pretty funny example.
So imagine you have this picture, and
419
00:35:00,589 --> 00:35:05,130
you are inside North Korea and you think
"okay, this is pretty cool, and I want to
420
00:35:05,130 --> 00:35:09,160
distribute this to all of my friends."
So you think "okay, they might be
421
00:35:09,160 --> 00:35:12,470
intercepting all of my e-mail and my
browser communication," so you put it
422
00:35:12,470 --> 00:35:16,239
on a USB stick and give it to your friends
so that you think, "okay, no-one actually
423
00:35:16,239 --> 00:35:22,759
on the internet can access this file"
and you give it to someone else.
424
00:35:22,759 --> 00:35:26,680
Then at the beginning we have this
situation, where this is the original file.
425
00:35:26,680 --> 00:35:31,900
This is the end of the JPEG file - which
by definition always ends with an "FF D9"
426
00:35:31,900 --> 00:35:37,019
hexadecimal - and as soon as you give this
to your friend and he plugs the USB stick
427
00:35:37,019 --> 00:35:42,019
into his computer which is running Red
Star OS, then the file will actually
428
00:35:42,019 --> 00:35:45,799
change and it will look like this.
So for JPEG files, as I said it just
429
00:35:45,799 --> 00:35:49,640
appends the watermark to the end of
the file. So you can see the "FF D9," this
430
00:35:49,640 --> 00:35:53,890
is the actual end of the image file, and
they're appending the watermark there,
431
00:35:53,890 --> 00:35:57,509
like you can see with the EOF.
But where it gets interesting
432
00:35:57,509 --> 00:36:02,140
is when your friend is actually
distributing the file to another friend.
433
00:36:02,140 --> 00:36:06,920
So what Red Star OS is actually doing,
it appends also the watermark of your
434
00:36:06,920 --> 00:36:09,930
third friend. Slight laughter
So what you then can do--
435
00:36:09,930 --> 00:36:14,880
If you technically combine this together,
then you can see not only where the file
436
00:36:14,880 --> 00:36:19,119
has its origins, but you can also track
each and everyone who had this file
437
00:36:19,119 --> 00:36:24,499
and who distributed this file, and with
this knowledge you might be able to
438
00:36:24,499 --> 00:36:29,079
construct something like this, where you
can track the distribution of all of the
439
00:36:29,079 --> 00:36:33,150
media files which are distributed
over the intranet in North Korea.
440
00:36:33,150 --> 00:36:37,049
You can see then in the centre we have
this one really weird guy who is always
441
00:36:37,049 --> 00:36:41,769
distributing images that we don't like,
and you can see also who gets these files
442
00:36:41,769 --> 00:36:45,299
and trace it back to all of the persons
who ever had this file, and then you
443
00:36:45,299 --> 00:36:49,499
can just go home to him and then shut
him down and take his computer.
444
00:36:49,499 --> 00:36:54,859
And we have actually not seen any
functionality, but probably there is
445
00:36:54,859 --> 00:36:58,509
functionality in the system implemented
where it always sends your hard disk
446
00:36:58,509 --> 00:37:04,569
serial to their servers, so the OS can
probably be able to match your IP
447
00:37:04,569 --> 00:37:07,759
address to your hard disk serial, and
then they don't even have to go to your
448
00:37:07,759 --> 00:37:12,599
home and get to your computer and check
your hard disk serial, they just can do
449
00:37:12,599 --> 00:37:16,279
this remotely and can check all of the
distribution of all malicious media files
450
00:37:16,279 --> 00:37:21,729
within the intranet of North Korea.
451
00:37:21,729 --> 00:37:27,210
What we thought is pretty hard for someone
who doesn't have access to a system other
452
00:37:27,210 --> 00:37:31,700
than Red Star OS, who just has this one
system, and tries to disable all of this
453
00:37:31,700 --> 00:37:35,210
malicious functionality like the virus
scanning that can delete all of your files
454
00:37:35,210 --> 00:37:40,619
that someone else doesn't like, or the
watermarking/the tracking of those files.
455
00:37:40,619 --> 00:37:44,569
And this is actually quite hard, because
some of those services are depending
456
00:37:44,569 --> 00:37:49,470
on each other and can only be killed
when the other service is not running.
