Previous Entry | Next Entry

Adding some updates with indications. - 13 May 2009. More updates. - 1 June 2009.

Kylin logo Today, I was in the midst of info security discussions about a Chinese operating system called "Kylin".

This set of discussions was launched by a Washington Times article by Bill Gertz today, "China blocks U.S. from cyber warfare". The article claimed:
---
China has developed more secure operating software for its tens of millions of computers and is already installing it on government and military systems, hoping to make Beijing's networks impenetrable to U.S. military and intelligence agencies.

The secure operating system, known as Kylin, was disclosed to Congress during recent hearings that provided new details on how China's government is preparing to wage cyberwarfare with the United States.
---

The hearings mentioned by the Washington Times included the 30 April 2009 US-China Economic and Security Review Commission's Hearing on China’s Propaganda and Influence Operations, Its Intelligence Activities that Target the United States, and the Resulting Impacts on U.S. National Security. At that hearing, Mr. Kevin G. Coleman, Senior Fellow with the Technolytics Institute was on the panel concerning Chinese cyber-espionage directed at the US. In his opening statements, Coleman stated:
---
Chinese authors believe the United States already is carrying out offensive cyber espionage and exploitation against China. China therefore must protect its own assets first in order to preserve the capability to go on the offensive. While this is a highly unpopular statement, WE ARE IN THE EARLY STAGES OF A CYBER ARMS RACE AND NEED TO RESPOND ACCORDINGLY!

This race was intensified when China created Kylin, their own hardened server operating system and began to convert their systems back in 2007. This action also made our offensive cyber capabilities ineffective against them given the cyber weapons were designed to be used against Linux, UNIX and Windows. Refer to our report - RED SOS.
---
(I was not able to find the RED SOS report online yet.)

Looking at my Twitter feeds throughout the day, I was seeing much tweeting about Kylin OS. Then, I mentioned the topic to Heike of The Dark Visitor blog about Chinese hackers. As I kept learning more about Kylin, it became clear that I should compile the information and post it on this blog.

The Kylin Web Site

Kylin's Web site is at http://www.kylin.org.cn/
[Rough rendition of the site into English via Google Translate]

By the way, some people have noted that, ironically, the site for a secure OS has an SQL injection vulnerability.

Kylin OS History

I learned that the Kylin OS has been around for several years, going back to 2001.

China Military Online, a Web site sponsored by the PLA Daily of the Chinese Peoples Liberation Army, reported in February 2005 of the development of Kylin as a the PRC's own operating system that could replace foreign OSes. The Kylin OS was developed by the University of Science and Technology for National Defense (affiliated with the PLA). The project began when...
---
In 2001, the central government decided to assign the mission of developing an operating system with independent intellectual property right, a major special project of the state's "863 Hi-tech Program", to the Computer Science Institute of the National University of Defense Technology. Upon receiving the mission, the institute swiftly organized a strong scientific and technological task group to brave difficulties and hardships and make bold innovations. Eventually, the group succeeded in making breakthroughs in a series of core technologies and developed the first 64-bit operating system with high security level (B2 class)-the Kylin server operating system. The system is not only compatible with the mainstream operating systems in the world, but also supports several multiple microprocessors and computers of different structures. In addition, the system is also the first operating system without Linux kernel that has obtained Linux global standard authentification by the international Free Standards Group (FSG).
---
In December 2006, Xinghua reported about Kylin OS. One of the things this report mentioned was that the University had signed an agreement with the LENOVO for production and application of the Kylin system.

FreeBSD Roots?

Information Warfare Monitor has a post "Kylin operating system plagiarized from the FreeBSD5.3?" and pointed to the Dancefire site with it comparison of Kylin and FreeBSD 5.3. The similarities between the two OSes reportedly reached 99.45 percent.

The interesting Kylin information is under the Dancefire site's News section, which is in Chinese. The good news for those of us who cannot read Chinese is that Google Translate does a passable rendition of the texts. (Kylin is rendered by Google as "Kirin". I don't think it has anything to do with the Japanese beer. Does it?)

ADDED 1 June 2009: Jumper at The Dark Visitor blog has been taking a look at Kylin and has a good posting there.

How "Secure" is This "Secure OS"? [added 13 May 2009]

Much of the reporting about Kylin, including the PRC's PR about the OS, seems to take the claims it is a "secure OS" at face value. But I have not yet come across any extensive security testing of Kylin. Also, I am wondering how much ongoing security support for Kylin is there. I mean things such as security patches, forums, etc.

