May 18 2009
More on Kylin…
Update 3 (May 21, 0130 GMT): Apparently there is another more recent version of Kylin out there. A TDV reader commented that although the site (www.kylin-os.com) is down, the Kylin v3.0 based on a 2.6 Linux kernel does in fact contain some security features including MAC, RBAC and file system ACLs. The information in the Google cache is limited but it appears that this is a lot closer to what was described in the Washington Times article. I tested the kylin-os.com website from a proxy in the PRC to be sure that it wasn’t just blocked outside of the mainland and it appears to be down there too. Thanks a lot to Spath for pointing out the gaping hole in my research.
So… There has been a lot of hype about the supposedly secure made-in-China OS called Kylin. I’d like to take a moment of your time to explain the backstory and provide some of the details that I was able to find out after downloading it and taking it for a spin.
This all started with a May 12 Washington Times article titled “China blocks US from cyber warfare” by Bill Gertz. The article starts off with a compelling bit:
China has developed more secure operating software for its tens of millions of computers and is already installing it on government and military systems, hoping to make Beijing’s networks impenetrable to U.S. military and intelligence agencies.
I found this to be very interesting because it was the first time I had ever heard about this effort. I was aware of Red Flag Linux and Asianux but hadn’t heard of any made-in-China operating systems designed for security. I was intrigued for sure and surprised to find out that the operating system can be downloaded in two ISO files from kylin.org.cn. It took about four days to complete both of the downloads and about ten minutes to install in a VM.
For a more complete backstory, check out this article by Jonathan D. Abolins. One thing to note is the reference to the dancefire.org site that compares the Kylin kernel to FreeBSD and indicates that the two are practically the same. It isn’t clear what version of Kylin the dancefire.org blogger was working with on this comparison, but Kylin 2.1, which is presently available for download, is Linux 2.4. Perhaps earlier versions of Kylin used FreeBSD with Linux compatibility but the only version available for download at present is Linux:

The interface is a themed Gnome similar to Microsoft Windows. The menus look more like KDE to me but Gnome is the only manager running.

Kylin 2.1 also has RPM installed so it is probably a Red Hat derived Linux. It has some interesting things installed in the base install like tripwire and webalizer. Apache 2.0.46 is installed but it doesn’t start automatically. The sshd starts at boot and is version 3.6.1p2. There doesn’t seem to be any way to get updates for Kylin through something like yum or synaptic. In fact, there aren’t even any updates posted to the kylin.org.cn website to download.
The kylin.org.cn website gives us a glimpse into the activity level behind the OS. There hasn’t been a new bug report filed in at least two years. The forum has some recent activity but there have been long periods without any posts on the forum. Many of the forum posts are related to complaints about how much English is used in the OS and posters seem to want an OS that is more in touch with Chinese culture and language. There are a number of technical areas of the forum but there isn’t a lot of recent activity there. The news page on the kylin.org.cn website is updated frequently with general news about technology in China.
So it seems that this operating system is not really what it was presented as. The Washington Times article references Kevin G. Coleman, an advisor to the government, as the primary source for the Kylin information. I doubt that it was an intentional misrepresentation but it is difficult to imagine presenting Kylin as anything to be concerned about when it didn’t take very much effort to figure out that it isn’t worthy of anyone’s attention. Not only is it not widely deployed, it isn’t new, unique or in any way innovative in terms of security.
Update: This whole article was based on my very limited analysis of Kylin 2.1. Kylin 3.0 contains several security features similar to what is found in the SELinux extensions. Kylin 3 sounds much more like what Kevin G. Coleman was talking about in the hearing. I was not able to download Kylin 3 and didn’t find out about it until long after this post was made.
Update: After some comments on other blogs and forums, I took a closer look at the kernel files and this is clearly FreeBSD with Linux binary compatibility. Everyone knows what happens when you ass-u-me…
Update 2: Here is a screenshot of the partitioning stage of the installer for Richard:



