Analysis of RedStar OS's (in)famous firewall

1. Pyongyang Fortress
Mayank Dhiman, Jiawei Chen

2. Red Star OS: Background
● Government sponsored OS (North Korea)
● Not much is known about the technology or
software industry in North Korea
● North Korea is one of the worst in terms of
censorship
● Supposedly ships a mysterious firewall --
Pyongyang Fortress

3. Red Star OS 2.0
● Believed to be in development since 2004
● Russian student leaked it in 2010
● RPM based Linux distribution
● Windows XP clone based on KDE3
● Closest to Fedora 9
● Base Installation + “Extra Software CD”

4. Red Star 3.0
● Leaked at the end of 2014
● Mac OS X clone
● Client and Server version
● NO “extra software CD” leaked yet
● Uses Snort by default. No Pyongyang
Fortress.

5. Red Star 2.0: Installation
● Installer seems to be based on Anaconda
● Censorship Attempts
● Weird Korean usage
● Default account is root
● Switch language to English
● Software written by North Koreans
exclusively available in Korean

7. Red Star 2.0: Exploration
● Default IPtable rules (can’t access internet)
● Interesting software packages:
○ Pyongyang Fortress
○ Tripwire
○ GFTP 2.0 and OpenSSL
○ Apache, PHP, MySQL, Squid, Sendmail
○ Wine
○ Custom Anti-virus software

8. Network Stack
● Linux Kernel 2.6.25-14
● Default IPTables configuration
● Firewall NOT installed by default!
● Naenara browser [Naenara Portal]
● All requests seem to be proxied!
● Kwangmyong [Intranet]
● Only one block of 1024 IP addresses
● Entire country behind a NAT

9. Port Scan Results
• 21/tcp ftp
• 111/tcp rpcbind
• 139/tcp netbios-ssn
• 445/tcp microsoft-ds
• 631/tcp ipp [CUPS]

10. Curious case of FTP server
● vsFTPd 2.0.5
● Known to be a secure open source FTP
server
● Minimize use of root user and uses chroot
● Counter-intuitive

11. Network Services & Exploitation
● Look for publicly available exploits
● Use Metasploit to target and launch exploits
● Test if exploits blocked by Pyongyang
Fortress or generate alarms
● Results:
○ They use old software
○ No warnings by the firewall
○ Unfortunately, no exploits were successful

12. Pyongyang Fortress
● Initial Reverse Engineering (RPM package)
● Too similar to Snort 2.3.3 (Open source
NIDS)
● Shares the following with Snort 2.3.3:
○ configuration files
○ firewall filter rules
○ some binaries
● Basically, a rip-off of Snort!!

14. Pyongyang Fortress: Analysis
● pysips
● pys
● libiqp.h
● pys.mo
● pysgethard
● pysgetdns
● bpsign
● pic_vpn

15. Pyongyang Fortress: Analysis
● pysips: Snort 2.3.3 binary but less than half
of original size
● pys: the user-interface implementation and
glue
● libiqp.h: Standard header file for iptables
● pys.mo: GNU message catalog for one to
one translation of English to Korean
messages

16. Pyongyang Fortress: Analysis
● pysgethard: smartctl, control and monitor
utility for SMART disks [predict drive failure!]
● pysgetdns: Smaller binary of nslookup
● bpsign: Some sort of certificate
signing/verification utility. Segfaults!
● pic_vpn: Seems like a wrapper for OpenVPN

17. bpSign vs OpenSSL
● OpenSSL(0.9.8a from 2005)
● bpsign is a derivative of OpenSSL
● Some custom crypto/code
● size (bpsign): 692K
● size (openssl): 364K
● Checked for anti-debugging tricks
● Seems like they started developing it and
gave up, but still shipped it!

18. Pyongyang Fortress: Architecture
Pyongyang Fortress is a glue for
● Snort (NIDS)
● Internal DNS Resolving (nslookup)
● Adding/Removing VPN Certificates
(bpsign/OpenSSL)
● Make VPN Connections (OpenVPN
derivative)
● “Cool” UI

19. Censorship Detection: Motivation

20. Censorship Detection: Goal
● Whether the firewall block the request
● Whether the firewall modify the content
● Whether the firewall takes a long time to
scan and analyze the content
● Whether firewall logs access to certain
content

21. Censorship Detection: Architecture

22. Censorship Detection: Architecture
● Make http request from RedStar
with same user agent as Naenara
○ Avoid timestamp or session id
difference
○ Avoid forbidding request
because of no user agent.
● Capture and fetch the web content
from response packet
● Result: All content are same,
without any modification. (test for
400+ URLs)

23. Censorship Time Measurement
● Run script in RedStar or
Fedora to make the host OS
has DNS cache
● Run script in RedStar and
Fedora in the same time and
same network environment.
● Compare the time difference

24. Time Measurement Result

25. Censorship: Certificate Handling
● Certificate Based Tampering
● Which CAs/Countries does North Korea
“Trust”
● Obtain their internal certificates (if any?)

26. Certificate Store Analysis
● Naenara Certificate Store:
○ Uses old cert database store
○ Is Empty!!
● Red Star OS Certificate Store:
○ /etc/tls vs /etc/ssl [standard Linux]
○ Derived from Mozilla Root Cert List!

27. Trusted Certificate List
● 41 root CAs companies
● Mostly in the US
● Heavy overlap between their cert list and
mozilla’s
● They trust some extra CAs especially Polish
● Initial analysis for 3.0 shows they trust many
Russian CAs

28. Learnings
● Pyongyang Fortress: Security Theater!
● Hypothesis: Censorship done at intranet
level as you can’t access internet directly
● Host based censorship is quite heavy

29. Future Work
● Reverse engineer binaries:
○ Snort
○ Crypto
○ Backdoor
● Look for backdoors [We found one “monitor
module” in Red Star 3.0]
● Try to get access to the internal network [If
you dare]

30. Discussion
● Bad Security
● Use of Open Source Software for Bad
● Potential Network Architecture
● Certificate Trust Dilemma
● Bad Software Development/Design Skills

31. Questions?