457
00:37:49,470 --> 00:37:53,700
So what you actually have to do is you
have to get root privileges, and then you
458
00:37:53,700 --> 00:37:58,239
have to kill those two integrity checking
daemons which Florian was talking about
459
00:37:58,239 --> 00:38:02,819
so that it doesn't always reboot the
system when you're changing anything.
460
00:38:02,819 --> 00:38:07,529
Then you can via ioctl calls to the kernel
module, and say just "disable" because
461
00:38:07,529 --> 00:38:10,890
it has this nice feature where you can
enable and disable it, and then you
462
00:38:10,890 --> 00:38:18,390
can kill scnprc, opprc, and the
best thing you can do is--
463
00:38:18,390 --> 00:38:23,609
Weirdly, the libos file is not protected
by anyone, so you can just exchange
464
00:38:23,609 --> 00:38:27,700
this with a validate_os() function which
always returns 1 which says everything
465
00:38:27,700 --> 00:38:31,559
is fine, and then at the end you can
delete the desktop file which is used
466
00:38:31,559 --> 00:38:35,829
by KDE in it to start all of these
processes, and then you are fine.
467
00:38:35,829 --> 00:38:38,880
And we don't think that actually anyone
in North Korea who only has access
468
00:38:38,880 --> 00:38:43,779
to this one system-- It will be extremely
hard to figure all of this out and
469
00:38:43,779 --> 00:38:48,599
to completely disable it. So they did
a pretty good job in building an
470
00:38:48,599 --> 00:38:53,660
architecture which is quite self-protecting,
and they put a lot of effort into it
471
00:38:53,660 --> 00:39:01,180
to just prevent you from disabling all of
the malicious functionality.
472
00:39:01,180 --> 00:39:07,059
We also took a quick look on the second
version of Red Star OS, just to compare
473
00:39:07,059 --> 00:39:12,519
some of those services, and there we can
see there is quite an evolution from the
474
00:39:12,519 --> 00:39:19,390
older version to the current version.
The thing which I was talking about,
475
00:39:19,390 --> 00:39:22,729
that the binaries are quite similar,
is that in the older version they used
476
00:39:22,729 --> 00:39:27,200
a lot of shared libraries, and in the
current version they statically linked
477
00:39:27,200 --> 00:39:32,859
a lot of code into the binaries themselves
even if they don't use it, so the codebase
478
00:39:32,859 --> 00:39:38,609
looks quite the same. And the chain of
starting the processes is a little bit
479
00:39:38,609 --> 00:39:44,109
different, so they put a lot in the init
process which will be started at first
480
00:39:44,109 --> 00:39:48,779
and not like this depending-on-each-other
infrastructure which they have in the
481
00:39:48,779 --> 00:39:52,880
current version. In the current version
they also have a lot of problems with
482
00:39:52,880 --> 00:39:57,450
file privileges, so privilege escalations
would be pretty easy, even if you don't
483
00:39:57,450 --> 00:40:02,920
have this root setting file. But also they
have a lot of binaries that are just
484
00:40:02,920 --> 00:40:07,749
setting that everyone can read and write
this interface to the kernel module,
485
00:40:07,749 --> 00:40:11,259
which basically allows you even as a
non-root user to disable the kernel
486
00:40:11,259 --> 00:40:14,739
module, and then you can kill all of the
binaries but you cannot actually delete
487
00:40:14,739 --> 00:40:19,499
something because it will then
end up in the reboot loop.
488
00:40:19,499 --> 00:40:23,900
And when you are doing something malicious
then the OS reboots, in the older version
489
00:40:23,900 --> 00:40:29,559
it just shuts down the system, so we
thought this is a pretty interesting thing.
490
00:40:29,559 --> 00:40:34,630
And we think, and we saw, that there's
a more advanced watermarking
491
00:40:34,630 --> 00:40:38,979
technique in there which is not just
appending watermarks into the files
492
00:40:38,979 --> 00:40:43,130
but it looks like they are doing, for
video and audio files at least,
493
00:40:43,130 --> 00:40:47,170
something like they are putting the
watermarks as filters on the files.
494
00:40:47,170 --> 00:40:51,950
So this will be a little bit harder to
actually see those watermarks
495
00:40:51,950 --> 00:40:55,380
and read those watermarks, because it
is not so obvious like when you have
496
00:40:55,380 --> 00:40:58,869
this "EOF" string at the end which
is always quite weird.
