May 18 2009

More on Kylin…

Published by at 9:47 pm under China internet

Update 3 (May 21, 0130 GMT): Apparently there is another more recent version of Kylin out there.  A TDV reader commented that although the site (www.kylin-os.com) is down, the Kylin v3.0 based on a 2.6 Linux kernel does in fact contain some security features including MAC, RBAC and file system ACLs.  The information in the Google cache is limited but it appears that this is a lot closer to what was described in the Washington Times article.  I tested the kylin-os.com website from a proxy in the PRC to be sure that it wasn’t just blocked outside of the mainland and it appears to be down there too.  Thanks a lot to Spath for pointing out the gaping hole in my research.

So… There has been a lot of hype about the supposedly secure made-in-China OS called Kylin.  I’d like to take a moment of your time to explain the backstory and provide some of the details that I was able to find out after downloading it and taking it for a spin.

This all started with a May 12 Washington Times article titled “China blocks US from cyber warfare” by Bill Gertz.  The article starts off with a compelling bit:

China has developed more secure operating software for its tens of millions of computers and is already installing it on government and military systems, hoping to make Beijing’s networks impenetrable to U.S. military and intelligence agencies.

I found this to be very interesting because it was the first time I had ever heard about this effort.  I was aware of Red Flag Linux and Asianux but hadn’t heard of any made-in-China operating systems designed for security.  I was intrigued for sure and surprised to find out that the operating system can be downloaded in two iso files from kylin.org.cn.  It took about four days to complete both of the downloads and about ten minutes to install in a VM.

For a more complete back story, check out this article by Jonathan D. Abolins.  One thing to note is the reference to the dancefire.org site that compares the Kylin kernel to FreeBSD and indicates that the two are practically the same.  It isn’t clear what version of Kylin the dancefire.org blogger was working with on this comparison but Kylin 2.1, which is presently available for download is Linux 2.4.  Perhaps earlier versions of Kylin used FreeBSD with Linux compatibility but the only version available for download at present is Linux:

uname -a = Linux 2.4.18

The interface is a themed Gnome similar to Microsoft Windows.  The menus look more like KDE to me but Gnome is the only manager running.

Kylin 2.1 Desktop

Kylin 2.1 also has RPM installed, so it is probably a Red Hat-derived Linux.  The base install includes some interesting packages such as tripwire and webalizer.  Apache 2.0.46 is installed but it doesn’t start automatically.  The sshd starts at boot and is version 3.6.1p2.  There doesn’t seem to be any way to get updates for Kylin through something like yum or synaptic.  In fact, there aren’t even any updates posted to the kylin.org.cn website to download.

The kylin.org.cn website gives us a glimpse into the activity level behind the OS.  There hasn’t been a new bug report filed in at least two years.  The forum has some recent activity but there have been long periods without any posts on the forum.  Many of the forum posts are related to complaints about how much English is used in the OS and posters seem to want an OS that is more in touch with Chinese culture and language.  There are a number of technical areas of the forum but there isn’t a lot of recent activity there.  The news page on the kylin.org.cn website is updated frequently with general news about technology in China.

So it seems that this operating system is not really what it was presented as.  The Washington Times article references Kevin G. Coleman, an advisor to the government, as the primary source for the Kylin information.  I doubt that it was an intentional misrepresentation but it is difficult to imagine presenting Kylin as anything to be concerned about when it didn’t take very much effort to figure out that it isn’t worthy of anyone’s attention.  Not only is it not widely deployed, it isn’t new, unique or in any way innovative in terms of security.

Update: This whole article was based on my very limited analysis of Kylin 2.1.  Kylin 3.0 contains several security features similar to what is found in the SELinux extensions.  Kylin 3 sounds much more like what Kevin G. Coleman was talking about in the hearing.  I was not able to download Kylin 3 and didn’t find out about it until long after this post was made.

Update: After some comments on other blogs and forums, I took a closer look at the kernel files and this is clearly FreeBSD with linux binary compatibility.  Everyone knows what happens when you ass-u-me…

Update 2: Here is a screenshot of the partitioning stage of the installer for Richard:

Kylin disk partitioning

16 Responses to “More on Kylin…”

  1. Lotta on 19 May 2009 at 8:22 am

    I think the Abolins article explains the origins of this pretty well. I was at the USCC hearing, and the members of the press corps in attendance were already chattering about the possible implications of Kylin as they were walking out. It seemed to me that Gertz blew the very minor Kylin reference way out of proportion, only because it makes for good headlines.

    I think it’s prudent to not paint Mr. Coleman as some sort of really important “advisor to the government”. He was one of the many witnesses who have appeared in front of the USCC on this issue, that’s all. Mr. Rohozinski was WAY more impressive, I thought, and the buzz afterward was how obvious it was that he knew his stuff.

    Keep an eye out for the actual transcript from the hearing. If the USCC follows their normal schedule, the full transcript should be posted at http://www.uscc.gov by about mid-June or so.

    FYI, this wasn’t the first USCC hearing on China’s activities on cyber warfare either – the May 20, 2008 hearing was on this subject specifically.

  2. jumper on 19 May 2009 at 10:23 am

    Thanks for your comments Lotta – very helpful information. I think you’re right on about Coleman. The comments at a couple of other blogs about Kylin have gone nuts with conspiracy about using Kylin as an excuse to request additional funding for projects. Probably because the WT article doesn’t make Coleman’s role in the government very clear.

    Was he the only witness to talk about Kylin?

  3. the Pull on 19 May 2009 at 10:51 am

    There is an excellent thread on Kylin here:

    http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=&gid=1836487&discussionID=3351224&sik=1242755036635&trk=ug_qa_q&goback=%2Eana_1836487_1242755036635_3_1

    (May require having an account and even joining the open group, I am not sure.)

    Input from a very wide range of industry sources.

    One poster sums the thread up very well:
    OK. I’m awarding myself a merit badge for having read this thread from top to “Know your enemy.” And all I gotta say is: Wow. This is a short course in the security mind. I actually think the METHODS of inquiry that have been open sourced here need to be packaged up and taught in some IA 101 class. I was about to call my brother, who’s an intelligence and military history buff, but now… i’m not even sure he’s my brother. For over four decades now, I’ve used Dr. Pepper as my “portal” to an alternative version of reality. Now, thanks to this thread, I can put my Dr. Pepper away. Seriously, thanks to you all for a very interesting discussion.

  4. Lotta on 19 May 2009 at 11:32 am

    Jumper: Was he the only witness to talk about Kylin?

    Yea, as far as I recall he was. There might have been some minor discussion about it when the commissioners asked questions, but my notes from the Q/A are not very good.

  5. Bill Gertz on 19 May 2009 at 1:25 pm

    My original story led with Kylin and included other elements about Chinese cyber activities and information warfare. I also interviewed Coleman for additional details.
    To view the entire article, go here: http://www.washingtontimes.com/news/2009/may/12/china-bolsters-for-cyber-arms-race-with-us/

  6. Richard Bejtlich on 19 May 2009 at 5:17 pm

    Jumper, did you actually install KYLIN-2.1-1A.iso ?

    I tried but got stuck here at the disk partitioning stage:

    http://www.taosecurity.com/Screenshot-6.png

    I can create a slice but not assign it a name like / or whatever! I found this to be the case in the text or graphical installation options. The “edit” buttons or the “double click on the selection” options described in the manual are not there (as you can see in the screen capture). Anyone else encounter this? Tell me it’s PEBKAC, please!

    The OS is clearly FreeBSD — I recognize the kernel messages as the system exits.

    Thank you.

  7. jumper on 19 May 2009 at 6:40 pm

    Hi Richard,

    I did install from the 2.1A iso. I remember having some problems with the interface when I got to the disk partitioning. It took a few tries but basically, add a slice and then highlight the “unused part” that corresponds to the size of slice you created and click “add part”. The root / should be there by default with UFS2 selected and swap optional in the pull-down.

    Regards,

    jumper

  8. spath on 20 May 2009 at 2:25 pm

    Dear jumper,

    Thank you for your interesting research and post.

    However, from my own research it seems that Kylin 2.1 is
    obsolete, and that development is now focused on version 3.0,
    which includes a hardened Linux 2.6 kernel and a SELinux-like
    MAC. The website for this new version (kylin-os.com / kylin-os.cn)
    is apparently down, but google cache still gives interesting
    technical details about its technologies (see for instance
    http://is.gd/BMpy). Therefore it seems to me that more
    investigation is needed before dismissing Mr Coleman’s
    statements so quickly.

    regards,
    –spath

  9. jumper on 20 May 2009 at 5:46 pm

    Spath,

    Thank you very much for pointing this out. I have updated the article.

    Regards,

    jumper

  10. jumper on 20 May 2009 at 6:08 pm

    See the new K3 forum at http://kylin3.cn for more info.

    Also:
    http://blog.chinaunix.net/u1/51057/showart_498917.html&tbb=1&rurl=translate.google.com&usg=ALkJrhhY1XXfZYn3yzBBR4NtTy7KjQKavg

    And it comes with a Yum updater:
    http://blog.chinaunix.net/u1/51057/showart_472491.html&tbb=1&rurl=translate.google.com&usg=ALkJrhg6nbPcUiFK9imjj-DUMgp0KRDb9A

  11. Joker on 22 May 2009 at 8:38 am

    I find this very interesting in regards to the fact that, if this is the super secure OS that China is going to be installing on tens of millions of computers including their infrastructure, why make it public? Wouldn’t you want this to be as quiet as possible? Seems strange to me.

    Makes me wonder if this is done on purpose to make a lot of noise in one direction only to hide something else in another area.

  12. Heike on 22 May 2009 at 9:30 am

    Joker,

    Looks like you have read your 36 Stratagems, “Make a noise in the east, attack in the west.”

  13. jumper on 22 May 2009 at 10:04 am

    Hi Joker,

    The researcher that made the presentation to the USCC is the one who described Kylin that way. Keep in mind that Kylin is funded by the national innovation project 863 and based on forum activity and Chinese blog posts, it is a research project. I doubt that it is very widely deployed. It is no longer free so the idea that it would be installed on tens of millions of computers is probably incorrect. Kylin 3.0 has some interesting security features but nothing particularly innovative.

    I doubt that there is any conspiracy here. I would expect the government of China to be interested in having an OS that they can manage inside China. It doesn’t matter that it wasn’t built from scratch as long as future code changes are reviewed by someone on the inside. This is a worthwhile effort on the part of people running 863. It isn’t anything at all to be surprised, concerned or suspicious of.

    BTW, Kevin G. Coleman stated that current cyber weapons are designed for Linux, Windows and UNIX and would be ineffective against Kylin. That would not necessarily be the case. Kylin < 2.1 is FreeBSD without any security features like stack protection. Kylin 3.0 is Linux 2.6 with MAC, RBAC and file ACLs. If Kylin is deployed like SELinux is deployed, the security features will either be turned off or there won't be a profile for the most important applications like Oracle. In any case, I don't know what is in the US cyber weapons armory but I doubt that the US offensive cyber capability shuts down when it comes across FreeBSD.

    http://www.uscc.gov/hearings/2009hearings/written_testimonies/09_04_30_wrts/09_04_30_coleman_statement.pdf

    Read the statement and decide for yourself if Kylin is something to worry about.
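The post's approach (install it, look at the kernel, the packages and the listeners) and comment 13's caveat (a MAC layer that ships in the kernel is only worth anything if it is actually enforcing on the deployed box) both come down to a few checks a defender can script. The script below is an added example, not code from the original post, from Kylin or from its project; the sample root it builds is constructed here and is not captured from any Kylin system. It reports the kernel family from a `uname -sr` string, reads the MAC state from the sysfs nodes a Linux kernel exposes for SELinux or AppArmor, and lists listening TCP ports from a `/proc/net/tcp`-style table. Pass `/` as the root to run it against a live VM.

```shell
#!/bin/sh
# Added example (not from the original post or from Kylin): a small posture
# check for an OS whose security is asserted rather than demonstrated.
# Every function takes its input explicitly so it can run against a
# constructed fake root (built below) or against "/" on a live system.

# Classify a "uname -sr" string. The LSM framework that SELinux and AppArmor
# hook into was merged in Linux 2.6.0; a 2.4 kernel only gets a MAC through
# out-of-tree patches, and FreeBSD has its own mac(4) framework, not LSM.
kernel_family() {
    case "$1" in
        "Linux 2.4."*) echo "linux-2.4 (no in-tree LSM; MAC only via patches)" ;;
        "Linux 2.6."*) echo "linux-2.6 (LSM available; SELinux/AppArmor possible)" ;;
        Linux*)        echo "linux (LSM available)" ;;
        FreeBSD*)      echo "freebsd (MAC via mac(4), not LSM)" ;;
        *)             echo "unknown" ;;
    esac
}

# Report the MAC state from sysfs. $1 is the root to inspect ("/" when live).
# "Present but permissive" is exactly the deployment failure comment 13 warns about.
mac_status() {
    root="${1%/}"
    if [ -r "$root/sys/fs/selinux/enforce" ]; then
        case "$(cat "$root/sys/fs/selinux/enforce")" in
            1) echo "selinux-enforcing" ;;
            0) echo "selinux-permissive" ;;
            *) echo "selinux-unknown" ;;
        esac
    elif [ -r "$root/sys/kernel/security/apparmor/profiles" ]; then
        n=$(grep -c '(enforce)' "$root/sys/kernel/security/apparmor/profiles")
        echo "apparmor-enforce-profiles=$n"
    else
        echo "no-mac-detected"
    fi
}

# Print listening TCP ports (decimal) from a /proc/net/tcp-style table given
# as $1. A listener has state 0A in column 4; column 2 is hex "ip:port".
# The hex conversion is done in awk itself so the script stays POSIX.
tcp_listeners() {
    awk 'function hex(s,  i, v) {
             v = 0
             for (i = 1; i <= length(s); i++)
                 v = v * 16 + index("0123456789ABCDEF", toupper(substr(s, i, 1))) - 1
             return v
         }
         NR > 1 && $4 == "0A" { split($2, a, ":"); print hex(a[2]) }' "$1"
}

# Build a constructed sample root (NOT captured from Kylin): a 2.6-era Linux
# with SELinux present but permissive, and sshd (22) and httpd (80) listening.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/sys/fs/selinux" "$r/proc/net"
    printf '0\n' > "$r/sys/fs/selinux/enforce"
    cat > "$r/proc/net/tcp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 0100007F:8A3C 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 1236 1 0000000000000000 20 4 30 10 -1
EOF
    echo "$r"
}

# Combine the checks into the short report a reviewer would actually read.
posture_report() {
    root="$1"
    uname_sr="$2"
    echo "kernel: $(kernel_family "$uname_sr")"
    echo "mac:    $(mac_status "$root")"
    echo "tcp listeners:"
    tcp_listeners "$root/proc/net/tcp" | sed 's/^/  port /'
}

# Demo against the constructed root; on a real box use: posture_report / "$(uname -sr)"
sample=$(make_sample_root)
posture_report "$sample" "Linux 2.6.18"
rm -rf "$sample"
```

The design point is that none of the functions shell out to the system under test: they read the kernel string and the sysfs/proc files you hand them, which makes the checks reproducible against a mounted image of an installed VM as well as a running one. Only the demo at the bottom assumes anything, and what it assumes is the constructed root it builds itself.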

  14. xort on 30 May 2009 at 12:07 pm

    looks like something here:
    http://selinuxproject.org/~jmorris/kylin/

  15. jumper on 31 May 2009 at 5:49 am

    Thanks Xort,

    That is the same version that I looked at for this post. It is not the most recent 3.0 version that has the security extensions.

    -jumper

  16. [...] http://www.thedarkvisitor.com/2009/05/more-on-kylin/ [...]