-
preroll music
-
Herald: North Korea; not only famous for chocolate
but for being a surveillance state
-
And as a good surveillance state,
it has to have its own operating system.
-
Because how will you do proper surveillance
without your own operating system?
-
Today, we get a brief introduction
to how Red Star OS works.
-
The introduction will have a specific
focus on the custom code
-
which was inserted for surveillance,
and especially how to get around it.
-
So please welcome Florian and Niklaus
with a big round of applause.
-
Applause
-
Florian Grunow: Hey everybody,
thanks for having us.
-
We are going to give you a deep
dive into Red Star OS.
-
Actually, we were kind of surprised that
there is not so much information
-
on the net about really the core of Red
Star and what it is doing.
-
So we thought we would change this,
and give you an insight into how
-
this Operating System works,
and by looking into the technical aspects
-
of Red Star you can also draw conclusions
about how development in North Korea
-
is evolving and is, maybe, catching up.
-
So what we're going to talk about is:
First of all, a short introduction
-
into the motivation; why are we doing
this? We are going through
-
the architecture of Red Star; we are going
to show you the components in the core
-
of the operating system itself; and then
we will take a deep dive into
-
the additional components, all of the
programs that are coming from North Korea
-
and are supplied with the ISO
of Red Star OS.
-
After that, we are going to give you a
deep dive into the most interesting features
-
of Red Star OS; and then we will be able
to draw our own conclusions;
-
and afterwards we will have time
for questions, we hope.
-
By the way, this picture on the left you
can see here is actually one of the--
-
I think it's the screensaver right from
Red Star OS. Laughter So, um, yeah.
-
So before we begin, we need to
do this disclaimer:
-
For your information we have never visited
DPRK, we have never been to North Korea.
-
All we know about North Korea is from
public sources, from the internet,
-
from media, whatever. So what we are
going to say about North Korea
-
has to be speculation because we don't
know exactly what happens in North Korea.
-
Also, the ISOs that we have been analysing
are found publicly available on
-
the internet, [and] may be fake. We don't
think that they are fake because
-
Will Scott showed last year at 31C3
how Red Star looks, and everything that
-
he has been showing is basically in the
ISO, so we think it is legit.
-
Remember that we are not going to make fun
of anybody in this talk. We are not going
-
to make fun of the developers, and we are
certainly not going to make fun of
-
the people in the DPRK, because we think
that our presentation might have some
-
funny aspects or something that makes
you laugh - which is perfectly fine - but
-
looking at Red Star in detail is kind of a
surveillance mess, I would say, and
-
it's a security or privacy nightmare.
So keep these aspects in mind.
-
Also, this talk is not going to focus
on security. We're not going to talk
-
about security. Many of the publications
available on the internet are
-
about security, and we're not going to
focus on this in this presentation.
-
So, why are we doing this? Red Star ISOs
have been leaked some time ago; there is
-
a version 2 hanging around the internet
and there is obviously a version 3.0
-
which has been leaked at the end of 2014,
and we were quite surprised at the middle
-
of the year that there is no in-depth
analysis of this operating system.
-
So most of the blogs and news articles
that you can find out there are quite superficial,
-
and this is kind of surprising because
if there is some kind of state that
-
doesn't put focus on transparency and free
speech, and they are putting out an
-
operating system, you kind of want to know
how they build their operating system.
-
So that was one of the major aspects for
us to look into it. The other aspect was
-
to find out what the state of
software development in DPRK is;
-
how are they developing software? Do they
have a well-thought-out architecture;
-
are they thinking about what they are
doing? What is the skill level of software
-
development in North Korea?
So these were the two aspects that
-
we wanted to find out.
-
So if you look at previous work, as I said
there is mostly superficial stuff.
-
There is some information that Red Star OS
actually looks like Mac OS X, and we will
-
go into this a little bit further.
Then we have this talk from Will Scott
-
last year at 31C3, who was talking about
Computer Science in DPRK which was
-
very, very interesting, and gave a pretty good
insight into what's happening in DPRK.
-
And then we have a bunch of guys who
looked into the browser of Red Star,
-
which is also quite interesting.
-
So what we are going to do now is--
I'm going to show you the custom basic
-
components; I'm going to talk a little bit
about integrity on the system; then I will
-
hand over to Niklaus who will be looking
into the core and surveillance features;
-
and then as I said, we will have time
for questions afterwards.
-
So there are different leaked versions out
there, as I said. We have a desktop and
-
a server version of Red Star, so you can
also use Red Star as a server, and it
-
turns out that server version 3 is
actually used on the internet right now.
-
As you can see, there is a server
header returned: "Red Star 3.0"
-
This is an IP address of the server, and
it is pointing into North Korea.
-
So this is one of the few websites that
is publicly facing the internet from
-
North Korea, and they are obviously using
the server version 3.0. So 3.0 might
-
actually be the latest version.
There is another version, it's 2.0,
-
which has also been leaked to the internet,
and then there is supposedly something
-
that looks like 2.5; we have found some
South Korean documents that seem to be
-
analysing the system quite superficially,
and it looks like 2.5 actually resembles
-
the look and feel of Windows XP. So you
kind of see this evolution right now from
-
2.5 XP going to 3.0 mimicking Mac OS X.
-
Our talk will focus on the
desktop version, which is desktop 3.0.
-
If you look at the timeline, which is
a guess - there's no documentation available
-
on how they did it, obviously - if you
look at the 3.0 version you see that it is
-
based on Fedora 11 which came out in 2009.
So our guess is they started developing 3.0
-
in 2009 with this Fedora 11 release.
The kernel that they are using is 2.6.38
-
which came out with Fedora 15 in 2011.
So it could be that the OS itself is
-
a little bit older, the kernel is a little
bit newer, and the latest package build
-
dates that you can see in
Red Star OS date to June 2013.
-
So our educated guess is that Red Star
came out in June 2013 or a little bit later,
-
a few weeks later or months later.
-
In December 2014 we had the public leak,
so the ISOs have been leaked to the internet
-
and are publicly available right now.
-
If you look into the operating system,
it's basically a fully-featured desktop system
-
you might imagine. It's based on KDE
and Fedora as I already said, and it tries
-
to mimic the look and feel of Mac OS X.
You have an e-mail client, a calendar,
-
a word processor, you've got QuickTime and
all of that stuff. You even have a disk
-
encryption utility that Will Scott
showed last year.
-
They implemented additional kernel modules
and they touched a lot of kernel modules.
-
They have this kernel module "rtscan"
which Niklaus is going to say a little bit
-
more about, they have this kernel module
called "pilsung" - I was told this
-
means "victory" in Korean - and that
kind of is a kernel module that supplies
-
AES encryption. So they implemented their own
kernel module to supply something like AES.
-
Then there is a kernel module called "kdm"
which is the Korean Display Module,
-
and "kimm"-- muffled laughter
--which is not what it's like--
-
it's not looking-- laughter
Well, I'll just go on.
-
It basically just does something with
Korean letters and displaying Korean
-
letters on the screen.
-
Red Star has been developed by the KCC,
the Korean Computer Centre.
-
It's quite interesting that since a few
years ago they had an office in Berlin.
-
I don't know what they did there, but
they obviously had an office in Berlin
-
maybe for knowledge sharing, whatever.
If you look at the system hardening,
-
it's quite interesting that they
took care of system hardening.
-
So they implemented SELinux rules with
custom modules, they have iptables
-
rolled out immediately so you don't have
to activate it or put your rules into it;
-
the firewall is working. They even have
Snort installed on the system.
-
It's not running by default but they are
kind of delivering it by default, and they
-
have a lot of custom services that we are
going to look into right now.
-
Quite interesting is-- so why should
North Korea mimic Mac OSX?
-
That might be one reason right there:
because this young fella sitting on the left
-
is actually using an iMac right here.
So this is one reason.
-
So why should they implement their own
operating system? There actually are
-
so-called anthologies put out by the leader,
and one anthology by Kim Jong-il says that
-
- if you translate it correctly, and we
try to - "in the process of programming,
-
it is important to develop one in our own
style," and with "one" he means programs
-
and operating systems. So there is this
clear guidance that North Korea should not
-
rely on third-party Western operating
systems and programs; they should
-
develop this stuff on their own.
And by looking at the code and everything
-
that we have by Red Star OS, this is
exactly what they did. They touched
-
nearly everything on the operating system,
changed it a little bit, added custom code
-
and so this is actually what they
are doing right there.
-
The custom applications that you have are
a browser, which translates to "my country."
-
You also have a crypto tool that Will Scott
has shown last year which is called Bokem
-
which if you translate it kind of
translates to "sword."
-
You have Sogwang Office which is an
OpenOffice customised for North Korean use.
-
A software manager; you have MusicScore
which is an application you can compose
-
music with. Then you have a program which
is called "rootsetting" and it basically
-
gives you root. So if you look into the
documentation, it says you are not
-
supposed to have root on the system for
integrity reasons, but if you want to get
-
root you can use this tool, so they're not
hiding anything. So there are rumours
-
on the net that say that you're not
supposed to get root on the system
-
because it's so locked down. This is not
true obviously because there is software
-
intended to give you administrative privileges.
-
They even touched KDM, so the code base
that they touched is really, really big.
-
Nearly the whole operating system.
-
We are now going to give you a demo.
The first demo that we are doing, we are
-
doing it right now, because we are
actually doing this presentation
-
in Red Star OS.
Laughter and applause
-
So what you see right here is basically
Red Star OS. We're going to show
-
some of the aspects to you. There are many, many
screenshots on the internet; some of you might already
-
know how Red Star works, you might have
experience yourself.
-
We're just going over a few interesting issues.
-
So as you have seen, there is a full-blown
set of word processing, PowerPoint
-
presentation stuff. I'm going to open up
the browser-- pfft, whatever. Laughter
-
--and going into the preferences just to
give you a quick-- no. Muted laughter
-
Oh. Laughter Yeah, to give you an insight
on the Certificate Authorities that are
-
implemented in this Firefox version - it's
Firefox 3 - so you see there are not so many
-
Certificate Authorities right here, and
they all are I guess from North Korea.
-
So the browser is totally created to not
be used outside of North Korea,
-
which you can see in the URL bar.
There is an internal IP address
-
which points into the network of
North Korea, and all of the settings,
-
proxy settings, hard-coded IP addresses,
or whatever, all point into this
-
internal infrastructure of North Korea.
So this browser and the e-mail program
-
were never intended to be used
outside of North Korea.
-
Pfft Okay. Laughter
What else do we have?
-
Okay, we have a QuickTime player.
So speaking of Mac OS X,
-
you all have seen this. Woo! Swoosh. Right?
Okay, so that perfectly mimics Mac OS X.
-
So let me try to find--
I'll try with aplay right here.
-
So this is the shell. Quite interesting is
that when we were looking through
-
all of this stuff, there is a bunch of
files that have a certain protection,
-
and they seem to be pretty important
for the system, and there is a
-
wave file - an audio wave file - that
actually is protected.
-
It's usr/lib/Warnning.wav;
I don't know if we can hear this.
-
I hope that your ears are not going to
explode right now. I'll just try it.
-
Pig squealing
I'll try it again.
-
Pig squealing
You hear that? Laughter
-
Pig squealing
Does anybody know what this is?
-
Shouts of "pig" from audience
Pardon me? Pig, exactly.
-
And where is it coming from?
Does anybody know?
-
That's stolen from Kaspersky antivirus,
because in the older version of
-
Kaspersky antivirus if you find a virus
it actually will play this sound, and it's
-
exactly the wav file from Kaspersky;
we verified this by doing checksums, okay.
-
Laughter So we have a copyright violation
right here. Laughter and applause
-
So what else do we have? I've been talking
about this, you can create your own music.
-
I'm not going to do this now because
I'm not good at making music.
-
What else do we have? We have the browser.
Did we want to show-- ah yeah.
-
I'm going to show you one more thing.
I'm not going to show you the encryption
-
tool because Will Scott has done this
last year, but to give you an insight into
-
the crypto tool, it's pretty interesting.
If you look at the description of the bokem3,
-
bokem is the tool that is used for disk
encryption so it provides the user a tool
-
to encrypt files or even the complete
hard drive, and if you look into
-
the description it says "this allows the user
to store his/her privacy data with encrypted,"
-
which is quite nice. I mean, we didn't
expect to have something like this
-
in Red Star. So the user can at least
try to encrypt files.
-
Bokem is using out-of-the-box crypto
that comes with the kernel.
-
It also uses pilsung, which we don't know
if there are any backdoors in it or not,
-
so we have no idea if this is possible to
decrypt with a master key or something.
-
If you want to look into this, we would be
happy if someone with big crypto
-
experience would look into it.
So let me get back to the presentation.
-
Ah! One thing I need to show you is this
red flag on the right corner, right here.
-
If you look into this, and you translate -
I didn't click the right one - if you are
-
going to translate all of this, you will
find that all of the strings and all of
-
the text that you see right here, they
seem to be an antivirus scanner.
-
So they even implemented from scratch
an antivirus scanner in Red Star OS.
-
You can now select the folder or a file
and say run a check on the file,
-
and if the file is actually a malicious
file - we will come to that part later,
-
what "malicious" is - it will instantly
be deleted from the hard drive.
-
So this is an interesting feature, having
a virus scanner in a Linux OS.
-
Okay so let's look at the custom
components. We have been
-
looking into the user space a little bit,
and all of the programs that come with it.
-
There is far more stuff. Download the ISO,
play around with it a little bit.
-
First, change the language to English.
You will obviously not get far
-
if your Korean is bad.
So change the language and
-
play around with it a little bit.
-
So Red Star comes with
interesting packages.
-
They touched KDE as I said.
They are getting out an integrity
-
checker and a security daemon.
There are signature packages right here
-
which Niklaus is going to talk about
a little bit, there are policies for SELinux,
-
and I'm going to talk about two of the
integrity checking mechanisms that
-
Red Star has.
-
So by looking at Red Star, we saw that
one thing was pretty important to them:
-
They wanted to preserve the integrity
of the system, and one way to do this
-
is using this process right here,
it's called "intcheck."
-
It comes with an SQLite database with
hashes of files on the system,
-
like signatures for the system, and
you can configure it from user space so
-
it's not pretty hidden, it's pretty
transparent to the user.
-
I think there even comes a UI with it
where you can configure everything,
-
and it's run at boot. It checks the files
and if it sees that the files have been
-
manipulated or tampered with - if the
checksum changes - then it will issue
-
a warning to the user.
So you get a small popup that says,
-
"this file has been tampered with," the
security or the integrity of the system
-
is not where it should be. So that's
pretty much what this thing does.
-
securityd is kind of interesting, because
securityd is also a process that is known
-
to run under Mac OS X. I'm not a Mac user,
and I think that Mac OS X with securityd
-
is keeping track of certificates
and stuff like that.
-
So what they did is they reimplemented
securityd for Linux, and they included
-
various plugins. One interesting issue
with securityd is it comes with a library
-
that provides a function called
validate_os(), and what this function does
-
is it has a hard-coded list of files.
You can see like our wav file right here,
-
you can see configuration files, and
autostart files for scnprc which is
-
the antivirus scanner. So it checks if
these files are untouched, and if
-
these files have been tampered with it
initiates a reboot instantly.
-
So if you touch one of these files,
your machine will reboot instantly.
-
The same library is also used from KDM,
so during the startup process when KDM is
-
starting it is also doing an integrity check,
and if it finds that one of these files has
-
been tampered with it actually immediately
issues a reboot, and the problem is
-
that if you start tampering with the system
you will end up in reboot loops
-
all of the time if you're doing research,
because once KDM is saying reboot
-
the system, it's going to check it again
if it's rebooted and sees that it's
-
still tampered with and it reboots again,
and again, and again, and then your
-
system is basically dead.
So what they tried to do with intcheck
-
and securityd is try and protect certain files,
conserve the integrity of these files,
-
and if these files get tampered with they
assume that it is better to have an
-
operating system that you cannot work with
any more than to still let it run or
-
issue any warning.
So integrity is one of the main aspects
-
they were looking for in
implementing Red Star.
-
Okay, I will hand over to Niklaus and
he will go into the guts and the
-
surveillance features a little bit more.
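As an added illustration, not code from Red Star or from the speakers, here is the contrast Florian draws between intcheck and validate_os: an SQLite baseline of file hashes that only reports mismatches, beside a hard-coded list where any mismatch is fatal, with the KDM reboot loop simulated as a bounded counter. The file names, contents and hashes are constructed.

```python
"""Added illustration of the two integrity-check styles described in the talk.
Not Red Star code: the file names, contents and hashes are constructed here."""
import hashlib
import os
import sqlite3
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large protected files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(db_path, files):
    """intcheck-style baseline: one row per protected file in an SQLite table."""
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE IF NOT EXISTS hashes (path TEXT PRIMARY KEY, sha256 TEXT)")
    con.executemany("INSERT OR REPLACE INTO hashes VALUES (?, ?)",
                    [(p, sha256_of(p)) for p in files])
    con.commit()
    con.close()
    return db_path


def intcheck(db_path):
    """intcheck-style check: compare every baselined file against the database.
    Returns a list of (path, reason); the caller only warns, as the talk describes."""
    con = sqlite3.connect(db_path)
    findings = []
    for path, expected in con.execute("SELECT path, sha256 FROM hashes ORDER BY path"):
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif sha256_of(path) != expected:
            findings.append((path, "modified"))
    con.close()
    return findings


def validate_os(protected, expected):
    """validate_os-style check: a hard-coded list, and any mismatch is fatal.
    Returns True when every file is intact; Red Star reacts to False by rebooting."""
    for path in protected:
        if not os.path.exists(path) or sha256_of(path) != expected[path]:
            return False
    return True


def simulate_boots(protected, expected, max_boots=5):
    """Model the reboot loop the talk describes: KDM calls validate_os() at every
    start and reboots on failure, so a tampered file never lets the boot finish.
    Returns the number of reboots before giving up (0 means the system came up)."""
    reboots = 0
    while not validate_os(protected, expected):
        reboots += 1
        if reboots >= max_boots:
            break
    return reboots


def demo():
    """Constructed scenario: two protected files, then one of them is edited."""
    tmp = tempfile.mkdtemp()
    warn = os.path.join(tmp, "Warnning.wav")      # name mirrors the talk, bytes are made up
    conf = os.path.join(tmp, "scnprc.desktop")    # stands in for the scanner's autostart file
    for path, data in ((warn, b"RIFF-constructed-wav"), (conf, b"[Desktop Entry]\nExec=scnprc\n")):
        with open(path, "wb") as f:
            f.write(data)
    protected = [warn, conf]
    db = build_baseline(os.path.join(tmp, "intcheck.db"), protected)
    expected = {p: sha256_of(p) for p in protected}

    before = (intcheck(db), validate_os(protected, expected), simulate_boots(protected, expected))
    with open(conf, "ab") as f:   # edit the autostart file; the talk notes saving it triggers a reboot
        f.write(b"Hidden=true\n")
    after = (intcheck(db), validate_os(protected, expected), simulate_boots(protected, expected))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

intcheck reports the modified file and leaves the decision to the user, while the validate_os policy never lets the boot complete until the file is restored, which is the loop the speakers ran into during their research.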
-
Niklaus Schiess: The most interesting
feature-- package we found was this
-
esig-cb package, which actually says
in the description that it's an
-
"electronic signature system," but we
found that it is doing a lot of weird stuff.
-
This is actually one of the pictures
which is included in the package,
-
which is also protected. We don't know
really why, but it says something like
-
"this is our copyright;"
and "don't break it;"
-
and "don't copy it;" and stuff like that.
-
But it's actually doing
something really different.
-
It includes several pretty interesting files.
We have some configuration files,
-
we have a kernel module, and we also
have this redflag.bmp which is the
-
picture you just saw, and we have the
warning file, and we have some
-
shared libraries, and we'll now go
into the details of what these are actually doing.
-
So the first thing we looked at was
the kernel module, because there is one
-
loaded by default, and we thought
if you want to put some backdoors in it
-
where would you want to put it?
Right in the kernel module, probably.
-
And what it does, it's actually just
hooking several system calls, and it
-
provides a device which is actually
interfaced to the kernel, so you have
-
different services running on a system
that are actually talking to this
-
kernel module via this device,
and it has some functionality like
-
it can protect PIDs. So when you're
protecting a specific process then
-
even root cannot kill this process,
which will be quite interesting
-
in the next slides. It also provides
functionality to on one side protect
-
files, and on the other side to hide files.
So protect means you cannot edit
-
the file, and hide means you
cannot even read the file.
-
So even if you have root,
you can't even read those files.
-
And on the right side is actually how
the services are interacting with this
-
kernel module, and this is one function which
mostly protects and hides the files
-
which we just saw, which are included
in this esignature package.
-
Then like Florian said, we have this
virus scanner which at first glance
-
at least looks like a virus scanner,
and this is this "scnprc" process.
-
It provides a GUI to the user so it's
quite transparent so the user can see
-
"okay, I have something that looks
like a virus scanner, and I can also
-
trigger some scans of
different directories,"
-
and it's started by kdeinit. So there's
this scnprc desktop file which is
-
quite interesting because what you
want to do is disable it, but you
-
cannot actually edit this file.
So as soon as you edit this file
-
and save it, then the system
will immediately reboot.
-
So disabling it is not so easy.
-
Like I already said, you have different
ways of scanning. You can just click
-
on a folder and say "scan this," but
also if you for example plug in
-
a USB stick into the system then it will
automatically scan the files on the USB stick.
-
And this scnprc service is actually
loading the kernel module, and
-
it starts another service which is
called "opprc" which we are going to
-
look at in detail in a minute, and this is
also quite interesting this next service.
-
But the pattern matching, we looked into
this a little bit and there's another
-
package. So we have this esig-cb package
and you have the esig-cb-db package which
-
actually just provides this one single
"AnGae" file. As far as we know,
-
it means "fog" in Korean. And this is
basically a signature file, or how the
-
code references it a pattern file.
It's a file with a well-defined file format
-
and it includes patterns which are
loaded into memory, and as soon as
-
you are scanning a file it just checks if
these patterns are matching and as soon
-
as the patterns are matched then it
immediately deletes the file and it
-
plays the warning, and this is one of
the hidden files so even if you get root
-
privilege on the system you are not
able to actually read this file.
-
So a user of the operating system won't
be able to check "okay, what does it
-
check and can I produce documents
which won't be detected by this"
-
because you cannot actually read this file.
-
We took a look into this. Most likely our
best guess is that these contain--
-
A lot of the files are little-endian so
you always have to switch the bytes
-
and we saw that it looks at least like
they are UTF-16 strings with Korean,
-
Chinese, and some other weird characters,
and if we put these in Google Translate
-
then there are actually some pretty weird
and disturbing terms in those files.
-
But we actually cannot confirm this.
It looks like they are actually not
-
scanning for malware in the system, so
most likely they are checking documents
-
and if those documents match those
patterns then they are most likely--
-
for example, governments don't want these
files to be distributed within the intranet
-
of North Korea then it just
deletes those files.
-
But actually we cannot confirm this
because we are not quite sure if you
-
put those strings in Google Translate that
they are actually real translations.
-
But you can always update these pattern
files, so on the one side scnprc has a
-
built-in update process where it just
updates the file itself, or you can just
-
when you are doing operating system
update via your package manager
-
and you update this esig-cb-db package
and you also get a brand new file.
-
The interesting part of this is that the
developers decide what is malicious.
-
So it's not necessarily that "malicious"
means that it's malware, that it's
-
bad for you, but somewhere the developers
and officials will actually say,
-
"okay, we don't want those files
distributed, just delete them
-
because we think they are malicious."
-
There is this other service which I was
also talking about, this "opprc."
-
This is more interesting than the
virus scanning itself.
-
It's running in the background, so
actually a user will not see that there
-
is actually another service running, you
don't have any GUI or something like that,
-
you cannot trick or something with this,
and this is one of the protected PIDs.
-
So scnprc for example you can just kill
with root privileges, but this is a process
-
no one can kill on the system, and
this is quite interesting because
-
you cannot unload the kernel module
unless this service is killed, so they
-
are actually protecting each other so that
no one can stop the services at all.
-
And this service shares a lot of
code with the scnprc.
-
We just did some entropy checking
and saw okay-- I will talk in a minute
-
when we are comparing more of these
files why we think that this looks
-
pretty much the same, why they are
sharing so much code, because
-
we found something interesting with
older versions of those services.
-
But the most interesting thing this
service is doing is it watermarks files.
-
And now we are going to look deeper
into what this watermarking means.
-
So actually as soon as this system is
started, it reads your hard disk serial
-
and then scrambles it a little bit,
and as soon as you are for example
-
plugging a USB stick into your system
then it will trigger a watermarking
-
process where it takes the serial,
takes a hard-coded DES key from
-
the binary itself, and then encrypts
it and then puts it into your file.
-
And when you are converting this hex key
into a decimal representation then you
-
see that it is actually two dates.
We actually cannot confirm what
-
those two dates mean, but one of those
matches Madonna's birth date, and
-
there are rumours that some people in
North Korea might really like Madonna.
-
This is just speculation, but if you have a
better conspiracy theory then just let us know.
-
Because we found some pretty interesting
stuff, but we cannot confirm this.
-
So technically the watermarks have an
ASCII EOF appended, which is most likely
-
used by the code itself to parse
the files and see if there's already
-
a watermark in there, and for JPEG
and AVI files, for example, it just
-
appends this watermark to the end of the
file, and when you have a DOCX for example
-
it just appends it near the header where
there are a bunch of null bytes, and then
-
it just puts it in there.
-
So the watermarking itself is as soon as
you open a document file with Office then
-
it will be watermarked, and actually they
have code which watermarks files even if
-
you don't open those files, but as soon
as we saw this-- it's pretty buggy.
-
It doesn't work every time, but they have
code for this implemented, and mostly
-
it works but sometimes it just fails.
The supported types that we can confirm
-
are DOCX files, image files like JPEG and
PNG and AVI video files. But the code
-
indicates there are several more file
types available for watermarking, but
-
we most likely didn't look into this.
But the most interesting thing here
-
is that only media files are affected.
So they don't watermark any binaries
-
or something like that, they are reducing
their surface to files which could be used
-
to carry information, which could be used
to put out information for free speech
-
purposes, and actually what we think is
that this is not a security feature.
-
So they are actually trying to watermark
free speech in general, so that every time
-
you have a document file, an image, or
a video file, then they want to know who
-
had this file and they watermark it so
they can track the origin of the file.
-
We have a short demo where you can see
for example I have a USB stick.
-
Let me put it in my system.
-
There is a file on the USB stick which
is a love letter from Kim, and it has
-
a checksum which starts with "529", and
as soon as I plug this into the system--
-
I hope that it will notice this.
-
You can see okay, it recognised something
like a USB stick on the system, but I won't
-
open it, and I won't open any file on the
USB stick. I just will eject it.
-
I hope that it works.
Will it actually open?
-
This is what I meant, that it's kind of
buggy, so it doesn't always work with
-
the watermarking, but most likely if you
open the file itself then it will work.
-
I guess we didn't have the case that it
doesn't work when you open it. [sic]
-
--which then opens Office, and I close
it again and-- just close this.
-
Go back, and then hopefully if we mount
this again then you can see it has
-
been changed. So we didn't change anything
in the file, it was just the operating system
-
that's changing files, and this was
initially the part where we started to
-
look into this more deeply because we
thought an operating system that is
-
just changing files when you are plugging
into the system is kind of annoying.
-
Just to make this easier for you--
So what it actually does in the file,
-
we have here the header of the file
which is a document, a DOCX file,
-
and it just added this string which is
marked right here. This is actually
-
the watermark it's putting in there.
Opposite there you can see the plaintext
-
which is actually encrypted and then
put into the file, and the serial starts
-
with "B48" so every time it puts the
serial into the file, it prefixes it with
-
"WM"
-
we think stands for "watermark" probably,
and you can see the EOF at the end of
-
the file. This allows basically everyone
who can access this file, who can
-
decrypt this watermark which is actually
encoded with the hard-coded key,
-
so pretty much everyone who has access
to this ISO can get this key and can
-
decrypt this. And this allows you to
really track back the origin of the file,
-
where it came from.
-
But there is a pretty funny example.
So imagine you have this picture, and
-
you are inside North Korea and you think
"okay, this is pretty cool, and I want to
-
distribute this to all of my friends."
So you think "okay, they might be
-
intercepting all of my e-mail and my
browser communication," so you put it
-
on a USB stick and give it to your friends
so that you think, "okay, no-one actually
-
on the internet can access this file"
and you give it to someone else.
-
Then at the beginning we have this
situation, where this is the original file.
-
This is the end of the JPEG file - which
by definition always ends with an "FF D9"
-
hexadecimal - and as soon as you give this
to your friend and he plugs the USB stick
-
into his computer which is running Red
Star OS, then the file will actually
-
change and it will look like this.
So for JPEG files, as I said it just
-
appends the watermark to the end of
the file. So you can see the "FF D9," this
-
is the actual end of the image file, and
they're appending the watermark there,
-
like you can see with the EOF.
But where it gets interesting
-
is when your friend is actually
distributing the file to another friend.
-
So what Red Star OS is actually doing,
it appends also the watermark of your
-
third friend. Slight laughter
So what you then can do--
-
If you technically combine this together,
then you can see not only where the file
-
has its origins, but you can also track
each and everyone who had this file
-
and who distributed this file, and with
this knowledge you might be able to
-
construct something like this, where you
can track the distribution of all of the
-
media files which are distributed
over the intranet in North Korea.
-
You can see then in the centre we have
this one really weird guy who is always
-
distributing images that we don't like,
and you can see also who gets these files
-
and trace it back to all of the persons
who ever had this file, and then you
-
can just go home to him and then shut
him down and take his computer.
-
And we have actually not seen any
functionality, but probably there is
-
functionality in the system implemented
where it always sends your hard disk
-
serial to their servers, so the OS can
probably be able to match your IP
-
address to your hard disk serial, and
then they don't even have to go to your
-
home and get to your computer and check
your hard disk serial, they just can do
-
this remotely and can check all of the
distribution of all malicious media files
-
within the intranet of North Korea.
-
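The JPEG trailer just described (records appended behind the image's FF D9, one per machine the file passed through), as an added detection-side example that is not code from the talk or from Red Star OS. It walks the JPEG marker stream to locate the real End Of Image marker and then counts the appended records; the record layout of an ASCII "WM" prefix, an opaque encrypted serial and an ASCII "EOF" terminator is an assumption drawn from the speakers' hex dump description, and nothing is decrypted.

```python
import struct
from dataclasses import dataclass

SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA
WM_MARK, EOF_MARK = b"WM", b"EOF"   # assumed ASCII record prefix / terminator


def find_eoi(jpeg: bytes) -> int:
    """Offset just past the real End Of Image marker.

    Walks the marker segments up to Start Of Scan, then looks for FF D9 in
    the entropy-coded data. An EXIF thumbnail before SOS carries its own
    FF D9 (a first-match search stops too early) and encrypted trailer bytes
    may contain FF D9 as well (a last-match search stops too late).
    """
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while True:
        if pos + 4 > len(jpeg) or jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker stream")
        marker = jpeg[pos + 1]
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == SOS:
            break
    # In entropy-coded data FF is followed only by 00 or a restart marker,
    # so the first FF D9 after the SOS header is the true EOI.
    end = jpeg.find(EOI, pos)
    if end < 0:
        raise ValueError("no EOI marker")
    return end + 2


@dataclass
class TrailerReport:
    image_end: int     # where the image really ends
    trailer_len: int   # bytes appended behind EOI
    hops: int          # WM...EOF records, one per machine that touched the file
    well_formed: bool  # trailer consists only of such records


def inspect(jpeg: bytes) -> TrailerReport:
    """Report the watermark trailer without decrypting it."""
    end = find_eoi(jpeg)
    trailer, pos, hops, ok = jpeg[end:], 0, 0, True
    while pos < len(trailer):
        if not trailer.startswith(WM_MARK, pos):
            ok = False
            break
        stop = trailer.find(EOF_MARK, pos + len(WM_MARK))
        if stop < 0:
            ok = False
            break
        hops, pos = hops + 1, stop + len(EOF_MARK)
    return TrailerReport(end, len(trailer), hops, ok)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample, not a real image: an APP1 segment embedding an FF D9
# pair (as a thumbnail would), a SOS header, fake entropy data, the real
# EOI, then two records standing for two hops between Red Star machines.
CLEAN_JPEG = (SOI + _segment(0xE1, b"Exif\x00\x00" + EOI + b"thumb")
              + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
              + b"\x12\x34\xff\x00\x56" + EOI)
HOP_1 = WM_MARK + b"\x9a\x11\xff\xd9\x02" + EOF_MARK  # constructed ciphertext
HOP_2 = WM_MARK + b"\x03\x77\x4c" + EOF_MARK
TAGGED_JPEG = CLEAN_JPEG + HOP_1 + HOP_2

if __name__ == "__main__":
    print(inspect(CLEAN_JPEG))   # hops=0, well_formed=True
    print(inspect(TAGGED_JPEG))  # hops=2, well_formed=True
```

A hop count above zero on a file that never left the machine that is scanning it is the simplest sign that the watermarking component is active.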
What we thought is pretty hard for someone
who doesn't have access to a system other
-
than Red Star OS, who just has this one
system, and tries to disable all of this
-
malicious functionality like the virus
scanning that can delete all of your files
-
that someone else doesn't like, or the
watermarking/the tracking of those files.
-
And this is actually quite hard, because
some of those services are depending
-
on each other and can only be killed
when the other service is not running.
-
So what you actually have to do is you
have to get root privileges, and then you
-
have to kill those two integrity checking
daemons which Florian was talking about
-
so that it doesn't always reboot the
system when you're changing anything.
-
Then you can, via ioctl calls to the kernel
module, just say "disable", because
-
it has this nice feature where you can
enable and disable it, and then you
-
can kill scnprc, opprc, and the
best thing you can do is--
-
Weirdly, the libos file is not protected
by anyone, so you can just exchange
-
this with a validate_os() function which
always returns 1 which says everything
-
is fine, and then at the end you can
delete the desktop file which is used
-
by KDE in it to start all of these
processes, and then you are fine.
-
And we don't think that actually anyone
in North Korea who only has access
-
to this one system-- It will be extremely
hard to figure all of this out and
-
to completely disable it. So they did
a pretty good job in building an
-
architecture which is quite self-protecting,
and they put a lot of effort into it
-
to just prevent you from disabling all of
the malicious functionality.
-
We also took a quick look at the second
version of Red Star OS, just to compare
-
some of those services, and there we can
see there is quite an evolution from the
-
older version to the current version.
The thing which I was talking about,
-
that the binaries are quite similar,
is that in the older version they used
-
a lot of shared libraries, and in the
current version they statically linked
-
a lot of code into the binaries themselves
even if they don't use it, so the codebase
-
looks quite the same. And the chain of
starting the processes is a little bit
-
different, so they put a lot in the init
process which will be started at first
-
and not like this depending-on-each-other
infrastructure which they have in the
-
current version. In the current version
they also have a lot of problems with
-
file privileges, so privilege escalations
would be pretty easy, even if you don't
-
have this root setting file. But also they
have a lot of binaries that are just
-
setting that everyone can read and write
this interface to the kernel module,
-
which basically allows you even as a
non-root user to disable the kernel
-
module, and then you can kill all of the
binaries but you cannot actually delete
-
something because it will then
end up in the reboot loop.
-
And when you are doing something malicious
then the OS reboots; in the older version
-
it just shuts down the system, so we
thought this is a pretty interesting thing.
-
And we think, and we saw, that there's
a more advanced watermarking
-
technique in there which is not just
appending watermarks into the files
-
but it looks like they are doing, for
video and audio files at least,
-
something like they are putting the
watermarks as filters on the files.
-
So this will be a little bit harder to
actually see those watermarks
-
and read those watermarks, because it
is not so obvious like when you have
-
this "EOF" string at the end which
is always quite weird.
-
But it uses this "/usr/lib/organ" file
which is actually not present on the
-
ISO we had. We're going to talk about
this in the conclusion why we think
-
this might not be there, but it's
actually not available. It's referenced
-
a lot in the code, but we actually
haven't had this file and unfortunately
-
we couldn't look into this more deeply.
-
So what we didn't find were quite obvious
backdoors which we thought would be
-
in place, and that they would be pretty
easy to spot. But we didn't see any of those.
-
It doesn't mean that there are no
backdoors, but we have some
-
speculations for this, and one of these
is that like we saw at the beginning of
-
the talk that there are actually systems
on the internet running this version
-
of Red Star OS, so it would be pretty
weird if they would backdoor a system
-
and then put it on the internet.
As far as someone gets the ISO file,
-
and can look for backdoors and can find
some of them, they would be actually
-
able to exploit the system
from the internet.
-
Actually the system has a package manager
and as we saw with the pattern file
-
it has built-in update functionality and
different services, so backdoors could
-
just be loaded via updates
because probably they thought
-
"okay, these ISOs might be leaked into
the outside world" and you just get
-
an ISO, install it, update your system -
which is only possible from within the
-
intranet of North Korea, with hard coded
internal IP addresses - so probably they
-
thought "we only want our backdoors on
the systems which are actually located
-
within North Korea."
-
This is what we thought, that they thought
the ISO might be leaked, which is what
-
actually happened. Another problem
is that, like Florian already said, they
-
will touch a lot of code within the
operating system and we didn't manage
-
to check all of the code. We mostly
focused on the watermarking and the
-
virus scanning stuff, and there might be a
lot of code that should be checked further.
-
The conclusion also is that the system's
quite self-protecting. They not only
-
implemented several services for
integrity checking themselves but also
-
they configured and implemented SELinux
and something like that, to just protect
-
the system and make it more secure.
-
What we think is really bad is this
virus scanning and watermarking,
-
because it actually allows you to
track not only the origin but the
-
complete distribution within the network
of those files, and combined with the
-
virus scanner where the developers are
able to actually say what files are really
-
malicious and what shouldn't be
distributed within the network,
-
it just deletes those files. So these
two combined are a really strong
-
framework which can help you to track
malicious people within your network.
-
But some words about security: Like I
said, they have a lot of problems with
-
file permissions. There are actually some
documents on the ISO of the server
-
version of Red Star OS 3.0, and there are
some user guides and administration
-
guides which are quite interesting, and
they talk a lot about how to make the
-
system secure, how to run it secure, and
why they are doing different kinds of
-
stuff to save the integrity of the system.
They have a huge chapter talking about
-
file permissions, but they actually didn't
manage to fix them themselves which
-
is quite weird. And even their custom code
uses basic memory corruption protection
-
like stack cookies, and non-executable
stacks which we saw that a lot of security
-
vendors don't bother to use, so we
thought this is quite funny.
-
Some of their code is more secure than
a lot of security appliances.
-
Slight laughter
-
Florian: So to wrap this up--
Am I going, can you hear me? Yes.
-
Okay so to wrap this up, again we think -
this is a guess - that primarily they try
-
to protect and to save the integrity
of the system, which totally makes
-
sense if you're putting out an
operating system from North Korea.
-
The system was, in our opinion,
definitely built for home computers,
-
so it's not like industrial control or
something else, it's definitely built
-
for a home user because it mimics
Mac OS X and gives you all of the tools.
-
Maybe the reason why we didn't find
backdoors is they actually know that
-
backdoors are bullshit. Could be a
reason, we don't know.
-
If you want to look into Red Star OS and
help us out, especially with the crypto,
-
the pilsung kernel module which provides
custom crypto, with a look into the kernel
-
to see if there is something hidden there,
if maybe there are backdoors there,
-
take a look at our GitHub.
Please contribute if you find
-
something, because we think that this
message and all of this stuff has to
-
be put out to the public, so it is a
well-known fact that this operating
-
system is actually abusing free software
to actually make free speech harder
-
in a country that is quite oppressed.
-
So with this, we are at our end and we
are going to take your questions now.
-
Applause
-
Herald: Thank you very much. We have
about 15 minutes time for questions.
-
If you want to ask a question, please
come to the microphones.
-
There are some on the right
and some on the left aisle.
-
If you for any reason can't come to
the microphones, please raise your
-
hand and I'll come to you
with my microphone.
-
Okay, please line up there. If you
wanna leave now, please do this
-
quietly through the front door.
-
Florian: Could you raise your hand if
you have questions and standing at
-
the microphone? There are like
three questions over there.
-
Herald: Yeah, on the left one please.
-
Audience 1: Hello? Yeah. So thank you
very much, it was very interesting.
-
I have two questions: Have you tried
isolating the system in a chroot jail?
-
And the second one is: Were there any
outbound connections, like automatic
-
outbound connections it made?
-
Florian: Okay so for the first question,
we did not try to run it in an isolated
-
environment. We actually didn't--
Did we install it on a live system?
-
I don't think so. Did we?
Niklaus: Yeah.
-
Florian: Yeah, okay. But we didn't do any
observations that this changed the
-
behaviour of the system. Concerning the
second question, there actually is not
-
really outbound traffic. What it is doing
is on the local network it is talking a
-
lot of NetBIOS stuff. So there is an
SNMP and an nmbd daemon running
-
on the system and it's talking a
lot of NetBIOS. But this is basically
-
everything we could find. We have even
left it running for like two days, to see
-
if there is an outbound connection for one
day or something like that. We couldn't
-
see anything like that. So the only stuff
that Red Star's talking to the network
-
is like this Windows NetBIOS stuff, and if
you push the button on the update
-
feature of the virus scanner, it's
actually trying to initiate an update
-
process that goes to five hard-coded
IP addresses that are all local.
-
So like 192.168.9 something, and
172 whatever. These are the only
-
network connections that we could trigger,
or that we have observed so far.
-
A1: Thank you.
Herald: The next question is also
-
from this microphone.
Audience 2: Two questions:
-
Might it be possible that when you install
the system it gets code from North Korea
-
so you cannot find out if it's calling
home because you don't get the call?
-
Florian: Could be. Our guess is actually
that there is far more stuff that you get
-
when you pull up the operating system in
North Korea. One reason is the organ file
-
that Niklaus mentioned that is missing on
the system with the additional crypto
-
information that is used for the extended
watermarking that they are applying.
-
We don't know where this file is coming
from, and from our perspective it totally
-
makes sense to not distribute this file
on the ISO but to kind of give it as an--
-
I don't know, somebody has to come to
your house to install the software and
-
then he puts like this dedicated organ
file on your desktop that is specific
-
to you, for example. That would totally
make sense because, as you know,
-
stuff works a little bit different.
It's not like downloading an ISO
-
and installing it, it's probably more
complex to get this onto your system
-
if you want to use this. So there might
be more stuff that is pushed either
-
via updates - only internal - and this
organ file and other stuff that can get
-
to your computer-- We don't know if this
is possible or if something is happening
-
with this feature.
A2: And the second question is if you look
-
at it from the North Korean view, that's
like they had the problem. They are quite
-
happy, have a nice state, everything's
working fine from what they see, and
-
now people come from South Korea,
from Western countries, bring their USB
-
sticks with Western propaganda that to
have stuff like this watermarking even
-
if it is like evil. Like a natural reaction
from a closed system.
-
Florian: So actually it totally makes
sense to develop the system in the
-
way they developed it. It totally makes
sense, because it kind of reflects a
-
little bit how the government is working.
Because integrity is not only a critical
-
part not only for the operating system,
it's also a part for the state itself.
-
Like shutting down everything, closing
off everything - that's, by the way,
-
the screensaver - and closing down
everything also totally makes sense.
-
And tracking stuff that is distributed
in the country or deleting unwanted stuff
-
also makes sense. So what we think that
Red Star resembles this and matches
-
how culture is in North Korea, actually.
-
Herald: Okay, we also have two questions
of the IRC which I would like to shift in.
-
Signal angel: Thank you. Okay, the first question
is if you have any theory on how and why
-
the ISO got leaked.
-
Florian: We don't know this, actually. 'Why?' is--
We don't think that it was somebody
-
from North Korea, we think that it might
be a foreigner that got it.
-
Like Will Scott told us last year that he
was able to get a copy of it and get it
-
out of the country. There might
be others that are able.
-
There is actually tourism in North Korea.
You can go there for your holidays.
-
So I guess that if you put a little bit
of effort into it, it's possible to get
-
nearly anything out of the country if
you want to try to take the risk.
-
But we don't know who leaked the version
and we don't know why it actually was leaked.
-
Niklaus: There are actually rumours that
it was a Russian student who was studying
-
in North Korea, and he bought this on the
street and just brought it out of the country
-
and put it on his blog, but we cannot
confirm that this is actually true.
-
Signal angel: Okay, thanks. And the second question
is if there has been any attempt at the
-
custom kernel modules yet, like
reverse engineering or something.
-
Florian: Well we reverse engineered rtscan
which is pretty simple because it just
-
hooks a few function calls, that's it.
We have taken a look at the
-
Korean Display Module on a first glance.
It seems to do what it is supposed to do,
-
having something to do with display
management, but we didn't take a look
-
at all of the kernel modules, all the rest
of the remaining kernel modules,
-
because the code base is so massive
that we actually need you guys to
-
help us out a little bit.
-
Herald: Next question from the mic please.
Audience 3: Yes, I have another question.
-
You said that most of the software is
based on other open source software
-
for which you don't have the source code,
and it didn't come with the ISO, so it's
-
pretty much a massive violation of
open source licenses.
-
Florian: Yep, absolutely.
A3: So my question would be:
-
Could you get an insight into what other
packages are available, or from the
-
package manager, and what
other packages are there?
-
Florian: Actually, there is a DVD which
also was leaked. I think that it was for
-
Red Star 2. I'm not sure if it is also
for the latest version, but there is
-
a CD with additional software and you
have stuff like Apache, MySQL-- pfff
-
I don't know. All of the stuff you
basically need to run a full-blown
-
operating system on Linux. So there is
additional software out there, you can
-
download the DVD and install this
software on the machine.
-
If you go through the RPM descriptions
you will see that for some of the
-
software they even wrote-- They kind of
used a description for the license which
-
says "KCC" which is the Korean Computer
Centre. And sometimes they use GPL,
-
and sometimes they use GNU, and yeah.
So massive violations.
-
A3: Did you ask them for the source code?
Laughter
-
Florian: Actually, we think that there is
an internal git in North Korea where you
-
can just check out everything, so...
We suppose it is this way because it's
-
open source, right? By the way,
open source. Laughter
-
Herald: Very nice. One more question
from here? Are you having a question?
-
No, okay then we have one more
question from the internet.
-
IRC: Yes, the question is if there is a
possibility to fake the watermarks
-
to get some innocent North Korean
into trouble. Quiet laughter
-
Florian: Yeah, no problem because the
key's hard coded. You could, like--
-
You know how to scramble the hardware ID
or the disk serial, and you could perfectly
-
forge documents. That would be not a
problem. Not a problem at all.
-
You just need the serial number, basically.
A3: Okay, and I've just got another question
-
that is: Does the warning.wav
have a watermark?
-
Florian: Umm...
Niklaus: No, actually it has the exact
-
same checksum as the original file.
Florian: Actually we didn't check if it--
-
No, so it does not have a watermark
because as Niklaus said, it's the same
-
checksum as the Kaspersky one.
A3: Okay, thanks.
-
Herald: Okay, thank you very much.
Please give Florian and Niklaus another
-
big round of applause for an amazing talk.
Florian: Thank you.
-
Applause
-
postroll music
-
subtitles created by c3subtitles.de
Join, and help us!