[preroll music]

Herald: North Korea: not only famous for chocolate, but for being a surveillance state. And as a good surveillance state, it has to have its own operating system, because how will you do proper surveillance without your own operating system? Today we get a brief introduction to how Red Star OS is working. The introduction will have a specific focus on the custom code which was inserted for surveillance, and especially how to get around it. So please welcome Florian and Niklaus with a big round of applause.

[applause]

Florian Grunow: Hey everybody, thanks for having us. We are going to give you a deep dive into Red Star OS. Actually, we were kind of surprised that there is not so much information on the net about really the core of Red Star and what it is doing. So we thought we would change this and give you an insight into how this operating system works, and by looking into the technical aspects of Red Star you can also draw conclusions about how development in North Korea is evolving and is, maybe, catching up.

So what we're going to talk about is: first of all, a short introduction into the motivation; why are we doing this? We are going through the architecture of Red Star; we are going to show you the components in the core, in the operating system itself; and then we will take a deep dive into the additional components, all of the programs that are coming from North Korea and are supplied with the ISO of Red Star OS. After that, we are going to give you a deep dive into the most interesting features of Red Star OS; and then we will be able to draw our own conclusions; and afterwards we will have time for questions, we hope.

By the way, this picture on the left you can see here is actually one of the-- I think it's the screensaver right from Red Star OS.

[laughter]

So, um, yeah. So before we begin, we need to do this disclaimer: for your information, we have never visited DPRK, we have never been to North Korea.
All we know about North Korea is from public sources: from the internet, from media, whatever. So what we are going to say about North Korea has to be speculation, because we don't know exactly what happens in North Korea. Also, the ISOs that we have been analysing were found publicly available on the internet and may be fake. We don't think that they are fake, because Will Scott showed last year at 31C3 how Red Star looks, and everything that he has been showing is basically in the ISO, so we think it is legit.

Remember that we are not going to make fun of anybody in this talk. We are not going to make fun of the developers, and we are certainly not going to make fun of the people in the DPRK, because we think that our presentation might have some funny aspects or something that makes you laugh - which is perfectly fine - but looking at Red Star in detail is kind of a surveillance mess, I would say, and it's a security or privacy nightmare. So keep these aspects in mind. Also, this talk is not going to focus on security. We're not going to talk about security. Many of the publications available on the internet are about security, and we're not going to focus on this in this presentation.

So, why are we doing this? Red Star ISOs have been leaked some time ago; there is a version 2 hanging around the internet, and there is obviously a version 3.0 which was leaked at the end of 2014, and we were quite surprised in the middle of the year that there is no in-depth analysis of this operating system. So most of the blogs and news articles that you can find out there are quite superficial, and this is kind of surprising, because if there is some kind of state that doesn't put focus on transparency and free speech, and they are putting out an operating system, you kind of want to know how they build their operating system. So that was one of the major aspects for us to look into it.
The other aspect was to find out what the state of software development in DPRK is; how are they developing software? Do they have a well-thought-out architecture; are they thinking about what they are doing? What is the skill level of software development in North Korea? So these were the two aspects that we wanted to find out.

So if you look at previous work, as I said, there is mostly superficial stuff. There is some information that Red Star OS actually looks like Mac OS X, and we will go into this a little bit further. Then we have this talk from Will Scott last year at 31C3, who was talking about computer science in DPRK, which was very, very interesting and gave a pretty good insight into what's happening in DPRK. And then we have a bunch of guys who looked into the browser of Red Star, which is also quite interesting.

So what we are going to do now is-- I'm going to show you the custom basic components; I'm going to talk a little bit about integrity on the system; then I will hand over to Niklaus, who will be looking into the core and surveillance features; and then, as I said, we will have time for questions afterwards.

So there are different leaked versions out there, as I said. We have a desktop and a server version of Red Star, so you can also use Red Star as a server, and it turns out that server version 3 is actually used on the internet right now. As you can see, there is a server header returned: "Red Star 3.0". This is an IP address of the server, and it is pointing into North Korea. So this is one of the few websites that is publicly facing the internet from North Korea, and they are obviously using the server version 3.0. So 3.0 might actually be the latest version.
There is another version, it's 2.0, which has also been leaked to the internet, and then there is supposedly something that looks like 2.5; we have found some South Korean documents that seem to be analysing the system quite superficially, and it looks like 2.5 actually resembles the look and feel of Windows XP. So you kind of see this evolution right now, from 2.5 XP going to 3.0 mimicking Mac OS X. Our talk will focus on the desktop version, which is desktop 3.0.