497
00:40:58,869 --> 00:41:03,799
But it uses this "/usr/lib/organ" file
which is actually not present on the
498
00:41:03,799 --> 00:41:08,660
ISO we had. We're going to talk about
this in the conclusion why we think
499
00:41:08,660 --> 00:41:12,359
this might not be there, but it's
actually not available. It's referenced
500
00:41:12,359 --> 00:41:17,559
a lot in the code, but we actually
haven't had this file and unfortunately
501
00:41:17,559 --> 00:41:21,880
we couldn't look into this more deeply.
502
00:41:21,880 --> 00:41:27,779
So what we didn't find were quite obvious
backdoors which we thought would be
503
00:41:27,779 --> 00:41:34,819
in place, and that they would be pretty
easy to spot. But we didn't see any of those.
504
00:41:34,819 --> 00:41:38,630
It doesn't mean that there are no
backdoors, but we have some
505
00:41:38,630 --> 00:41:44,549
speculations for this, and one of these
is that like we saw at the beginning of
506
00:41:44,549 --> 00:41:48,019
the talk that there are actually systems
on the internet running this version
507
00:41:48,019 --> 00:41:52,210
of Red Star OS, so it would be pretty
weird if they would backdoor a system
508
00:41:52,210 --> 00:41:57,509
and then put it on the internet.
As far as someone gets the ISO file,
509
00:41:57,509 --> 00:42:03,559
and can look for backdoors and can find
some of them, they would be actually
510
00:42:03,559 --> 00:42:07,440
able to exploit the system
from the internet.
511
00:42:07,440 --> 00:42:12,630
Actually the system has a package manager
and as we saw with the pattern file
512
00:42:12,630 --> 00:42:17,599
it has built-in update functionality and
different services, so backdoors could
513
00:42:17,599 --> 00:42:22,339
just be loaded via updates
because probably they thought
514
00:42:22,339 --> 00:42:27,219
"okay, these ISOs might be leaked into
the outside world" and you just get
515
00:42:27,219 --> 00:42:33,019
an ISO, install it, update your system -
which is only possible from within the
516
00:42:33,019 --> 00:42:39,170
intranet of North Korea, with hard coded
internal IP addresses - so probably they
517
00:42:39,170 --> 00:42:43,420
thought "we only want our backdoors on
the systems which are actually located
518
00:42:43,420 --> 00:42:47,690
within North Korea."
519
00:42:47,690 --> 00:42:55,999
This is what we thought, that they thought
the ISO might be leaked, which is what
520
00:42:55,999 --> 00:43:00,440
actually happened. Another problem
is that, like Florian already said, they
521
00:43:00,440 --> 00:43:05,499
will touch a lot of code within the
operating system and we didn't manage
522
00:43:05,499 --> 00:43:09,900
to check all of the code. We mostly
focused on the watermarking and the
523
00:43:09,900 --> 00:43:14,969
virus scanning stuff, and there might be a
lot of code that should be checked further.
524
00:43:14,969 --> 00:43:21,789
The conclusion also is that the system's
quite self-protecting. They not only
525
00:43:21,789 --> 00:43:26,450
implemented several services for
integrity checking themselves but also
526
00:43:26,450 --> 00:43:31,150
they configured and implemented selinux
and something like that, to just protect
527
00:43:31,150 --> 00:43:35,450
the system and make it more secure.
528
00:43:35,450 --> 00:43:39,479
What we think is really bad is this
virus scanning and watermarking,
529
00:43:39,479 --> 00:43:43,529
because it actually allows you to
track not only the origin but the
530
00:43:43,529 --> 00:43:47,859
complete distribution within the network
of those files, and combined with the
531
00:43:47,859 --> 00:43:53,379
virus scanner where the developers are
able to actually say what files are really
532
00:43:53,379 --> 00:43:58,369
malicious and what shouldn't be
distributed within the network,
533
00:43:58,369 --> 00:44:04,249
it just deletes those files. So these
two combined are a really strong
534
00:44:04,249 --> 00:44:10,349
framework which can help you to track
malicious people within your network.