Security researcher Dancho Danchev raises several excellent points that challenge the notions that the PRC's (or any other country's) "secure OS" poses a real threat to the US cyber-offensice capabilities.  Danchev writes regarding the "re-branding" of FreeBSD as Kylin and about the limits of "national security OSes":
---
All warfare is indeed based on deception, especially when you’re re-branding.

The rush to participate in the “national security operating system” arms race is pretty evident across the world, with the European Union’s secure OS Minix, the U.S Air Force new ‘secure distribution of Windows XP‘ and Russia’s interest in a similar secure OS.

What everyone appears to be forgetting is the fact that security is proportional with usability, and as well as the fact that complexity is the worst enemy of security.
---
Then, Danchev provides the example of a US penetration test of a US government site and found "763 high-risk, 504 medium-risk, and 2,590 low-risk vulnerabilities, such as weak passwords and unprotected critical file folders.” The assortment of applications on the systems and their complexity gave ample footholds for exploitation. Then, there are human factors, including human foibles, that can affect security. Although better designed or hardened OSes can help, they are but one component of security.

So is the PRC's Kylin a Part of Cyber-Warfare, Cyber-Security, or Both?


It's both. (Note, I am leery of the cyber-warfare term. It can encourage massive, costly projects and bad analogies.)

I understand Mr. Coleman's concerns about cyberwarfare aspects and how the PRC's cyber-defence could hinder US cyber cababilities against their systems. But, we should not deem overall attempts to have more secure operating systems as "warfare" in a sinister sense per se. Improving cyber-security is something that we all should be doing. Being "peaceful" in the networked world does not mean having servers running unpatched Windows. The US, UK, etc. should be encouraging their government, corporate, and infrastructure systems to be better secured. (The US has done projects such NSA's work on Security Enhanced Linux. Some might call that as an example of US cyber-warfare.)

Special thanks to

Regards,
Jonathan D. Abolins


Comments

( 5 comments — Leave a comment )
(Anonymous)
May. 13th, 2009 06:18 pm (UTC)
kiberkarsh
Yo, tevi lasa ari latvija :)
.... via dark visitor blog...
jabolins
May. 14th, 2009 03:07 am (UTC)
Re: kiberkarsh
Sveiks, paldies.
(Hello, thank you.)

About me reading well with Latvian...
Although Latvian was my first language, I am quite out of practice. Starting to relearn it as I can, along with learning some of the other langauges in which I'm interested.
(Anonymous)
Mar. 10th, 2011 03:42 pm (UTC)
Re: kiberkarsh
The kylin server cannot be reached on ipv4 because the whole kylin os is ipv6 only. Actually the chinese government separated their financial government and military and put it on their own intranet. Something the U.S. should have done a long time ago. This way hackers can't even get to it. So no wonder it is secure. You got to be Tom Cruz to get in.
(Anonymous)
May. 19th, 2009 03:50 am (UTC)
Strange Phenomenon
Looking at the bright side, Chinese government awares on the problems in cyber-topia and the inadequacy of Windows. Kylin and SE Linux does increase the resistance on botnet, So far, Americans claimed the attacks from China; now China is trying to secure its networks. This can avoid the 3rd World War. Of course, Kylin can also be a defence from any attack from U.S. Coleman has ignored on fact: the core machines of U.S. government is using Novell Linux which is the best secured Linux.
(Anonymous)
Mar. 10th, 2011 03:48 pm (UTC)
Re: Strange Phenomenon
One comment on this kylin business. It is said that kylin is based on free bsd. Wasn't there a story of a defected fbi or cia that claimed that bsd has an fbi or cia back door programed in natively. So way to go china. Using that code just made your core os so much more secure from american invasion. Chinese are so much smarter than the average stupid American. And let me guess is there a reason why most americans don't even give bsd a first look. I guess the back door is a common hacker or user knowledge now at home.
( 5 comments — Leave a comment )

Profile

crypto. hebern, secret
jabolins
Jonathan D. Abolins

Latest Month

April 2013
S M T W T F S
 123456
78910111213
14151617181920
21222324252627
282930    

Tags

Page Summary

Powered by LiveJournal.com
Designed by Tiffany Chow