If you look at the timeline - which is a guess; there's no documentation available on how they did it, obviously - if you look at the 3.0 version you see that it is based on Fedora 11, which came out in 2009. So our guess is they started developing 3.0 in 2009 with this Fedora 11 release. The kernel that they are using is 2.6.38, which came out with Fedora 15 in 2011. So it could be that the OS itself is a little bit older, the kernel is a little bit newer, and the latest package build dates that you can see in Red Star OS date to June 2013. So our educated guess is that Red Star came out in June 2013 or a little bit later, a few weeks later or months later. In December 2014 we had the public leak, so the ISOs have been leaked to the internet and are publicly available right now.

If you look into the operating system, it's basically a fully-featured desktop system, as you might imagine. It's based on KDE and Fedora, as I already said, and it tries to mimic the look and feel of Mac OS X. You have an e-mail client, a calendar, a word processor, you've got QuickTime and all of that stuff. You even have a disk encryption utility that Will Scott has shown last year. They implemented additional kernel modules and they touched a lot of kernel modules. They have this kernel module "rtscan", which Niklaus is going to say a little bit more about; they have this kernel module called "pilsung" - I was told this means "victory" in Korean - and that kind of is a kernel module that supplies AES encryption.
So they implemented their own kernel module to supply something like AES. Then there is a kernel module called "kdm", which is the Korean Display Module, and "kimm"--

[muffled laughter]

--which is not what it's like-- it's not looking--

[laughter]

Well, I'll just go on. It basically just does something with Korean letters and displaying Korean letters on the screen.

Red Star has been developed by the KCC, the Korean Computer Centre. It's quite interesting that a few years ago they had an office in Berlin. I don't know what they did there, but they obviously had an office in Berlin, maybe for knowledge sharing, whatever.

If you look at the system hardening, it's quite interesting that they took care of system hardening. So they implemented SELinux rules with custom modules; they have iptables rolled out immediately, so you don't have to activate it or put your rules into it; the firewall is working. They even have Snort installed on the system. It's not running by default, but they are kind of delivering it by default, and they have a lot of custom services that we are going to look into right now.

Quite interesting is-- so why should North Korea mimic Mac OS X? That might be one reason right there: because this young fella sitting on the left is actually using an iMac right here. So this is one reason. So why should they implement their own operating system? There actually are so-called anthologies put out by the leader, and one anthology by Kim Jong-il says that - if you translate it correctly, and we tried to - "in the process of programming, it is important to develop one in our own style," and with "one" he means programs and operating systems. So there is this clear guidance that North Korea should not rely on third-party Western operating systems and programs; they should develop this stuff on their own. And by looking at the code and everything that we have of Red Star OS, this is exactly what they did.
They touched nearly everything on the operating system, changed it a little bit, added custom code, and so this is actually what they are doing right there. The custom applications that you have are a browser, whose name translates to "my country." You also have a crypto tool that Will Scott has shown last year, which is called Bokem, which, if you translate it, kind of translates to "sword." You have Sogwang Office, which is an OpenOffice customised for North Korean use. A software manager; you have MusicScore, which is an application you can compose music with. Then you have a program which is called "rootsetting", and it basically gives you root. So if you look into the documentation, it says you are not supposed to have root on the system for integrity reasons, but if you want to get root you can use this tool, so they're not hiding anything. So there are rumours on the net that say that you're not supposed to get root on the system because it's so locked down. This is not true, obviously, because there is software intended to give you administrative privileges. They even touched KDM, so the code base that they touched is really, really big. Nearly the whole operating system.

We are now going to give you a demo. The first demo that we are doing, we are doing it right now, because we are actually doing this presentation in Red Star OS.

[laughter and applause]

So what you see right here is basically Red Star OS. We're going to show some of the aspects to you. There are many, many screenshots on the internet; some of you might already know how Red Star works, you might have experience yourself. We're just going over a few interesting issues. So as you have seen, there is a full-blown set of word processing, PowerPoint presentation stuff. I'm going to open up the browser-- pfft, whatever.

[laughter]

--and going into the preferences just to give you a quick-- no.

[muted laughter]

Oh.
[laughter]

Yeah, to give you an insight into the Certificate Authorities that are implemented in this Firefox version - it's Firefox 3 - so you see there are not so many Certificate Authorities right here, and they all are, I guess, from North Korea. So the browser is totally created to not be used outside of North Korea, which you can see in the URL bar. There is an internal IP address which points into the network of North Korea, and all of the settings, proxy settings, hard-coded IP addresses or whatever, all point into this internal infrastructure of North Korea. So this browser and the e-mail program were never intended to be used outside of North Korea. Pfft. Okay.