535
00:44:10,349 --> 00:44:14,950
But some words about security: Like I
said, they have a lot of problems with
536
00:44:14,950 --> 00:44:22,480
file permissions. There are actually some
documents on the ISO of the server
537
00:44:22,480 --> 00:44:26,630
version of Red Star OS 3.0, and there are
some user guides and administration
538
00:44:26,630 --> 00:44:30,180
guides which are quite interesting, and
they talk a lot about how to make the
539
00:44:30,180 --> 00:44:34,960
system secure, how to run it secure, and
why they are doing different kinds of
540
00:44:34,960 --> 00:44:42,089
stuff to save the integrity of the system.
They have a huge chapter talking about
541
00:44:42,089 --> 00:44:46,569
file permissions, but they actually didn't
manage to fix them themselves which
542
00:44:46,569 --> 00:44:52,279
is quite weird. And even their custom code
uses basic memory corruption protection
543
00:44:52,279 --> 00:44:57,660
like stack cookies, and non-executable
stacks which we saw that a lot of security
544
00:44:57,660 --> 00:45:02,999
vendors don't bother to use, so we
thought this is quite funny.
545
00:45:02,999 --> 00:45:06,580
Some of their code is more secure than
a lot of security appliances.
546
00:45:06,580 --> 00:45:08,789
Slight laughter
547
00:45:08,789 --> 00:45:12,569
Florian: So to wrap this up--
Am I going, can you hear me? Yes.
548
00:45:12,569 --> 00:45:18,869
Okay so to wrap this up, again we think -
this is a guess - that primarily they try
549
00:45:18,869 --> 00:45:24,690
to protect and to save the integrity
of the system, which totally makes
550
00:45:24,690 --> 00:45:28,960
sense if you're putting out an
operating system from North Korea.
551
00:45:28,960 --> 00:45:32,150
The system was, in our opinion,
definitely built for home computers,
552
00:45:32,150 --> 00:45:37,460
so it's not like industrial control or
something else, it's definitely built
553
00:45:37,460 --> 00:45:43,099
for a home user because it mimics
Mac OSX and gives you all of the tools.
554
00:45:43,099 --> 00:45:46,849
Maybe the reason why we didn't find
backdoors is they actually know that
555
00:45:46,849 --> 00:45:51,390
backdoors are bullshit. Could be a
reason, we don't know.
556
00:45:51,390 --> 00:45:55,829
If you want to look into Red Star OS and
help us out, especially with the crypto,
557
00:45:55,829 --> 00:46:01,640
the pilsung kernel module which provides
custom crypto, with a look into the kernel
558
00:46:01,640 --> 00:46:05,839
to see if there is something hidden there,
if maybe there are backdoors there,
559
00:46:05,839 --> 00:46:09,390
take a look at our github.
Please contribute if you find
560
00:46:09,390 --> 00:46:13,079
something, because we think that this
message and all of this stuff has to
561
00:46:13,079 --> 00:46:17,849
be put out to the public, so it is a
well-known fact that this operating
562
00:46:17,849 --> 00:46:25,269
system is actually abusing free software
to actually make free speech harder
563
00:46:25,269 --> 00:46:28,509
in a country that is quite oppressed.
564
00:46:28,509 --> 00:46:33,940
So with this, we are at our end and we
are going to take your questions now.
565
00:46:33,940 --> 00:46:46,010
Applause
566
00:46:46,010 --> 00:46:51,619
Herald: Thank you very much. We have
about 15 minutes time for questions.
567
00:46:51,619 --> 00:46:54,690
If you want to ask a question, please
come to the microphones.
568
00:46:54,690 --> 00:46:58,630
There are some on the right
and some on the left aisle.
569
00:46:58,630 --> 00:47:03,859
If you for any reason can't come to
the microphones, please raise your
570
00:47:03,859 --> 00:47:09,019
hand and I'll come to you
with my microphone.
571
00:47:19,079 --> 00:47:28,349
Okay, please line up there. If you
wanna leave now, please do this
572
00:47:28,349 --> 00:47:35,089
quietly through the front door.
573
00:47:35,089 --> 00:47:37,479
Florian: Could you raise your hand if
you have questions and standing at
574
00:47:37,479 --> 00:47:39,639
the microphone? There are like
three questions over there.
575
00:47:39,639 --> 00:47:42,030
Herald: Yeah, on the left one please.
