Lifting the Fog on RedStar OS

Niklaus Schiess && Florian Grunow

Agenda
- Motivation
- Architecture of RedStar OS
  - Operating System
  - Additional components
- Lifting the Fog
  - Deep dive into the most interesting features
- Conclusions
- Questions

12/27/2015 #2

Disclaimer
- We never visited DPRK
  - What we say about DPRK is mostly speculation.
- We have analyzed ISOs found on the Internet
  - No guarantee that they are not fake...
  - ...but they seem legit.
- It's not about making fun of them
  - Not of the developers...
  - ...and certainly not of the people of DPRK.
- No focus on security in this talk

Motivation
- RedStar ISOs leaked some time ago
  - Most recent: end of 2014
- No in-depth analysis yet
  - Most blogs/news articles to date are superficial
- The world should know what it's really about
  - What RedStar users are subjected to
  - State of development in DPRK

Some Previous Work
- "Closely resembles Mac OS X"
  - [Link] system-redstar-30
- "Computer Science in the DPRK"
  - Will Scott at 31C3
- "North Korea's Naenara Web Browser: It's Weirder Than We Thought"
  - Mostly covering the browser and email client
  - Interception of traffic
  - [Link] we-thought/

RedStar OS 3.0
The basis and custom components

Operating System
- Different leaked versions
  - Server (3.0) and Desktop (2.0 (and 2.5?) and 3.0)
  - We focused on Desktop 3.0
  - Version 3.0 might even be the latest version

RedStar OS 3.0 Desktop Timeline (Our Guess)
- 2009: based on Fedora 11
- 2011: kernel 2.6.38 (Fedora 15)
- June 2013: latest package build dates
- December 2014: public leak

Operating System
- Fully featured, general purpose desktop system based on KDE
  - Look and feel of Mac OS X
  - Email client, calendar, word processor, media player, disc/file encryption utility...
- Kernel version 2.6.38 (see the timeline)
  - Additional kernel modules (rtscan, pilsung, kdm, kimm, ...)
- Developed by Korean Computer Center (KCC)
  - DPRK's leading government research center for information technology
  - Had a branch office in Germany (KCCE)
- System hardening
  - SELinux (with custom modules)
  - iptables
  - Snort (not running by default)
  - Custom services

A quote from Kim Jong-Il:

"In the process of programming, it is important to develop one in our own style [...]"



Custom applications
- Naenara ("my country") -> Browser, based on Firefox
- Bokem ("sword") -> Crypto tool
- Sogwang Office -> OpenOffice
- swmng -> Software Manager
- MusicScore -> Compose music!
- "rootsetting" -> get root!
- They even touched KDM



RedStar OS Demo

Lifting the Fog
RedStar's custom components

Interesting Red Star Packages
- esig-cb-2.0-a.rs3.0
- esig-cb-db-1.1-1.rs3.0
- intcheck-1.0-23.rs3.0
- selinux-policy-3.9.7-3.rs3.0
- selinux-policy-targeted-3.9.7-3.rs3.0
- kdebase-3.5.1-5.rs3.0
- securityd-1.0-1.rs3.0

intcheck – Integrity Checking
- A daemon that checks the integrity of various files
  - Comes with a SQLite database of signatures
  - Checks mostly system-related files
  - Includes signatures for some custom RedStar files
- Configurable via system preferences
  - Check integrity at boot-up/run-time
  - Log output available in system preferences
- Prints error messages when integrity checks fail
  - No other relevant actions

securityd – More Integrity Checking...
- Kind of mimics OS X's securityd
  - Includes various plugins
- Includes /usr/lib/[Link].0.0.0
  - Provides a validate_os() function
  - Integrity checking
  - Hardcoded MD5 checksums
- kdm also calls validate_os()
  - During startup
  - Reboot loop if the integrity check fails!

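The intcheck/securityd design of the two slides above, written out as an added example (this is not RedStar code and not the authors' tooling): a verifier that keeps file digests in a SQLite table, reports every entry as ok, modified or missing, and a validate_os()-style boolean verdict on top. It uses SHA-256 where the slides report MD5, and the file names, contents and temporary directory in demo() are constructed for the demonstration.

```python
import hashlib
import os
import sqlite3
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks; algo is any hashlib name. The slides report MD5,
    SHA-256 is used here because MD5 collisions are practical."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_signature_db(db_path, paths, algo="sha256"):
    """Record the current digest of every path, intcheck-style, in SQLite."""
    con = sqlite3.connect(db_path)
    con.execute(
        "CREATE TABLE IF NOT EXISTS sig (path TEXT PRIMARY KEY, algo TEXT, digest TEXT)"
    )
    con.executemany(
        "INSERT OR REPLACE INTO sig VALUES (?, ?, ?)",
        [(p, algo, file_digest(p, algo)) for p in paths],
    )
    con.commit()
    con.close()


def check_integrity(db_path):
    """Return {path: 'ok' | 'modified' | 'missing'} for every recorded file."""
    con = sqlite3.connect(db_path)
    rows = con.execute("SELECT path, algo, digest FROM sig").fetchall()
    con.close()
    result = {}
    for path, algo, digest in rows:
        if not os.path.isfile(path):
            result[path] = "missing"
        elif file_digest(path, algo) != digest:
            result[path] = "modified"
        else:
            result[path] = "ok"
    return result


def validate_os(db_path):
    """Boolean verdict like the slide's validate_os(): True only if nothing changed.
    intcheck only logs a failure; kdm reboots on it. The check is the same,
    the consequence is a policy decision made by the caller."""
    return all(status == "ok" for status in check_integrity(db_path).values())


def demo():
    """Constructed scenario: two fake system files, one patched after enrolment.
    Returns (per-file status keyed by basename, validate_os verdict)."""
    workdir = tempfile.mkdtemp(prefix="intcheck-demo-")
    lib = os.path.join(workdir, "libdemo.so")   # constructed name
    binary = os.path.join(workdir, "demo-bin")  # constructed name
    with open(lib, "wb") as f:
        f.write(b"original library code")
    with open(binary, "wb") as f:
        f.write(b"original binary code")
    db = os.path.join(workdir, "sig.db")
    build_signature_db(db, [lib, binary])
    # Tamper with one file the way a user replacing a library would.
    with open(lib, "wb") as f:
        f.write(b"patched library code")
    statuses = {os.path.basename(p): s for p, s in check_integrity(db).items()}
    return statuses, validate_os(db)


if __name__ == "__main__":
    print(demo())
```

The weak point the slides expose is visible in the structure: the digest table (or, for securityd, the MD5 constants inside the library itself) lives on the same writable filesystem as the files it protects, so anyone who is root can re-enrol a modified file or swap out the library that holds the checksums, which is exactly what the "Completely Disable Custom Components" steps later in the talk do.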


esig-cb-2.0-a.rs3.0
"Electronic Signature Systems"

esig-cb-2.0-a.rs3.0 - Interesting Files
- /etc/init/[Link]
- /lib/modules/[Link]-[Link]/kernel/fs/[Link]
- /lib/modules/[Link]-24.rs3.0.i686/kernel/fs/[Link]
- /usr/bin/opprc
- /usr/bin/[Link]
- /usr/bin/scnprc
- /usr/lib/[Link]
- /usr/lib/[Link]
- /usr/lib/[Link]
- /usr/lib/[Link].0
- /usr/lib/[Link].0
- /usr/lib/magiccb

rtscan – The Interface to the Kernel
- Hooks several system calls
  - kill, open, close, unlink, rename
- Creates /dev/res
  - Interaction via ioctl calls
- Protects PIDs
  - Processes not killable
- Protects files
  - Files not editable
- Hides files
  - Files not readable

scnprc – "The Virus Scanner"
- Provides a GUI that looks like an actual virus scanner
  - Visible to the user
- Started by kdeinit
  - Via /usr/share/autostart/[Link]
- Different ways to trigger scanning
  - Automatically, without opening files
  - By selecting folders in the GUI
- Loads the rtscan kernel module
- Starts opprc

scnprc – Pattern Matching
- /tmp/[Link] file includes the signatures
  - "Angae" means "fog" in Korean
  - Not readable, even by root (hidden by rtscan)
- Includes UTF-16 strings in Korean/Chinese/$whatever
  - Google Translate says terms like "strike with fists", "punishment", "hungry"
  - We cannot confirm this
- Pattern updating
  - Built-in update functionality (hardcoded intranet IPs)
  - New [Link] versions by updating the esig-cb-db package
- Can be used to delete "malicious" files
  - The developers decide what is "malicious"

opprc – The Evil Twin
- Running in the background
  - Not visible to the user
- Cannot be killed
  - Protected PID (by rtscan)
- Shares a lot of code with scnprc
- Applies watermarks to files

Watermarking
- Watermarks are applied by opening files
  - Sometimes even without opening them
- Supported file types
  - We can confirm: DOCX (from Microsoft Office), JPG, PNG, AVI
  - Code indicates additional media file formats
- This is not a security feature, they watermark free speech!

Watermarks
- Encrypted hard disk serial
  - DES encryption
  - Hardcoded key: 0x13 0x52 0x07 0x0d 0x13 0x3A 0x08 0x10
  - Read as decimal bytes: 19 82 7 13 / 19 58 8 16, i.e. 1982-07-13 and 1958-08-16
- ASCII "EOF" at the end
  - For .jpg and .avi it is simply appended to the end of the file
  - For .docx it is placed near the beginning, with lots of null bytes

Watermarking Demo

Watermark – Example in DOCX

Plaintext: WMB48Z789B3AZ97
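As an added example (not the authors' tooling and not RedStar code), a parser for the appended watermark the slides describe for JPG and AVI: it computes where the legitimate container ends (the JPEG EOI marker reached by walking the marker segments, or the size field of the RIFF header) and treats whatever follows, up to the trailing "EOF", as the DES ciphertext of the disk serial. The sample JPEG and AVI bytes and the 16 "ciphertext" bytes are constructed for the demo; DES-ECB and the optional pycryptodome decryption are assumptions, since the slides give only the algorithm and the key; the DOCX placement "near the beginning" is not handled here because its exact offset is not given.

```python
import struct

# Hardcoded DES key from the slide; read as decimal bytes it spells
# 19 82 07 13 / 19 58 08 16, the dates the authors point out.
DES_KEY = bytes([0x13, 0x52, 0x07, 0x0D, 0x13, 0x3A, 0x08, 0x10])
MARKER = b"EOF"  # ASCII terminator at the end of the watermark


def jpeg_end(data):
    """Offset just past the EOI marker (FF D9) of a JPEG, found by walking the
    marker segments from the start rather than searching backwards, so bytes
    appended after the image are never mistaken for part of it."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte
            pos += 1
            continue
        if marker == 0xD9:                              # EOI before any scan
            return pos + 2
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:    # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                              # SOS: entropy data until FF D9
            eoi = data.find(b"\xff\xd9", pos)
            return None if eoi < 0 else eoi + 2
    return None


def riff_end(data):
    """Offset just past a RIFF/AVI container: the header's size field counts
    everything after the first 8 bytes."""
    if data[:4] != b"RIFF" or data[8:12] != b"AVI ":
        return None
    return 8 + struct.unpack("<I", data[4:8])[0]


def split_watermark(data):
    """Return (clean_bytes, ciphertext_or_None). Only trailing data that ends
    in the EOF marker is treated as a watermark; other trailers are left alone."""
    end = jpeg_end(data) or riff_end(data)
    if end is None or end >= len(data):
        return data, None
    trailer = data[end:]
    if not trailer.endswith(MARKER):
        return data, None
    return data[:end], trailer[:-len(MARKER)]


def decrypt_serial(ciphertext):
    """Decrypt the watermark with the hardcoded key. DES-ECB is an assumption;
    pycryptodome is optional and None is returned when it is not installed."""
    if len(ciphertext) % 8:
        return None
    try:
        from Crypto.Cipher import DES
    except ImportError:
        return None
    return DES.new(DES_KEY, DES.MODE_ECB).decrypt(ciphertext)


def sample_jpeg():
    """Constructed minimal JPEG: SOI, APP0/JFIF, SOS with 3 entropy bytes, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sos + b"\x12\x34\x56" + b"\xff\xd9"


def sample_avi():
    """Constructed minimal RIFF/AVI header with one empty LIST chunk."""
    body = b"AVI " + b"LIST" + struct.pack("<I", 4) + b"hdrl"
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed stand-in for two DES blocks of encrypted serial.
SAMPLE_CIPHERTEXT = bytes(range(0x40, 0x50))


def demo():
    """Mark both samples the way the slides describe (append ciphertext + EOF),
    then strip them again; returns (restored byte-for-byte?, ciphertext) per type."""
    out = {}
    for name, original in (("jpg", sample_jpeg()), ("avi", sample_avi())):
        marked = original + SAMPLE_CIPHERTEXT + MARKER
        clean, ct = split_watermark(marked)
        out[name] = (clean == original, ct)
    return out
```

Because the mark sits entirely after the container's own end for these two formats, cutting at the computed end restores the original file byte for byte, and the bytes between that end and "EOF" are what decrypt_serial() would turn back into a serial such as the WMB48Z789B3AZ97 shown as plaintext on the slide above. PNG, which the slides also list, is not handled because the slides do not say where the mark is placed in it.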


Watermark screenshots: Original, First user, Second user

Completely Disable Custom Components
- Get root (via the rootsetting application)
- Kill securityd
- Kill intcheck
- Disable rtscan via ioctl
- Kill scnprc and opprc
- Replace /usr/lib/[Link].0
- Delete /usr/share/autostart/[Link]

Evolution – Differences between 2.0 and 3.0
- A lot of code statically linked into opprc/scnprc
  - The older version used many shared libraries
- opprc not started by scnprc, but by
  - /sbin/init (highly customized)
  - /usr/bin/signature
- Integrity checking by
  - /sbin/init
  - /usr/bin/signature
- File permissions on /dev/res
  - Various binaries do "chmod 777 /dev/res"
- Custom code built into hald
- They moved from "init 0" to "reboot"

The Organ Mystery (thx @_fel1x)
- File missing on the system, but referenced:
  - /usr/lib/organ
- Is read by opprc
  - Decrypts it -> gets crypto information from the file
- opprc uses this for extended watermarking information

Conclusions
- No backdoors?
  - Probably because:
    - They use it on the Internet
    - Backdoors via updates
    - Not included because the ISO could be leaked
    - Vast parts of the code are tainted by DPRK
  - Maybe we didn't find it?
- Self-protecting system
  - Integrity checking
  - System hardening

Conclusions
- "Virus scanning" and watermarking
  - Track origin and distribution of files
  - Prevent distribution of files
  - Wet dream for an oppressive regime
- Security
  - Problems with file permissions
  - Custom code uses basic protections (stack cookies, NX, ASLR, ...)

Conclusions
- Guess: They primarily tried to protect the system.
- Guess: The system was built for home computers.
- Guess: They know backdoors are bullshit! ;-)
- Please contribute to lifting the fog even more:
  - [Link]

Questions?
Niklaus: @_takeshix
Florian: @0x79

Thank you!
Go make the world a safer place!