[laughter]

What else do we have? Okay, we have a QuickTime player. So speaking of Mac OS X, you all have seen this. Woo! Swoosh. Right? Okay, so that perfectly mimics Mac OS X. So let me try to find-- I'll try with aplay right here. So this is the shell. Quite interesting is that when we were looking through all of this stuff, there is a bunch of files that have a certain protection, and they seem to be pretty important for the system, and there is a wave file - an audio wave file - that actually is protected. It's /usr/lib/Warnning.wav; I don't know if we can hear this. I hope that your ears are not going to explode right now. I'll just try it.

[pig squealing]

I'll try it again.

[pig squealing]

You hear that?

[laughter]

[pig squealing]

Does anybody know what this is?

[shouts of "pig" from audience]

Pardon me? Pig, exactly. And where is it coming from? Does anybody know? That's stolen from Kaspersky antivirus, because in the older version of Kaspersky antivirus, if you find a virus, it actually will play this sound, and it's exactly the wav file from Kaspersky; we verified this by doing checksums, okay.

[laughter]

So we have a copyright violation right here.

[laughter and applause]

So what else do we have? I've been talking about this, you can create your own music.
I'm not going to do this now because I'm not good at making music. What else do we have? We have the browser. Did we want to show-- ah yeah. I'm going to show you one more thing. I'm not going to show you the encryption tool because Will Scott has done this last year, but to give you an insight into the crypto tool, it's pretty interesting. If you look at the description of bokem3 - bokem is the tool that is used for disk encryption, so it provides the user a tool to encrypt files or even the complete hard drive - and if you look into the description it says "this allows the user to store his/her privacy data with encrypted," which is quite nice. I mean, we didn't expect to have something like this in Red Star. So the user can at least try to encrypt files. Bokem is using out-of-the-box crypto that comes with the kernel. It also uses pilsung, which we don't know if there are any backdoors in it or not, so we have no idea if this is possible to decrypt with a master key or something. If you want to look into this, we would be happy if someone with big crypto experience would look into it.

So let me get back to the presentation. Ah! One thing I need to show you is this red flag in the right corner, right here. If you look into this, and you translate - I didn't click the right one - if you are going to translate all of this, you will find that all of the strings and all of the text that you see right here seem to be an antivirus scanner. So they even implemented from scratch an antivirus scanner in Red Star OS. You can now select the folder or a file and say run a check on the file, and if the file is actually a malicious file - we will come to that part later, what "malicious" is - it will instantly be deleted from the hard drive. So this is an interesting feature, having a virus scanner in a Linux OS.

Okay, so let's look at the custom components. We have been looking into the user space a little bit, and all of the programs that come with it.
There is far more stuff. Download the ISO, play around with it a little bit. First, change the language to English. You will obviously not get far if your Korean is bad. So change the language and play around with it a little bit.

So Red Star comes with interesting packages. They touched KDE, as I said. They are getting out an integrity checker and a security daemon. There are signature packages right here, which Niklaus is going to talk about a little bit; there are policies for SELinux; and I'm going to talk about two of the integrity checking mechanisms that Red Star has.

So by looking at Red Star, we saw that one thing was pretty important to them: they wanted to preserve the integrity of the system, and one way to do this is using this process right here; it's called "intcheck." It comes with an SQLite database with hashes of files on the system, like signatures for the system, and you can configure it from user space, so it's not really hidden; it's pretty transparent to the user. I think it even comes with a UI where you can configure everything, and it's run at boot. It checks the files, and if it sees that the files have been manipulated or tampered with - if the checksum changes - then it will issue a warning to the user. So you get a small popup that says "this file has been tampered with," the security or the integrity of the system is not where it should be. So that's pretty much what this thing does.

securityd is kind of interesting, because securityd is also a process that is known to run under Mac OS X. I'm not a Mac user, and I think that Mac OS X with securityd is keeping track of certificates and stuff like that. So what they did is they reimplemented securityd for Linux, and they included various plugins. One interesting issue with securityd is it comes with a library that provides a function called validate_os(), and what this function does is it has a hard-coded list of files.
You can see, like, our wav file right here; you can see configuration files, and autostart files for scnprc, which is the antivirus scanner. So it checks if these files are untouched, and if these files have been tampered with it initiates a reboot instantly. So if you touch one of these files, your machine will reboot instantly. The same library is also used from KDM, so during the startup process, when KDM is starting, it is also doing an integrity check, and if it finds that one of these files has been tampered with it actually immediately issues a reboot. And the problem is that if you start tampering with the system, you will end up in reboot loops all of the time if you're doing research, because once KDM says reboot the system, it's going to check it again once it's rebooted, sees that it's still tampered with, and reboots again, and again, and again, and then your system is basically dead.