576
00:47:42,030 --> 00:47:46,489
Audience 1: Hello? Yeah. So thank you
very much, it was very interesting.
577
00:47:46,489 --> 00:47:55,019
I have two questions: Have you tried
isolating the system in a chroot jail?
578
00:47:55,019 --> 00:48:00,410
And the second one is: Were there any
outbound connections, like automatic
579
00:48:00,410 --> 00:48:02,509
outbound connections it made?
580
00:48:02,509 --> 00:48:06,609
Florian: Okay so for the first question,
we did not try to run it in an isolated
581
00:48:06,609 --> 00:48:09,950
environment. We actually didn't--
Did we install it on a live system?
582
00:48:09,950 --> 00:48:12,459
I don't think so. Did we?
Niklaus: Yeah.
583
00:48:12,459 --> 00:48:14,910
Florian: Yeah, okay. But we didn't do any
observations that this changed the
584
00:48:14,910 --> 00:48:20,479
behaviour of the system. Concerning the
second question, there actually is not
585
00:48:20,479 --> 00:48:24,559
really outbound traffic. What it is doing
is on the local network it is talking a
586
00:48:24,559 --> 00:48:31,150
lot of NetBIOS stuff. So there is an
SNMP and an nmbdaemon running
587
00:48:31,150 --> 00:48:35,249
on the system and it's talking a
lot of NetBIOS. But this is basically
588
00:48:35,249 --> 00:48:39,119
everything we could find. We have even
left it running for like two days, to see
589
00:48:39,119 --> 00:48:43,410
if there is an outbound connection for one
day or something like that. We couldn't
590
00:48:43,410 --> 00:48:50,229
see anything like that. So the only stuff
that Red Star's talking to the network
591
00:48:50,229 --> 00:48:57,009
is like this Windows NetBIOS stuff, and if
you push the button on the update
592
00:48:57,009 --> 00:49:00,829
feature of the virus scanner, it's
actually trying to initiate an update
593
00:49:00,829 --> 00:49:06,029
process that goes to five hard-coded
IP addresses that are all local.
594
00:49:06,029 --> 00:49:12,039
So like 192.168.9 something, and
172 whatever. These are the only
595
00:49:12,039 --> 00:49:16,510
network connections that we could trigger,
or that we have observed so far.
596
00:49:16,510 --> 00:49:20,589
A1: Thank you.
Herald: The next question is also
597
00:49:20,589 --> 00:49:27,459
from this microphone.
Audience 2: Two questions:
598
00:49:27,459 --> 00:49:33,739
Might it be possible that when you install
the system it gets code from North Korea
599
00:49:33,739 --> 00:49:39,150
so you cannot find out if it's calling
home because you don't get the call?
600
00:49:39,150 --> 00:49:42,769
Florian: Could be. Our guess is actually
that there is far more stuff that you get
601
00:49:42,769 --> 00:49:49,999
when you pull up the operating system in
North Korea. One reason is the organ file
602
00:49:49,999 --> 00:49:53,719
that Niklaus mentioned that is missing on
the system with the additional crypto
603
00:49:53,719 --> 00:49:58,190
information that is used for the extended
watermarking that they are applying.
604
00:49:58,190 --> 00:50:01,539
We don't know where this file is coming
from, and from our perspective it totally
605
00:50:01,539 --> 00:50:06,150
makes sense to not distribute this file
on the ISO but to kind of give it as an--
606
00:50:06,150 --> 00:50:09,619
I don't know, somebody has to come to
your house to install the software and
607
00:50:09,619 --> 00:50:14,089
then he puts like this dedicated organ
file on your desktop that is specific
608
00:50:14,089 --> 00:50:18,670
to you, for example. That would totally
make sense because, as you know,
609
00:50:18,670 --> 00:50:21,299
stuff works a little bit different.
It's not like downloading an ISO
610
00:50:21,299 --> 00:50:25,130
and installing it, it's probably more
complex to get this onto your system
611
00:50:25,130 --> 00:50:29,390
if you want to use this. So there might
be more stuff that is pushed either
612
00:50:29,390 --> 00:50:34,660
via updates - only internal - and this
organ file and other stuff that can get
613
00:50:34,660 --> 00:50:39,170
to your computer-- We don't know if this
is possible or if something is happening
614
00:50:39,170 --> 00:50:44,910
with this feature.
