2. Red Star OS: Background
● Government sponsored OS (North Korea)
● Not much is known about the technology or
software industry in North Korea
● North Korea is among the most heavily censored
countries in the world
● Supposedly ships a mysterious firewall --
Pyongyang Fortress
3. Red Star OS 2.0
● Believed to be in development since 2004
● Russian student leaked it in 2010
● RPM based Linux distribution
● Windows XP clone based on KDE3
● Closest to Fedora 9
● Base Installation + “Extra Software CD”
4. Red Star 3.0
● Leaked at the end of 2014
● Mac OS X clone
● Client and Server version
● NO “extra software CD” leaked yet
● Uses Snort by default. No Pyongyang
Fortress.
5. Red Star 2.0: Installation
● Installer seems to be based on Anaconda
● Censorship Attempts
● Weird Korean usage
● Default account is root
● Switch language to English
● Software written in North Korea is available
only in Korean
8. Network Stack
● Linux Kernel 2.6.25-14
● Default IPTables configuration
● Firewall NOT installed by default!
● Naenara browser [Naenara Portal]
● All requests seem to be proxied!
● Kwangmyong [Intranet]
● Only one block of 1024 IP addresses (a /22)
● Entire country behind a NAT
10. Curious case of FTP server
● vsFTPd 2.0.5
● Known as a secure open-source FTP
server
● Minimises use of the root user and uses chroot
● Counter-intuitive: a hardened FTP daemon on a
system whose default account is root
11. Network Services & Exploitation
● Look for publicly available exploits
● Use Metasploit to target and launch exploits
● Test whether Pyongyang Fortress blocks the
exploits or raises alarms
● Results:
○ They use old software
○ No warnings from the firewall
○ Unfortunately, no exploit was successful
12. Pyongyang Fortress
● Initial Reverse Engineering (RPM package)
● Strikingly similar to Snort 2.3.3 (open-source
NIDS)
● Shares the following with Snort 2.3.3:
○ configuration files
○ firewall filter rules
○ some binaries
● Basically, a rip-off of Snort!!
15. Pyongyang Fortress: Analysis
● pysips: the Snort 2.3.3 binary, but less than
half the original size
● pys: the user-interface implementation and
glue
● libiqp.h: Standard header file for iptables
● pys.mo: GNU message catalog giving a one-to-
one translation of the English messages into
Korean
16. Pyongyang Fortress: Analysis
● pysgethard: smartctl, control and monitor
utility for SMART disks [predict drive failure!]
● pysgetdns: a cut-down nslookup binary
● bpsign: some sort of certificate
signing/verification utility. Segfaults!
● pic_vpn: Seems like a wrapper for OpenVPN
17. bpSign vs OpenSSL
● OpenSSL(0.9.8a from 2005)
● bpsign is a derivative of OpenSSL
● Some custom crypto/code
● size (bpsign): 692K
● size (openssl): 364K
● Checked for anti-debugging tricks
● Seems like they started developing it and
gave up, but still shipped it!
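The "rip-off of Snort" and "derivative of OpenSSL" conclusions on slides 12 and 17 rest on comparing the shipped binaries with the upstream ones. A cheap first signal, before any disassembly, is how much of the upstream string table (format strings, option names, error messages) survives in the suspect binary. The script below is an added example, not code from the presentation; the sample "binaries" are constructed byte blobs, not Red Star files, and `compare_files` is the entry point you would use on a real RPM payload next to an upstream build.

```python
"""Quick provenance check: how much of binary A's string table reappears in binary B?

A stripped derivative of an open-source tool usually keeps most of the original's
format strings, option names and error messages, so string-set overlap is a cheap
first signal before any real disassembly.
"""
import re


def extract_strings(blob: bytes, min_len: int = 6) -> set:
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    return {m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)}


def string_overlap(original: bytes, suspect: bytes, min_len: int = 6) -> dict:
    """Compare the string tables of two binaries.

    frac_of_original: share of the original's strings that also appear in the suspect;
    close to 1.0 means the suspect contains the original almost wholesale.
    jaccard: symmetric similarity, lowered by strings the suspect added (e.g. a new UI).
    size_ratio: suspect size over original size (the deck's 692K vs 364K style figure).
    """
    so, ss = extract_strings(original, min_len), extract_strings(suspect, min_len)
    shared, union = so & ss, so | ss
    return {
        "shared": len(shared),
        "only_original": len(so - ss),
        "only_suspect": len(ss - so),
        "frac_of_original": len(shared) / len(so) if so else 0.0,
        "jaccard": len(shared) / len(union) if union else 0.0,
        "size_ratio": len(suspect) / len(original) if original else 0.0,
    }


def compare_files(original_path: str, suspect_path: str, min_len: int = 6) -> dict:
    """Same comparison on two files on disk (an upstream build and the RPM payload)."""
    with open(original_path, "rb") as f1, open(suspect_path, "rb") as f2:
        return string_overlap(f1.read(), f2.read(), min_len)


# --- Constructed sample data (not real Red Star or Snort binaries) -------------------
def _fake_binary(strings: list) -> bytes:
    """Interleave the strings with non-printable filler so only they survive extraction."""
    filler = bytes(range(0, 0x20)) + b"\x7f\x80\xff"
    return filler + filler.join(s.encode("ascii") for s in strings) + filler


UPSTREAM = _fake_binary([
    "Usage: %s [-options] <filter options>",
    "preprocessor http_inspect",
    "ERROR: Unable to open rules file",
    "var HOME_NET",
])
DERIVATIVE = _fake_binary([            # keeps every upstream string, adds a UI layer
    "Usage: %s [-options] <filter options>",
    "preprocessor http_inspect",
    "ERROR: Unable to open rules file",
    "var HOME_NET",
    "pys_main_window",
    "pys_status_bar",
])
UNRELATED = _fake_binary(["smartctl version", "SMART Attributes Data Structure"])

if __name__ == "__main__":
    print("derivative:", string_overlap(UPSTREAM, DERIVATIVE))
    print("unrelated: ", string_overlap(UPSTREAM, UNRELATED))
```

A high `frac_of_original` with a low `jaccard` is the signature of "upstream plus a bolted-on layer", which is what the pysips/pys split looks like; a high ratio on both says the binary is essentially the upstream build. Strings alone cannot tell a recompiled fork from a patched binary, so treat the number as a triage hint for which binaries deserve a proper diff.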
18. Pyongyang Fortress: Architecture
Pyongyang Fortress is glue around
● Snort (NIDS)
● Internal DNS resolution (nslookup)
● Adding/removing VPN certificates
(bpsign/OpenSSL)
● Making VPN connections (OpenVPN
derivative)
● “Cool” UI
20. Censorship Detection: Goal
● Whether the firewall blocks the request
● Whether the firewall modifies the content
● Whether the firewall takes a long time to
scan and analyse the content
● Whether the firewall logs access to certain
content
22. Censorship Detection: Architecture
● Make HTTP requests from Red Star
with the same User-Agent as Naenara
○ Avoids timestamp or session-id
differences between the two fetches
○ Avoids requests being refused
for lacking a User-Agent
● Capture the web content from the
response packets
● Result: all content identical,
without any modification (tested
on 400+ URLs)
23. Censorship Time Measurement
● Run the script once on Red Star or
Fedora so the host OS has the
DNS entries cached
● Run the script on Red Star and
Fedora at the same time in the
same network environment
● Compare the time difference
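The differential test on slides 22 and 23 (same URL list fetched from Red Star and from a control Fedora box at the same time, DNS warmed first, then bodies and timings compared) reduces to one classifier over pairs of probe records. The script below is an added example, not the presenters' script. The Naenara User-Agent string is not on the slides, so `NAENARA_UA` is a placeholder to be replaced from a packet capture; the sample `Probe` records at the bottom are constructed so the classifier runs offline.

```python
"""Differential censorship probe: fetch the same URL from Red Star and from a control
host, then classify what (if anything) sat in between.

Each host runs fetch() over the same URL list at the same time; the Probe records are
brought together afterwards and handed to classify() / summarize().
"""
import hashlib
import re
import socket
import time
import urllib.error
import urllib.request
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: the real Naenara User-Agent has to be copied from a capture of the
# browser; this placeholder only marks where it goes.
NAENARA_UA = "Mozilla/5.0 (X11; Linux i686) Naenara/placeholder"


@dataclass
class Probe:
    url: str
    status: int       # HTTP status, or 0 if no response at all (refused, reset, timed out)
    body: bytes
    elapsed: float    # seconds from sending the request to reading the last byte


def warm_dns(url: str) -> None:
    """Resolve the host once beforehand so DNS latency does not pollute the timing."""
    host = urlparse(url).hostname
    if host:
        socket.getaddrinfo(host, None)


def fetch(url: str, timeout: float = 10.0) -> Probe:
    """Fetch one URL with Naenara's User-Agent and time it; failures become status 0."""
    req = urllib.request.Request(url, headers={"User-Agent": NAENARA_UA})
    t0 = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body, status = resp.read(), resp.status
    except urllib.error.HTTPError as e:      # 4xx/5xx still carries a body (maybe a block page)
        body, status = e.read(), e.code
    except (urllib.error.URLError, OSError):
        body, status = b"", 0
    return Probe(url, status, body, time.monotonic() - t0)


def fingerprint(body: bytes) -> str:
    """Hash the body after dropping HTML comments and whitespace runs, which often carry
    build timestamps. Session ids embedded in real markup are NOT normalised here."""
    body = re.sub(rb"<!--.*?-->", b"", body, flags=re.S)
    body = re.sub(rb"\s+", b" ", body)
    return hashlib.sha256(body).hexdigest()


def classify(redstar: Probe, control: Probe,
             delay_ratio: float = 2.0, min_delay: float = 0.5) -> str:
    """One of: unreachable, blocked, modified, delayed, unmodified.

    'delayed' means Red Star took both longer than min_delay seconds and more than
    delay_ratio times the control's time, the footprint an in-line content scanner adds."""
    if control.status == 0:
        return "unreachable"                  # the control could not fetch it either
    if redstar.status == 0:
        return "blocked"
    if redstar.status != control.status:      # e.g. a 403 block page instead of the 200
        return "blocked" if redstar.status >= 400 else "modified"
    if fingerprint(redstar.body) != fingerprint(control.body):
        return "modified"
    if redstar.elapsed > max(min_delay, delay_ratio * control.elapsed):
        return "delayed"
    return "unmodified"


def summarize(pairs) -> Counter:
    """Tally verdicts over (redstar_probe, control_probe) pairs for the same URLs."""
    return Counter(classify(r, c) for r, c in pairs)


# --- Constructed sample probes (no network): the control host's view of one page and
# --- four ways the same page could come back on Red Star.
CONTROL = Probe("http://example.test/", 200, b"<html><!-- built 2014 -->hi  there</html>", 0.20)
SAMPLES = {
    "unmodified": Probe("http://example.test/", 200, b"<html><!-- built 2015 -->hi there</html>", 0.25),
    "modified":   Probe("http://example.test/", 200, b"<html>hi there<p>inserted</p></html>", 0.25),
    "delayed":    Probe("http://example.test/", 200, b"<html>hi there</html>", 2.10),
    "blocked":    Probe("http://example.test/", 0, b"", 10.0),
}

if __name__ == "__main__":
    print(summarize([(p, CONTROL) for p in SAMPLES.values()]))
```

The thresholds in `classify` are deliberately coarse: with only a handful of probes per URL, a 2x slowdown above half a second is about the smallest effect that is distinguishable from network jitter, which is why the slides insist on running both hosts simultaneously on the same network with DNS already cached. Anything dynamic beyond HTML comments (CSRF tokens, rotating ads) will show up as "modified" and needs a site-specific normaliser before it can be blamed on the firewall.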
25. Censorship: Certificate Handling
● Certificate Based Tampering
● Which CAs/countries does North Korea
"trust"?
● Obtain their internal certificates (if any)
26. Certificate Store Analysis
● Naenara Certificate Store:
○ Uses an old certificate database format
○ Is empty!!
● Red Star OS Certificate Store:
○ Stored under /etc/tls rather than the usual /etc/ssl
○ Derived from Mozilla's root certificate list!
27. Trusted Certificate List
● 41 root CAs (companies)
● Mostly in the US
● Heavy overlap between their list and
Mozilla's
● They trust some extra CAs, especially Polish
ones
● Initial analysis of 3.0 shows they trust many
Russian CAs
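The per-country tally and the "overlap with Mozilla's list, plus some extra CAs" comparison on slides 26 and 27 need nothing more than the subject Name of each root certificate. The script below is an added example, not the presenters' tooling: it walks the DER of each certificate directly (no OpenSSL dependency, which matters on a box whose OpenSSL is a 2005 build), tallies countryName and diffs commonName against a reference list. `load_store` is the entry point for a real directory such as Red Star's /etc/tls; the sample store and reference names at the bottom are constructed placeholders, not real CAs.

```python
"""Which countries' CAs does this trust store contain, and how does it differ from a
reference list? Answered straight from the DER, with no OpenSSL dependency.

Only the subject Name of each certificate is walked, which is enough to tally
countryName and to match commonName against a reference list such as Mozilla's.
"""
import base64
import re
from collections import Counter
from pathlib import Path

OID_COUNTRY = bytes.fromhex("550406")   # id-at-countryName 2.5.4.6
OID_CN = bytes.fromhex("550403")        # id-at-commonName 2.5.4.3


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Iterate the TLVs directly inside a SEQUENCE/SET body."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val


def subject_attrs(der_cert: bytes) -> dict:
    """Return {attribute OID bytes: string} for the subject of a DER X.509 certificate.
    Certificate    = SEQUENCE{ tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate = SEQUENCE{ [0] version OPTIONAL, serialNumber, signature, issuer,
                               validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert, _ = _tlv(der_cert, 0)
    _, tbs, _ = _tlv(cert, 0)
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # explicit [0] version tag present (v2/v3 certs)
        fields = fields[1:]
    subject = fields[4][1]                  # serial, signature, issuer, validity, subject
    attrs = {}
    for _, rdn in _children(subject):       # SEQUENCE OF RelativeDistinguishedName (SET)
        for _, atv in _children(rdn):       # SET OF AttributeTypeAndValue (SEQUENCE)
            (_, oid), (_, val) = list(_children(atv))[:2]
            attrs[oid] = val.decode("utf-8", "replace")
    return attrs


def pem_to_der(pem_text: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return base64.b64decode("".join(m.group(1).split()))


def load_store(directory: str) -> list:
    """Read every *.pem / *.crt / *.der under a store directory (e.g. /etc/tls on Red Star)."""
    certs = []
    for p in Path(directory).rglob("*"):
        if p.suffix in (".pem", ".crt"):
            certs.append(pem_to_der(p.read_text(errors="replace")))
        elif p.suffix == ".der":
            certs.append(p.read_bytes())
    return certs


def analyse_store(der_certs, reference_cns) -> dict:
    """Per-country tally plus the set difference against a reference list of root CNs."""
    subjects = [subject_attrs(c) for c in der_certs]
    cns = {s.get(OID_CN, "") for s in subjects}
    ref = set(reference_cns)
    return {
        "by_country": Counter(s.get(OID_COUNTRY, "??") for s in subjects),
        "shared": cns & ref,
        "extra": cns - ref,      # trusted by this store but not by the reference
        "missing": ref - cns,    # in the reference but not trusted here
    }


# --- Constructed sample store (placeholder names, not real CAs) ----------------------
def _enc(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder, used only to build the sample certificates."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _sample_cert(country: str, cn: str) -> bytes:
    """Certificate-shaped DER with the real field order; only the Name fields are
    meaningful (no key, no signature), which is all subject_attrs() needs."""
    def atv(oid, text):                     # SET{ SEQUENCE{ OID, PrintableString } }
        return _enc(0x31, _enc(0x30, _enc(0x06, oid) + _enc(0x13, text.encode("ascii"))))
    name = _enc(0x30, atv(OID_COUNTRY, country) + atv(OID_CN, cn))
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
           + name + _enc(0x30, b"") + name + _enc(0x30, b""))
    return _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))


SAMPLE_STORE = [_sample_cert("US", "Example US Root 1"), _sample_cert("US", "Example US Root 2"),
                _sample_cert("PL", "Example PL Root"), _sample_cert("RU", "Example RU Root")]
REFERENCE_CNS = ["Example US Root 1", "Example US Root 2", "Example DE Root"]
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_STORE[0]).decode("ascii")
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(analyse_store(SAMPLE_STORE, REFERENCE_CNS))
```

The `extra` set is the interesting one for a trust-store audit: every CN in it is a root the target trusts that the reference does not, which is where the Polish and Russian CAs on the slides would surface. Matching on commonName is adequate for a first pass but two distinct roots can share a CN, so confirm suspicious entries by fingerprint (SHA-256 of the whole DER) before drawing conclusions.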
28. Learnings
● Pyongyang Fortress: security theater!
● Hypothesis: censorship is done at the intranet
level, since you cannot reach the Internet directly
● Host-based censorship is quite heavy
29. Future Work
● Reverse engineer binaries:
○ Snort
○ Crypto
○ Backdoor
● Look for backdoors [We found one “monitor
module” in Red Star 3.0]
● Try to get access to the internal network [If
you dare]
30. Discussion
● Bad Security
● Use of Open Source Software for Bad
● Potential Network Architecture
● Certificate Trust Dilemma
● Bad Software Development/Design Skills