So what they tried to do with intcheck and securityd is try to protect certain files, conserve the integrity of these files, and if these files get tampered with they assume that it is better to have an operating system that you cannot work with any more than to still let it run or issue any warning. So integrity is one of the main aspects they were looking for in implementing Red Star. Okay, I will hand over to Niklaus, and he will go into the guts and the surveillance features a little bit more.

Niklaus Schiess: The most interesting feature-- package we found was this esig-cb package, which actually says in the description that it's an "electronic signature system," but we found that it is doing a lot of weird stuff. This is actually one of the pictures which is included in the package, which is also protected. We don't really know why, but it says something like "this is our copyright," and "don't break it," and "don't copy it," and stuff like that. But it's actually doing something really different. It includes several pretty interesting files.
We have some configuration files, we have a kernel module, and we also have this redflag.bmp, which is the picture you just saw, and we have the warning file, and we have some shared libraries, and we'll go now into details on what these are actually doing.

So the first thing we looked at was the kernel module, because there is a kernel module loaded by default, and we thought, if you want to put some backdoors in it, where would you want to put it? Right in the kernel module, probably. And what it does, it's actually just hooking several system calls, which provides a device which is actually interfaced to the kernel, so you have different services running on a system which are actually talking to this kernel module via this device, and it has some functionality like it can protect PIDs. So when you're protecting a specific process, then even root cannot kill this process, which will be quite interesting in the next slides. It also provides functionality to, on one side, protect files, and on the other side, hide files. So protect means you cannot edit the file, and hide means you cannot even read the file. So even if you have the root user, you can't even read those files. And on the right side is actually how the services are interacting with this kernel module, and this is one function which mostly protects and hides the files which we just saw, which are included in this esignature package.

Then, like Florian said, we have this virus scanner, which at first glance at least looks like a virus scanner, and this is this "scnprc" process. It provides a GUI to the user, so it's quite transparent, so the user can see "okay, I have something that looks like a virus scanner, and I can also trigger some scans of different directories," and it's started by kdeinit. So there's this scnprc desktop file, which is quite interesting because what you want to do is disable it, but you cannot actually edit this file. So as soon as you edit this file and save it, then the system will immediately reboot.
So disabling it is not so easy. Like I already said, you have different ways of scanning. You can just click on a folder and say "scan this," but also if you, for example, plug a USB stick into the system, then it will automatically scan the files on the USB stick. And this scnprc service is actually loading the kernel module, and it starts another service which is called "opprc", which we are going to look at in detail in a minute, and this next service is also quite interesting.

But the pattern matching - we looked into this a little bit, and there's another package. So we have this esig-cb package, and you have the esig-cb-db package, which actually just provides this one single "AnGae" file. As far as we know, it means "fog" in Korean. And this is basically a signature file, or, as the code references it, a pattern file. It's a file with a well-defined file format, and it includes patterns which are loaded into memory, and as soon as you are scanning a file it just checks if these patterns are matching, and as soon as the patterns are matched then it immediately deletes the file and it plays the warning. And this is one of the hidden files, so even if you get root privilege on the system you are not able to actually read this file. So a user of the operating system won't be able to check "okay, what does it check, and can I produce documents which won't be detected by this," because you cannot actually read this file.

We took a look into this. Most likely, our best guess is that these contain-- A lot of the files are little-endian, so you always have to switch the bytes, and we saw that it looks at least like they are UTF-16 strings with Korean, Chinese, and some other weird characters, and if we put these in Google Translate then there are actually some pretty weird and disturbing terms in those files. But we actually cannot confirm this.
It looks like they are actually not scanning for malware in the system, so most likely they are checking documents, and if those documents match those patterns then they are most likely-- for example, governments don't want these files to be distributed within the intranet of North Korea, then it just deletes those files. But actually we cannot confirm this, because we are not quite sure, if you put those strings in Google Translate, that they are actually real translations. But you can always update these pattern files, so on the one side scnprc has a built-in update process where it just updates the file itself, or, when you are doing an operating system update via your package manager and you update this esig-cb-db package, you also get a brand new file. The interesting part of this is that the developers decide what is malicious. So it's not necessarily that "malicious" means that it's malware, that it's bad for you, but somewhere the developers and officials will actually say, "okay, we don't want those files distributed, just delete them, because we think they are malicious."