A2: And the second question is if you look
615
00:50:44,910 --> 00:50:49,579
at it from the North Korean view, that's
like they had the problem. They are quite
616
00:50:49,579 --> 00:50:54,039
happy, have a nice state, everything's
working fine from what they see, and
617
00:50:54,039 --> 00:50:57,839
now people come from South Korea,
from Western countries, bring their USB
618
00:50:57,839 --> 00:51:03,289
sticks with Western propaganda that to
have stuff like this watermarking even
619
00:51:03,289 --> 00:51:08,180
if it is like evil. Like a natural reaction
from a closed system.
620
00:51:08,180 --> 00:51:11,589
Florian: So actually it totally makes
sense to develop the system in the
621
00:51:11,589 --> 00:51:16,430
way they developed it. It totally makes
sense, because it kind of reflects a
622
00:51:16,430 --> 00:51:23,369
little bit how the government is working.
Because integrity is not only a critical
623
00:51:23,369 --> 00:51:30,390
part not only for the operating system,
it's also a part for the state itself.
624
00:51:30,390 --> 00:51:34,190
Like shutting down everything, closing
off everything - that's, by the way,
625
00:51:34,190 --> 00:51:40,269
the screensaver - and closing down
everything also totally makes sense.
626
00:51:40,269 --> 00:51:44,459
And tracking stuff that is distributed
in the country or deleting unwanted stuff
627
00:51:44,459 --> 00:51:52,709
also makes sense. So what we think that
Red Star resembles this and matches
628
00:51:52,709 --> 00:51:57,959
how culture is in North Korea, actually.
629
00:51:57,959 --> 00:52:02,920
Herald: Okay, we also have two questions
of the IRC which I would like to shift in.
630
00:52:02,920 --> 00:52:08,779
Signal angel: Thank you. Okay, the first question
is if you have any theory on how and why
631
00:52:08,779 --> 00:52:17,209
the ISO got leaked.
632
00:52:17,209 --> 00:52:23,269
Florian: We don't know this, actually. 'Why?' is--
We don't think that it was somebody
633
00:52:23,269 --> 00:52:27,509
from North Korea, we think that it might
be a foreigner that got it.
634
00:52:27,509 --> 00:52:31,450
Like Will Scott told us last year that he
was able to get a copy of it and get it
635
00:52:31,450 --> 00:52:34,690
out of the country. There might
be others that are able.
636
00:52:34,690 --> 00:52:39,180
There is actually tourism in North Korea.
You can go there for your holidays.
637
00:52:39,180 --> 00:52:45,349
So I guess that if you put a little bit
of effort into it, it's possible to get
638
00:52:45,349 --> 00:52:49,049
nearly anything out of the country if
you want to try to take the risk.
639
00:52:49,049 --> 00:52:53,759
But we don't know who leaked the version
and we don't know why it actually was leaked.
640
00:52:53,759 --> 00:52:58,099
Niklaus: There are actually rumours that
it was a Russian student who was studying
641
00:52:58,099 --> 00:53:01,920
in North Korea, and he bought this on the
street and just brought it out of the country
642
00:53:01,920 --> 00:53:05,630
and put it on his blog, but we cannot
confirm that this is actually true.
643
00:53:05,630 --> 00:53:11,789
Signal angel: Okay, thanks. And the second question
is if there has been any attempt at the
644
00:53:11,789 --> 00:53:14,749
custom kernel modules yet, like
reverse engineering or something.
645
00:53:14,749 --> 00:53:19,589
Florian: Well we reverse engineered rtscan
which is pretty simple because it just
646
00:53:19,589 --> 00:53:25,719
hooks a few function calls, that's it.
We have taken a look at the
647
00:53:25,719 --> 00:53:30,670
Korean Display Module on a first glance.
It seems to do what it is supposed to do,
648
00:53:30,670 --> 00:53:35,589
having something to do with display
management, but we didn't take a look
649
00:53:35,589 --> 00:53:38,799
at all of the kernel modules, all the rest
of the remaining kernel modules,
650
00:53:38,799 --> 00:53:43,999
because the code base is so massive
that we actually need you guys to
651
00:53:43,999 --> 00:53:49,089
help us out a little bit.