There is this other service which I was also talking about, this "opprc." This is more interesting than the virus scanning itself. It's running in the background, so actually a user will not see that there is actually another service running; you don't have any GUI or something like that, you cannot trick or something with this, and this is one of the protected PIDs. So scnprc, for example, you can just kill with root privileges, but this is a process no one can kill on the system, and this is quite interesting, because you cannot unload the kernel module unless this service is killed, so they are actually protecting each other so that no one can stop the services at all. And this service shares a lot of code with scnprc.
We just did some entropy checking and saw okay-- I will talk in a minute, when we are comparing more of these files, about why we think that this looks pretty much the same, why they are sharing so much code, because we found something interesting with older versions of those services. But the most interesting thing this service is doing is it watermarks files. And now we are going to look deeper into what this watermarking means.

So actually, as soon as this system is started, it reads your hard disk serial and then scrambles it a little bit, and as soon as you are, for example, plugging a USB stick into your system, then it will trigger a watermarking process where it takes the serial, takes a hard-coded DES key from the binary itself, and then encrypts it and then puts it into your file. And when you are converting this hex key into a decimal representation, then you see that it is actually two dates. We actually cannot confirm what those two dates mean, but one of those matches Madonna's birth date, and there are rumours that some people in North Korea might really like Madonna. This is just speculation, but if you have a better conspiracy theory then just let us know. Because we found some pretty interesting stuff, but we cannot confirm this.

So technically, the watermarks have an ASCII EOF appended, which is most likely used by the code itself to parse the files and see if there's already a watermark in there, and for JPEG and AVI files, for example, it just appends this watermark to the end of the file, and when you have a DOCX, for example, it just appends it near the header, where there are a bunch of null bytes, and then it just puts it in there. So the watermarking itself is: as soon as you open a document file with Office, then it will be watermarked, and actually they have code which watermarks files even if you don't open those files, but as soon as we saw this-- it's pretty buggy.
It doesn't work every time, but they have code for this implemented, and mostly it works, but sometimes it just fails. The supported types that we can confirm are DOCX files, image files like JPEG and PNG, and AVI video files. But the code indicates there are several more file types available for watermarking, but we most likely didn't look into this. But the most interesting thing here is that only media files are affected. So they don't watermark any binaries or something like that; they are reducing their surface to files which could be used to carry information, which could be used to put out information for free speech purposes, and actually what we think is that this is not a security feature. So they are actually trying to watermark free speech in general, so that every time you have a document file, an image, or a video file, then they want to know who had this file, and they watermark it so they can track the origin of the file.

We have a short demo where you can see, for example, I have a USB stick. Let me put it in my system. There is a file on the USB stick which is a love letter from Kim, and it has a checksum which starts with "529", and as soon as I plug this into the system-- I hope that it will notice this. You can see, okay, it recognised something like a USB stick on the system, but I won't open it, and I won't open any file on the USB stick. I just will eject it. I hope that it works. Will it actually open? This is what I meant, that it's kind of buggy, so it doesn't always work with the watermarking, but most likely if you open the file itself then it will work. I guess we didn't have the case that it doesn't work when you open it. [sic] --which then opens Office, and I close it again and-- just close this. Go back, and then hopefully, if we mount this again, then you can see it has been changed.
So we didn't change anything in the file; it was just the operating system which is changing files, and this was initially the part where we started to look into this more deeply, because we thought an operating system which is just changing files when you are plugging into the system is kind of annoying. Just to make this easier for you-- So what it actually does in the file: we have here the header of the file, which is a document, a DOCX file, and it just added this string which is marked right here. This is actually the watermark it's putting in there. Opposite there you can see the plaintext which is actually encrypted and then put into the file, and the serial starts with "B48", so every time it puts the serial into the file, it prefixes it with "WM", which we think probably stands for "watermark", and you can see the EOF at the end of the file. This allows basically everyone who can access this file, who can decrypt this watermark, which is actually encoded with the hard-coded key - so pretty much everyone who has access to this ISO can get this key and can decrypt this - and this allows you to really track back the origin of the file, where it came from.

But there is a pretty funny example. So imagine you have this picture, and you are inside North Korea, and you think, "okay, this is pretty cool, and I want to distribute this to all of my friends." So you think, "okay, they might be intercepting all of my e-mail and my browser communication," so you put it on a USB stick and give it to your friends, so that you think, "okay, no-one actually on the internet can access this file," and you give it to someone else. Then at the beginning we have this situation, where this is the original file. This is the end of the JPEG file - which by definition always ends with an "FF D9" hexadecimal - and as soon as you give this to your friend and he plugs the USB stick into his computer which is running Red Star OS, then the file will actually change and it will look like this.
So for JPEG files, as I said, it just appends the watermark to the end of the file. So you can see the "FF D9"; this is the actual end of the image file, and they're appending the watermark there, like you can see with the EOF. But where it gets interesting is when your friend is actually distributing the file to another friend. So what Red Star OS is actually doing, it appends also the watermark of your third friend.

[slight laughter]

So what you then can do-- If you technically combine this together, then you can see not only where the file has its origins, but you can also track each and everyone who had this file and who distributed this file, and with this knowledge you might be able to construct something like this, where you can track the distribution of all of the media files which are distributed over the intranet in North Korea. You can see then, in the centre, we have this one really weird guy who is always distributing images that we don't like, and you can see also who gets these files, and trace it back to all of the persons who ever had this file, and then you can just go home to him and then shut him down and take his computer. And we have actually not seen any functionality, but probably there is functionality in the system implemented where it always sends your hard disk serial to their servers, so the OS can probably be able to match your IP address to your hard disk serial, and then they don't even have to go to your home and get to your computer and check your hard disk serial; they just can do this remotely and can check all of the distribution of all malicious media files within the intranet of North Korea.

What we thought is pretty hard for someone who doesn't have access to a system other than Red Star OS, who just has this one system, and tries to disable all of this malicious functionality like the virus scanning that can delete all of your files that someone else doesn't like, or the watermarking/the tracking of those files.
And this is actually quite hard, because some of those services are depending on each other and can only be killed when the other service is not running. So what you actually have to do is you have to get root privileges, and then you have to kill those two integrity checking daemons which Florian was talking about, so that it doesn't always reboot the system when you're changing anything. Then you can, via ioctl calls to the kernel module, just say "disable", because it has this nice feature where you can enable and disable it, and then you can kill scnprc, opprc, and the best thing you can do is-- Weirdly, the libos file is not protected by anyone, so you can just exchange this with a validate_os() function which always returns 1, which says everything is fine, and then at the end you can delete the desktop file which is used by KDE to start all of these processes, and then you are fine. And we don't think that actually anyone in North Korea who only has access to this one system-- It will be extremely hard to figure all of this out and to completely disable it. So they did a pretty good job in building an architecture which is quite self-protecting, and they put a lot of effort into it to just prevent you from disabling all of the malicious functionality. We also took a quick look at the second version of Red Star OS, just to compare some of those services, and there we can see there is quite an evolution from the older version to the current version. The thing which I was talking about, that the binaries are quite similar, is that in the older version they used a lot of shared libraries, and in the current version they statically linked a lot of code into the binaries themselves, even if they don't use it, so the codebase looks quite the same.
And the chain of starting the processes is a little bit different, so they put a lot in the init process, which will be started first, and not like this depending-on-each-other infrastructure which they have in the current version. In the current version they also have a lot of problems with file privileges, so privilege escalations would be pretty easy, even if you don't have this root setting file. But also they have a lot of binaries that are just set so that everyone can read and write this interface to the kernel module, which basically allows you even as a non-root user to disable the kernel module, and then you can kill all of the binaries, but you cannot actually delete something because it will then end up in the reboot loop. And when you are doing something malicious, then the OS reboots; in the older version it just shuts down the system, so we thought this is a pretty interesting thing. And we think, and we saw, that there's a more advanced watermarking technique in there which is not just appending watermarks to the files, but it looks like they are doing, for video and audio files at least, something like putting the watermarks as filters on the files. So this will be a little bit harder to actually see those watermarks and read those watermarks, because it is not so obvious like when you have this "EOF" string at the end, which is always quite weird. But it uses this "/usr/lib/organ" file which is actually not present on the ISO we had. We're going to talk in the conclusion about why we think this might not be there, but it's actually not available. It's referenced a lot in the code, but we actually haven't had this file and unfortunately we couldn't look into this more deeply. So what we didn't find were quite obvious backdoors, which we thought would be in place and would be pretty easy to spot. But we didn't see any of those.
It doesn't mean that there are no backdoors, but we have some speculations for this, and one of these is that, like we saw at the beginning of the talk, there are actually systems on the internet running this version of Red Star OS, so it would be pretty weird if they would backdoor a system and then put it on the internet. As soon as someone gets the ISO file and can look for backdoors and can find some of them, they would actually be able to exploit the system from the internet. Actually the system has a package manager and, as we saw with the pattern file, it has built-in update functionality and different services, so backdoors could just be loaded via updates, because probably they thought, "okay, these ISOs might be leaked into the outside world," and you just get an ISO, install it, update your system - which is only possible from within the intranet of North Korea, with hard-coded internal IP addresses - so probably they thought, "we only want our backdoors on the systems which are actually located within North Korea." This is what we thought, that they thought the ISO might be leaked, which is what actually happened. Another problem is that, like Florian already said, they touched a lot of code within the operating system and we didn't manage to check all of the code. We mostly focused on the watermarking and the virus scanning stuff, and there might be a lot of code that should be checked further. The conclusion also is that the system's quite self-protecting. They not only implemented several services for integrity checking themselves, but also they configured and implemented SELinux and something like that, to just protect the system and make it more secure.
What we think is really bad is this virus scanning and watermarking, because it actually allows you to track not only the origin but the complete distribution of those files within the network, and combined with the virus scanner, where the developers are able to actually say what files are really malicious and what shouldn't be distributed within the network, it just deletes those files. So these two combined are a really strong framework which can help you to track malicious people within your network. But some words about security: like I said, they have a lot of problems with file permissions. There are actually some documents on the ISO of the server version of Red Star OS 3.0, and there are some user guides and administration guides which are quite interesting, and they talk a lot about how to make the system secure, how to run it securely, and why they are doing different kinds of stuff to save the integrity of the system. They have a huge chapter talking about file permissions, but they actually didn't manage to fix them themselves, which is quite weird. And even their custom code uses basic memory corruption protection like stack cookies and non-executable stacks, which we saw that a lot of security vendors don't bother to use, so we thought this is quite funny. Some of their code is more secure than a lot of security appliances. Slight laughter Florian: So to wrap this up-- Am I going, can you hear me? Yes. Okay, so to wrap this up, again we think - this is a guess - that primarily they try to protect and to save the integrity of the system, which totally makes sense if you're putting out an operating system from North Korea. The system was, in our opinion, definitely built for home computers, so it's not like industrial control or something else; it's definitely built for a home user, because it mimics Mac OS X and gives you all of the tools. Maybe the reason why we didn't find backdoors is they actually know that backdoors are bullshit.
Could be a reason, we don't know. If you want to look into Red Star OS and help us out - especially with the crypto, the pilsung kernel module which provides custom crypto, with a look into the kernel to see if there is something hidden there, if maybe there are backdoors there - take a look at our GitHub. Please contribute if you find something, because we think that this message and all of this stuff has to be put out to the public, so it is a well-known fact that this operating system is actually abusing free software to make free speech harder in a country that is quite oppressed. So with this, we are at our end and we are going to take your questions now.