652
00:53:49,089 --> 00:53:52,749
Herald: Next question from the mic please.
Audience 3: Yes, I have another question.
653
00:53:52,749 --> 00:53:56,469
You said that most of the software is
based of other open source software
654
00:53:56,469 --> 00:54:01,150
for which you don't have the source code,
and it didn't come with the ISO, so it's
655
00:54:01,150 --> 00:54:03,269
pretty much a massive violation of
open source licenses.
656
00:54:03,269 --> 00:54:05,979
Florian: Yep, absolutely.
A3: So my question would be:
657
00:54:05,979 --> 00:54:12,229
Could you get an inside on what other
packages are available, or from the
658
00:54:12,229 --> 00:54:14,450
package manager, and what
other packages are there?
659
00:54:14,450 --> 00:54:20,180
Florian: Actually, there is a DVD which
also was leaked. I think that it was for
660
00:54:20,180 --> 00:54:25,959
Red Star 2. I'm not sure if it is also
for the latest version, but there is
661
00:54:25,959 --> 00:54:32,239
a CD with additional software and you
have stuff like Apache, MYSQL-- pfff
662
00:54:32,239 --> 00:54:35,930
I don't know. All of the stuff you
basically need to run a full-blown
663
00:54:35,930 --> 00:54:40,589
operating system on Linux. So there is
additional software out there, you can
664
00:54:40,589 --> 00:54:47,529
download the DVD and install this
software on the machine.
665
00:54:47,529 --> 00:54:52,640
If you go through the RPM descriptions
you will see that for some of the
666
00:54:52,640 --> 00:55:00,989
software they even wrote-- They kind of
used a description for the license which
667
00:55:00,989 --> 00:55:05,130
says "KCC" which is the Korean Computer
Centre. And sometimes they use GPL,
668
00:55:05,130 --> 00:55:09,250
and sometimes they use GNU, and yeah.
So massive violations.
669
00:55:09,250 --> 00:55:12,239
A3: Did you ask them for the source code?
Laughter
670
00:55:12,239 --> 00:55:16,119
Florian: Actually, we think that there is
an internal git in North Korea where you
671
00:55:16,119 --> 00:55:20,910
can just check out everything, so...
We suppose it is this way because it's
672
00:55:20,910 --> 00:55:30,259
open source, right? By the way,
open source. Laughter
673
00:55:30,259 --> 00:55:35,440
Herald: Very nice. One more question
from here? Are you having a question?
674
00:55:35,440 --> 00:55:38,079
No, okay then we have one more
question from the internet.
675
00:55:38,079 --> 00:55:42,449
IRC: Yes, the question is if there is a
possibility to fake the watermarks
676
00:55:42,449 --> 00:55:46,529
to get some innocent North Korean
into trouble. Quiet laughter
677
00:55:46,529 --> 00:55:50,619
Florian: Yeah, no problem because the
key's hard coded. You could, like--
678
00:55:50,619 --> 00:55:57,229
You know how to scramble the hardware ID
or the disk serial, and you could perfectly
679
00:55:57,229 --> 00:56:01,690
forge documents. That would be not a
problem. Not a problem at all.
680
00:56:01,690 --> 00:56:07,209
You just need the serial number, basically.
A3: Okay, and I've just got another question
681
00:56:07,209 --> 00:56:11,279
that is: Does the warning.wav
have a watermark?
682
00:56:11,279 --> 00:56:14,809
Florian: Umm...
Niklaus: No, actually it has the exact
683
00:56:14,809 --> 00:56:19,729
same checksum as the original file.
Florian: Actually we didn't check if it--
684
00:56:19,729 --> 00:56:23,890
No, so it does not have a watermark
because as Niklaus said, it's the same
685
00:56:23,890 --> 00:56:27,739
checksum as the Kaspersky one.
A3: Okay, thanks.
686
00:56:27,739 --> 00:56:32,910
Herald: Okay, thank you very much.
Please give Florian and Niklaus another
687
00:56:32,910 --> 00:56:36,489
big round of applause for an amazing talk.
Florian: Thank you.
688
00:56:36,489 --> 00:56:40,093
Applause
689
00:56:40,093 --> 00:56:46,054
postroll music
690
00:56:46,054 --> 00:56:52,000
subtitles created by c3subtitles.de
Join, and help us!