Applause

Herald: Thank you very much. We have about 15 minutes of time for questions. If you want to ask a question, please come to the microphones. There are some on the right and some on the left aisle. If you for any reason can't come to the microphones, please raise your hand and I'll come to you with my microphone. Okay, please line up there. If you wanna leave now, please do this quietly through the front door.

Florian: Could you raise your hand if you have questions and are standing at the microphone? There are like three questions over there.

Herald: Yeah, on the left one please.

Audience 1: Hello? Yeah. So thank you very much, it was very interesting. I have two questions: have you tried isolating the system in a chroot jail? And the second one is: were there any outbound connections, like automatic outbound connections it made?

Florian: Okay, so for the first question, we did not try to run it in an isolated environment. We actually didn't-- Did we install it on a live system? I don't think so. Did we?

Niklaus: Yeah.

Florian: Yeah, okay. But we didn't make any observations that this changed the behaviour of the system. Concerning the second question, there actually is not really outbound traffic. What it is doing is, on the local network, it is talking a lot of NetBIOS stuff.
So there is an SNMP daemon and an nmb daemon running on the system and it's talking a lot of NetBIOS. But this is basically everything we could find. We have even left it running for like two days, to see if there is an outbound connection for one day or something like that. We couldn't see anything like that. So the only stuff that Red Star's talking to the network is like this Windows NetBIOS stuff, and if you push the button on the update feature of the virus scanner, it's actually trying to initiate an update process that goes to five hard-coded IP addresses that are all local. So like 192.168.9 something, and 172 whatever. These are the only network connections that we could trigger, or that we have observed so far.

A1: Thank you.

Herald: The next question is also from this microphone.

Audience 2: Two questions: might it be possible that when you install the system it gets code from North Korea, so you cannot find out if it's calling home because you don't get the call?

Florian: Could be. Our guess is actually that there is far more stuff that you get when you pull up the operating system in North Korea. One reason is the organ file that Niklaus mentioned that is missing on the system, with the additional crypto information that is used for the extended watermarking that they are applying. We don't know where this file is coming from, and from our perspective it totally makes sense to not distribute this file on the ISO but to kind of give it as an-- I don't know, somebody has to come to your house to install the software and then he puts this dedicated organ file on your desktop that is specific to you, for example. That would totally make sense because, as you know, stuff works a little bit differently. It's not like downloading an ISO and installing it; it's probably more complex to get this onto your system if you want to use this.
So there might be more stuff that is pushed either via updates - only internal - and this organ file and other stuff that can get to your computer-- We don't know if this is possible or if something is happening with this feature.

A2: And the second question is, if you look at it from the North Korean view: that's like they had the problem. They are quite happy, have a nice state, everything's working fine from what they see, and now people come from South Korea, from Western countries, bring their USB sticks with Western propaganda, so to have stuff like this watermarking, even if it is like evil, is like a natural reaction from a closed system.

Florian: So actually it totally makes sense to develop the system in the way they developed it. It totally makes sense, because it kind of reflects a little bit how the government is working. Because integrity is a critical part not only for the operating system, it's also a part for the state itself. Like shutting down everything, closing off everything - that's, by the way, the screensaver - and closing down everything also totally makes sense. And tracking stuff that is distributed in the country or deleting unwanted stuff also makes sense. So we think that Red Star resembles this and matches how the culture is in North Korea, actually.

Herald: Okay, we also have two questions from the IRC which I would like to shift in.

Signal angel: Thank you. Okay, the first question is if you have any theory on how and why the ISO got leaked.

Florian: We don't know this, actually. 'Why?' is-- We don't think that it was somebody from North Korea; we think that it might be a foreigner that got it. Like Will Scott told us last year that he was able to get a copy of it and get it out of the country. There might be others that are able to. There is actually tourism in North Korea. You can go there for your holidays.
So I guess that if you put a little bit of effort into it, it's possible to get nearly anything out of the country if you want to take the risk. But we don't know who leaked the version and we don't know why it actually was leaked.

Niklaus: There are actually rumours that it was a Russian student who was studying in North Korea, and he bought this on the street and just brought it out of the country and put it on his blog, but we cannot confirm that this is actually true.

Signal angel: Okay, thanks. And the second question is if there has been any attempt at the custom kernel modules yet, like reverse engineering or something.

Florian: Well, we reverse engineered rtscan, which is pretty simple because it just hooks a few function calls, that's it. We have taken a look at the Korean Display Module at a first glance. It seems to do what it is supposed to do, having something to do with display management, but we didn't take a look at all of the kernel modules, all the rest of the remaining kernel modules, because the code base is so massive that we actually need you guys to help us out a little bit.

Herald: Next question from the mic please.

Audience 3: Yes, I have another question. You said that most of the software is based on other open source software for which you don't have the source code, and it didn't come with the ISO, so it's pretty much a massive violation of open source licenses.

Florian: Yep, absolutely.

A3: So my question would be: could you get an insight into what other packages are available, or from the package manager, and what other packages are there?

Florian: Actually, there is a DVD which also was leaked. I think that it was for Red Star 2. I'm not sure if it is also for the latest version, but there is a CD with additional software and you have stuff like Apache, MySQL-- pfff, I don't know. All of the stuff you basically need to run a full-blown operating system on Linux.
So there is additional software out there; you can download the DVD and install this software on the machine. If you go through the RPM descriptions you will see that for some of the software they even wrote-- They kind of used a description for the license which says "KCC", which is the Korean Computer Centre. And sometimes they use GPL, and sometimes they use GNU, and yeah. So massive violations.

A3: Did you ask them for the source code?

Laughter

Florian: Actually, we think that there is an internal git in North Korea where you can just check out everything, so... We suppose it is this way because it's open source, right? By the way, open source.

Laughter

Herald: Very nice. One more question from here? Are you having a question? No, okay, then we have one more question from the internet.

IRC: Yes, the question is if there is a possibility to fake the watermarks to get some innocent North Korean into trouble.

Quiet laughter

Florian: Yeah, no problem, because the key's hard-coded. You could, like-- You know how to scramble the hardware ID or the disk serial, and you could perfectly forge documents. That would not be a problem. Not a problem at all. You just need the serial number, basically.

A3: Okay, and I've just got another question, that is: does the warning.wav have a watermark?

Florian: Umm...

Niklaus: No, actually it has the exact same checksum as the original file.

Florian: Actually we didn't check if it-- No, so it does not have a watermark because, as Niklaus said, it's the same checksum as the Kaspersky one.

A3: Okay, thanks.

Herald: Okay, thank you very much. Please give Florian and Niklaus another big round of applause for an amazing talk.

Florian: Thank you.

Applause

postroll music

subtitles created by c3subtitles.de Join, and help us!